CRITICAL: Compromised Website Report

DESCRIPTION LAST UPDATED: 2026-05-21

DEFAULT SEVERITY LEVEL: CRITICAL

This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify to be compromised. The report is meant to cover a broad category of web related compromises. It may include a compromised CMS for example, but also includes devices that we have detected to be compromised with webshells or implants that are accessible via HTTP.

This reason for listing will be provided either in the “tag” or the “category” field of the report. Please also review the “url” and “detail” fields for contextualization. Please note that when attempting to remotely identify a webshell by connecting to a url specified in the report, a 404 reply does not imply that the webshell in fact does not exist. Make sure to investigate on the compromised system side!

As always, there is no guarantee that there are no additional infections or compromises on any IP that we report on. We have seen several different threat actors abusing the same compromised system for different purposes. We recommend investigating systems with the assumption that there are more compromises on the systems than are reported.

The following compromises are being reported:

cPanel(and also related Roundcube) instances we see attempting to exploit our honeypots or seen in darknets (network telescopes), likely also compromised as a result of CVE-2026-41940 compromises.
cPanel (and potentially other assets) compromised via CVE-2026-41940 by the .Sorry Ransomware tagged sorry-ransomware (see also https://censys.com/blog/the-cpanel-situation-is/) and sites compromised by a credential stealer WHMStealer, tagged whmstealer [tagging first added 2026-05-04]. We also added mr_rot13 related backdoors, based on https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment. These are taggedmr-rot13. [tagging for mr_rot13 added 2026-05-13].
ClickFix injected JavaScript, often the result of compromise of outdated WordPress installations or plugins. The visitors of the website get tricked to install malware when the injected JavaScript executes. This is achieved by the threat actor using social engineering tricks like instructing the user to hit Win+R and pasting commands that the website has inserted into the copy buffer. The presence of the injected JavaScript is determined via remote detection of the injected code. Make sure to identify and close the attack vector to avoid the same code showing up again. Events tagged as clickfix. For more insights on how to investigate such cases, please review: https://www.atea.no/siste-nytt/it-sikkerhet/investigating-a-clearfake-clickfix-etherhide-campaign/. Additionally, you can use (free tier) resources to check your own website for injected code for example Sucuri or free tier options to secure WordPress at WordFence. [tagging first added 2026-03-12]
Ivanti Endpoint Manager Mobile (EPMM) artifacts/webshells, likely the result of CVE-2026-1281 exploitation. This is based on remote artifact/webshell detection. If you receive an alert from us, please review the Ivanti Security advisory at: https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340. Make sure to run the Exploitation Detection RPM Package provided. Tagged as ivanti-epmm-compromised. Track results on the Dashboard here. [tagging first added 2026-02-06]
Sangoma FreePBX webshells, likely the result of CVE-2025-57819 exploitation. This is based on remote webshell detection. See: https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203. 2026-01-30 update: https://www.fortinet.com/blog/threat-research/unveiling-the-weaponized-web-shell-encystphp Tagged as freepbx-compromised.Track results on the Dashboard here. [tagging first added 2025-08-29 and then expanded 2026-01-30]
Microsoft SharePoint webshells, likely the result of CVE-2025-53770 exploitation. See https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770 and https://research.eye.security/sharepoint-under-siege/ for details. This is based on remote webshell detection. Tagged as sharepoint-compromised.[tagging first added 2025-07-20]
Fortinet FortiWeb devices with webshells, likely the result of CVE-2025-25257 exploitation. This is based on remote webshell detection. Tagged as fortiweb-compromised.[tagging first added 2025-07-14]
SAP NetWeaver instances compromised via CVE-2025-31324 exploitation. This is based on remote webshell detection. For details on the attacks, please read the blog from ReliaQuest and Rapid7. Tagged as netweaver-compromised. [tagging first added 2025-04-28]
Fortinet devices compromised using previously known but not patched vulnerabilities to deliver a symlink-based persistence mechanism. Tagged as fortinet-compromised. See Fortinet’s Advisory for for mitigation steps (also CISA Advisory, ACSC Advisory, CERT.NZ Advisory). Statistics available on our public Dashboard. [tagging first added 2025-04-11]
Murdoc botnet compromised devices (AVTECH devices). Tagged as murdoc-botnet. See https://blog.qualys.com/vulnerabilities-threat-research/2025/01/21/mass-campaign-of-murdoc-botnet-mirai-a-new-variant-of-corona-mirai. [tagging first added 2025-02-04]
