Compromised Website Report

LAST UPDATED: 2022-06-26

This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify to be compromised.

These websites might be used for sending spam, participating in DDoS attacks, redirecting users to exploit kits, etc. This information will be listed in the “category” field of the report.

A large subset of these compromises are caused by outdated versions of content management systems (CMS) such as Joomla, Drupal or WordPress (or plugins for these), and by weak or keylogged FTP credentials.

As always, there is no guarantee that there are no additional infections or compromises on any IP that we report on. We have seen several different criminal groups abusing the same compromised system for different purposes; the same IP/domain that is hosting a spambot may also be used for infecting unsuspecting users. We recommend investigating systems with the assumption that there are more compromises on the systems than are reported.

You can learn more about this report in our Compromised Website Report tutorial.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Filename(s): compromised_website


  • timestamp
    Timestamp that the URL was last seen/verified to be compromised in UTC+0
  • ip
    IP hosting the compromised website
  • port
    Port the compromised website is served on
  • hostname
    Reverse DNS of the IP of the compromised website
  • tag
    Name of the malware family/type the website is compromised with/by
  • application
    Layer 7 protocol (HTTP/HTTPS)
  • asn
    ASN of the IP hosting the compromised URL
  • geo
    Country of the IP hosting the compromised URL
  • region
    State or province from the Geo
  • city
    City from the Geo
  • url
    URI path of the component indicating the website compromise
  • http_host
    Domain/IP part of the URL
  • category
    Type of maliciousness the compromised website is being used for
  • system
    Operating system on the server hosting the compromised website (Windows/Linux)
  • detected_since
    Timestamp that the URL was first seen/verified to be compromised in UTC+0
  • server
    Server side software such as Apache/Nginx
  • cc_url
    In the case that a C&C server is involved, the URL of that server


"2014-06-16 00:16:33","",80,"","hacked-webserver-stealrat-t1","http",15003,"US","NEW YORK","NEW YORK CITY","sslcVv.php","","spam","WINNT","2014-06-04 00:15:09",,""
"2014-06-16 00:16:33","",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-content/plugins/jifen/modules/donate/test.php","","spam","Linux","2014-05-18 00:16:35",,""
"2014-06-16 00:16:33","",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-includes/returnV04Z.php","","spam","Linux","2014-03-08 01:16:06",,""
"2014-06-16 00:16:33","",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","ibcd/newsHlwJ.php","","spam","Linux","2014-04-10 00:17:06",,""
"2014-06-16 00:16:33","",80,,"hacked-webserver-stealrat-t1","http",4847,"CN","BEIJING","BEIJING","wp-includes/Text/Diff/Renderer/inc.php","","spam","Linux","2014-05-17 00:16:09",,""
"2014-06-16 00:16:33","",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-includes/js/tinymce/plugins/wpgallery/gallery.php","","spam","Linux","2014-05-09 00:16:15",,""
"2014-06-16 00:16:33","",80,,"hacked-webserver-stealrat-t1","http",46606,"US","UTAH","PROVO","accountQpS.php","","spam","Linux","2014-06-05 00:16:07",,""
"2014-06-16 00:16:33","",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-includes/pomo/index21V2.php","","spam","Linux","2014-03-14 00:17:06",,""
"2014-06-16 00:16:33","",80,,"hacked-webserver-stealrat-t1","http",18450,"US","MISSOURI","PIERCE CITY","wp-content/plugins/wordpress-popular-posts/lang/returnkhy.php","","spam","Linux","2014-03-04 01:15:06",,""
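
The following added example, which is not part of the original page or Shadowserver's own tooling, parses rows in the field order listed above and groups findings per host, so that several compromised paths on one system are reviewed together as the report recommends. The IP addresses, host names and ASN in the sample rows are constructed, and the column order (with an optional header line) is an assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Column order assumed to follow the field list documented on this page.
FIELDS = ["timestamp", "ip", "port", "hostname", "tag", "application", "asn",
          "geo", "region", "city", "url", "http_host", "category", "system",
          "detected_since", "server", "cc_url"]
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed rows: RFC 5737 addresses, example.* hosts, documentation ASN 64500.
SAMPLE = '''"2014-06-16 00:16:33","192.0.2.10",80,"","hacked-webserver-stealrat-t1","http",64500,"US","MISSOURI","PIERCE CITY","wp-includes/returnV04Z.php","blog.example.org","spam","Linux","2014-03-08 01:16:06",,""
"2014-06-16 00:16:33","192.0.2.10",80,"","hacked-webserver-stealrat-t1","http",64500,"US","MISSOURI","PIERCE CITY","wp-content/plugins/jifen/modules/donate/test.php","blog.example.org","spam","Linux","2014-05-18 00:16:35",,""
"2014-06-16 00:16:33","198.51.100.7",80,"","hacked-webserver-stealrat-t1","http",64500,"US","NEW YORK","NEW YORK CITY","sslcVv.php","shop.example.net","spam","WINNT","2014-06-04 00:15:09",,""
'''

def load_rows(text):
    """Parse report rows; skip a header line and rows with the wrong field count."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS) or rec[0] == "timestamp":
            continue
        rows.append(dict(zip(FIELDS, rec)))
    return rows

def triage(rows):
    """Group findings per (ip, http_host): paths, categories, longest exposure in days."""
    hosts = defaultdict(lambda: {"urls": set(), "categories": set(), "max_days": 0})
    for r in rows:
        seen = datetime.strptime(r["timestamp"], TS_FORMAT)
        first = datetime.strptime(r["detected_since"], TS_FORMAT)
        h = hosts[(r["ip"], r["http_host"])]
        h["urls"].add(r["url"])
        h["categories"].add(r["category"])
        # detected_since marks first sighting, so the gap is the known exposure window.
        h["max_days"] = max(h["max_days"], (seen - first).days)
    return dict(hosts)

if __name__ == "__main__":
    findings = triage(load_rows(SAMPLE))
    # Longest-exposed hosts first: these have had the most time to collect further implants.
    for (ip, host), h in sorted(findings.items(), key=lambda kv: -kv[1]["max_days"]):
        print(f"{ip} {host}: {len(h['urls'])} path(s), "
              f"{sorted(h['categories'])}, up to {h['max_days']} days")
        for path in sorted(h["urls"]):
            print(f"    {path}")
```

A host with several listed paths or a long gap between detected_since and timestamp is a candidate for a full file-system and credential review rather than removal of the listed files alone.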
