Data Source Catalog

A catalog of data sources on cyber security risks and vulnerabilities. Cybergreen use many of these data sources in its Stats Platform.

We welcome contributions. Here are instructions on how to add a data source »

Download catalog as CSV Download the DataPackage.json

Data Sources

Showing 39 of 39 data sources

OpenDNS from Open Resolver Project CG✓ Project website »

A list of 32 million resolvers that respond to queries in some fashion. 28 million of these pose a significant threat (as of 27-OCT-2013).

Open NTP project CG✓ Project website »

List of all IP Addresses which are so called Open NTP servers. For a description of what an open NTP server is, please see

Open SSDP project CG✓ Project website »

List of open SSDP ports found via scanning.

Open SNMP project CG✓ Project website »

A list of open SNMP ports found via scanning

Spam from CERT at Project website »

Regular spam emails (full text including email headers)

Spam from CERT br Project website »

Regular spam emails (full text including email headers)

Android Malware Tracker Project website »

The Android Malware tracker main purpose is to keep track of the Android malware HTTP C&Cs (and probably telephone numbers in the future). All of the links are verified manually and are live when they are added. However, there is no guarantee that the links are in any way suitable for the purpose that you have in mind. In other words: you are using it AS IS and you are responsible for anything that may happen. an IP based abuse tracker Project website » is a community based IP blacklist service. You can report malicious IPs and you can download blacklists or query our API to find out if a IP is listed. We refer to a ‘badip’ or ‘badips’ as an IP that was seen in context with malicious activities on hosts which are connected with the internet. These activities include, but are not limited to, brute force login attempts, SPAM delivery attempts, Form SPAM attempts or (D)DOS attacks and so on and so forth.

Bambenek Consulting C&C domain list Project website »

Master Feed of known, active and non-sinkholed C&Cs domain names

Bambenek Consulting C&C domain list Project website »

The dga-feed list is a listing of all known DGA generated. This data doesn’t necessarily mean these domains are malicious. In fact, most domains are unregistered, but nonsense domains tend to indicate malicious activity. This feed is provided for informational purposes only and author assumes no Liability. Domains used by malware for domains 2 days prior to 3 days after the current data. fail2ban reporting service Project website »

All IP addresses that have attacked one of customers/servers in the last 48 hours. Services include: sh, mail, apache, imap, ftp, sip, ircbots, bruteforce logins on CMSes. Can be obtained

Blueliv CYBER THREAT MAP Project website »

Public API of threat map with information about crime servers.

BruteForceBlocker SSH login probes Project website »

BruteForceBlocker is a perl script, that works along with pf – firewall developed by OpenBSD team. When this script is running, it checks sshd logs from syslog and looks for Failed Login attempts – mostly some annoying script attacks, and counts number of such attempts.

Cisco IronPort SenderBase Security Network Project website »

Cisco’s provides a view into real-time threat intelligence across web and email. SenderBase is powered by Cisco Talos, the industry-leading threat intelligence organization dedicated to providing protection before, during, and after cybersecurity threats. The data is made up of over 100TB of daily security intelligence across over 1.6 million deployed Web, Email, Firewall and IPS appliances.

Clean MX anti spam solution from net4sec UG Project website »

Information about phishing sites, URLs linking to malware and taken over portals/network resources.

Cyber Crime Tracker Project website »

Tracking the C&Cs panels.

CyberTracker from MalwareHunterTeam Project website »

Tracking the C&Cs panels, malicious links, phishing sites and e-mails.

DNS-BH – Malware Domain Blocklist Project website »

The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting. Feodo botnet C&C servers tracker Project website »

Feodo Tracker is tracking four versions of Feodo, and they are labeled by Feodo Tracker as version A, version B, version C and version D. Feodo Tracker offers various types of blocklists that allows you to block Feodo botnet C&C traffic.

GreenSnow BlockingList Project website »

GreenSnow is a team consisting of the best specialists in computer security, we harvest a large number of IPs from different computers located around the world. GreenSnow is comparable with for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, …

hpHosts Online from Hosts-File Dot Net and Project website »

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites.

Tor Node List Project website »

List of Tor nodes in format: |||||||

Malc0de – malicious URLs Project website »

Malc0de database delivers information about URLs which serve malware, i.e. malicious executables. There is an IP address and AS number associated with every URL as well as MD530 hash of binary with hyperlink to report from ThreatExpert service.

