CRITICAL: Sinkhole HTTP Events Report

DESCRIPTION LAST UPDATED: 2023-12-06

DEFAULT SEVERITY LEVEL: CRITICAL

This report contains events (connections) to HTTP Sinkholes. Sinkholing is a technique whereby a resource used by malicious actors to control malware is taken over and redirected to a benign listener that can (to a varying degree) understand connections coming from infected devices.

This report identifies the IP addresses from all the devices that joined a sinkhole server that did not arrive through an HTTP referrer.

Since a sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list. However, the sinkholes may also pick up web crawlers requesting malicious domains.

This report can come in 2 versions, one for IPv4 only connections, the other for IPv6 only connections.

You can learn more on the report in our Sinkhole HTTP Events Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

Severity levels are described here.

File names: event4_sinkhole_http and event6_sinkhole_http.

As of 30th March 2021, the following infections are being observed across all the sinkholes (this includes non-HTTP sinkholes) and shared out:

android_spams

android.bakdoor.prizmes

android.bankbot

android.banker.anubis

android.bankspy

android.darksilent

android.digitime.fota

android.fakeav

android.fakebank

android.fakedoc

android.fakemart

android.fobus

android.fungram

android.gopl

android.hqwar

android.hummer

android.iop

android.milipnot

android.nitmo

android.opfake

android.premiumtext

android.provar

android.rootnik

android.rotexy

android.skyfin

android.smsbot

android.smssilence

android.smsspy

android.smsspy.be24

android.sssaaa

android.teleplus

android.uupay

android.voxv

andromeda

andromeda-b66

avalanche-andromeda

avalanche-bolek

avalanche-citadel

avalanche-corebot

avalanche-dofoil

avalanche-generic

avalanche-gozi2

avalanche-goznym

avalanche-kins

avalanche-marcher

avalanche-matsnu

avalanche-nymaim

avalanche-pandabanker

avalanche-ranbyus

avalanche-rovnix

avalanche-smartapp

avalanche-teslacrypt

avalanche-tinba

avalanche-trusteer

avalanche-unknown

avalanche-urlzone

avalanche-vawtrak

avalanche-xswkit

b54-base

b54-code

b54-config

b54-old

b68-zeroaccess-1-32bit

b68-zeroaccess-1-64bit

b68-zeroaccess-2-32bit

b68-zeroaccess-2-64bit

banatrix

bankpatch

bebloh

bedep

beebone

betabot

bitcoinminer

blackbeard

blakamba

boaxxe

bolek

buhtrap

calypso

caphaw

carberp

chinad

citadel

cobaltstrike

coinminer

comment

conficker

corebot

cryptowall

cve-2009-4324

cycbot

diaminer

dipverdle

dircrypt

disorderstatus

dltminer

dmsniff

dofoil

domreg

dorkbot

dorkbot-ssl

downadup

dresscode

dybalom

emissary-panda

emotet

emotet-c2

enfal-apt

esfury

expiro

exploitkit.fallout

extenbro

fake_cs_updater

familyphotos-apt

flubot

fobber

foxbantrix

foxbantrix-unknown

generic

generic.malware

geodo

ghost-push

goldmax

gootkit

gozi

gozi2

goznym

gspy

gtfobot

hancitor

harnig

ibanking

icedid

iframe exploit

infected

infy-apt

iotreaper

ircbot-b58

isfb

jadtre

jdk-update-apt

js.worm.bondat

junk-domains

kasidet

kbot

kelihos

kelihos.e

keylogger

keylogger-ftp

keylogger-vbklip

kidminer

kingminer

kins

koobface

kovter

kronos

kwampirs

lethic

linux.backdoor.setag

linux.ngioweb

litemanager

loader

lurkbanker

machbot

machete-apt

magecart

maliciouswebsites

malwaretom

marcher

matrix

matsnu

menupass

mewsspy

minr

mirai

mix2

mkero

monero

mozi

muddywater

murofet

mysafeproxymonitor

nametrick

necurs

netsupport

nettraveler

neurevt

nitol

nivdort

nymaim

osiris

osx.fakeflash

pandabanker

phishing

phorpiex

pitou

plasma-tomas

poseidon

powerstats

proxyback

pushdo

pws.pony

pykspa

qadars

