Title,Cybergreen,Homepage,Taxonomy,Risk types,Size,Coverage (Geo),Start,End,Description,Level of information,Tools for fetching the data,Authentication needed?,Owner type,AggregateOrRaw,Format,Public,OpenOrClosed,UrlOrIP,Available to CERTs?,Relevance,Timeliness,Accuracy,Completeness,Ingestibility,Detection method,Vantage Point
OpenDNS from Open Resolver Project,yes,http://openresolverproject.org,Vulnerable,OpenDNS,TB,global,2014,today,A list of 32 million resolvers that respond to queries in some fashion. 28 million of these pose a significant threat (as of 27-OCT-2013).,Low level,"private, scp",YES,Internet super hero,raw,CSV,No,closed,IP,need to discuss,high,weekly,?,global,fair,scanning,from scanning server
Open NTP project,yes,http://openntpproject.org,Vulnerable,OpenNTP,TB,global,2014,today,"List of all IP Addresses which are so called Open NTP servers. For a description of what an open NTP server is, please see ",Low level,"private, scp",YES,Internet super hero,raw,CSV,No,closed,IP,need to discuss,high,weekly,?,?,fair,scanning,from scanning server
Open SSDP project,yes,http://openssdpproject.org/,Vulnerable,OpenSSDP,TB,global,2016,today,List of open SSDP ports found via scanning.,Low level,"private, scp",YES,Internet super hero,raw,CSV,No,closed,IP,need to discuss,high,weekly,?,?,fair,scanning,from scanning server
Open SNMP project,yes,http://opensnmpproject.org,Vulnerable,OpenSNMP,TB,global,2014,today,A list of open SNMP ports found via scanning,Low level,"private, scp",YES,Internet super hero,raw,CSV,No,closed,IP,need to discuss,high,weekly,?,?,fair,scanning,from scanning server
Spam from CERT at,no,http://hetzner.cert.at/cgi-bin/topspamsubjects.exe,Spam,Spam,GB,global,,today,Regular spam emails (full text including email headers),Detection indicators,"curl, http",YES,"CERT.at, CERT.br",raw,EMAIL,semi,open,BOTH,YES,medium,daily,,low,fair,"honeypots, spamtraps",from Austria and CERT.br from a global network of Spam honeypots
Spam from CERT br,no,https://kolos.cert.br/data-donation/region/world,Spam,Spam,GB,global,,today,Regular spam emails (full text including email headers),Detection indicators,"curl, http",YES,"CERT.at, CERT.br",raw,EMAIL,semi,open,BOTH,YES,medium,daily,?,low,fair,"honeypots, spamtraps",from Austria and CERT.br from a global network of Spam honeypots
Android Malware Tracker,no,https://amtrckr.info/,blacklist,Android malware C&C servers,kB,global,,,"The Android Malware tracker's main purpose is to keep track of the Android malware HTTP C&Cs (and probably telephone numbers in the future). All of the links are verified manually and are live when they are added. However, there is no guarantee that the links are in any way suitable for the purpose that you have in mind. In other words: you are using it AS IS and you are responsible for anything that may happen.",Detection indicators,"curl, http",no,,raw,JSON,Yes,open,BOTH,Yes,medium/high,,,medium,fair,,
BadIPs.com an IP based abuse tracker,no,https://www.badips.com/,blacklist,Attackers' IP addresses,,global,,,"badips.com is a community based IP blacklist service. You can report malicious IPs and you can download blacklists or query our API to find out if an IP is listed. We refer to a 'badip' or 'badips' as an IP that was seen in context with malicious activities on hosts which are connected with the internet. These activities include, but are not limited to, brute force login attempts, SPAM delivery attempts, Form SPAM attempts or (D)DOS attacks and so on and so forth.",Detection indicators,"curl, http",Usually no,,both,JSON,Yes,open,IP,Yes,high,,,medium,fair,community's reporting,
Bambenek Consulting C&C domain list,no,http://www.bambenekconsulting.com/,blacklist,C&C domain names,kB,global,,now,"Master Feed of known, active and non-sinkholed C&Cs domain names",Detection indicators,"curl, http",NO,,raw,CSV,Yes,open,URL,Yes,high,Every 10 minutes,,medium,fair,aggregation from other sources,
