DESCRIPTION LAST UPDATED: 2024-11-21
DEFAULT SEVERITY LEVEL: CRITICAL
This report is a list of all the websites we (or our collaborative partners) have been able to identify and verify to be compromised. The report is meant to cover a broad category of web related compromises. It may include a compromised CMS for example, but also includes devices that we have detected to be compromised with webshells or implants that are accessible via HTTP.
The reason for listing will be provided either in the “tag” or the “category” field of the report. Please also review the “url” and “detail” fields for contextualization. Please note that when attempting to remotely identify a webshell by connecting to a url specified in the report, a 404 reply does not imply that the webshell does not exist: the implant may only respond to specific requests, or may have been moved or removed since our scan. Make sure to investigate on the compromised system side!
As always, there is no guarantee that there are no additional infections or compromises on any IP that we report on. We have seen several different threat actors abusing the same compromised system for different purposes. We recommend investigating systems with the assumption that there are more compromises on the systems than are reported.
The following compromises are being reported:
- Palo Alto Networks devices (PAN-OS Management Interface CVE-2024-0012 related compromises). This is based on a query detecting compromise-related artefacts. Events tagged as “panos-compromised“. For additional context on PAN-OS attacks, see https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/ [tagging first added 2024-10-26].
- Samsung Techwin Network Video Recorder (NVR) Web Viewer devices compromised with a webshell. Check for a webshell file named update.php in the /root/webviewer/ directory. Events tagged as “http;samsung-techwin-nvr-web-viewer;webshell“. See our Dashboard tracker for latest scan results. [tagging first added 2024-09-26]
- TellYouThePass ransomware compromised devices from PHP CVE-2024-4577 exploitation campaigns. See the Imperva article and the BleepingComputer article. [tagging added 2024-06-19]
- Qlik Sense instances that have been compromised by the Cactus ransomware group (as a result of CVE-2023-48365, CVE-2023-41265 and CVE-2023-41266 exploitation campaigns). Please find the details in the “Sifting through the spines: identifying (potential) Cactus ransomware victims” blog by Fox-IT. Compromised instances are determined remotely by checking for the presence of files with a .ttf or .woff file extension. Tagged as “injected-code;qliksense;ssl;webshell“. See our Dashboard tracker for latest scan results. [tagging first added 2024-04-25]
- Ivanti Connect Secure VPN devices that have signs of compromise (observed backdoor activity) as a result of CVE-2024-21893 attack campaigns. These checks are based on the Orange Cyberdefense publication. Tagged as “backdoor-activity;ivanti-connect-secure“. See our Dashboard tracker for latest scan results. [tagging added 2024-02-09]
- Ivanti Connect Secure VPN devices with injected credential stealer code installed as part of CVE-2024-21887 and CVE-2023-46805 attack campaigns. Tagged as “ivanti-connect-secure;credential-stealer;injected-code“. See our Dashboard tracker for latest scan results.
- Ivanti Connect Secure VPN devices: GIFTEDVISITOR webshell variant installed as part of CVE-2024-21887 and CVE-2023-46805 exploitation campaign as discovered by Volexity. Data shared in collaboration with Volexity. Tagged “ivanti-connect-secure;webshell“. See our Dashboard tracker for latest scan results. If you received a report on your network/constituency, please check out the suggested recovery steps from Ivanti (and investigate your network for wider possible compromise).
- Device implants installed as part of the Cisco IOS XE compromises described in the Cisco Talos blog Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities. This is tagged “device-implant“
- Citrix webshells installed as part of CVE-2023-3519 exploitation campaigns (please see Technical Summary of Observed Citrix CVE-2023-3519 Incidents and Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells). Tagged “citrix” and “webshell“.
- Citrix code-injections, also installed as part of CVE-2023-3519 exploitation campaigns and used for credential harvesting (please see the IBM X-Force writeup). Tagged “citrix” and “injected-code“, with “detail” specifying also the detected injected domain used to steal credentials.
- Webservers compromised by StealRat, tagged “hacked-webserver-stealrat-t1” or “redirecting-to-stealrat-t1“.
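The tag field above is a semicolon-separated list, and several entries differ only by the combination of tokens (for example “citrix;webshell” versus “citrix;injected-code”). The following is an added triage example, not Shadowserver code: it splits the tag field into tokens, matches each row against the tag families listed on this page, and emits the host-side check the description points at. The CSV columns and row values are constructed for the example; the real report carries more columns, and the IPs and domain are reserved documentation values.

```python
import csv
import io

# Constructed sample rows in the shape this page describes (tag/category/url/detail);
# the column set and every value here are assumptions for the example, not report data.
SAMPLE_CSV = """timestamp,ip,tag,category,url,detail
2024-11-21 03:12:09,192.0.2.10,http;samsung-techwin-nvr-web-viewer;webshell,compromised,http://192.0.2.10/,
2024-11-21 03:12:11,192.0.2.20,injected-code;qliksense;ssl;webshell,compromised,https://192.0.2.20/,
2024-11-21 03:12:13,192.0.2.30,citrix;injected-code,compromised,https://192.0.2.30/,injected-domain.example.invalid
2024-11-21 03:12:15,192.0.2.40,panos-compromised,compromised,https://192.0.2.40/,
2024-11-21 03:12:17,192.0.2.50,ivanti-connect-secure;webshell,compromised,https://192.0.2.50/,
"""

# Tag families named in the report description, mapped to the on-host check the
# description gives. A rule fires when all of its tokens appear in the row's tag set,
# so "citrix;webshell" and "citrix;injected-code" get different guidance.
GUIDANCE = [
    ({"samsung-techwin-nvr-web-viewer", "webshell"},
     "Check the NVR for /root/webviewer/update.php."),
    ({"qliksense", "webshell"},
     "Look for unexpected .ttf / .woff files served by Qlik Sense (see the Fox-IT blog)."),
    ({"ivanti-connect-secure"},
     "Follow Ivanti's recovery steps and hunt for wider compromise in the network."),
    ({"citrix", "injected-code"},
     "Credential-harvesting injection; the 'detail' field names the injected domain."),
    ({"citrix", "webshell"},
     "Citrix webshell from CVE-2023-3519 campaigns."),
    ({"panos-compromised"},
     "PAN-OS management interface compromise artefacts (see the Unit 42 write-up)."),
    ({"device-implant"},
     "Cisco IOS XE implant (see the Cisco Talos blog)."),
    ({"hacked-webserver-stealrat-t1"}, "Web server compromised by StealRat."),
    ({"redirecting-to-stealrat-t1"}, "Web server redirecting to StealRat infrastructure."),
]

# Per the description, a remote 404 on the reported URL does not clear the host.
HOST_SIDE_NOTE = "Verify on the system itself; a 404 on the reported url is not a clean result."


def parse_tags(tag_field):
    """Split the semicolon-separated tag field into a set of non-empty tokens."""
    return {t.strip() for t in tag_field.split(";") if t.strip()}


def triage(csv_text):
    """Return one triage record per report row: ip, sorted tags, and the actions to take."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tags = parse_tags(row["tag"])
        actions = [text for needed, text in GUIDANCE if needed <= tags]
        if not actions:
            actions.append("Unrecognised tag set; read tag, category, url and detail by hand.")
        if row.get("detail"):
            actions.append(f"detail: {row['detail']}")
        actions.append(HOST_SIDE_NOTE)
        records.append({"ip": row["ip"], "tags": sorted(tags), "actions": actions})
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_CSV):
        print(rec["ip"], ";".join(rec["tags"]))
        for action in rec["actions"]:
            print("   -", action)
```

The subset match (`needed <= tags`) is deliberate: extra tokens such as “http” or “ssl” in the tag field should not stop a rule from firing, while a rule that needs two tokens will not fire on rows that carry only one of them.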
You can track current compromised website detections on our Dashboard, by selecting compromised_website or compromised_website6 as a source. You can view specific detection types by selecting the tags, for example, all current Citrix compromises.
You can learn more about the report in our Compromised Website Report tutorial.
You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.
This report comes in two versions – for IPv4 and IPv6.
Severity levels are described here.
Filename(s): compromised_website, compromised_website6