qakbot

qqblack

qrypter.rat

qsnatch

ramdo

ramnit

ranbyus

ransomware

ransomware.shade

renocide

rovnix

sality

sality_old

sality2

shadowpad

shifu

shiz

silon

sinowal

sisron

skunkx

smartapp

sodinokibi

sphinx

spyeye

ssl

ssl-az7

ssl-unknown-bot-test

ssl-vmzeus

stantinko

sunburst

sykipot-apt

teslacrypt

threatneedle

tick

tinba

tinba-dga

tonto-team

torpig

trickbot

trickbot-c2

trickbot-c2u

trickbot-fallback-c2

trickbot-iot-c2

trojan.click3

trojan.includer

trojan.win32.razy.gen

trusteer

tsifiri

unityminer

unknown

unknown-apt

unknown-bot-test

urlzone

valak

vawtrak

vbklip

verst

victorygate.a

victorygate.b

victorygate.c

vinself

virut

vmzeus

vpnfilter

wannacrypt

wauchos

win.neurevt

winnti

worm.phorpiex

wowlik

wrokni

x-agent

xcodeghost

xmrminer

xshellghost

xswkit

yash rat

yoddos

yzf

zeus

zeus_gameover

zeus_panda

zloader

Fields

timestamp

Timestamp when the IP was seen in UTC+0
protocol

Packet type of the connection traffic (UDP/TCP)
src_ip

The IP of the device in question
src_port

Source port of the IP connection
src_asn

ASN of the source IP
src_geo

Country of the source IP
src_region

Region of the source IP
src_city

City of the source IP
src_hostname

Reverse DNS of the source IP
src_naics

North American Industry Classification System Code
src_sector

Sector to which the IP in question belongs; e.g. Communications, Commercial
device_vendor

Source device vendor
device_type

Source device type
device_model

Source device model
severity

Severity level
dst_ip

Destination IP
dst_port

Destination port of the IP connection
dst_asn

ASN of the destination IP
dst_geo

Country of the destination IP
dst_region

Region of the destination IP
dst_city

City of the destination IP
dst_hostname

Reverse DNS of the destination IP
dst_naics

North American Industry Classification System Code
dst_sector

Sector to which the IP in question belongs; e.g. Communications, Commercial
public_source

Source of the event data
infection

Description of the malware/infection
family

Malware family or campaign associated with the event
tag

Event attributes
application

Application name associated with the event
version

Software version associated with the event
event_id

Unique identifier assigned to the source IP or event
http_url

HTTP request
http_host

HTTP host extracted from the URL
http_agent

HTTP user agent
forwarded_by

HTTP proxy header
ssl_cipher

SSL cipher used
http_referer

Content of the HTTP referer
ssl_servername

SSL servername

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","severity","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","http_url","http_host","http_agent","forwarded_by","ssl_cipher","http_referer","ssl_servername"
"2010-02-10 00:00:00",tcp,192.168.0.1,49240,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",,,,critical,172.16.0.1,80,65534,ZZ,Region,City,node01.example.net,0,"Communications, Service Provider, and Hosting Service",,avalanche-andromeda,andromeda,avalanche,,,,/api/v1/update,node01.example.com,,,,http://example.net,
"2010-02-10 00:00:01",tcp,192.168.0.2,17433,64512,ZZ,Region,City,node02.example.com,0,,,,,critical,172.16.0.2,80,65534,ZZ,Region,City,node02.example.net,0,"Communications, Service Provider, and Hosting Service",,avalanche-andromeda,andromeda,avalanche,,,,/api/v1/update,node02.example.com,,,,http://example.net,
"2010-02-10 00:00:02",tcp,192.168.0.3,29019,64512,ZZ,Region,City,node03.example.com,0,,,,,critical,172.16.0.3,80,65534,ZZ,Region,City,node03.example.net,0,"Communications, Service Provider, and Hosting Service",,avalanche-andromeda,andromeda,avalanche,,,,/api/v1/update,node03.example.com,,,,http://example.net,

Our 131 Report Types

« Back to Network Reporting