
Network Reporting | The Shadowserver Foundation

source link: https://www.shadowserver.org/what-we-do/network-reporting/
  • Improve Network Security

    Shadowserver has an altruistic, public benefit mission to make the Internet more secure for everyone. Network reporting is one of the ways we accomplish this. Subscribers use our free daily remediation reports to identify potential network security issues, then prioritize and perform remediation work.

  • Subscribe to Reports

    Our individualized, custom network remediation reports are available free of charge, forever. Become a subscriber and receive timely insight on the state of your networks, as well as relevant, publicly available information on recent security news and events.


  • News & Insights

    Follow reporting on the latest cyber security news. Find out how to protect yourself from emerging threats. Get insights on best practices for network and Internet security. Learn what Shadowserver is doing to help.


Our 95 Report Types

Basic API documentation

An API to allow querying of the collected SSL data from the daily SSL scans.

A module to allow trusted partners to query information about malware, networks, and trusted programs.

Returns routing details for a given address or ASN.

Returns a JSON response containing static details about the requested sample as well as antivirus vendor and signature details.

An API to query the different reports received, as well as to run basic queries of the data itself. This is meant as an optional replacement for the emails received with the report URLs.

Returns a JSON response containing the details for the requested program.

This report identifies hosts that have the Android Debug Bridge (ADB) running, bound to a network port (5555/tcp) and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Apple Filing Protocol (AFP) running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Apple Remote Desktop service on port 3283/udp running and accessible on the Internet. It is a Service Scan and it’s updated every 24 hours.

This report identifies hosts that have the Cisco Smart Install feature running and are accessible to the Internet at large. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Constrained Application Protocol (CoAP) service enabled on port 5683/UDP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an FTP instance running on port 21/TCP that’s accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that are running Hadoop and have either the NameNode or DataNode web interfaces running and accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) running on some port and are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the MS RDP UDP extension service available. This service can be abused for amplification DDoS attacks. It’s a Service Scan, and it’s updated every 24 hours.

Quick UDP Internet Connections (QUIC) is a protocol that may eventually replace the standard transport for web traffic. More can be read on Wikipedia about the details of the protocol. This is a 443/UDP test to see whether the server allows QUIC connections and which version of the protocol is available. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Radmin service running on port 4899/TCP and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have Remote Desktop (RDP) Service running and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an SMB instance running on port 445/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Secure Shell (SSH) service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an SSL/TLS service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a Telnet instance running on port 23/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a VNC instance running on port 5900/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the rsync service running, bound to a network port (873/tcp) and accessible on the Internet without a password. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the X Display Manager service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report contains observed reflected amplification DDoS events. Sourced from Honeypots. Updated every 24 hours.

This report is the aggregation of a variety of different block list providers, for end-users’ reference. This data is aggregated from blacklist providers. Updated every 24 hours.

This report lists all the infected machines, drones, and zombies we were able to capture from the monitoring of IRC Command and Controls, the capturing of IP connections to HTTP botnets, or the IPs of Spam relays. Obtained from a variety of sources. Updated every 24 hours.

This report identifies URLs captured from botnet communications. Any URL that was seen in a botnet channel is reported. The URL could be an update, complaint, or information related to the criminals. Everything is included in case there is something of value in the URL. This data is sourced from Botnet monitoring. Updated every 24 hours.

This report identifies hosts that have been observed performing brute force attacks. Sourced from Honeypots. Updated every 24 hours.

This CAIDA-based report intends to provide a current view of ingress/egress filtering and susceptibility to IP source packet forging (spoofing) on a given network. Updated every 24 hours.

This report identifies click-fraud attempts, which we see when botnets are given the direction to click on revenue-generating URLs. The specific URLs targeted are listed. Sourced from Botnet Monitoring. Updated every 24 hours.

This report provides information about specific hosts that were seen to be compromised from a botnet. These are usually seen when another infected system reports on each host that had been compromised. Sourced from Botnet Monitoring. Updated every 24 hours.

This report is a list of all the websites we or our partners have verified to be compromised, which are therefore likely to be abused for various types of attacks. Sourced from tracking systems. Updated every 24 hours.

These reports list all the currently known active C&Cs. Sourced from Tracking System. Updated every 7 days.

This report records traffic observed to darknet networks. Sourced from Darknet (Network Telescope). Updated every 24 hours.

These reports list out all the attacks and targets for a DDoS in your area of responsibility, whether the recipient is the target or the source of the attack. Sourced from Botnet Monitoring. Updated every 24 hours.

