Compromised Website Report

LAST UPDATED: 2023-11-21

This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify to be compromised. The report is meant to cover a broad category of web related compromises. It may include a compromised CMS for example, but also includes devices that we have detected to be compromised with webshells or implants that are accessible via HTTP.

This reason for listing will be provided either in the “tag” or the “category” field of the report. Please also review the “url” and “detail” fields for contextualization. Please note that when attempting to remotely identify a webshell by connecting to a url specified in the report, a 404 reply does not imply that the webshell in fact does not exist. Make sure to investigate on the compromised system side!

As always, there is no guarantee that there are no additional infections or compromises on any IP that we report on. We have seen several different threat actors abusing the same compromised system for different purposes. We recommend investigating systems with the assumption that there are more compromises on the systems than are reported.

As of 2023-10-29, the following compromises are being reported:

Device implants installed as part of the Cisco IOS XE compromises described in the Cisco Talos blog Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities. This is tagged “device-implant”
Citrix webshells installed as part of CVE-2023-3519 exploitation campaigns (please see Technical Summary of Observed Citrix CVE-2023-3519 Incidents and Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells. Tagged “citrix” and “webshell”.
Citrix code-injections, also installed as part of CVE-2023-3519 exploitation campaigns and used for credential harvesting (please see the IBM X-Force writeup). Tagged “citrix” and “injected-code”, with “detail” specifying also the detected injected domain used to steal credentials.
Webservers compromised by StealRat, tagged “hacked-webserver-stealrat-t1” or “redirecting-to-stealrat-t1”.

You can track current compromised website detections on our Dashboard, by selecting compromised_website or compromised_website6 as a source. You can view specific detection types by selecting the tags, for example, all current Citrix compromises.

You can learn more on the report in our Compromised Website Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

This report comes in two versions – for IPv4 and IPv6.

Filename(s): compromised_website, compromised_website6

Fields

timestamp

Timestamp that the URL was last seen/verified to be compromised in UTC+0
ip

IP hosting the compromised website
port

Port the compromised website is served on
hostname

Reverse DNS of the IP of the compromised website
tag

Attributes for the given event
application

Layer 7 protocol (HTTP/HTTPS)
asn

ASN of the IP hosting the compromised URL
geo

Country of the IP hosting the compromised URL
region

State or province from the Geo
city

City from the Geo
url

URI path of the component indicating the website compromise
http_host

Domain/IP part of the URL
category

Type of maliciousness the compromised website is being used for
system

Operating system on the server hosting the compromised website (Windows/Linux)
detected_since

Timestamp that the URL was first seen/verified to be compromised in UTC+0
server

Server side software such as Apache/Nginx
cc_url

In the case that a C&C server is involved, the URL of that server
family

Name of the malware family/type the website is compromised with/by
status

Status of the affected IP, for example, compromised
account

Account information, if relevant
detail

Any additional details for contextualization
public_source

Source of the data (may not be dislosed)

Sample

"timestamp","ip","port","hostname","tag","application","asn","geo","region","city","url","http_host","category","system","detected_since","server","redirect_target","naics","sic","sector","cc_url","family","status","account","detail","public_source"
"2010-02-10 00:00:00",192.168.0.1,443,node01.example.com,citrix;webshell,http,64512,ZZ,Region,City,,example.com,,,"2010-02-10 00:00:00",Apache,,0,0,"Education Services",,,,,,
"2010-02-10 00:00:01",192.168.0.2,80,node02.example.com,hacked-webserver-stealrat-t1,http,64512,ZZ,Region,City,modules/simpletest/tests/psr_0_test/lib/Drupal/psr_0_test/diff.php,example.com,spam,Linux,"2010-02-10 00:00:01",nginx/1.20.2,,0,0,,,,,,,
"2010-02-10 00:00:02",192.168.0.3,80,node03.example.com,hacked-webserver-stealrat-t1,http,64512,ZZ,Region,City,1wps/wp-content/plugins/rh/images/internet_explorer/css.php,example.com,spam,Linux,"2010-02-10 00:00:02","Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16",,0,0,,,,,,,

Our 119 Report Types

« Back to Network Reporting