Ivanti Connect Secure devices compromised as a result of multiple (we believe) campaigns. In some cases this may be related to CVE-2025-0282 but likely older or other activity may be involved as well. Compromised devices are detected by scans using a methodology suggested by NCSC.FI. These are tagged backdoor;ivanti-connect-secure. We initially included cve-2025-0282 as part of the tags but this has been removed as of 2025-01-23. If you receive an alert from us, please make sure to check for compromise in the path shared (and elsewhere). You can also follow CISA’s mitigation advice. You can track results on our Dashboard. [tagging first added 2025-01-21]
Fortinet devices (Fortigate Management Interface CVE-2022-40684 related compromises). This is based on data published by Belsen Group after it was announced on Breach Forums. Events are tagged as fortinet-exfil;cve-2024-55591 as it was initially (mistakenly) assumed this data was from exploitation of CVE-2024-55591 when it should be CVE-2022-40684. One event per file exfiled, including size in bytes and sha256 hash. If vpn credentials were exfiled, usernames will be listed under accounts. This is a one-off dataset only that has been shared once 2025-01-15. For additional context on the Fortigate attacks, see https://www.fortiguard.com/psirt/FG-IR-22-377, https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684 and https://www.truesec.com/hub/blog/fortinet-cve-2022-40684-vulnerability-from-an-incident-response-perspective [tagging first added 2025-01-14]
Palo Alto Networks devices (PAN-OS Management Interface CVE-2024-0012 related compromises). This is based on a query detecting compromise related artefacts. Events tagged as “panos-compromised“. For additional context on PAN-OS attacks, see https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/ [tagging first added 2024-10-26].
Samsung Techwin Network Video Recorder (NVR) Web Viewer devices compromised with a webshell. Check for webshell file named update.php in the /root/webviewer/ directory. Events tagged as “http;samsung-techwin-nvr-web-viewer;webshell“. See our Dashboard tracker for latest scan results. [tagging first added 2024-09-26]
TellYouThePass ransomware compromised devices from PHP CVE-2024-4577 exploitation campaigns. See: Imperva article on and BleepingComputer article [tagging added 2024-06-19]
Qlik Sense instances that have been compromised by the Cactus ransomware group (as a result of CVE-2023-48365, CVE-2023-41265, CVE-2023-41266 exploitation campaigns. Please find the details at “Sifting through the spines: identifying (potential) Cactus ransomware victims” blog by Fox-IT. Compromised instances are determined remotely by checking for the presence of files with .ttf or .woff file extension. Tagged as “injected-code;qliksense;ssl;webshell“. See our Dashboard tracker for latest scan results. [tagging first added 2024-04-25]
Ivanti Connect Secure VPN devices that have signs of compromise (observed backdoor activity) as a result of CVE-2024-21893 attack campaigns. These checks are based on this Orange Cyberdefense publication. Tagged as “backdoor-activity;ivanti-connect-secure“. See our Dashboard tracker for latest scan results. [tagging added 2024-02-09]
Ivanti Connect Secure VPN devices with injected credential stealer code installed as part of CVE-2024-21887 and CVE-2023-46805 attack campaigns. Tagged as “ivanti-connect-secure;credential-stealer;injected-code“. See our Dashboard tracker for latest scan results.
Ivanti Connect Secure VPN devices: GIFTEDVISITOR webshell variant installed as part of CVE-2024-21887 and CVE-2023-46805 exploitation campaign as discovered by Volexity. Data shared in collaboration with Volexity. Tagged “ivanti-connect-secure;webshell“. See our Dashboard tracker for latest scan results. If you received a report on your network/constituency, please check out the suggested recovery steps from Ivanti (and investigate your network for wider possible compromise).
Badcandy Device implants installed as part of the Cisco IOS XE compromises described in the Cisco Talos blog Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities. This is tagged “badcandy” & “device-implant“. 2025-11-03 update: see also the Australian ASD https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy advisory on the topic
Citrix webshells installed as part of CVE-2023-3519 exploitation campaigns (please see Technical Summary of Observed Citrix CVE-2023-3519 Incidents and Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. Tagged “citrix” and “webshell“.
Citrix code-injections, also installed as part of CVE-2023-3519 exploitation campaigns and used for credential harvesting (please see the IBM X-Force writeup). Tagged “citrix” and “injected-code“, with “detail” specifying also the detected injected domain used to steal credentials.
Webservers compromised by StealRat, tagged “hacked-webserver-stealrat-t1” or “redirecting-to-stealrat-t1“.

