Shodan Release new feature: Tracking Hacked Websites

On December 1, Shodan introduced a new feature that allows you to trace hacked websites. Normally, One thing they tend to have in common though is that they start their signature with “Hacked by”. That makes it very easy to find hacked websites with Shodan using the http.title search filter:

https://www.shodan.io/search?query=http.title%3A%22Hacked+by%22

With this query, you can see the result

The shodan parse command extracts the http.title information out of the banners, which are then filtered using grep to ensure only websites that contain “hacked by” in that order get further analyzed. Then we strip out everything that is shown before the “hacked by” string using sed thereby creating a list of attacker names. That list is then sorted, the uniques are counted, sorted by number of occurrence and finally the top 10 results get printed to the terminal. And with that we can present the Top 10 Website Defacers:

1. AnonymousFox: 122
2. GX40: 54
3. Dead Haxor >> <<: 45
4. GHoST61: 31
5. ReKaN Err0r: 24
6. TheWayEnd: 22
7. D.R.S Dz Team: 16
8. Ayy?ld?z Tim …: 16
9. ZeDaN-Mrx: 13
10. virus3033: 12

Tutorial

Source: shodan.io