News & Insights

Topic: Scans

Shadowserver Special Reports – Vulnerable Log4j Servers (2021-12-22 update)

December 22, 2021
A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots continue to detect IPv4 /0 scanning and exploitation attempts. A second run of our Vulnerable Log4j Servers Special Report provides updated data from Alpha Strike Lab's scanning activity performed during the week since our first Special Report. The updated Special Report is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

Shadowserver Special Reports – Vulnerable Log4j Servers

December 15, 2021
A maximum risk critical vulnerability in the popular Apache Log4j open source logging software was made public as CVE-2021-44228 on December 9th 2021, potentially providing attackers with easy remote code execution on thousands of systems globally. Although Shadowserver decided not to scan for this vulnerability, our honeypots detected rapid growth in IPv4 /0 scanning. This Special Report provides data from Alpha Strike Labs's scanning activity and is being distributed to National CSIRTs and network owners as a public benefit service to aid in rapid remediation.

Announcing the Device Identification Report

September 8, 2021
We have introduced a new report type, the Device Identification Report. This report contains a list of devices we have identified in our daily Internet scans. The assessment is made based on all our IPv4-wide Internet scan types. All scan responses are processed by a scan signature engine that classifies IPs based on predefined rules that match various response fields. The report is intended for recipients to get a better understanding of device population types on networks they are responsible for

Shadowserver Special Report – Exchange Scanning #5

March 24, 2021
A new one-off Special Report covering efforts to identify additional vulnerable and compromised Microsoft Exchange servers and associated common web shell that are configured to use DNS based virtual hosting, rather than direct IPv4 /0 scanning for default web sites, containing data for the period 2021-03-16 to 2021-03-22.

Shadowserver Special Reports – Exchange Scanning #4

March 15, 2021
Another internet wide scan based one-off Special Report identifying 59218 potentially vulnerable Microsoft Exchange Servers on 2021-03-14 courtesy of Kryptoslogic, with a comparison of the degree of overlap in coverage between this data set and our previous one-off Special Report that was just released. If your mail servers appear in either report - please patch immediately.

Shadowserver Special Reports – Exchange Scanning #3

March 15, 2021
Another one-off Special Report identifying 73608 potentially vulnerable Microsoft Exchange Servers during the period 2021-03-13 and 2021-03-14, which corresponds to 63115 unique IP addresses in 211 countries. These exposed systems remain at very high risk and need patching immediately.

Shadowserver Special Reports – Exchange Scanning #2

March 12, 2021
Another one off Shadowserver Special Report, this time in partnership with Kryptoslogic, provides critical information about compromised Microsoft Exchange Servers with exposed public web shells that were likely exploited using CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Please remediate and patch/rebuild urgently!

Shadowserver Special Reports – Exchange Scanning #1

March 11, 2021
Shadowserver one-off Special Reports are for reporting security events outside our usual 24-hour reporting window. Our second Special Report covers identification Microsoft Exchange Servers potentially vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 by scanning with DIVD after patches were released.

Scanning for Accessible MS-RDPEUDP services

January 25, 2021
We have started daily IPv4 /0 scanning for exposed MS-RDPEUDP instances on port 3389/UDP. Aside from the usual risks associated with exposing RDP services to the Internet, this UDP extension of the popular RDP services has been found to be susceptible to amplification DDoS abuse with an amplification factor of over 84. Over 12 000 instances of MS-RDPEUDP have been found to be accessible on the IPv4 Internet.

Accessible Radmin Report - Exposed Radmin Services on the Internet

July 7, 2020
We have recently enabled a new IPv4 Internet-wide scan and report for accessible Radmin services on port 4899/TCP. Radmin is a remote access software product commonly in use today. Our daily scans uncover around 50,000 accessible Radmin services on port 4899/TCP. While Radmin is in general considered a secure mechanism for remote access, care should be taken as with all similar types of services to ensure no misconfiguration has taken place.