Network Reporting

Please scroll down to see a full list of our reports and their details.

Every day, Shadowserver sends custom remediation reports to more than 8000 vetted subscribers, including 135 national governments (201 National CSIRTs) covering 175 countries and territories, as well as many Fortune 500 companies, ISPs, CSPs, banks, enterprises, universities, small businesses, etc. These reports are detailed, targeted, relevant, free and actionable. To become better informed about the state of your networks and their security exposures (your attack surface), subscribe now. Our data comes from daily Internet-wide scans, sinkholes, honeypot sensors, sandboxes, blocklists and many other sources.

You can learn more about our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

We recommend you also use our API to automate your process of report ingestion. We have published API helper scripts and a simple Report Manager tool on our GitHub page. For API access, you must request an API key. You can do so when signing up for our reports or later by contacting us.

If you are the final consumer of our data (i.e., are not a National or Sectoral CERT/ISAC type entity that acts as an information hub for its constituency), we suggest integrating our feeds with Splunk or Elasticsearch. We also support the Common Events Format. If you are acting on behalf of a larger constituency (especially a National or Sectoral CERT/ISAC type entity), free open source tools such as IntelMQ exist to help automate our feed parsing, handling and sharing.

Questions? Please have a look at our FAQ.


Our 131 Report Types

Basic API documentation

An API to allow querying of the collected SSL data from the daily SSL scans.

A module to allow trusted partners to query information about malware, networks, and trusted programs.

Returns routing details for a given address or ASN.

Returns a JSON response containing static details about the requested sample as well as antivirus vendor and signature details.

An API to query the different reports received as well as do basic queries of the data itself. This is meant as an optional replacement to the emails received with the report URLs.

Returns a JSON response containing the details for the requested program.

This report identifies hosts that have an ActiveMQ service running, bound to a network port (61616/TCP) and accessible on the Internet. It may also identify any vulnerabilities found. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Android Debug Bridge (ADB) running, bound to a network port (5555/TCP) and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Apple Filing Protocol (AFP) running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the AMQP service enabled on port 5672/TCP. It is a Service Scan and is updated every 24 hours.

This report identifies hosts that have the Apple Remote Desktop service on port 3283/udp running and accessible on the Internet. It is a Service Scan and it’s updated every 24 hours.

This report identifies hosts that have a BGP service accessible on port 179/TCP. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Cisco Smart Install feature running and are accessible to the Internet at large. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Constrained Application Protocol (CoAP) service enabled on port 5683/UDP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the CouchDB server enabled on port 5984/TCP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Docker service enabled on port 2375/TCP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Erlang Portmapper Daemon server enabled on port 4369/TCP and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an FTP instance running on port 21/TCP that’s accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that are running Hadoop and have either the NameNode or DataNode web interfaces running and accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have accessible HTTP proxies running on them. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) running on some port and are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that are responding to various specialized ICS protocol queries (such as Modbus or Siemens S7) – ie. are accessible on the Internet. These are various scans, and are updated every 24 hours.

The report identifies hosts that are responding to queries to the Kubernetes API service on ports 6443 and 443. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Microsoft Message Queuing (MSMQ) enabled and are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the MS RDP UDP extension service available. This service can be abused for amplification DDoS attacks. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a MySQL server instance accessible. This constitutes a potential attack surface. This is a Service Scan and is updated every 24 hours.

This report identifies hosts that have a PostgreSQL server instance accessible. This constitutes a potential attack surface. This is a Service Scan and is updated every 24 hours.

Quick UDP Internet Connections (QUIC) is a protocol that potentially will be used to replace standardized web traffic. More can be read at Wikipedia on the details of the protocol. This is a 443/UDP test to see if the server allows QUIC connections and which version of that protocol is available. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Radmin service running on port 4899/TCP and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have Remote Desktop (RDP) Service running and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the SIP service running and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Service Location Protocol (SLP) running and are accessible to the world on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an SMB instance running on port 445/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an SMTP instance running on port 25/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the Secure Shell (SSH) service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an SSL/TLS service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a Telnet instance running on port 23/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a VNC instance running on port 5900/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the rsync service running, bound to a network port (873/tcp) and accessible on the Internet without a password. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies all hosts that have a SOCKS 4/5 proxy running on port 1080/tcp. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies all hosts that have a STUN service running on port 3478/udp. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies all hosts that have a WS-Discovery service running on port 3702/udp. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the X Display Manager service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report is the aggregation of a variety of different Block list providers, for end-users’ reference. This data is aggregated from blacklist providers. Updated every 24 hours.