Bambenek Consulting C&C domain list,no,http://www.bambenekconsulting.com/,blacklist,DGA C&C domain names,MB,global,2 day prior current data,3 days after current data,"The dga-feed list is a listing of all known DGA generated. This data doesn't necessarily mean these domains are malicious. In fact, most domains are unregistered, but nonsense domains tend to indicate malicious activity. This feed is provided for informational purposes only and author assumes no liability. Domains used by malware for domains 2 days prior to 3 days after the current data.",Detection indicators,"curl, http",NO,,raw,CSV,Yes,open,URL,Yes,medium,Every 24 hours,,medium,fair,,
Blocklist.de fail2ban reporting service,no,https://lists.blocklist.de/lists/all.txt,blacklist,Attackers' IP addresses,kB,global,Last 48 hours,now,"All IP addresses that have attacked one of customers/servers in the last 48 hours. Services include: sh, mail, apache, imap, ftp, sip, ircbots, bruteforce logins on CMSes. Can be obtained",Detection indicators,"curl, http",NO,Internet super hero,raw,TXT,Yes,open,IP,Rather yes,high,Every 30 minutes,?,low,fair/good,probes,probes installed on (production) servers
Blueliv CYBER THREAT MAP,no,https://community.blueliv.com/map/,blacklist,Crime servers,MB,global,Last 24 hours,now,Public API of threat map with information about crime servers.,Detection indicators,"curl, http",YES,,raw,JSON,Yes,closed,URL,No,medium,Once per day,,medium,fair,,
BruteForceBlocker SSH login probes,no,http://danger.rulez.sk/index.php/bruteforceblocker/,blacklist,Attackers' IP addresses,kB,global,,,"BruteForceBlocker is a perl script, that works along with pf – firewall developed by OpenBSD team. When this script is running, it checks sshd logs from syslog and looks for Failed Login attempts – mostly some annoying script attacks, and counts number of such attempts.",Detection indicators,"curl, http",NO,,raw,CSV,Yes,open,IP,Rather yes,medium,,,medium,fair,Community's probes,servers with SSH daemon
Cisco IronPort SenderBase Security Network,no,http://www.senderbase.org,blacklist,Spammers' IPs,MB-GB,global/exploration by country,,,"Cisco's SenderBase.org provides a view into real-time threat intelligence across web and email. SenderBase is powered by Cisco Talos, the industry-leading threat intelligence organization dedicated to providing protection before, during, and after cybersecurity threats. The data is made up of over 100TB of daily security intelligence across over 1.6 million deployed Web, Email, Firewall and IPS appliances.",Detection indicators,"curl, http",NO,Company,raw,JSON,Yes,open,IP,,high,Realtime,,medium,fair,"The data is made up of over 100TB of daily security intelligence across over 1.6 million deployed Web, Email, Firewall and IPS appliances.",
Clean MX anti spam solution from net4sec UG,no,http://clean-mx.de/,blacklist,phishing/malware/portals,,global,,,"Information about phishing sites, URLs linking to malware and taken over portals/network resources.",Detection indicators,"curl, http",Yes,Company,raw,JSON,No,Open,BOTH,Yes,medium,,,medium,fair,,
Cyber Crime Tracker,no,http://cybercrime-tracker.net/,other,C&Cs panels,kB,global,,,Tracking the C&Cs panels.,Detection indicators,"curl, http",NO,,raw,XML,Yes,open,URL,Yes,medium,Irregular updates,,low,low,,
CyberTracker from MalwareHunterTeam,no,http://cybertracker.malwarehunterteam.com/,other,misc threats,kB,global,,,"Tracking the C&Cs panels, malicious links, phishing sites and e-mails.",Detection indicators,"curl, http",Yes,,raw,XML,Yes,Closed,URL,Yes,medium,,,medium,low,,
DNS-BH – Malware Domain Blocklist,no,http://www.malwaredomains.com,blacklist,misc malicious sites,MB,global,,now,"The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting.",Detection indicators,"curl, http",NO,,raw,CSV,Yes,open,URL,Yes,high,,,medium,fair,,
Abuse.ch Feodo botnet C&C servers tracker,no,https://feodotracker.abuse.ch/,blacklist,C&C servers,kB,global,,,"Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D. Feodo Tracker offers various types of blocklists that allow you to block Feodo botnet C&C traffic.",Detection indicators,"curl, http",NO,,raw,TXT/XML,Yes,open,BOTH,Yes,high,,,low,fair,,
GreenSnow BlockingList,no,http://blocklist.greensnow.co,blacklist,Attackers' IP addresses,kB,global,,,"GreenSnow is a team consisting of the best specialists in computer security, we harvest a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, ...",Detection indicators,"curl, http",NO,,raw,TXT,Yes,open,IP,,medium/high,,,low,fair,,
