CHECK POINT THREAT ALERT: SHODAN
EXECUTIVE SUMMARY
- Shodan (https://www.shodan.io/) is a search engine that uses a variety of filters to find devices, such as computers, routers, and servers, which are connected to the Internet.
- Shodan collects data mostly on web servers (HTTP port 80), but there is also data about FTP (21), SSH (22), Telnet (23), SNMP (161) and SIP (5060) services.
- Shodan is often dubbed as “Google for hackers”, as it exposes vulnerable devices.
DESCRIPTION
- Shodan is a scanner which can find systems connected to the Internet, including traffic lights, security cameras, home heating systems and baby monitors, as well as SCADA system such as gas stations, water plants, power grids and nuclear power plants. Many of these systems have a number of vulnerabilities and very little security in place.
- Shodan can identify the physical location of any Internet-connected equipment, as well as its IP address, and often even what type of software it’s running.. This provides sufficient information for hackers to carry out targeted attacks.
- A massive data hack in the UK, attributed to Shodan scans, exposed sensitive data including family photographs, medical records and bank statements. This was due to security flaws in Iomega hard drives which were used to back up personal and business data.
CHECK POINT IPS PROTECTIONS
- Shodan “crawls” the Internet for publicly accessible devices, looking for specific IP addresses and hosts (see Appendix).
- Blocking these IP addresses is not enough, as similar scanners are used by hackers seeking other IPs.
- To fill these gaps, Check Point provides the following IPS protections:
- Shodan.io Internet Of Things Portal
- Shodan Scanner ISAKMP Request
- Shodan Scanner SIP Request
Shodan Scanner BACNET Request - Shodan Scanner GTP Request
- Shodan Scanner ENIP Request
These protections search for specific patterns in the SYN request that characterize Shodan and similar scanners.
REFERENCES
- Shodan: https://en.wikipedia.org/wiki/Shodan_(website)
- Shodan in the news:
- http://www.dailymail.co.uk/news/article-3207396/Thousands-exposed-massive-new-data-hack-s-not-just-adulterers-outed-web-PC-hard-drive-risk-Google-hackers.html
- http://www.computerworld.com/article/3016072/security/13-million-mackeeper-users-exposed-by-shodan-search-no-password-or-hacking-required.html
APPENDIX – SHODAN HOST NAMES AND IP ADDRESSES
IP Host Name
93.120.27.62 m247.ro.shodan.io
85.25.43.94 rim.census.shodan.io
85.25.103.50 pacific.census.shodan.io
82.221.105.7 census11.shodan.io
82.221.105.6 census10.shodan.io
71.6.167.142 census9.shodan.io
71.6.165.200 census12.shodan.io
71.6.135.131 census7.shodan.io
66.240.236.119 census6.shodan.io
66.240.192.138 census8.shodan.io
198.20.99.130 census4.shodan.io
198.20.70.114 census3.shodan.io
198.20.69.98 census2.shodan.io
198.20.69.74 census1.shodan.io
188.138.9.50 atlantic.census.shodan.io
You may also like
DMV-Themed Phishing Campaign Targeting U.S. Citizens
In May 2025, a sophisticated phishing campaign emerged, impersonating several ...
Malicious Loan App Removed from iOS and Google Play App Store Posed Severe Risks to Users
In February 2025, our detection engines identified a SpyLoan application ...
Hijacked Trust: How Malicious Actors Exploited Discord’s Invite System to Launch Global Multi-Stage Attacks
Attackers took advantage of a Discord feature that lets expired ...
Check Point Research Warns of Holiday-Themed Phishing Surge as Summer Travel Season Begins
Over 39,000 new vacation-related domains registered in May 2025, with ...