CRITICAL: Compromised Website Report

DESCRIPTION LAST UPDATED: 2024-02-10

DEFAULT SEVERITY LEVEL: CRITICAL

This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify as compromised. The report covers a broad category of web-related compromises: it may include a compromised CMS, for example, but also devices that we have detected to be compromised with webshells or implants that are accessible via HTTP.

The reason for listing will be provided either in the “tag” or the “category” field of the report. Please also review the “url” and “detail” fields for contextualization. Please note that when attempting to remotely identify a webshell by connecting to a URL specified in the report, a 404 reply does not imply that the webshell does not exist. Make sure to investigate on the compromised system side!

As always, there is no guarantee that there are no additional infections or compromises on any IP that we report on. We have seen several different threat actors abusing the same compromised system for different purposes. We recommend investigating systems with the assumption that there are more compromises on the systems than are reported.

As of 2024-02-09, the following compromises are being reported:

You can track current compromised website detections on our Dashboard, by selecting compromised_website or compromised_website6 as a source. You can view specific detection types by selecting the tags, for example, all current Citrix compromises.

You can learn more on the report in our Compromised Website Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report comes in two versions – for IPv4 and IPv6.

Severity levels are described here.

Filename(s): compromised_website, compromised_website6

Fields

  • timestamp
    Timestamp that the URL was last seen/verified to be compromised in UTC+0
  • severity
    Severity level
  • ip
    IP hosting the compromised website
  • protocol
    Protocol
  • port
    Port the compromised website is served on
  • hostname
    Reverse DNS of the IP of the compromised website
  • tag
    Attributes for the given event
  • application
    Layer 7 protocol (HTTP/HTTPS)
  • asn
    ASN of the IP hosting the compromised URL
  • geo
    Country of the IP hosting the compromised URL
  • region
    State or province from the Geo
  • city
    City from the Geo
  • url
    URI path of the component indicating the website compromise
  • http_host
    Domain/IP part of the URL
  • category
    Type of maliciousness the compromised website is being used for
  • system
    Operating system on the server hosting the compromised website (Windows/Linux)
  • detected_since
    Timestamp that the URL was first seen/verified to be compromised in UTC+0
  • server
    Server side software such as Apache/Nginx
  • redirect_target
    Redirect URL, if any
  • naics
    North American Industry Classification System Code
  • hostname_source
    Source of the hostname value
  • sector
    Sector of the IP in question
  • cc_url
    In the case that a C&C server is involved, the URL of that server
  • family
    Name of the malware family/type the website is compromised with/by
  • status
    Status of the affected IP, for example, compromised
  • account
    Account information, if relevant
  • detail
    Any additional details for contextualization
  • public_source
    Source of the data (may not be disclosed)

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","application","asn","geo","region","city","url","http_host","category","system","detected_since","server","redirect_target","naics","hostname_source","sector","cc_url","family","status","account","detail","public_source"
"2010-02-10 00:00:00",critical,192.168.0.1,tcp,443,node01.example.com,device-implant;ssl,https,64512,ZZ,Region,City,/%66eatures/iox/lm/static/localmgmt/sysinfo.html,node01.example.com,,,"2010-02-10 00:00:00",nginx,,0,,,,,,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,
"2010-02-10 00:00:01",critical,192.168.0.2,tcp,443,node02.example.com,device-implant;ssl,https,64512,ZZ,Region,City,/%66eatures/iox/lm/static/localmgmt/sysinfo.html,node02.example.com,,,"2010-02-10 00:00:01",openresty,,0,ptr,,,,,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,
"2010-02-10 00:00:02",critical,192.168.0.3,tcp,443,node03.example.com,device-implant;ssl,https,64512,ZZ,Region,City,/%66eatures/iox/lm/static/localmgmt/sysinfo.html,node03.example.com,,,"2010-02-10 00:00:02",nginx,,0,,,,,,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,
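As an added example (not part of the Shadowserver report or its tooling), the following Python turns rows in this sample format into triage records: it splits the ';'-separated tag field, percent-decodes the url path so the same component can be searched for on the host side, records how long the indicator has been re-verified, and groups affected IPs by tag. It assumes only the two sample rows above; the field names are the report's own.

```python
import csv
import io
from datetime import datetime
from urllib.parse import unquote

# Two rows in the report's own format, copied from the sample above
# (192.168.0.x addresses and example.com hostnames are placeholders).
SAMPLE = '''\
"timestamp","severity","ip","protocol","port","hostname","tag","application","asn","geo","region","city","url","http_host","category","system","detected_since","server","redirect_target","naics","hostname_source","sector","cc_url","family","status","account","detail","public_source"
"2010-02-10 00:00:00",critical,192.168.0.1,tcp,443,node01.example.com,device-implant;ssl,https,64512,ZZ,Region,City,/%66eatures/iox/lm/static/localmgmt/sysinfo.html,node01.example.com,,,"2010-02-10 00:00:00",nginx,,0,,,,,,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,
"2010-02-10 00:00:01",critical,192.168.0.2,tcp,443,node02.example.com,device-implant;ssl,https,64512,ZZ,Region,City,/%66eatures/iox/lm/static/localmgmt/sysinfo.html,node02.example.com,,,"2010-02-10 00:00:01",openresty,,0,ptr,,,,,,https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/,
'''
TS = "%Y-%m-%d %H:%M:%S"


def parse_report(text):
    """Turn compromised_website CSV text into triage records.

    'tag' is ';'-separated and 'url' may be percent-encoded, so the raw and
    the decoded path are both kept: a host-side log search must try both.
    """
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        first = datetime.strptime(row["detected_since"], TS)
        last = datetime.strptime(row["timestamp"], TS)
        tags = [t for t in row["tag"].split(";") if t]
        records.append({
            "ip": row["ip"],
            "port": int(row["port"]),
            "tags": tags,
            # 'category' says why the site is listed; fall back to the first tag
            "reason": row["category"] or (tags[0] if tags else "unknown"),
            "url_raw": row["url"],
            "url_decoded": unquote(row["url"]),
            # seconds between first and latest verification of the indicator
            "active_seconds": int((last - first).total_seconds()),
            # public_source may be withheld; the sample carries its link in 'detail'
            "reference": row["public_source"] or row["detail"],
        })
    return records


def group_by_tag(records):
    """Map each tag to the sorted IPs carrying it, for bulk ticketing."""
    by_tag = {}
    for rec in records:
        for tag in rec["tags"]:
            by_tag.setdefault(tag, set()).add(rec["ip"])
    return {tag: sorted(ips) for tag, ips in by_tag.items()}
```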