hpHosts Online from Hosts-File Dot Net and Malwarebytes.com,no,https://hosts-file.net/,blacklist,misc malicious sites,MB,global,,now,"hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites.",Detection indicators,"curl, http",NO,Internet super hero,raw,TXT,Yes,open,URL,Yes,medium,,,low,fair,,
Tor Node List,no,https://www.dan.me.uk/,blacklist,Tor nodes,kB,global,,now,List of Tor nodes in format: |||||||,Detection indicators,"curl, http",NO,Internet super hero,raw,TXT/CSV,Yes,open,IP,Yes,medium/low,Every 30 minutes,,medium,fair,,
Malc0de – malicious URLs,no,http://malc0de.com/database/,blacklist,malicious URLs,MB,global,,,"Malc0de database delivers information about URLs which serve malware, i.e. malicious executables. There is an IP address and AS number associated with every URL as well as MD5 hash of binary with hyperlink to report from ThreatExpert service.",Detection indicators,"curl, http",NO,,raw,XML,Yes,open,URL,Rather yes,medium,,,medium,fair,,
Malware Domain List,no,http://www.malwaredomainlist.com/mdlcsv.php,blacklist,Sites connected with malware,kB,global,2009,now,"Malware Domain List is a non-commercial community project. It collects information about domain names connected with malware, e.g. C&C servers, gateways to EK, phishing sites, infection pages etc",Detection indicators,"curl, http",NO,Internet super hero,raw,CSV,Yes,open,BOTH,Yes,medium/high,irregular updates,?,medium,fair,"miscellaneous (spam, forums, reversed samples etc)",miscellaneous
Malware Patrol,no,https://malwarepatrol.net,blacklist,Sites connected with malware,,global,,,"The Malware Patrol project began in 2005 as an open source community for sharing malicious URLs. This community, more active than ever, continues to collect, analyze, and monitor malware. We are proud to provide a platform and resources to facilitate the collection and distribution of our community's data. We believe that information sharing is one of the most effective ways to fight against cyber threats. Our data is available in the form of URL block lists. In return for the valuable information available on these block lists, we ask only that you share with the community any new threat you may detect by emailing void@malware.com.br.",Detection indicators,"curl, http",Yes,,raw,Mozilla Firefox AdBlock,No,open,BOTH,No,medium,,,low,fair,,
No Think! Honeypots from Matteo Cantoni,no,http://www.nothink.org/,other,Honeypot attackers and victims,kB,global,,,"Free information and statistics from honeypot systems including: DNS amplification, SSH, telnet, web, SNMP.",Detection indicators,"curl, http",NO,,raw,CSV,Yes,open,BOTH,Yes,medium/high,,,medium/high,fair,honeypots,honeypot servers
OpenBL.org Abuse Reporting and Blacklisting,no,http://www.openbl.org/,blacklist,Attackers' IP addresses,kB,global,90 days before,now,"The OpenBL.org project (formerly known as the SSH blacklist) is about detecting, logging and reporting various types of internet abuse. Currently our hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.",Detection indicators,"curl, http",NO,,raw,TXT,Yes,open,IP,Yes,medium/high,,,low,fair,Probes on distributed net of servers,Public servers
OpenPhish – Phishing Intelligence Feeds,no,https://openphish.com/,phishing,Phishing URLs,MB,global,,,"OpenPhish launched in June 2014 as a result of a three-year research project on phishing detection. The research yielded a set of autonomous algorithms for detecting zero-day phishing sites. These algorithms form a self-contained kernel that can tell whether a given URL is a phish or not. Essentially, OpenPhish is the algorithmic kernel complemented with data extraction and analysis functionalities for generating various feeds. Any data provided by OpenPhish via its site and feeds can be used for non-commercial and internal business purposes only. For any other commercial use of the data, you must obtain OpenPhish's written permission in advance.",Detection indicators,"curl, http",NO,,raw,TXT,Yes,open,URL,Yes,medium/high,several minutes,,low,fair,,
