Data Source Catalog

List of all IP Addresses which are so called Open NTP servers. For a description of what an open NTP server is, please see http://www.internetsociety.org/doc/amplification-hell-revisiting-network-protocols-ddos-abuse

List of open SSDP ports found via scanning.

A list of open SNMP ports found via scanning

Regular spam emails (full text including email headers)

Regular spam emails (full text including email headers)

The Android Malware tracker main purpose is to keep track of the Android malware HTTP C&Cs (and probably telephone numbers in the future). All of the links are verified manually and are live when they are added. However, there is no guarantee that the links are in any way suitable for the purpose that you have in mind. In other words: you are using it AS IS and you are responsible for anything that may happen.

badips.com is a community based IP blacklist service. You can report malicious IPs and you can download blacklists or query our API to find out if a IP is listed. We refer to a ‘badip’ or ‘badips’ as an IP that was seen in context with malicious activities on hosts which are connected with the internet. These activities include, but are not limited to, brute force login attempts, SPAM delivery attempts, Form SPAM attempts or (D)DOS attacks and so on and so forth.

Master Feed of known, active and non-sinkholed C&Cs domain names

The dga-feed list is a listing of all known DGA generated. This data doesn’t necessarily mean these domains are malicious. In fact, most domains are unregistered, but nonsense domains tend to indicate malicious activity. This feed is provided for informational purposes only and author assumes no Liability. Domains used by malware for domains 2 days prior to 3 days after the current data.

All IP addresses that have attacked one of customers/servers in the last 48 hours. Services include: sh, mail, apache, imap, ftp, sip, ircbots, bruteforce logins on CMSes. Can be obtained

Public API of threat map with information about crime servers.

BruteForceBlocker is a perl script, that works along with pf – firewall developed by OpenBSD team. When this script is running, it checks sshd logs from syslog and looks for Failed Login attempts – mostly some annoying script attacks, and counts number of such attempts.

Cisco’s SenderBase.org provides a view into real-time threat intelligence across web and email. SenderBase is powered by Cisco Talos, the industry-leading threat intelligence organization dedicated to providing protection before, during, and after cybersecurity threats. The data is made up of over 100TB of daily security intelligence across over 1.6 million deployed Web, Email, Firewall and IPS appliances.

Information about phishing sites, URLs linking to malware and taken over portals/network resources.

Tracking the C&Cs panels.

Tracking the C&Cs panels, malicious links, phishing sites and e-mails.

The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting.

Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D. Feodo Tracker offers various types of blocklists that allows you to block Feodo botnet C&C traffic.

GreenSnow is a team consisting of the best specialists in computer security, we harvest a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, …

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites.

List of Tor nodes in format: |||||||

Malc0de database delivers information about URLs which serve malware, i.e. malicious executables. There is an IP address and AS number associated with every URL as well as MD530 hash of binary with hyperlink to report from ThreatExpert service.

Malware Domain List is a non-commercial community project. It collects information about domain names connected with mawlare, e.g. C&C servers, gateways to EK, phishing sites, infection pages etc

The Malware Patrol project began in 2005 as an open source community for sharing malicious URLs. This community, more active than ever, continues to collect, analyze, and monitor malware. We are proud to provide a platform and resources to facilitate the collection and distribution of our community’s data. We believe that information sharing is one of the most effective ways to fight against cyber threats. Our data is available in the form of URL block lists. In return for the valuable information available on these block lists, we ask only that you share with the community any new threat you may detect by emailing void@malware.com.br.

Free information and statistics from honeypot systems including: DNS amplification, SSH, telnet, web, SNMP.

The OpenBL.org project (formerly known as the SSH blacklist) is about detecting, logging and reporting various types of internet abuse. Currently our hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.

OpenPhish launched in June 2014 as a result of a three-year research project on phishing detection. The research yielded a set of autonomous algorithms for detecting zero-day phishing sites. These algorithms form a self-contained kernel that can tell whether a given URL is a phish or not. Essentially, OpenPhish is the algorithmic kernel complemented with data extraction and analysis functionalities for generating various feeds. Any data provided by OpenPhish via its site and feeds can be used for non-commercial and internal business purposes only. For any other commercial use of the data, you must obtain OpenPhish’s written permission in advance.

At the heart of Open Threat Exchange is the pulse, an investigation of an online threat. Pulses describe any type of online threat including malware, fraud campaigns, and even state sponsored hacking. Pulses are comprised of indicators of compromise (or IoCs), which describe the infrastructure of that threat – including IPs, file hashes, e-mail addresses affiliated with the threat, etc. Due to the ever-changing threat landscape, OTX takes a dynamic approach with how threat intelligence is shared. Threats are easily searchable and identified by keywords related to the attack. Users can also subscribe to pulses created by fellow members of the OTX community. When a user creates or updates a pulse, subscribers are notified and any systems they have instrumented with OTX data are automatically updated.

PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.

Ransomware Tracker to distinguishes between the following threats: Ransomware botnet Command & Control servers (C&Cs), Payment Sites, Distribution Sites

Domain is blacklisted by applying some criteria: fake content, phishing, get rich quick scam, spam, fraud, rogue pharmacy, malware. User submission available.

The Spamhaus DROP (Don’t Route Or Peer) lists are advisory “drop all traffic” lists, consisting of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.

List of IP addresses of attackers

IP blacklist of spammers

Virbl is a project of which the idea was born during the RIPE-48 meeting. The plan was to get reports of virusscanning mailservers, and put the IP-addresses that were reported to send viruses on a blacklist.

URLs linking to malware with MD5.

ZeuS Tracker provides you the possiblity to track ZeuS Command&Control servers (C&C) and malicious hosts which are hosting ZeuS files. ZeuS tracker captures and tracks ZeuS hosts aswell as the associated config files, binaries and dropezones. The main focus is to provide system administrators the possiblity to block well-known ZeuS hosts and to avoid and detect ZeuS infections in their networks. For this purpose, ZeuS Tracker offers several blocklists (see ZeuS blocklist).

Last 20 special defacements published, updated every 5 minutes