| Router Security | Shodan and Censys Queries |
Website by Michael Horowitz |
Shodan promotes itself as a search engine that lets you see which computing devices on your network are directly accessible from the Internet. Technically, it reports on open TCP ports in your router and offers some information about the software behind those ports. In the most secure case, there would be no open ports. It also reports on known bugs in the software running on the device at a particular IP address and, if it finds any SSL/TLS certificates, it provides the full certificate details.
I am not sure, but it does not appear to deal with UDP ports.
Open TCP ports are analogous to unlocked doors. They normally come from two sources. In a router or a gateway (combination modem/router in one box) provided by an ISP, ports may be opened because the ISP uses them as a backdoor into your home network. The other common source of open ports is UPnP, a software protocol supported on almost all routers. To understand UPnP, let's back up.
All the computing devices in a home share one public IP address (shown below) and it is assigned to the router. All the computers, tablets, phones, IoT devices, etc. also have private IP addresses that are normally not visible to the outside world. The private IP addresses are how devices in a single location can talk both to each other and to the router. A very common private IP address is 192.168.1.1. A router that supports UPnP can be told to make a device in your home directly accessible from the Internet. In effect, it punches a hole in the firewall provided by the router. Hello bad guys. Consumer routers come with UPnP enabled because it means fewer tech support calls for the few remaining services that need it. It also makes you less secure. Business or professional routers come with UPnP disabled.
Initially, this page only generated a Shodan query of your public IP address (your router). Then, it added queries to Censys, which sort of, kind of, competes with Shodan. Now, it also includes other services that look for malicious activity. That is, bad things may be coming from your network (technically your LAN) but not from your router.
QUALIFICATIONS: To test your router, you need to view/load this page without an active VPN or Tor connection. If you are connected to a VPN, then the public IP address that appears in the generated queries below (and the name shown below) is that of the VPN server rather than your router. This, of course, is by design. Likewise, if you are using Tor, the IP address and name below are from the Tor exit node, rather than your router.
MORE WARNINGS: For most of us, our public IP address changes over time. Thus, your public IP address, shown below, could have belonged to someone else yesterday. Also, the services being queried do not check every IP address every day, so the reports will always be a bit dated. Even if you have had the same IP address for months, the report may have been generated before your router, or a device on your network, was infected with malware.
Your public IP address is: 18.97.9.168
The public name of your router: 18-97-9-168.crawl.commoncrawl.org
Your router has a public name that typically does not matter because you normally do not directly address your router when away from home. Oftentimes, the public name includes the public IP address. Sometimes it is the public IP address (VPN providers like to do this). Sometimes, it identifies the ISP. If you use a sub-optimal VPN, it identifies the VPN provider you are using. Nerds may refer to the name as a "host name" or a "PTR record" or "Reverse DNS".
One ISP that I have seen identify themselves in the public name was Spectrum. Some of their customers have public names that end in rr.com because in the old days Spectrum was Time Warner and they called their Internet service Road Runner. I have also seen residential customers with a name that ended with ".res.spectrum.com". Comcast names in the U.S. often end with XX.comcast.net where XX is a two letter abbreviation for the state where the router is located. Optimum cable customers in the US may have a name that ends with dyn.optonline.net where "dyn" probably refers to a dynamic IP address.
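The naming patterns described above can be checked mechanically. This is an added example, not code from this website: the function names are made up for illustration, the suffix list covers only the ISPs mentioned above, and the Comcast and Spectrum host names in the usage note are constructed samples.

```python
import ipaddress
import re

# Suffix patterns taken from the ISP examples described above.
ISP_SUFFIXES = [
    (re.compile(r"\.res\.spectrum\.com$"), "Spectrum (residential)"),
    (re.compile(r"\.rr\.com$"), "Spectrum (legacy Road Runner)"),
    (re.compile(r"\.[a-z]{2}\.comcast\.net$"), "Comcast"),
    (re.compile(r"\.dyn\.optonline\.net$"), "Optimum"),
]


def embeds_ip(name: str, ip: str) -> bool:
    """True if the IPv4 octets appear in the name, forward or reversed,
    joined by '-' or '.', and not as part of a longer number."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    for seq in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"[-.]".join(seq) + r"(?!\d)"
        if re.search(pattern, name):
            return True
    return False


def describe_ptr(name: str, ip: str) -> dict:
    """Summarise what a reverse DNS (PTR) name gives away about a connection."""
    name = name.strip().rstrip(".").lower()
    if name == ip:
        kind = "name is just the IP address"
    elif embeds_ip(name, ip):
        kind = "name embeds the IP address"
    else:
        kind = "name does not contain the IP address"
    # First matching suffix wins; None means no ISP from the list was recognised.
    isp = next((label for rx, label in ISP_SUFFIXES if rx.search(name)), None)
    return {"name": name, "kind": kind, "isp": isp}
```

For the name shown on this page, describe_ptr("18-97-9-168.crawl.commoncrawl.org", "18.97.9.168") reports that the name embeds the IP address and matches none of the listed ISPs. A constructed name such as c-203-0-113-7.hsd1.nj.comcast.net is reported as Comcast.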
SHODAN: Click the link below to see what Shodan knows about your public IP address. A "Not Found" response is not an error; it just means that Shodan has not examined your public IP address. The link opens in a new browser window/tab.
Your Customized Shodan Query: www.shodan.io/host/18.97.9.168
If your public IP address is Not Found by Shodan, you can get a taste of what the reports look like with this query of a Quad9 DNS server:
www.shodan.io/host/149.112.112.112
You will see an SSL/TLS certificate on TCP port 443.
One port you do not want to find open is 7547. It is often left open on devices given out by an ISP so that they can remotely access the box. Technically, this port is used by a remote management protocol known as both TR-069 and CWMP. Many times this has been abused by bad guys to hack the router. In April 2017 it was reported that Shodan found over 41 million devices with port 7547 open.
Another port you do not want to find open is 4567. It seems that both CenturyLink and Verizon (and probably other ISPs) use this as a back door into the router. See here, here, here and here.
CENSYS: Censys.io competes with Shodan. Click the link below to see what Censys knows about your public IP address. The link opens in a new browser tab. The best response is "no publicly accessible services". Last reviewed Jan 12, 2026.
Your Customized Censys Query: platform.censys.io/search?q=host.ip "18.97.9.168"
KIMWOLF CHECKER: This article by Brian Krebs from January 2026, The Kimwolf Botnet is Stalking Your Local Network, talks about a huge botnet of infected devices. In response to this Kimwolf botnet, security firm Synthient created a tester page that tells you if your public IP address has been detected as hosting a Kimwolf-infected system. Kimwolf creates a residential proxy network which typically does not open any TCP or UDP ports in the firewall in your router, so it is not something a port scan can detect. The malicious device is not your router, but a Brand X Android TV device, a picture frame or a cellphone running a malicious app. If all is well, the tester page says: "No Threats Detected. We did not find your IP address 1.2.3.4 in our database of compromised Kimwolf devices." (where 1.2.3.4 is your public IP address). Added January 2026.
Has the Kimwolf botnet been detected in your home: synthient.com/check
DNSCHECKER: Click the link below to see if DNSchecker.org finds your public IP address on any blacklists. This is their IP Blacklist & Email Blacklist Checker. It opens in a new browser tab. You will have to click on a blue button that says "Check in Blacklists" to run the checker. They check what appears to be 30 or 40 different blacklist databases and warn that it takes 20 to 40 seconds to check all the blacklists. Here is the top part of a good result (screen shot taken Dec. 2024) with the important part being "Blacklist sites" of zero. Last reviewed Jan 11, 2026
Your Customized DNSchecker Blacklist Query: dnschecker.org/ip-blacklist-checker.php?query=18.97.9.168
VIRUS TOTAL: Click the link below to see what Virus Total knows about your public IP address. It opens in a new browser window/tab. The best result is "No security vendor flagged this IP address as malicious". If you do this while connected to a VPN, it is likely that some vendors will consider the VPN server IP address to be malicious.
Your Customized VirusTotal query: www.virustotal.com/#/ip-address/18.97.9.168
ABUSEIPDB: In their own words: "AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. Our mission is to help make Web safer by providing a central blacklist for webmasters, system administrators, and other interested parties to report and find IP addresses that have been associated with malicious activity online. Report abusive IPs engaging in hacking attempts or other malicious behavior and help fellow sysadmins!" A good result is when your public IP address is not found in their database. This is a screen shot of a bad result. Last reviewed Jan. 2026.
Your Customized AbuseIPDB for your public IP address: abuseipdb.com/check/18.97.9.168
URLSCAN: Click the link below to see what urlscan.io knows about your public IP address. It opens in a new browser tab. The best result is "Not observed on urlscan.io". If you use a VPN, this may confirm that the server is owned by the VPN provider. Last reviewed Jan 11, 2026.
Your Customized urlscan query: urlscan.io/ip/18.97.9.168
IPVOID, from the NoVirusThanks Company, offers an IP Blacklist Checker that checks an IP address against multiple DNS-based blackhole lists and IP reputation services, to facilitate the detection of IP addresses involved in malware incidents and spamming. The service checks in with more than 80 IP reputation and DNSBL services. It is built with the IP Reputation API by APIVoid. Added Jan 11, 2026.
The link to this service can not be customized. So go to the IP Blacklist Check page and enter your public IP address of 18.97.9.168.
URLVOID offers a Website Reputation Checker. Click the link below to see if any websites are hosted on your public IP address. There should not be, so a result of "Something Went Wrong" is good news. The link opens in a new browser window/tab.
Your Customized URLVoid query: www.urlvoid.com/ip/18.97.9.168
GREYNOISE: Click the link below to see what GreyNoise knows about your public IP address. It opens in a new browser window/tab.
Your Customized GreyNoise Query: viz.greynoise.io/ip/18.97.9.168
DOMAIN TOOLS: Click the link below to see information about the ISP assigned to your public IP address. It opens in a new browser window/tab. Note that if you are connected to a VPN, it is not going to show the VPN provider name.
Whois info from Domain Tools: whois.domaintools.com/18.97.9.168
SANS: Click the link below to see what SANS knows about your public IP address. Your public IP address is given a risk rating, among other things. Perhaps the most useful information reported here is whether the IP address was found in any Honeypot logs. The good result is: "no reports from web honeypots for this IP address". The link opens in a new browser tab. Added Feb 23, 2021. Last reviewed Jan 11, 2026.
SANS IP info: isc.sans.edu/ipinfo/18.97.9.168
SECURITY TRAILS: As of December 2024, the SecurityTrails service based on IP addresses is no longer available. They still offer a service based on either a domain name or a hostname. As noted above, a host name is the public name of your router, which was displayed earlier on this page. I don't know that this is of much use.
Click the link below to see what Security Trails knows about the name of your router
Your Customized SecurityTrails query: securitytrails.com/domain/18-97-9-168.crawl.commoncrawl.org
Both queries are keyed off your public IP address. If you load this page from a device connected to a VPN, then the public IP address is that of a VPN server, not your router. Hiding the public IP address of your router is a core function of a VPN. With that in mind, you could use this page as a poor man's VPN tester. You had better see a different public IP address with the VPN connected and disconnected.
Likewise, if this page is loaded from a computer connected to the TOR network, the public IP address will be that of the TOR exit node and not the router.
With billions of computers on the Internet, neither Shodan nor Censys can query each one every day. There is a chance the reports of your current public IP address may be for someone else's router. This can happen because your current public IP address may not have been your IP address yesterday or last week when it was scanned by Shodan. It is not yet clear to me if Censys is reporting real time information or not.
Most consumer Internet connections have dynamic (i.e. variable) IP addresses. When the IP address changes is totally up to your Internet Service Provider. Most of the time, you could care less about your public IP address. But, for Shodan and Censys testing, it matters. They may have last checked the IP address you are currently assigned a week or two ago. In Shodan, look for the "Last Update" field on the left side. Censys does not indicate when their data was collected. At the time these search engines last checked your current IP address, it may have been assigned to someone else. Thus, this could all be a waste of time.
The format of the Shodan Last Update timestamp can be confusing. In the example below
2017-03-08T03:21:44.262872
The date is March 8, 2017, not August 3, 2017. The order is year, month, day. Everything after the T is the time of day.
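The two checks discussed on this page, whether a report is older than your hold on the IP address and whether it lists port 7547 or 4567, can be combined in a few lines. This is an added example, not code from this website or from Shodan: the record is constructed, its key names (ports, last_update) and the ip_held_since value (for instance, from your router's WAN status page) are assumptions, and treating the timestamp as UTC is also an assumption.

```python
from datetime import datetime, timezone

# Ports the page singles out as ISP management back doors.
ISP_BACKDOOR_PORTS = {
    7547: "TR-069 / CWMP remote management",
    4567: "ISP back door (CenturyLink, Verizon)",
}


def parse_last_update(value: str) -> datetime:
    """Parse a 'Last Update' value (ISO 8601: year-month-day, 'T', time).
    Assumption: a value without an offset is UTC."""
    stamp = datetime.fromisoformat(value)
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def triage(record: dict, ip_held_since: datetime, now: datetime) -> dict:
    """Decide whether a host report can describe your router and flag risky ports."""
    scanned = parse_last_update(record["last_update"])
    ports = sorted(record.get("ports", []))
    return {
        "scan_age_days": (now - scanned).days,
        # A scan from before you were assigned this address describes
        # whoever held it then, not your router.
        "describes_your_router": scanned >= ip_held_since,
        "open_ports": ports,
        "isp_backdoor_ports": {p: ISP_BACKDOOR_PORTS[p] for p in ports
                               if p in ISP_BACKDOOR_PORTS},
    }


# Constructed sample: documentation IP address, the example timestamp from above.
SAMPLE = {"ip_str": "203.0.113.7", "ports": [443, 7547],
          "last_update": "2017-03-08T03:21:44.262872"}
```

If describes_your_router is False, the open ports in the report belong to whoever had the address at scan time, so re-check after the next scan before drawing conclusions.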
Finally, Shodan does not query every IP address. You may well get a Not Found error. That's fine. Note that the error message is wrong. What is not found is an IP address, not a website.
The goal, for most people, with a Shodan Report is to have NO open TCP/IP ports. You are most secure with all ports closed. One reason that every article about router security says to disable Remote Administration, is that it opens a port.
The big upside to Shodan is that it can show ports that were opened by IoT devices using the miserably insecure UPnP and NAT-PMP protocols. It also shows ports that are open as a backdoor into the router for an Internet Service Provider. There are two examples of this below. While I am no fan of consumer routers, at least they don't come with ISP backdoors built into them. Shodan also shows some information about the open port(s) and its report is a bit more approachable for non-techies.
A downside to Shodan is that it does not show anything about closed ports that it tested. Ports are not simply open or closed, they can be Open, Closed or Stealthed. For that level of detail, there are many other websites that report on TCP/IP ports listed on the Test Your Router page.