You can track current compromised website detections on our Dashboard, by selecting compromised_website or compromised_website6 as a source. You can view specific detection types by selecting the tags, for example, all current Citrix compromises.

You can learn more on the report in our Compromised Website Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report comes in two versions – for IPv4 and IPv6.

Severity levels are described here.

Filename(s): compromised_website, compromised_website6

Fields

timestamp

Timestamp that the URL was last seen/verified to be compromised in UTC+0
severity

Severity level
ip

IP hosting the compromised website
protocol

Protocol
port

Port the compromised website is served on
hostname

Reverse DNS of the IP of the compromised website
tag

Attributes for the given event
application

Layer 7 protocol (HTTP/HTTPS)
asn

ASN of the IP hosting the compromised URL
geo

Country of the IP hosting the compromised URL
region

State or province from the Geo
city

City from the Geo
url

URI path of the component indicating the website compromise
http_host

Domain/IP part of the URL
category

Type of maliciousness the compromised website is being used for
system

Operating system on the server hosting the compromised website (Windows/Linux)
detected_since

Timestamp that the URL was first seen/verified to be compromised in UTC+0
server

Server side software such as Apache/Nginx
redirect_target

Redirect url if any
naics

North American Industry Classification System Code
hostname_source

Hostname
sector

Sector of the IP in question
cc_url

In the case that a C&C server is involved, the URL of that server
family

Name of the malware family/type the website is compromised with/by
status

Status of the affected IP, for example, compromised
account

Account information, if relevant
detail

Any additional details for contextualization
public_source

Source of the data (may not be dislosed)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","application","asn","geo","region","city","url","http_host","category","system","detected_since","server","redirect_target","naics","hostname_source","sector","cc_url","family","status","account","detail","public_source"
"2010-02-10 00:00:00",critical,192.168.0.1,tcp,443,node01.example.com,device-implant;ssl,https,64512,ZZ,Region,City,/%66eatures/iox/lm/static/localmgmt/sysinfo.html,node01.example.com,,,"2010-02-10 00:00:00",nginx,,0,,,,,,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,
"2010-02-10 00:00:01",critical,192.168.0.2,tcp,443,node02.example.com,device-implant;ssl,https,64512,ZZ,Region,City,/%66eatures/iox/lm/static/localmgmt/sysinfo.html,node02.example.com,,,"2010-02-10 00:00:01",openresty,,0,ptr,,,,,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,
"2010-02-10 00:00:02",critical,192.168.0.3,tcp,443,node03.example.com,device-implant;ssl,https,64512,ZZ,Region,City,/%66eatures/iox/lm/static/localmgmt/sysinfo.html,node03.example.com,,,"2010-02-10 00:00:02",nginx,,0,,,,,,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,

Our 141 Report Types

« Back to Network Reporting