{"passed":{"dns":[{"id":"subdomain_takeover","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Subdomain Takeover","value":"[not vulnerable]"}],"actual":[{"property":"Subdomain Takeover","value":"[not vulnerable]"}],"severity":4,"cloudscanCategory":"dns","prevCloudscanCategory":"brand_protect","title":"No subdomain takeover vulnerability detected","description":"No dangling DNS records that could lead to subdomain takeover were detected.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn:1234","hekeda.cn:80","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"When subdomains use CNAMEs in their DNS records to point to third party services, the third party addresses can become abandoned and available for registration by attackers. If an attacker registers that third party address and the subdomain continues to point to it, the attacker now controls the content of the subdomain.","riskDetails":"If an attacker registers the address used in the subdomain's CNAME, the attacker can use the subdomain for a number of attack methods. They may be able to control content on the page and use it as a phishing page. If other domains or applications route traffic through this page, they could collect any data (including credentials) sent to it. If other sites load script content from this subdomain, the attacker could inject malicious content.","recommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. 
If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover.","knownExploitedVulnCount":0,"checkID":"subdomain_takeover","category":"domain","controlCheckID":"IM.DS.DA.UQ","passTitle":"No subdomain takeover vulnerability detected","passDescription":"No dangling DNS records that could lead to subdomain takeover were detected.","passGroupDescription":"No applicable sites show vulnerability to subdomain takeover.","failTitle":"Subdomain takeover vulnerability detected","failDescription":"This domain contains a DNS record that points to an unclaimed or decommissioned service. A bad actor could register the service and control the content distributed on the domain.","remediation":"Review the page and remove any dangling DNS records.","issue":"This domain contains a DNS record that points to an unclaimed or decommissioned service. A bad actor could register the service and control the content distributed on the domain.","recommendation":"Review the page and remove any dangling DNS records.","defaultSeverity":4,"categoryTotalCost":8,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"When subdomains use CNAMEs in their DNS records to point to third party services, the third party addresses can become abandoned and available for registration by attackers. If an attacker registers that third party address and the subdomain continues to point to it, the attacker now controls the content of the subdomain.","RiskDetails":"If an attacker registers the address used in the subdomain's CNAME, the attacker can use the subdomain for a number of attack methods. They may be able to control content on the page and use it as a phishing page. If other domains or applications route traffic through this page, they could collect any data (including credentials) sent to it. 
If other sites load script content from this subdomain, the attacker could inject malicious content.","RecommendedRemediation":"Removing the DNS record that links your subdomain to the third domain or IP address will resolve the ability of attackers to hijack the domain. Modifying these records can typically be done by logging into your domain registrar and deleting the appropriate line. If necessary, you can contact the third party service provider and attempt to regain control of the account used for the takeover."}],"ip_domain_reputation":[{"id":"suspected_malware_provider","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Malware","value":"false"}],"actual":[{"property":"Google Safe Browsing > Malware","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not a suspected malware provider","description":"This website does not appear to contain malicious code.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing malware. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for suspected malware distribution when other users report suspicious activity making use of the domain. In the case of malware pages, this indicates that either an attacker or insider are making use of the domain to distribute malware to other users. 
","recommendedRemediation":"","knownExploitedVulnCount":0,"checkID":"suspected_malware_provider","category":"malware","controlCheckID":"IM.IP.MA.UQ","passTitle":"Not a suspected malware provider","passDescription":"This website does not appear to contain malicious code.","passGroupDescription":"No websites appear to contain malicious code.","failTitle":"Suspected malware provider","failDescription":"This website may contain malicious code. The website should be checked and any malicious code removed.","remediation":"Check sites and remove malicious code.","issue":"Websites may contain malicious code (malware). Malware is any program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses, spyware, adware and ransomware.","recommendation":"The owner of the identified domains needs to check the website for malicious code. If any malicious code is found, it needs to be removed as soon as possible.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing malware. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for suspected malware distribution when other users report suspicious activity making use of the domain. In the case of malware pages, this indicates that either an attacker or insider are making use of the domain to distribute malware to other users. 
