CHECK POINT THREAT ALERT: SHODAN
By Check Point Research Team
EXECUTIVE SUMMARY
- Shodan (https://www.shodan.io/) is a search engine that uses a variety of filters to find devices, such as computers, routers, and servers, which are connected to the Internet.
- Shodan collects data mostly on web servers (HTTP port 80), but there is also data about FTP (21), SSH (22), Telnet (23), SNMP (161) and SIP (5060) services.
- Shodan is often dubbed the “Google for hackers”, as it exposes vulnerable devices.
DESCRIPTION
- Shodan is a scanner which can find systems connected to the Internet, including traffic lights, security cameras, home heating systems and baby monitors, as well as SCADA systems such as gas stations, water plants, power grids and nuclear power plants. Many of these systems have a number of vulnerabilities and very little security in place.
- Shodan can identify the physical location of any Internet-connected equipment, as well as its IP address, and often even what type of software it’s running. This provides sufficient information for hackers to carry out targeted attacks.
- A massive data hack in the UK, attributed to Shodan scans, exposed sensitive data including family photographs, medical records and bank statements. This was due to security flaws in Iomega hard drives which were used to back up personal and business data.
CHECK POINT IPS PROTECTIONS
- Shodan “crawls” the Internet for publicly accessible devices, looking for specific IP addresses and hosts (see Appendix).
- Blocking these IP addresses is not enough, as similar scanners are used by hackers seeking other IPs.
- To fill these gaps, Check Point provides the following IPS protections:
- Shodan.io Internet Of Things Portal
- Shodan Scanner ISAKMP Request
- Shodan Scanner SIP Request
- Shodan Scanner BACNET Request
- Shodan Scanner GTP Request
- Shodan Scanner ENIP Request
These protections search for specific patterns in the SYN request that characterize Shodan and similar scanners.
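The gap left by an IP blocklist alone can be shown with a small log check that also flags sources by behaviour. This is an added example, not Check Point code and not how the IPS protections above work: the log format, thresholds and all addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict

# Service ports the alert lists as collected by Shodan.
SHODAN_PORTS = {21, 22, 23, 80, 161, 5060}
# Placeholder entry standing in for a published scanner IP list.
KNOWN_SCANNERS = {"203.0.113.10"}

# Constructed sample lines in a hypothetical "epoch src dst dport" format.
SAMPLE_LOG = """\
1700000000 203.0.113.10 192.0.2.5 80
1700000002 198.51.100.77 192.0.2.5 21
1700000003 198.51.100.77 192.0.2.6 23
1700000004 198.51.100.77 192.0.2.7 161
1700000005 198.51.100.77 192.0.2.8 5060
1700000006 198.51.100.20 192.0.2.5 80
1700000007 198.51.100.20 192.0.2.5 80
malformed line
1700009000 198.51.100.20 192.0.2.5 22
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d+)$")

def parse(log):
    """Yield (ts, src, dst, port) tuples, skipping lines that do not parse."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield int(ts), src, dst, int(port)

def classify(log, window=60, min_ports=3, min_hosts=3):
    """Map each flagged source to 'blocklist' or 'behaviour'."""
    events = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if port in SHODAN_PORTS:
            events[src].append((ts, dst, port))
    verdicts = {}
    for src, evs in events.items():
        if src in KNOWN_SCANNERS:
            verdicts[src] = "blocklist"
            continue
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            # Several distinct services on several hosts in one window.
            if (len({e[2] for e in in_win}) >= min_ports
                    and len({e[1] for e in in_win}) >= min_hosts):
                verdicts[src] = "behaviour"
                break
    return verdicts
```

On the sample data the blocklist catches only the listed address; the unlisted source that sweeps four services across four hosts is caught by the behavioural rule, and the ordinary web client is not flagged.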
REFERENCES
- Shodan: https://en.wikipedia.org/wiki/Shodan_(website)
- Shodan in the news:
- http://www.dailymail.co.uk/news/article-3207396/Thousands-exposed-massive-new-data-hack-s-not-just-adulterers-outed-web-PC-hard-drive-risk-Google-hackers.html
- http://www.computerworld.com/article/3016072/security/13-million-mackeeper-users-exposed-by-shodan-search-no-password-or-hacking-required.html
APPENDIX – SHODAN HOST NAMES AND IP ADDRESSES