Cybergordon.com
CyberGordon quickly provides threat and risk information about observables such as IP addresses or web domains. This great tool was created by Marc-Henry Geay (contact page).
30+ fast engines – CyberGordon submits your observables to multiple sources (engines) to ensure good coverage in a few seconds.
ID | Name | Observable types | Information retrieved |
---|---|---|---|
1 | IPinfo.io Website | IPV4, IPV6 | GeoIP (City, Country), hostname (PTR/rDNS), Organization (AS Number, AS Name) Risk assessment: false |
2 | AbuseIPDB Website | IPV4, IPV6 | Overall risk score (%), number of reports with the number of distinct reporters and the last report date Risk assessment: true Remark: data limited to the last 180 days |
3 | VirusTotal Website | FQDN, MD5, SHA1, SHA256 | Anti-virus analysis results with malicious and suspicious score ratios, reputation, votes (Safe, Dangerous). For files: filetype, corresponding hashes. Around November 26, 2022, VirusTotal decreased the monthly quota of our API key and added a rather strict daily quota. IPv4 removed temporarily. Risk assessment: true |
4 | urlscan.io Website | IPV4, IPV6, FQDN, URL, SHA256 | Total number of scans, presence in phishing/threat feeds and the top 5 domains reported in scans Risk assessment: true Remark: Except for the first metric, data is limited to the last 100 scans |
5 | Google Safe Browsing (GSB) Website | FQDN, URL | Presence on GSB database and threat type list Risk assessment: true |
6 | Hybrid Analysis Website | MD5, SHA1, SHA256 | Final verdict, threat score /100, anti-virus positive detection percentage, corresponding hashes Risk assessment: true |
7 | Google DNS Website | FQDN, IPV4 | Live DNS lookups of A, NS and MX records for FQDN through Google DNS. For IPV4, PTR record Risk assessment: false Remark: a DNS lookup could be considered an active request to the observable. DNS records may differ depending on geographic position |
8 | Wayback Internet Archive Website | FQDN, URL | Last snapshot date Risk assessment: false |
9 | MalShare Website | MD5, SHA1, SHA256 | Sample match and corresponding hashes Risk assessment: true |
10 | Fortiguard Web Filter (disabled) Website | IPV4, FQDN | Web classification (category). Disabled in July 2023. Risk assessment: true |
11 | DShield / ISC Website | IPV4, IPV6 | Match against honeypots: community report count and last date Risk assessment: true |
12 | AlienVault OTX Website | IPV4, IPV6 | Reputation score, activities and check in pulse (feed) Risk assessment: true |
13 | BinaryEdge (disabled) Website | IPV4 | Open and exposed ports with service/OS fingerprinting. Engine disabled: the free quota is no longer adapted to the demand Risk assessment: false |
14 | EmailRep Website | | Mail address and domain reputation, data leak and DNS configuration Risk assessment: true Remark: Important lack of availability |
15 | crt.sh Website | FQDN | Public certificates published on Certificate Transparency logs, with details of up to 8 valid (not expired) certificates: DNS names, dates, issuer Risk assessment: false Remark: search stopped if more than 200 results |
16 | Whois XML API (disabled) Website | FQDN | Whois records: TLD, registrar (name and IANA ID), registrant (name, Country), dates, status. Due to subscription changes, this engine was disabled on March 9th, 2022; please use [E31] RDAP engine. Risk assessment: false Remark: due to Whois data structure inconsistency, some results may be missing |
17 | Pulsedive Website | IPV4, IPV6, FQDN, URL | Risk, last activity date, threat/feed lists, open services Risk assessment: true |
18 | MalwareBazaar Website | MD5, SHA1, SHA256 | Sample match, last seen, signature, tags, delivery method and corresponding hashes Risk assessment: false |