","RecommendedRemediation":""},{"id":"botnet_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Botnet Activity","value":"false"}],"actual":[{"property":"Botnet Activity","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of botnet activity in the last 30 days","description":"This IP/domain has not been reported as a source of botnet activity in the last 30 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","recommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"botnet_active","category":"malware","controlCheckID":"IM.IP.MA.KA","passTitle":"No reports of botnet activity in the last 30 days","passDescription":"This IP/domain has not been reported as a source of botnet activity in the last 30 days.","passGroupDescription":"No IPs/domains have been reported as a source of botnet activity in the last 30 days.","failTitle":"Suspected of botnet activity","failDescription":"This IP/domain has been reported as a source of botnet activity in the last 30 days. 
The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for botnet activity in the last 30 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","RecommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"brute_force_login_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":"false"}],"actual":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of brute force login attempts in the last 30 days","description":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of gaininig initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence.","riskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","recommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"brute_force_login_active","category":"malware","controlCheckID":"IM.IP.MA.VG","passTitle":"No reports of brute force login attempts in the last 30 days","passDescription":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","passGroupDescription":"No IPs/domains appeared on any list of IPs and domains known to perform brute force login attempts in the last 30 days.","failTitle":"Suspected of brute force login attempt","failDescription":"This IP/domain has appeared on a list of IPs and domains reported for performing brute force login attempts in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for brute force login attempts in the last 30 days. These reports can affect the reputation of the IP/domain and may be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of gaininig initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence.","RiskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. 
Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","RecommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"malware_server_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Malware Server","value":"false"}],"actual":[{"property":"Malware Server","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of malware distribution in the last 30 days","description":"This IP/domain has been reported for distributing malware in the last 30 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"malware_server_active","category":"malware","controlCheckID":"IM.IP.MA.KW","passTitle":"No reports of malware distribution in the last 30 days","passDescription":"This IP/domain has been reported for distributing malware in the last 30 days.","passGroupDescription":"No IPs/domains have been reported for distributing malware in the last 30 days.","failTitle":"Suspected of distributing malware","failDescription":"This IP/domain has been reported for distributing malware in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for distributing malware in the last 30 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. 
Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"unsolicited_scanning_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Scanning","value":"false"}],"actual":[{"property":"Unsolicited Communication > Scanning","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of unsolicited scanning in the last 30 days","description":"This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. This scanning activity can be detected by patterns in the requests sent, and the host performing the unwanted scanning is then reported to shared blocklists.","riskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","recommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"unsolicited_scanning_active","category":"malware","controlCheckID":"IM.IP.MA.XG","passTitle":"No reports of unsolicited scanning in the last 30 days","passDescription":"This IP/domain has not been reported for performing unsolicited scanning in the last 30 days.","passGroupDescription":"No IPs/domains have been reported for performing unsolicited scanning in the last 30 days.","failTitle":"Suspected of unsolicited scanning","failDescription":"This IP/domain has been reported for performing unsolicited scanning in the last 30 days. The server should be checked to ensure this behavior is intentional and not the result of malware.","remediation":"Check IP/domain for offending software.","issue":"IPs/domains have have been reported for performing unsolicited scanning in the last 30 days. This behavior could affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. This scanning activity can be detected by patterns in the requests sent, and the host performing the unwanted scanning is then reported to shared blocklists.","RiskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. 
The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","RecommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"suspected_unwanted_software","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Unwanted Software","value":"false"}],"actual":[{"property":"Google Safe Browsing > Unwanted Software","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not suspected of unwanted software","description":"This website does not appear to be attempting to install unwanted software.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing unwanted software. Unwanted software is less malicious than malware but takes advantage of the end user's compute resources to launch unwanted advertisements and other nuisances. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for being suspected of unwanted software when other users report suspicious activity making use of the domain. In the case of unwanted software pages, this indicates that either an attacker or insider are making use of the domain to distribute such software to other users. 
