LAST UPDATED: 2023-11-21
This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify to be compromised. The report is meant to cover a broad category of web-related compromises. It may include, for example, a compromised CMS, but it also includes devices that we have detected to be compromised with webshells or implants that are accessible via HTTP.
The reason for listing will be provided either in the “tag” or the “category” field of the report. Please also review the “url” and “detail” fields for contextualization. Please note that when attempting to remotely identify a webshell by connecting to a url specified in the report, a 404 reply does not imply that the webshell in fact does not exist. Make sure to investigate on the compromised system side!
As always, there is no guarantee that there are no additional infections or compromises on any IP that we report on. We have seen several different threat actors abusing the same compromised system for different purposes. We recommend investigating systems with the assumption that there are more compromises on the systems than are reported.
As of 2023-10-29, the following compromises are being reported:
- Device implants installed as part of the Cisco IOS XE compromises described in the Cisco Talos blog Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities. Tagged “device-implant”.
- Citrix webshells installed as part of CVE-2023-3519 exploitation campaigns (please see Technical Summary of Observed Citrix CVE-2023-3519 Incidents and Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells). Tagged “citrix” and “webshell”.
- Citrix code-injections, also installed as part of CVE-2023-3519 exploitation campaigns and used for credential harvesting (please see the IBM X-Force writeup). Tagged “citrix” and “injected-code”, with “detail” specifying also the detected injected domain used to steal credentials.
- Webservers compromised by StealRat, tagged “hacked-webserver-stealrat-t1” or “redirecting-to-stealrat-t1”.
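The following is an added example, not part of the report or of Shadowserver's own tooling: a small Python triage helper that reads report rows, groups hosts by tag, and turns each host into a work item that follows the guidance above (host-side investigation regardless of what the url returns, the injected domain from “detail” used as a log-search indicator, and the assumption that a host may carry more compromises than listed). The column layout (timestamp, ip, tag, category, url, detail), the use of “;” to separate multiple tags, and the sample rows are all constructed assumptions for illustration; the page itself only names the tag, category, url and detail fields.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows for this example (documentation IP ranges, ".invalid"
# domain). The column set and the ";" tag separator are assumptions, not the
# report's documented schema.
SAMPLE_REPORT = """\
timestamp,ip,tag,category,url,detail
2023-11-20 10:01:00,192.0.2.10,device-implant,device-implant,http://192.0.2.10/,implant reachable via HTTP
2023-11-20 10:02:00,198.51.100.5,citrix;webshell,webshell,https://198.51.100.5/example-path,constructed webshell entry
2023-11-20 10:03:00,198.51.100.5,citrix;injected-code,injected-code,https://198.51.100.5/,example-collector.invalid
2023-11-20 10:04:00,203.0.113.7,hacked-webserver-stealrat-t1,hacked-webserver,http://203.0.113.7/,
2023-11-20 10:05:00,203.0.113.8,redirecting-to-stealrat-t1,redirect,http://203.0.113.8/,redirects to stealrat landing
"""


def parse_report(text):
    """Parse CSV report text into dict rows; the 'tag' field is split on ';'
    (assumed multi-value separator) into a 'tags' list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["tags"] = [t.strip() for t in row["tag"].split(";") if t.strip()]
        rows.append(row)
    return rows


def group_by_tag(rows):
    """Map each tag to the sorted, de-duplicated list of IPs reported under it."""
    by_tag = defaultdict(set)
    for row in rows:
        for tag in row["tags"]:
            by_tag[tag].add(row["ip"])
    return {tag: sorted(ips) for tag, ips in by_tag.items()}


def triage(rows):
    """Build one work item per IP. A host may appear under several tags, and the
    report warns to assume more compromises than are listed, so every host gets
    a host-side investigation action regardless of how the listed url responds."""
    per_ip = defaultdict(lambda: {"tags": set(), "urls": set(), "actions": set()})
    for row in rows:
        item = per_ip[row["ip"]]
        item["tags"].update(row["tags"])
        item["urls"].add(row["url"])
        if "injected-code" in row["tags"] and row["detail"]:
            # 'detail' carries the injected credential-harvesting domain
            item["actions"].add(
                f"search proxy/DNS logs for {row['detail']} and reset credentials "
                "submitted through the affected login page")
        if "webshell" in row["tags"] or "device-implant" in row["tags"]:
            item["actions"].add(
                "inspect the host's filesystem/firmware directly; an HTTP 404 "
                "for the listed url does not clear it")
        if any(tag.endswith("stealrat-t1") for tag in row["tags"]):
            item["actions"].add(
                "review the web root and outbound redirects for StealRat artifacts")
        item["actions"].add("assume additional, unreported compromises on this host")
    return {
        ip: {
            "tags": sorted(v["tags"]),
            "urls": sorted(v["urls"]),
            "multiple_reasons": len(v["tags"]) > 1,
            "actions": sorted(v["actions"]),
        }
        for ip, v in per_ip.items()
    }


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for tag, ips in sorted(group_by_tag(parsed).items()):
        print(f"{tag}: {', '.join(ips)}")
    for ip, item in sorted(triage(parsed).items()):
        print(f"\n{ip} tags={item['tags']} multiple_reasons={item['multiple_reasons']}")
        for action in item["actions"]:
            print(f"  - {action}")
```

The per-IP grouping is the point: the same host reported as both “citrix;webshell” and “citrix;injected-code” becomes one work item with both actions, which matches the advice that several actors may be abusing one compromised system.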
You can track current compromised website detections on our Dashboard, by selecting compromised_website or compromised_website6 as a source. You can view specific detection types by selecting the tags, for example, all current Citrix compromises.
You can learn more on the report in our Compromised Website Report tutorial.
You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
This report comes in two versions – for IPv4 and IPv6.
Filename(s): compromised_website, compromised_website6