OTX AlienVault,no,https://otx.alienvault.com/,other,misc,,global,,,"At the heart of Open Threat Exchange is the pulse, an investigation of an online threat. Pulses describe any type of online threat including malware, fraud campaigns, and even state sponsored hacking. Pulses are comprised of indicators of compromise (or IoCs), which describe the infrastructure of that threat – including IPs, file hashes, e-mail addresses affiliated with the threat, etc. Due to the ever-changing threat landscape, OTX takes a dynamic approach with how threat intelligence is shared. Threats are easily searchable and identified by keywords related to the attack. Users can also subscribe to pulses created by fellow members of the OTX community. When a user creates or updates a pulse, subscribers are notified and any systems they have instrumented with OTX data are automatically updated.",Detection indicators,"curl, http/Python SDK",Yes,Company,raw,JSON,Yes,closed,BOTH,,medium/high,,,high,low,,
PhishTank from OpenDNS,no,https://www.phishtank.com/,phishing,Phishing URLs,,global,,,"PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.",Detection indicators,"curl, http/own application",Yes,,raw,XML/CSV/JSON,Yes,closed,URL,,medium,Every 1 hour,,high,low,,
Abuse.ch Ransomware Tracker,no,https://ransomwaretracker.abuse.ch,blacklist,Sites connected with malware,kB,global,,now,"Ransomware Tracker distinguishes between the following threats: Ransomware botnet Command & Control servers (C&Cs), Payment Sites, Distribution Sites",Detection indicators,"curl, http",NO,,raw,CSV,Yes,open,BOTH,Yes,medium/high,Every 5 minutes,,medium/high,fair,,
Spam404 Domain Blacklist,no,http://www.spam404.com/,blacklist,Abusive domain names,kB,global,,,"Domain is blacklisted by applying some criteria: fake content, phishing, get rich quick scam, spam, fraud, rogue pharmacy, malware. User submission available.",Detection indicators,"curl, http",NO,,raw,HTML,Yes,open,URL,Yes,medium,,,low,fair,,
The Spamhaus Don't Route Or Peer Lists,no,https://www.spamhaus.org,blacklist,Spammers' IPs,kB,global,,,"The Spamhaus DROP (Don't Route Or Peer) lists are advisory ""drop all traffic"" lists, consisting of netblocks that are ""hijacked"" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.",Detection indicators,"curl, http",NO,Company,raw,TXT,Yes,open,IP,,medium/high,,,low,fair,,
The Anti Hacker Alliance,no,http://anti-hacker-alliance.com/,blacklist,Attackers' IP,kB,global,,,List of IP addresses of attackers,Detection indicators,"curl, http",NO,,raw,HTML,Yes,open,IP,Yes,medium,,,low,fair,Manual + reports by community with embedded script,community's servers
Uceprotect-Network Spam Blacklist,no,http://www.uceprotect.net/en/index.php,blacklist,Spammers' IPs,MB,global,,,IP blacklist of spammers,Detection indicators,"RSYNC, curl, http",NO,,raw,rbldnsd,Yes,open,IP,No,high,,,low,fair,community's reporting,spamtraps
Virbl-project IP blacklist from BIT Internet Technology,no,https://virbl.bit.nl/,blacklist,Attackers' IP addresses,kB,global,,now,"Virbl is a project of which the idea was born during the RIPE-48 meeting. The plan was to get reports of virusscanning mailservers, and put the IP-addresses that were reported to send viruses on a blacklist.",Detection indicators,"curl, http",NO,,raw,TXT,Yes,open,IP,Yes,medium/high,Every 10 minutes,,low,fair,community's reporting,"mailservers, spamtraps"
VX Vault,no,http://vxvault.net,blacklist,Malware URLs,kB,global,,,URLs linking to malware with MD5.,Detection indicators,"curl, http",NO,,raw,HTML/TXT,Yes,open,BOTH,Yes,medium,,,medium,fair,,
Abuse.ch ZeuS Tracker,no,https://zeustracker.abuse.ch/,blacklist,C&C servers,kB,global,,,"ZeuS Tracker provides you the possibility to track ZeuS Command&Control servers (C&C) and malicious hosts which are hosting ZeuS files. ZeuS tracker captures and tracks ZeuS hosts as well as the associated config files, binaries and dropzones. The main focus is to provide system administrators the possibility to block well-known ZeuS hosts and to avoid and detect ZeuS infections in their networks. For this purpose, ZeuS Tracker offers several blocklists (see ZeuS blocklist).",Detection indicators,"curl, http",NO,,raw,TXT/XML,Yes,open,BOTH,Yes,medium/high,,,medium/low,fair,,
Zone-H: special defacements,no,https://www.zone-h.org,other,Defacement,kB,global,,,"Last 20 special defacements published, updated every 5 minutes",Detection indicators,"curl, http",NO,,raw,XML,Yes,open,URL,,medium/low,Every 5 minutes,,low,low,,