","recommendedRemediation":"","knownExploitedVulnCount":0,"checkID":"suspected_unwanted_software","category":"malware","controlCheckID":"IM.IP.MA.ZW","passTitle":"Not suspected of unwanted software","passDescription":"This website does not appear to be attempting to install unwanted software.","passGroupDescription":"No websites appear to attempt to install unwanted software.","failTitle":"Suspected of unwanted software","failDescription":"This website may be attempting to install unwanted software. The website should be checked and any offending code removed.","remediation":"Check sites and remove unwanted software.","issue":"Websites may be attempting to install unwanted software on the end-users computer. This is often referred to as grayware, unwanted applications or files that are not classified as malware.","recommendation":"The owner of the identified domains needs to check for any unwanted software and remove any offending code as required.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing unwanted software. Unwanted software is less malicious than malware but takes advantage of the end user's compute resources to launch unwanted advertisements and other nuisances. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for being suspected of unwanted software when other users report suspicious activity making use of the domain. In the case of unwanted software pages, this indicates that either an attacker or insider are making use of the domain to distribute such software to other users. 
","RecommendedRemediation":""},{"id":"suspected_phishing_page","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Phishing","value":"false"}],"actual":[{"property":"Google Safe Browsing > Phishing","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not a suspected phishing page","description":"This site does not appear to be a forgery or imitation of another website.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of being used for phishing. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for suspected phishing when other users report suspicious activity making use of the domain. In the case of phishing pages, this indicates that either an attacker or insider are making use of the domain to send emails that other users have marked as phishing attempts.","recommendedRemediation":"Access to the domain and its mail records should be reviewed to understand whether it has been compromised and used in phishing campaigns. If the site is not maintained, decommissioning it or its mail records may be the easiest way to prevent future abuse. 
If the site has been identified for phishing in error, the classification should be appealed with Google.","knownExploitedVulnCount":0,"checkID":"suspected_phishing_page","category":"malware","controlCheckID":"IM.IP.MA.PA","passTitle":"Not a suspected phishing page","passDescription":"This site does not appear to be a forgery or imitation of another website.","passGroupDescription":"No sites are suspected of forgery or imitating other websites.","failTitle":"Suspected phishing page","failDescription":"This site may be a forgery or imitation of another website. The site should be checked, and remediated if it is a phishing site.","remediation":"Check sites and remove phishing code.","issue":"Websites have been identified as potential phishing pages, which may be attempting to steal users' personal information or credit card details.","recommendation":"The owner of the identified domains needs to check the website for forgery or signs of imitation. If any issues are found, they will need to be remediated as soon as possible to mitigate this risk.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of being used for phishing. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for suspected phishing when other users report suspicious activity making use of the domain. In the case of phishing pages, this indicates that either an attacker or insider are making use of the domain to send emails that other users have marked as phishing attempts.","RecommendedRemediation":"Access to the domain and its mail records should be reviewed to understand whether it has been compromised and used in phishing campaigns. 
If the site is not maintained, decommissioning it or its mail records may be the easiest way to prevent future abuse. If the site has been identified for phishing in error, the classification should be appealed with Google."},{"id":"phishing_site_active","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Phishing Site","value":"false"}],"actual":[{"property":"Phishing Site","value":""}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of phishing activity in the last 30 days","description":"This IP/domain has not been reported as a phishing site in the last 30 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"phishing_site_active","category":"malware","controlCheckID":"IM.IP.MA.EA","passTitle":"No reports of phishing activity in the last 30 days","passDescription":"This IP/domain has not been reported as a phishing site in the last 30 days.","passGroupDescription":"No IPs/domains have been reported as a phishing site in the last 30 days.","failTitle":"Suspected phishing site","failDescription":"This IP/domain has been reported as a phishing site in the last 30 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove phishing code.","issue":"IPs/domains have been reported for phishing sites in the last 30 days. These sites may be compromised and under the control of threat actors.","recommendation":"The owner of the identified IP/domains needs to check for any unwanted software and remove any phishing code.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"botnet_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Botnet Activity","value":"false"}],"actual":[{"property":"Botnet Activity","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of botnet activity in the last 90 days","description":"This IP/domain has not been reported as a source of botnet activity in the last 90 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputaton of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","recommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"botnet_inactive","category":"malware","controlCheckID":"IM.IP.MA.TG","passTitle":"No reports of botnet activity in the last 90 days","passDescription":"This IP/domain has not been reported as a source of botnet activity in the last 90 days.","passGroupDescription":"No IPs/domains have been reported as a source of botnet activity in the last 90 days.","failTitle":"Suspected of botnet activity in last 90 days","failDescription":"This IP/domain appeared on a list of IPs and domains known as sources of botnet activity in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for botnet activity in the last 90 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed communicating with botnet infrastructure may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that are infected with botnet malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation.","RecommendedRemediation":"If a host is suspected of botnet activity, investigate the host to determine whether it has been compromised. 
