On 15 September 2015, FireEye published information about potentially compromised Cisco routers under the name SYNful Knock. As soon as Shadowserver became aware of these potential compromises, Shadowserver and Cisco cooperated to scan the internet for affected routers so that the affected end-users could be notified more accurately. We are pleased to partner with Cisco on its response to SYNful Knock. Cisco supported the initial public disclosure of this malware and has created an Event Response Page for its customers.
We are sending a specifically crafted SYN packet to port 80/tcp on all computers with routable IPv4 addresses that are not firewalled from the internet, and capturing the SYN-ACK response. We intend no harm, but if we are causing problems, please contact us at: dnsscan [at] shadowserver [dot] org.
To be removed from this scan, you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDRs that you would like to have removed. You will have to be the verifiable owner of these CIDRs and be able to prove that fact. Any address space that is whitelisted will be publicly available here: https://synfulscan.shadowserver.org/exclude.html
If you would like other statistics and information on historical trends, please take a look at: https://synfulscan.shadowserver.org/stats/. Otherwise, stats from the most current scan are listed below.
If you would like us to not scan your network, please let us know and we will remove your networks from the scan.
Likewise, if you have any more questions, please feel free to send us an email at: dnsscan [at] shadowserver [dot] org