Malware Domain List Project website »

Malware Domain List is a non-commercial community project. It collects information about domain names connected with mawlare, e.g. C&C servers, gateways to EK, phishing sites, infection pages etc

Malware Patrol Project website »

The Malware Patrol project began in 2005 as an open source community for sharing malicious URLs. This community, more active than ever, continues to collect, analyze, and monitor malware. We are proud to provide a platform and resources to facilitate the collection and distribution of our community’s data. We believe that information sharing is one of the most effective ways to fight against cyber threats. Our data is available in the form of URL block lists. In return for the valuable information available on these block lists, we ask only that you share with the community any new threat you may detect by emailing [email protected]

No Think! Honeypots from Matteo Cantoni Project website »

Free information and statistics from honeypot systems including: DNS amplification, SSH, telnet, web, SNMP. Abuse Reporting and Blacklisting Project website »

The project (formerly known as the SSH blacklist) is about detecting, logging and reporting various types of internet abuse. Currently our hosts monitor ports 21 (FTP), 22 (SSH), 23 (TELNET), 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (Submission), 993 (IMAPS) and 995 (POP3S) for bruteforce login attacks as well as scans on ports 80 (HTTP) and 443 (HTTPS) for vulnerable installations of phpMyAdmin and other web applications.

OpenPhish – Phishing Intelligence Feeds Project website »

OpenPhish launched in June 2014 as a result of a three-year research project on phishing detection. The research yielded a set of autonomous algorithms for detecting zero-day phishing sites. These algorithms form a self-contained kernel that can tell whether a given URL is a phish or not. Essentially, OpenPhish is the algorithmic kernel complemented with data extraction and analysis functionalities for generating various feeds. Any data provided by OpenPhish via its site and feeds can be used for non-commercial and internal business purposes only. For any other commercial use of the data, you must obtain OpenPhish’s written permission in advance.

OTX AlienVault Project website »

At the heart of Open Threat Exchange is the pulse, an investigation of an online threat. Pulses describe any type of online threat including malware, fraud campaigns, and even state sponsored hacking. Pulses are comprised of indicators of compromise (or IoCs), which describe the infrastructure of that threat – including IPs, file hashes, e-mail addresses affiliated with the threat, etc. Due to the ever-changing threat landscape, OTX takes a dynamic approach with how threat intelligence is shared. Threats are easily searchable and identified by keywords related to the attack. Users can also subscribe to pulses created by fellow members of the OTX community. When a user creates or updates a pulse, subscribers are notified and any systems they have instrumented with OTX data are automatically updated.

PhishTank from OpenDNS Project website »

PhishTank is a collaborative clearing house for data and information about phishing on the Internet. Also, PhishTank provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge. Ransomware Tracker Project website »

Ransomware Tracker to distinguishes between the following threats: Ransomware botnet Command & Control servers (C&Cs), Payment Sites, Distribution Sites

Spam404 Domain Blacklist Project website »

Domain is blacklisted by applying some criteria: fake content, phishing, get rich quick scam, spam, fraud, rogue pharmacy, malware. User submission available.

The Spamhaus Don't Route Or Peer Lists Project website »

The Spamhaus DROP (Don’t Route Or Peer) lists are advisory “drop all traffic” lists, consisting of netblocks that are “hijacked” or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers). The DROP lists are a tiny subset of the SBL, designed for use by firewalls and routing equipment to filter out the malicious traffic from these netblocks.

The Anti Hacker Alliance Project website »

List of IP addresses of attackers

Uceprotect-Network Spam Blacklist Project website »

IP blacklist of spammers

Virbl-project IP blacklist from BIT Internet Technology Project website »

Virbl is a project of which the idea was born during the RIPE-48 meeting. The plan was to get reports of virusscanning mailservers, and put the IP-addresses that were reported to send viruses on a blacklist.

VX Vault Project website »

URLs linking to malware with MD5. ZeuS Tracker Project website »

ZeuS Tracker provides you the possiblity to track ZeuS Command&Control servers (C&C) and malicious hosts which are hosting ZeuS files. ZeuS tracker captures and tracks ZeuS hosts aswell as the associated config files, binaries and dropezones. The main focus is to provide system administrators the possiblity to block well-known ZeuS hosts and to avoid and detect ZeuS infections in their networks. For this purpose, ZeuS Tracker offers several blocklists (see ZeuS blocklist).

Zone-H: special defacements Project website »

Last 20 special defacements published, updated every 5 minutes