That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"brute_force_login_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":"false"}],"actual":[{"property":"Unsolicited Communication > Brute Force Login Attempt","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of brute force login attempts in the last 90 days","description":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence. Hosts observed attempting logins in the last 90 days may be compromised or on blocklists.","riskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","recommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"brute_force_login_inactive","category":"malware","controlCheckID":"IM.IP.MA.DQ","passTitle":"No reports of brute force login attempts in the last 90 days","passDescription":"This IP/domain did not appear on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","passGroupDescription":"No IPs/domains appeared on any list of IPs and domains known to perform brute force login attempts in the last 90 days.","failTitle":"Suspected of brute force login attempt in the last 90 days","failDescription":"This IP/domain has appeared on a list of IPs and domains reported for performing brute force login attempts in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for brute force login attempts in the last 90 days. These reports can affect the reputation of the IP/domain and may be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of gaining initial access, attackers use compromised hosts to attempt brute force logins to other hosts. Using compromised hosts for this activity allows the attacker to disguise their presence. Hosts observed attempting logins in the last 90 days may be compromised or on blocklists.","RiskDetails":"A host that has been observed attempting brute force logins may be compromised by an attacker. 
Even if that is not the case, this behavior may cause the domain or IP to be added to a blocklist to prevent future login attempts.","RecommendedRemediation":"If a host has been reported for attempted brute force logins, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"malware_server_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Malware Server","value":"false"}],"actual":[{"property":"Malware Server","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of malware distribution in the last 90 days","description":"This IP/domain has been reported for distributing malware in the last 90 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that have recently been used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"malware_server_inactive","category":"malware","controlCheckID":"IM.IP.MA.QG","passTitle":"No reports of malware distribution in the last 90 days","passDescription":"This IP/domain has been reported for distributing malware in the last 90 days.","passGroupDescription":"No IPs/domains have been reported for distributing malware in the last 90 days.","failTitle":"Suspected of distributing malware in last 90 days","failDescription":"This IP/domain has been reported for distributing malware in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove offending software.","issue":"IPs/domains have been reported for distributing malware in the last 90 days. These reports may affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts observed distributing malware may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that have recently been used for distributing malware may be used to further attack other infrastructure and/or collect sensitive information from an organization's systems. That information can in turn lead to further exploitation. 
Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of distributing malware, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and its cause. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"unsolicited_scanning_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Unsolicited Communication > Scanning","value":"false"}],"actual":[{"property":"Unsolicited Communication > Scanning","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of unsolicited scanning in the last 90 days","description":"This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. Reports of unsolicited scanning in the last 90 days may indicate the host is infected or has been placed on blocklists that will affect availability.","riskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","recommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"unsolicited_scanning_inactive","category":"malware","controlCheckID":"IM.IP.MA.AA","passTitle":"No reports of unsolicited scanning in the last 90 days","passDescription":"This IP/domain has not been reported for performing unsolicited scanning in the last 90 days.","passGroupDescription":"No IPs/domains have been reported for performing unsolicited scanning in the last 90 days.","failTitle":"Suspected of unsolicited scanning in last 90 days","failDescription":"This IP/domain has been reported for performing unsolicited scanning in the last 90 days. The server should be checked to ensure this behavior is intentional and not the result of malware.","remediation":"Check IP/domain for offending software.","issue":"IPs/domains have been reported for performing unsolicited scanning in the last 90 days. This behavior could affect the reputation of the IP/domain and be a symptom of unwanted software installed in the server.","recommendation":"The owner of the identified IPs/domains should check for and remove any offending software.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"As part of reconnaissance activity, attackers will use compromised hosts to scan other hosts with the aim of discovering possible attack methods. Reports of unsolicited scanning in the last 90 days may indicate the host is infected or has been placed on blocklists that will affect availability.","RiskDetails":"There may be other reasons for a host to perform unsolicited scanning, but this behavior can indicate that the host is compromised and running malware responsible for the scanning. 