Exposed F5 iControl REST API one-off Special Report. This is related to the CVE-2022-1388 vulnerability that was recently published. Exposed endpoints have likely been compromised or will be if not patched. If you receive a report of an exposed endpoint, act immediately.

This report is a list of compromised e-mail accounts we or our collaborative partners have uncovered (ie. for which we believe attackers have obtained credentials). This is currently not in the form of a daily report, but sent as a one-off whenever we obtain access to new lists.

This report aggregates information about compromised IoT devices detected through other means than HTTP-based scan detection.

This report is a list of compromised SSH hosts we or our collaborative partners have uncovered. This is currently not in the form of a daily report, but sent as a one-off when new data is obtained.

This report is a list of all the websites we or our partners have verified to be compromised, which are therefore likely to be abused for various types of attacks. Sourced from tracking systems. Updated every 24 hours.

This report records traffic observed to darknet networks (ie. network telescopes). Updated every 24 hours.

This report identifies devices that we have uncovered in our daily Internet scans. Devices are identified by vendor, model and device type. Updated every 24 hours.

This report contains information about IPs involved in DDoS attacks. It is sourced from networking devices observing attacks to a victim or from the target itself. Note the attacking IPs may be the actual IPs used for attacks, or they might be IPs with exposed services used in reflection attacks. Finally, traffic might also be spoofed. The report will activate whenever data is available.

This report identifies DNS servers that have the potential to be used in DNS amplification attacks by criminals that wish to perform denial of service attacks. Sourced from Service Scan. Updated every 24 hours.

This report identifies hosts scanning for exposed ADB services. Sourced from honeypots. Updated every 24 hours.

This report is a list of amplification DDoS events observed by honeypots. Updated every 24 hours.

This report is a list of brute force events observed by honeypots. Updated every 24 hours.

This report contains information about DDoS attack commands observed by honeypot drones. If you are getting this report, it means a C2 (src_ip) issuing the attack command was located on your network or constituency. Updated every 24 hours.

This report contains information about DDoS attack targets observed by honeypot drones. If you are getting this report, it means an IP (dst_ip) that was targeted was located on your network or constituency (attack destination). Updated every 24 hours.

This report is a list of HTTP scan and exploit attempts observed by honeypots. Updated every 24 hours.

This report is a list of ICS protocol scans observed by honeypots. Updated every 24 hours.

This report is a list of IKEv2 scan and exploit attempts observed by honeypots. Updated every 24 hours.

This report is a list of RDP scan and exploit attempts observed by honeypots. Updated every 24 hours.

This report identifies hosts scanning for exposed RocketMQ services. Sourced from honeypots. Updated every 24 hours.

This report is a list of SMB scan and exploit attempts observed by honeypots. Updated every 24 hours.

IcedID/Latrodectus historical bot infections from Operation Endgame. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

This report provides a current view of ingress/egress filtering and susceptibility to IP source packet forging (spoofing) on a given network. Sourced from CAIDA. Updated every 24 hours.

This report provides a view of devices (IPs) that can be abused for Loop DoS attacks. This is a scan based report. Updated every 24 hours.

This report contains URLs observed as part of exploitation attempts in the last 24 hours. They are most likely used to spread malware or act as C2 instances. Sourced primarily from honeypots, but other sources are possible. Updated every 24 hours.

This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft non-HTTP Sinkhole servers. Sourced from Sinkholes. Updated every 24 hours.

This report identifies the IP addresses of all the devices that were reported to Shadowserver from Microsoft after communicating with Microsoft HTTP Sinkhole servers. Sourced from Sinkholes. Updated every 24 hours.

This report identifies hosts that appear to have an openly accessible backdoor on a Netcore/Netis router. It’s a Service Scan and is updated every 24 hours.

