Compromised Website Report

This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify to be compromised.

These websites might be used for sending spam, participating in DDoS attacks, redirecting users to exploit kits, etc. This information will be listed in the “category” field of the report.

A large subset of these compromises are caused by outdated versions of CMS, such as Joomla/Drupal/Wordpress (or plugins for these) and weak or keylogged FTP credentials.

As always, there is no guarantee that there are no additional infections or compromises on any IP that we report on. We have seen several different criminal groups abusing the same compromised system for different purposes; the same IP/domain that is hosting a spambot may also be used for infecting unsuspecting users. We recommend investigating systems with the assumption that there are more compromises on the systems than are reported.

Fields

timestamp

Timestamp that the URL was last seen/verified to be compromised in UTC+0
ip

IP hosting the compromised website
port

Port the compromised website is served on
hostname

Reverse DNS of the IP of the compromised website
tag

Name of the malware family/type the website is compromised with/by
application

Layer 7 protocol (HTTP/HTTPS)
asn

ASN of the IP hosting the compromised URL
geo

Country of the IP hosting the compromised URL
region

State or province from the Geo
city

City from the Geo
url

URI path of the component indicating the website compromise
http_host

Domain/IP part of the URL
category

Type of maliciousness the compromised website is being used for
system

Operating system on the server hosting the compromised website (Windows/Linux)
detected_since

Timestamp that the URL was first seen/verified to be compromised in UTC+0
server

Server side software such as Apache/Nginx
cc_url

In the case that a C&C server is involved, the URL of that server

Sample

"timestamp","ip","port","hostname","tag","application","asn","geo","region","city","url","http_host","category","system","detected_since","server","cc_url"
"2014-06-16 00:16:33","23.80.185.68",80,"23.80.185.68.rdns.as15003.net","hacked-webserver-stealrat-t1","http",15003,"US","NEW YORK","NEW YORK CITY","sslcVv.php","000628.com","spam","WINNT","2014-06-04 00:15:09",,""
"2014-06-16 00:16:33","108.171.205.43",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-content/plugins/jifen/modules/donate/test.php","003la.com","spam","Linux","2014-05-18 00:16:35",,""
"2014-06-16 00:16:33","108.171.205.43",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-includes/returnV04Z.php","003la.com","spam","Linux","2014-03-08 01:16:06",,""
"2014-06-16 00:16:33","108.171.205.43",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","ibcd/newsHlwJ.php","003la.com","spam","Linux","2014-04-10 00:17:06",,""
"2014-06-16 00:16:33","123.196.112.160",80,,"hacked-webserver-stealrat-t1","http",4847,"CN","BEIJING","BEIJING","wp-includes/Text/Diff/Renderer/inc.php","0-00.cn","spam","Linux","2014-05-17 00:16:09",,""
"2014-06-16 00:16:33","108.171.205.43",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-includes/js/tinymce/plugins/wpgallery/gallery.php","003la.com","spam","Linux","2014-05-09 00:16:15",,""
"2014-06-16 00:16:33","74.220.202.17",80,,"hacked-webserver-stealrat-t1","http",46606,"US","UTAH","PROVO","accountQpS.php","007sales.com","spam","Linux","2014-06-05 00:16:07",,""
"2014-06-16 00:16:33","108.171.205.43",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-includes/pomo/index21V2.php","003la.com","spam","Linux","2014-03-14 00:17:06",,""
"2014-06-16 00:16:33","108.171.205.43",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-content/plugins/wordpress-popular-posts/lang/returnkhy.php","003la.com","spam","Linux","2014-03-04 01:15:06",,""

Our 111 Report Types

« Back to Network Reporting