IP addresses that have been observed sending ransomware-like traffic to port 445
Microsoft DS Exploiting IP Addresses

This is a list of IP addresses that have been caught either doing stealth SYN scans against, or attacking, port 445 of Windows machines. This behaviour, together with the payloads we have collected from some of these IPs, matches that of ransomware. The update frequency is currently set to 4 hours and will be completely automated from now on.

Importing and Using

This list contains a lot of IP addresses, so importing all of them is generally not recommended: one firewall rule per address can slow down your firewall.

Import to UFW

# Each non-comment line becomes one deny rule inserted at the top of the chain.
# "$line" is quoted so that a malformed line cannot be split into extra arguments.
# grep "^[^#]" skips comment lines and, because it needs at least one character, blank lines.
while read -r line; do
    ufw insert 1 deny from "$line" to any
done < <(grep "^[^#]" ms-ds-violation-ips.ipset)

Import to IPTables

This is similar to the UFW import, just change the command.

# Same loop as for UFW; each address is appended to INPUT as a DROP rule.
while read -r line; do
    iptables -A INPUT -s "$line" -j DROP
done < <(grep "^[^#]" ms-ds-violation-ips.ipset)
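
Both loops above trust that every non-comment line in the file is a well-formed address and add one firewall rule per IP, which is what makes a large import slow. The script below is an added example and is not part of this repository: it strips comments and blank lines, validates each entry as an IPv4 address or CIDR block, and emits an "ipset restore" script so the whole list becomes one set that a single iptables rule matches. The set name ms-ds-violation, the constructed sample list in sample_list, and the file name ms-ds-violation-ips.ipset are assumptions.

```shell
#!/bin/sh
# Added example (not code from this repository). Loads an .ipset-style list into
# one ipset so that a single iptables rule matches every address in it.
#
# Load:   emit_ipset_restore < ms-ds-violation-ips.ipset | sudo ipset restore -exist
# Match:  sudo iptables -I INPUT -m set --match-set ms-ds-violation src -j DROP
#
# SET_NAME and the file name are assumptions, not values used by the project.
SET_NAME="ms-ds-violation"

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
is_ipv4_entry() {
    local entry ip prefix octet o1 o2 o3 o4
    entry=$1
    ip=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" = "$entry" ] && prefix=32          # no "/" present: host entry
    case $prefix in ''|*[!0-9]*) return 1 ;; esac  # prefix must be digits only
    [ "$prefix" -le 32 ] || return 1
    case $ip in .*|*.|*..*) return 1 ;; esac       # reject empty octets
    IFS=. read -r o1 o2 o3 o4 <<EOF
$ip
EOF
    [ -n "$o4" ] || return 1                       # fewer than four octets
    for octet in "$o1" "$o2" "$o3" "$o4"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac  # catches a fifth octet or junk
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a list on stdin and print one validated entry per line.
# Drops full-line and trailing comments, blank lines and malformed entries.
clean_list() {
    local line entry
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                              # drop trailing comment
        entry=${entry#"${entry%%[![:space:]]*}"}       # trim leading whitespace
        entry=${entry%"${entry##*[![:space:]]}"}       # trim trailing whitespace
        [ -n "$entry" ] || continue
        if is_ipv4_entry "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# Turn the cleaned list into "ipset restore" input: create the set if needed,
# flush stale members, then add every entry. hash:net accepts hosts and CIDRs.
emit_ipset_restore() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    printf 'flush %s\n' "$SET_NAME"
    clean_list | sed "s/^/add $SET_NAME /"
}

# Constructed sample in the list's layout (documentation ranges, not real data):
# comments, a blank line, an out-of-range octet and an entry with extra text.
sample_list() {
    cat <<'EOF'
# ms-ds-violation-ips.ipset (constructed sample)
#
203.0.113.7
198.51.100.0/24   # trailing comment

256.1.1.1
192.0.2.55 extra-field
192.0.2.55
EOF
}

# Run directly with a file argument to print the restore script for that file.
if [ $# -gt 0 ]; then
    emit_ipset_restore < "$1"
fi
```

Dropping all traffic from the listed sources mirrors what the two loops above do; the set can be flushed and reloaded every 4 hours without touching the iptables rule, and malformed lines are reported on stderr instead of being passed to the firewall.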


Where do these IPs come from?

From various places and people. There has been proof for all IPs added to the list.

Are you sure they are evil?

These IPs have been reported to scan servers/honeypots specifically on port 445 and/or to have attempted to send malicious payloads to an open port 445. There is no reason someone would do this other than having malicious intent.

How do I report IPs?

Coming soon.

How long will these IPs stay on this list?

For a long time, but likely not more than a year.

I see my IP in that list, how do I get it off the list?

If you're asking yourself this question, it is likely that you are not a bad actor, so IPs will be whitelisted based on proof that you (recently) obtained said IP address. However, the reputation of the organization that owns this IP address or address space will greatly influence the decision. Regardless, open an issue and the request will be evaluated. If your IP is removed from this list and it later appears to have resumed malicious activity, then it'll remain on the list for a very long time.


This repository is licenced under the MIT License because threat intelligence should be completely open.