The presence of the host on blocklists for scanning may result in it being blocked by other users even if the activity is not the result of malware.","RecommendedRemediation":"If a host has been reported for unsolicited scanning, investigate the host to determine whether it has been compromised. That should include reviewing logs to identify the reported activity and the cause of it. If the host is behaving as expected, contact the blocklist owner to have the host removed."},{"id":"phishing_site_inactive","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Phishing Site","value":"false"}],"actual":[{"property":"Phishing Site","value":""}],"severity":1,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"No reports of phishing activity in the last 90 days","description":"This IP/domain has not been reported as a phishing site in the last 90 days.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","riskDetails":"Hosts that have been reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","recommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. 
If the host is behaving as expected, contact the blocklist owner to have the host removed.","knownExploitedVulnCount":0,"checkID":"phishing_site_inactive","category":"malware","controlCheckID":"IM.IP.MA.LG","passTitle":"No reports of phishing activity in the last 90 days","passDescription":"This IP/domain has not been reported as a phishing site in the last 90 days.","passGroupDescription":"No IPs/domains have been reported as a phishing site in the last 90 days.","failTitle":"Suspected phishing site in last 90 days","failDescription":"This IP/domain has been reported as a phishing site in the last 90 days. The server should be checked and any offending software removed.","remediation":"Check IP/domain and remove phishing code.","issue":"IPs/domains have been reported for phishing sites in the last 90 days. These sites may be compromised and under the control of threat actors.","recommendation":"The owner of the identified IP/domains needs to check for any unwanted software and remove any phishing code.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Hosts suspected of phishing may be compromised by attackers. Those hosts are reported on shared blocklists that can affect the reputation of the domain or IP, and interrupt availability when the hosts are blocked.","RiskDetails":"Hosts that have been reported as phishing sites may be compromised in whole or part. Ownership of the domain may have lapsed, allowing attackers to take it over. Hosts that have recently been on blocklists may also have availability issues even if the IP has changed owners.","RecommendedRemediation":"If a host is suspected of being a phishing site, investigate the host to determine whether it has been compromised. 
Reviewing the current and historical site content should help show whether it has been modified to operate as a phishing site. If the host is behaving as expected, contact the blocklist owner to have the host removed."}],"website_sec_v2":[{"id":"referrer_policy_header_v2","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > referrer-policy","value":"[not unsafe-url]"}],"actual":[{"property":"Headers > referrer-policy","value":"[not set]"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"Referrer policy is not unsafe-url","description":"The website's Referrer Policy is not configured to allow unsafe information to be sent in the referrer header.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn:80","hekeda.cn:81","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":"referrer_policy_header","summary":"The Referrer header controls how much information is sent to another site owner when the website links to that site. Providing sufficiently sanitized information to other websites can be done safely, but the \"unsafe\" referrer policy allows excessive information to be passed that may affect the privacy and security of users of your site.","riskDetails":"W3.org writes: \"The policy’s name doesn’t lie; it is unsafe. This policy will leak origins and paths from TLS-protected resources to insecure origins. 