19 | ThreatMiner Website | IPV4, FQDN, MD5, SHA1, SHA256 | Match count of passive DNS, URI, sub-domain, certificate, IP/domain… Risk assessment: false Remark: a match is not necessarily suspicious |
20 | PhishTank Website | URL | Match in phishing database and, if applicable, the verification date Risk assessment: true |
21 | Twitter (disabled) Website | IPV4, IPV6, FQDN, MD5, SHA1, SHA256 | Match in tweets over the past week. Disabled in July 2023 (API restricted). Risk assessment: true Remark: for now, max 100 tweets and search up to 7 days |
22 | ViewDNS Spam Blacklist Website | IPV4 | Match in spam blacklist. Risk assessment: true Remark: slow API, sometimes timeout |
23 | Offline Feeds Website | IPV4 | Match in multiple offline feeds downloaded and updated every hour by CyberGordon, mainly from FireHOL repository. Feeds: FireHOL Level 1, FireHOL Level 3 (last 30 days), AlienVault IP reputation database, TOR exit nodes (last 30 days), EmergingThreats compromised hosts, CyberCrime – C2, DynDNS.org – Ponmocup malware botnet, BotScout (last 1 day), DigitalSide (last 7 days), IPsum (3+ blocklists), Rescure – Malicious IP, Feodo Tracker – Botnet C2 (last 30 days), Duggy Tuxy – EU Botnets/Zombies/Scanners. Risk assessment: true |
24 | BlackList DE Website | IPV4 | Match in blacklist with the number of attacks and reports since the beginning. Risk assessment: true Remark: Sometimes slow (whole data requested) |
25 | Auth0 Signals (disabled) Website | IPV4 | Match in blacklists. Auth0 announced deprecation of Signals, disabled on February 8, 2021. Risk assessment: true |
26 | MetaDefender Website | IPV4, IPV6, FQDN, URL, MD5, SHA1, SHA256 | For hashes: anti-virus analysis results, reputation and votes (Safe, Dangerous). For other types: their reputation on multiple sources. Risk assessment: true |
27 | Disposable Email Domains Website | FQDN | Match in disposable email domains database. Risk assessment: true |
28 | CryptoScamDB (disabled) Website | IPV4, FQDN | Match in cryptocurrency scams database. Disabled in July 2023 (not responding). Risk assessment: true |
29 | Stop Forum Spam Website | IPV4, IPV6, EMAIL | Match in forum/blog abusers database. Risk assessment: true |
30 | PhishingReel (disabled) Website | IPV4, FQDN | Match in phishing kits database – only entries from the last 7 days. The service is no longer available Risk assessment: true |
31 | RDAP Website | FQDN | Homemade RDAP client (replacement of WHOIS). Domain records: registrar (name, IANA ID, email abuse), registrant (name), DNSSEC activation, registration/expiration dates, nameservers, status. CyberGordon uses a daily-updated offline copy of the Bootstrap Registry List from IANA repository. Risk assessment: false |
32 | IBM X-Force Website | IPV6, FQDN, URL, MD5, SHA1, SHA256 | Match on IBM Threat Intel database with current risk; includes risk history for IPV4/FQDN/URL. IPv4 removed temporarily. Risk assessment: true Remark: High rate of remote API timeout |
33 | GreyNoise Website | IPV4 | Match on GreyNoise Threat Intel database with last reporting date, classification, scanning the Internet and the actor name (RIOT project). Risk assessment: true Remark: Use the GreyNoise Community API |
34 | IPdata.co Website | IPV4, IPV6 | Geolocation data, Network data and Threat Intelligence (security risks and blocklists) Risk assessment: true |
35 | Redirect Checker Website | URL | Identifies the target web page of a shortened URL, with IP address and HTTP status code. Risk assessment: false |
ThreatFox – Bulk Search
ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers.
Enter search queries, separated by commas or new lines.
Queries: IP, URL, DOMAIN, HASH (MD5, SHA256, SHA1).
If the IOC is not found, no results are displayed.