Network Reporting

Every day, Shadowserver sends custom remediation reports to more than four thousand vetted subscribers, including nearly 100 national governments and many Fortune 500 companies. These reports are detailed, targeted, relevant and free. To become better informed about the state of your networks and their security exposures, subscribe now.

Our 73 Report Types

This report identifies DNS servers that have the potential to be used in DNS amplification attacks by criminals that wish to perform denial of service attacks. Sourced from Service Scan. Updated every 24 hours.

This report identifies hosts that have the X Display Manager service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

In this report, we summarize the total activity over all time for the top 25 ASNs related to Command and Controls for botnets. This is a summary from all data sources. Updated weekly (Sunday).

This report identifies URLs captured from botnet communications. Any URL that was seen in a botnet channel is reported. The URL could be an update, complaint, or information related to the criminals. Everything is included in case there is something of value in the URL. This data is sourced from Botnet monitoring. Updated every 24 hours.

This report identifies all the IPs that joined the sinkhole server that did not join via a referral URL. Sourced from Sinkholes. Updated every 24 hours.

This report identifies hosts that have the Android Debug Bridge (ADB) running, bound to a network port (5555/tcp) and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Apple Filing Protocol (AFP) running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Cisco Smart Install feature running and are accessible to the Internet at large. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an FTP instance running on port 21/TCP that’s accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that are running Hadoop and have either the NameNode or DataNode web interfaces running and accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have Remote Desktop (RDP) Service running and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an SMB instance running on port 445/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Secure Shell (SSH) service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a Telnet instance running on port 23/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a VNC instance running on port 5900/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the rsync service running, bound to a network port (873/tcp) and accessible on the Internet without a password. It’s a Service Scan, and it’s updated every 24 hours.

This report contains observed reflected amplification DDoS events. Sourced from Honeypots. Updated every 24 hours.

This report lists all the infected machines, drones, and zombies we were able to capture from the monitoring of IRC Command and Controls, the capturing of IP connections to HTTP botnets, or the IPs of Spam relays. Obtained from a variety of sources. Updated every 24 hours.

This report identifies hosts that have been observed performing brute force attacks. Sourced from Honeypots. Updated every 24 hours.

This report is the aggregation of a variety of different Blacklist providers, for end-users’ reference. This data is aggregated from blacklist providers. Updated every 24 hours.

This report identifies click-fraud attempts, which we see when botnets are given the direction to click on revenue-generating URLs. The specific URLs targeted are listed. Sourced from Botnet Monitoring. Updated every 24 hours.

This report provides information about specific hosts that were seen to be compromised from a botnet. These are usually seen when another infected system reports on each host that had been compromised. Sourced from Botnet Monitoring. Updated every 24 hours.

This report is a list of all the websites we or our partners have verified to be compromised, which are therefore likely to be abused for various types of attacks. Sourced from tracking systems. Updated every 24 hours.

These reports list all the currently known active C&Cs. Sourced from Tracking System. Updated every 7 days.

This report records traffic observed to darknet networks. Sourced from Darknet (Network Telescope). Updated every 24 hours.

These reports list out all the attacks and targets for a DDoS in your area of responsibility, whether the recipient is the target or the source of the attack. Sourced from Botnet Monitoring. Updated every 24 hours.

This report is a list of all the infected machines, drones, and zombies that we were able to capture from the monitoring of IRC Command and Controls, capturing IP connections to HTTP botnets, or the IPs of Spam relays. Sourced from Botnet Monitoring (IRC and HTTP) and Sinkholes. Updated every 24 hours.

This report summarizes the total activity over all time for the top 25 countries related to Command and Controls for botnets. This is a summary from all data sources. Updated weekly (Sunday).

This is a report of the source URLs from which malware was downloaded by the Honeypot systems. Sourced from Honeypots. Updated every 24 hours.

This report identifies hosts that have been observed performing HTTP-based scanning activity. Sourced from Honeypots. Updated every 24 hours.

This report identifies hosts that have been observed performing scanning activity against Industrial Control System (ICS) sensors. Sourced from Honeypots. Updated every 24 hours.

These reports summarize the ports used by IRC servers as Command and Control for a Botnet, sorted by most seen, highest rate of shutdown, and lowest rate of shutdown. This is a summary from all data sources. Updated weekly (Sunday).

This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft Sinkhole servers. Sourced from Sinkholes. Updated every 24 hours.

This report identifies hosts that appear to have an openly accessible backdoor on a Netcore/Netis router. It’s a Service Scan and is updated every 24 hours.

This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible NTP service running that responds to Mode 6 requests. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the CPE WAN Management Protocol (CWMP) running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the DB2 Discovery Service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible chargen service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Elasticsearch server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) running on some port and are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that appear to have an openly accessible IPMI service running that responds to an IPMI ping. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have an LDAP instance running on port 389/UDP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an LDAP instance running on port 389/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the mDNS service running and accessible from the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Memcached key-value server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible MongoDB NoSQL server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible MS-SQL Server Resolution Service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible NetBIOS service running. It’s a Service Scan and is updated every 24 hours.

This report identifies any host that appears to have an openly accessible portmapper service running that responds to an rpcinfo request. It’s a Service Scan and is updated every 24 hours.

This report detects open proxies or jump points, either used directly or sold to other criminals. Sourced from Search Engine Scraping, Botnets, and other sources. Updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Quote Of The Day service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Redis key-value server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible SNMP service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Simple Service Discovery Protocol service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the TFTP service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the Ubiquiti Discovery service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies IPv4 hosts that have been observed using an outdated DNSSEC Key. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies IPv6 hosts that have been observed using an outdated DNSSEC Key. It’s a Service Scan, and it’s updated every 24 hours.

This report detects proxy servers, which are commonly used to make malicious activity seem anonymous. This data is sourced from Botnet monitoring. Updated every 24 hours.

This report includes sets of URLs that were accessed by malware. There are two versions of this report: filtered and unfiltered. Sourced from our sandboxed systems. Updated every 24 hours.

This report is a summary of all the connections that the sandbox system saw for the specific interval. Sourced from our sandboxed systems. Updated every 24 hours.

This report is a summary of all the IRC based networks that were found after analyzing malware. Sourced from our sandboxed systems. Updated every 24 hours.

A list of email addresses used by malware during a sandbox run. Sourced from our sandboxed systems. Updated every 24 hours.

Vulnerability scanning is a standard part of any botnet arsenal. We report on these as a warning that specific network blocks are being targeted. It’s a Service Scan and is updated every 24 hours.

This report lists the IPv6 addresses for all the devices that connected to our IPv6 Sinkhole server. Sourced from Sinkholes. Updated every 24 hours.

A list of referral URLs that pushed systems to the sinkhole server. Sourced from Sinkholes. Updated every 24 hours.

A list of the URLs and relays for spam that was received. Sourced from spam and email. Updated every 24 hours.

This report identifies any host (IP) that could be used in an SSL FREAK attack. It’s a Service Scan and is updated every 24 hours.

This report identifies any host (IP) that appears to be vulnerable to an SSL POODLE attack. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that are potentially compromised with the SYNful Knock backdoor. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a vulnerable IKE service accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

Help us make the Internet more secure

The Shadowserver Foundation offers all services free of charge, for public benefit. We don’t sell data. Our funding comes from sponsorships, grants, and charitable donations.