This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible NTP service running that responds to Mode 6 requests. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have a BGP service accessible on port 179/TCP and accept BGP OPEN Messages. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the CPE WAN Management Protocol (CWMP) running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the DB2 Discovery Service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts running the DVR DHCPDiscover service on port 37810/udp and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible chargen service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Elasticsearch server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts running an open HTTP proxy service (ie. one not requiring authentication). It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible IPMI service running that responds to an IPMI ping. It’s a Service Scan and is updated every 24 hours.

This report identifies devices that have an open IPP (Internet Printing Protocol) service enabled on port 631/TCP. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have an LDAP instance running on port 389/UDP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have an LDAP instance running on port 389/TCP that are accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have the mDNS service running and accessible from the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Memcached key-value server running. It’s a Service Scan and is updated every 24 hours.

The report identifies hosts that appear to have an openly accessible MQTT service running. It is a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible MongoDB NoSQL server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible MS-SQL Server Resolution Service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible NetBIOS service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible NetBIOS service running. It’s a Service Scan and is updated every 24 hours.

This report identifies any host that appears to have an openly accessible portmapper service running that responds to an rpcinfo request. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Quote Of The Day service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Redis key-value server running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible SNMP service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that appear to have an openly accessible Simple Service Discovery Protocol service running. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the TFTP service running and accessible on the Internet. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that have the Ubiquiti Discovery service running and accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts running Post-Exploitation Frameworks. It is updated every 24 hours.

This report includes sets of URLs that were accessed by malware. There are two versions of this report: filtered and unfiltered. Sourced from our sandboxed systems. Updated every 24 hours.

This report is a summary of all the connections that the sandbox system saw for the specific interval. Sourced from our sandboxed systems. Updated every 24 hours.

This report is a summary of all the IRC based networks that were found after analyzing malware. Sourced from our sandboxed systems. Updated every 24 hours.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

This is a manually processed report of ransomware victims announced on leak sites. May fall out of our typical 24-hour reporting window.

This report lists IPs connecting to (non-HTTP based) sinkholes. It is updated every 24 hours.

This report identifies IPs of recursive DNS servers querying for sinkholed domains. Sourced from sinkholes. Updated every 24 hours.

This report identifies all the IPs that joined an HTTP sinkhole server that did not join via a referral URL. Sourced from HTTP sinkholes. Updated every 24 hours.

A list of referral URLs that pushed systems to HTTP sinkhole servers. Sourced from Sinkholes. Updated every 24 hours.

A list of the URLs and relays for spam that was received. Sourced from spam and email. Updated every 24 hours.

This report identifies any host (IP) that could be used in a SSL FREAK attack. It’s a Service Scan and is updated every 24 hours.

This report identifies any host (IP) that appears to be vulnerable to a SSL POODLE attack. It’s a Service Scan and is updated every 24 hours.

This report identifies hosts that are potentially compromised with the SYNful Knock backdoor. It’s a Service Scan, and it’s updated every 24 hours.

SystemBC historical bot infections from Operation Endgame. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

This report identifies devices that can be abused for TCP Middlebox reflection DDoS attacks. It’s a Service Scan, and it’s updated every 24 hours.

Special report on vulnerable CUPS instances discovered by a scan from an external party. This is a one-off report.

This report identifies potentially vulnerable Microsoft Exchange Servers. It’s a Service Scan, and it’s updated every 24 hours.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

A special one-off report type dedicated to Fortinet FortiManager devices targeted/compromised using CVE-2024-47575. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

A special one-off report type dedicated to Fortinet devices. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

The report identifies hosts that have an HTTP server exposed with a potential vulnerability. It’s a Service Scan, and it’s updated every 24 hours.

This report identifies hosts that have a vulnerable IKE service accessible on the Internet. It’s a Service Scan, and it’s updated every 24 hours.

This report is a one-off Special report on vulnerable Ivanti Secure Connect devices. This is sourced from a scan.

A special one-off report type. It is not sent every 24 hours but activated in special cases when we come across highly valuable incident datasets that fall out of the typical 24-hour reporting cycle.

The report identifies hosts that have an SMTP server exposed with a potential vulnerability. It’s a Service Scan, and it’s updated every 24 hours.

This one-off special report identifies vulnerable or compromised Qlik Sense instances. This is a scan based report.

Help us make the Internet more secure

The Shadowserver Foundation offers all services free of charge, for public benefit. We don’t sell data. Our funding comes from sponsorships, grants, and charitable donations.