This report identifies DNS servers that have the potential to be used in DNS amplification attacks by criminals that wish to perform denial of service attacks. Sourced from Service Scan. Updated every 24 hours.

This report is a list of all the infected machines, drones, and zombies that we were able to capture from the monitoring of IRC Command and Controls, capturing IP connections to HTTP botnets, or the IPs of Spam relays. Sourced from Botnet Monitoring (IRC and HTTP) and Sinkholes. Updated every 24 hours.

This is a report of the source URLs from which malware was downloaded by the Honeypot systems. Sourced from Honeypots. Updated every 24 hours.

This report identifies hosts that have been observed performing HTTP-based scanning activity. Sourced from Honeypots. Updated every 24 hours.

This report identifies hosts that have been observed performing scanning activity against Industrial Control System (ICS) sensors. Sourced from Honeypots. Updated every 24 hours.

These reports summarize the ports used by IRC servers as Command and Control for a Botnet, sorted by most seen, highest rate of shutdown, and lowest rate of shutdown. This is a summary from all data sources. Updated weekly (Sunday).

This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft Sinkhole servers. Sourced from Sinkholes. Updated every 24 hours.

This report identifies hosts that appear to have an openly accessible backdoor on a Netcore/Netis router. It’s a Service Scan and is updated every 24 hours.

This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible NTP service running that responds to Mode 6 requests. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the CPE WAN Management Protocol (CWMP) running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the DB2 Discovery Service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible chargen service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Elasticsearch server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible IPMI service running that responds to an IPMI ping. It’s a Service Scan and is updated every 24 hours.

This report identifies devices that have an open IPP (Internet Printing Protocol) service enabled on port 631/TCP. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have an LDAP instance running on port 389/UDP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an LDAP instance running on port 389/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the mDNS service running and accessible from the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Memcached key-value server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible MQTT service running. It is a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible MongoDB NoSQL server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible MS-SQL Server Resolution Service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible NetBIOS service running. It’s a Service Scan and is updated every 24 hours.

This report identifies any host that appears to have an openly accessible portmapper service running that responds to an rpcinfo request. It’s a Service Scan and is updated every 24 hours.

This report detects open proxies or jump points, either used directly or sold to other criminals. Sourced from Search Engine Scraping, Botnets, and other sources. Updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Quote Of The Day service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Redis key-value server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible SNMP service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Simple Service Discovery Protocol service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the TFTP service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the Ubiquiti Discovery service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies IPv4 hosts that have been observed using an outdated DNSSEC Key. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies IPv6 hosts that have been observed using an outdated DNSSEC Key. It’s a Service Scan, and it’s updated every 24 hours.

This report detects proxy servers, which are commonly used to make malicious activity seem anonymous. This data is sourced from Botnet monitoring. Updated every 24 hours.

This report includes sets of URLs that were accessed by malware. There are two versions of this report: filtered and unfiltered. Sourced from our sandboxed systems. Updated every 24 hours.

This report is a summary of all the connections that the sandbox system saw for the specific interval. Sourced from our sandboxed systems. Updated every 24 hours.

This report is a summary of all the IRC based networks that were found after analyzing malware. Sourced from our sandboxed systems. Updated every 24 hours.

A list of email addresses used by malware during a sandbox run. Sourced from our sandboxed systems. Updated every 24 hours.

Vulnerability scanning is a standard part of any botnet arsenal. We report on these as a warning that specific network blocks are being targeted. It’s a Service Scan and is updated every 24 hours.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

This report identifies IPs of recursive DNS servers querying for sinkholed domains. Sourced from Sinkholes. Updated every 24 hours.

This report identifies all the IPs that joined the sinkhole server that did not join via a referral URL. Sourced from Sinkholes. Updated every 24 hours.

This report lists the IPv6 addresses for all the devices that connected to our IPv6 Sinkhole server. Sourced from Sinkholes. Updated every 24 hours.

A list of referral URLs that pushed systems to the sinkhole server. Sourced from Sinkholes. Updated every 24 hours.

A list of the URLs and relays for spam that was received. Sourced from spam and email. Updated every 24 hours.

This report identifies any host (IP) that could be used in an SSL FREAK attack. It’s a Service Scan and is updated every 24 hours.

This report identifies any host (IP) that appears to be vulnerable to an SSL POODLE attack. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that are potentially compromised with the SYNful Knock backdoor. It’s a Service Scan, and it’s updated every 24 hours.

The report identifies hosts that have an HTTP server exposed with a potential vulnerability. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a vulnerable IKE service accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.
