LEGACY: Microsoft Sinkhole Report

UPDATED: 2021-06-08

This report has been replaced by Microsoft Sinkhole Events Report and Microsoft Sinkhole HTTP Events Report.

This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft Sinkhole servers.

The format is the same as the Sinkhole HTTP Drone report.

Fields

  • timestamp
    Timestamp in UTC+0 when the IP accessed the sinkhole system
  • ip
    IP that accessed the sinkhole
  • asn
    ASN of the IP
  • geo
    Country location of the IP
  • url
    HTTP request
  • type
    Drone type (if known)
  • http_agent
    HTTP agent
  • tor
    If client is a TOR exit node
  • src_port
    TCP source port
  • p0f_genre
    First level TCP test of the Operating System
  • p0f_detail
    Detailed results of the OS test
  • hostname
    Reverse DNS of the IP
  • dst_port
    TCP destination port
  • http_host
    Domain accessed by the IP
  • http_referer
    HTTP Referer
  • http_referer_asn
    HTTP Referer ASN
  • http_referer_geo
    HTTP Referer country code
  • dst_ip
    Sinkhole IP the target accessed (if available)
  • dst_asn
    Sinkhole ASN the target accessed (if available)
  • dst_geo
    Sinkhole GEO the target accessed (if available)

Sample

"timestamp","ip","asn","geo","url","type","http_agent","tor","src_port","p0f_genre","p0f_detail","hostname","dst_port","http_host","http_referer","http_referer_asn","http_referer_geo","dst_ip","dst_asn","dst_geo"
"2014-09-12 00:00:00","77.12.73.138",6805,"DE",,"b68-zeroaccess-1-64bit",,,64742,,,,16470,,,,,,"168.63.184.224",8075,"SG"
"2014-09-12 00:00:00","109.64.133.187",8551,"IL",,"b68-zeroaccess-1-64bit",,,62473,,,,16470,,,,,,"168.63.202.23",8075,"HK"
"2014-09-12 00:00:00","187.24.22.90",22085,"BR",,"b68-zeroaccess-1-32bit",,,1030,,,,16471,,,,,,"82.192.70.219",16265,"NL"
"2014-09-12 00:00:00","118.158.226.105",2516,"JP",,"b68-zeroaccess-1-64bit",,,49152,,,,16470,,,,,,"168.63.184.224",8075,"SG"
"2014-09-12 00:00:00","173.196.9.222",20001,"US",,"b68-zeroaccess-2-32bit",,,55253,,,,16464,,,,,,"207.46.138.117",8075,"HK"
"2014-09-12 00:00:00","42.112.141.154",18403,"VN",,"b68-zeroaccess-2-32bit",,,29554,,,,16464,,,,,,"168.63.240.164",8075,"SG"
"2014-09-12 00:00:00","12.179.112.155",7018,"US","/index.php","caphaw","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.8077)",,57067,,,,443,"204.95.99.205",0,,,,"204.95.99.205",8075,"US"
"2014-09-12 00:00:00","70.60.43.102",10796,"US","/ping.html","caphaw","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.7357)",,2266,,,,443,"xf5wau9lcpf5.oonucoog.cc",0,,,,"204.95.99.204",8075,"US"
"2014-09-12 00:00:00","189.108.25.26",10429,"BR","/index.php","caphaw","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.9121)",,50634,,,,443,"3k3kwrnj.rgk.cc",0,,,,"204.95.99.204",8075,"US"
"2014-09-12 00:00:01","66.245.69.124",6983,"US","/wild/live/file.php","citadel-b54","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; BRI/1)",,3130,,,,80,"ultimaresource.com",0,,,,"199.2.137.201",3598,"US"
"2014-09-12 00:00:01","50.52.19.180",5650,"US","/file-b29d40.php","citadel-b54","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 3.5.21022)",,52176,,,,80,"199.2.137.202",0,,,,"199.2.137.202",3598,"US"
"2014-09-12 00:00:01","99.243.32.48",812,"CA","/367601b6737825deb58a244576e4f098/file.php","citadel-b54","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; AskTB5.6)",,49725,,,,80,"prohomemain.com",0,,,,"199.2.137.201",3598,"US"
"2014-09-12 00:00:01","106.156.210.197",2516,"JP","/view/file.php","citadel-b54","Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; AskTbFWV5/5.11.3.15590)",,55400,,,,80,"ronapri.com",0,,,,"199.2.137.202",3598,"US"
"2014-09-12 00:00:01","138.217.89.25",1221,"AU","/message.php","bamital-b58","Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; .NET4.0C)",,62254,,,,80,"9A5BB34EEDE4B85B9E81F40D530B68FF.co.cc",0,,,,"199.2.137.201",3598,"US"

Our 124 Report Types