Why am I seeing connection attempts from this host?

The connections you see are part of an independent research project being conducted by computer scientists, information security specialists, and engineers through a collaboration among numerous organizations. This research aids us in providing useful feedback and information related to the state of the internet as it relates to information security and protocol development.

As part of our research, we periodically perform a full internet-wide scan across the entire public IP address space. This periodic scan classifies each IP address (host) we find into numerous categories for more detailed scans. As an example, if we find tcp/80 in an open state, we want to ensure it is actually operating a web service daemon.

Why are you sending malicious requests to my website(s)?

As part of this study, every host that is identified as responding to RFC-compliant handshake requests will receive up to six (6) additional requests. These six requests are used to assist us in identifying what, if any, security is in place in front of your website. We never store information related to whether your website or host is vulnerable to any exploits. Additionally, we will not attempt to exploit any vulnerabilities, brute force any authentication systems, make password guesses, or modify configuration or device settings.

Current Payloads

{
  "payloads": 
  [
    "",
    "%00",
    "?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "?q=%3Cinvalid%3Efoobar",
    "?id=1%20AND%201=1%20UNION%20ALL%20SELECT%201%2C2%2C3%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%20..%2F..%2F..%2Fetc%2Fpasswd"
  ]
}
					

What are you doing with this data?

This research project has grown over time in terms of the number of individuals involved as well as the stories we can derive from the data collected. We are still in the early infancy of this project and expect to deliver peer-reviewed research publications, articles, and provide best practices to the public for protecting their web applications and other hypermedia transport services.

Can I request that my server be excluded?

To have your host or network excluded from future scans originating from scanned.io, please contact [email protected] with your IPv4 / IPv6 address and netmask or CIDR block. Alternatively, you can configure your firewall to DROP traffic originating from the subnets we utilize for scan activity:

 199.58.200.128/28 - SHAT.IO SHAT (NET-199-58-200-128-1) 199.58.200.128 - 199.58.200.143.
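
For operators who want to separate this project's probes from other traffic in their own logs, the following added example (not code from scanned.io) labels access-log lines using the subnet and payload list published above. It assumes common/combined log format and that each payload is appended to the requested path; the log lines are constructed samples.

```python
import ipaddress
import re

# Subnet and payload strings are copied from this page.
SCANNER_NET = ipaddress.ip_network("199.58.200.128/28")
PAYLOADS = [
    "%00",
    "?search=%3Cscript%3Ealert%281%29%3C%2Fscript%3E",
    "?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "?q=%3Cinvalid%3Efoobar",
    "?id=1%20AND%201=1%20UNION%20ALL%20SELECT%201%2C2%2C3%2Ctable_name"
    "%20FROM%20information_schema.tables%20WHERE%202%3E1--%20"
    "..%2F..%2F..%2Fetc%2Fpasswd",
]  # the empty payload "" is left out: it looks like any plain request

# Common/combined log format: client IP first, request line in double quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*"')

def classify(line):
    """Label one access-log line; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        in_net = ipaddress.ip_address(m.group(1)) in SCANNER_NET
    except ValueError:  # first field is a hostname or garbage
        return None
    # Assumption: each payload is appended to the requested path, so the
    # logged request target ends with it.
    probe = any(m.group(2).endswith(p) for p in PAYLOADS)
    if in_net:
        return "scanner-probe" if probe else "scanner-other"
    # The same strings from another source are not this project's traffic.
    return "lookalike-probe" if probe else "unrelated"

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '199.58.200.130 - - [01/Jan/2017:00:00:01 +0000] "GET /?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 162',
    '199.58.200.143 - - [01/Jan/2017:00:00:02 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2017:00:00:03 +0000] "GET /?q=%3Cinvalid%3Efoobar HTTP/1.1" 200 512',
    '199.58.200.144 - - [01/Jan/2017:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def classify_all(lines=SAMPLE_LOG):
    return [classify(line) for line in lines]

if __name__ == "__main__":
    for line, label in zip(SAMPLE_LOG, classify_all()):
        print(label, line.split()[0])
```

The last sample line comes from 199.58.200.144, one address past the end of the /28, and is therefore not attributed to the scanner.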

We are currently working on the addition of a mailing list, news blog, and a RESTful API service that will allow you to look up the information we have been collecting. It will also provide the ability to opt out of all scans or specific scans you may wish for us to exclude you from.

Copyright © 2017, SCANNED.IO