Carefully consider the impact of setting such a policy for potentially sensitive documents.\" The risk is that links to http origins will still include the full URL, potentially leaking data included in the URL to an insecure origin.","recommendedRemediation":"Remove the \"unsafe-url\" directive from the Referrer header.","knownExploitedVulnCount":0,"checkID":"referrer_policy_header_v2","category":"discovery","controlCheckID":"IM.WS.MI.ZW","passTitle":"Referrer policy is not unsafe-url","passDescription":"The website's Referrer Policy is not configured to allow unsafe information to be sent in the referrer header.","passGroupDescription":"No websites have an unsafe Referrer Policy.","failTitle":"Referrer Policy is unsafe-url","failDescription":"The full URL (stripped of parameters) is sent in the referrer header when performing same-origin or cross-origin requests. This can expose sensitive information.","remediation":"Set Referrer-Policy to a value other than unsafe-url.","issue":"Impacted domains send the full URL (stripped of parameters) in the referrer header when performing same-origin or cross-origin requests.","recommendation":"The website needs to set the Referrer Policy to a value other than unsafe-url. This will prevent potentially sensitive information from being sent in the referrer header.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The Referrer header controls how much information is sent to another site owner when the website links to that site. Providing sufficiently sanitized information to other websites can be done safely, but the \"unsafe\" referrer policy allows excessive information to be passed that may affect the privacy and security of users of your site.","RiskDetails":"W3.org writes: \"The policy’s name doesn’t lie; it is unsafe. 
This policy will leak origins and paths from TLS-protected resources to insecure origins. Carefully consider the impact of setting such a policy for potentially sensitive documents.\" The risk is that links to http origins will still include the full URL, potentially leaking data included in the URL to an insecure origin.","RecommendedRemediation":"Remove the \"unsafe-url\" directive from the Referrer header."},{"id":"asp_net_version_header","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-aspnet-version","value":"[not set]"}],"actual":[{"property":"Headers > x-aspnet-version","value":"[not set]"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"ASP.NET version header not exposing specific ASP.net version","description":"Ensuring the ASP.NET version header is not exposing a specific version makes it harder for attackers to exploit certain vulnerabilities.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn:1234","hekeda.cn:80","hekeda.cn:81","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","riskDetails":"An exposed ASP.NET version drastically narrows the attack vector for the server and allows malicious actors to immediately begin probing specific ASP.NET and IIS vulnerabilities for that version. 
Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","recommendedRemediation":"The entire X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Just clearing the value of the header is not enough. Even the presence of the X-AspNet-Version header reveals that some version of ASP.NET and likely IIS is running on the server. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"asp_net_version_header","category":"discovery","controlCheckID":"IM.WS.MI.AA","passTitle":"ASP.NET version header not exposing specific ASP.net version","passDescription":"Ensuring the ASP.NET version header is not exposing a specific version makes it harder for attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites detected to expose specific ASP.NET versions in headers.","failTitle":"Specific ASP.NET version exposed via header","failDescription":"Exposing a specific ASP.NET version in the ASP.NET version header makes it easier for attackers to exploit certain vulnerabilities. The website configuration should be changed to remove this header completely.","remediation":"Remove x-aspnet-version header.","issue":"The impacted websites are exposing the specific ASP.NET version they use in the ASP.NET version header. This makes it far easier for attackers to exploit certain vulnerabilities.","recommendation":"Configure the identified websites so they don’t expose the X-AspNet-Version header. 
This minimizes the risk of an attacker finding an exploit in the website.","defaultSeverity":2,"categoryTotalCost":3,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","RiskDetails":"An exposed ASP.NET version drastically narrows the attack vector for the server and allows malicious actors to immediately begin probing specific ASP.NET and IIS vulnerabilities for that version. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","RecommendedRemediation":"The entire X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Just clearing the value of the header is not enough. Even the presence of the X-AspNet-Version header reveals that some version of ASP.NET and likely IIS is running on the server. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"asp_net_header","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-aspnet-version present","value":"[not present]"}],"actual":[{"property":"Headers > x-aspnet-version present","value":"[not present]"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"ASP.NET version header not exposed","description":"Ensuring the ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn:1234","hekeda.cn:80","hekeda.cn:81","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","riskDetails":"Even if it is not populated, the presence of the X-AspNet-Version header reveals that IIS is running on the system. This drastically narrows the attack vector for the server and allows malicious actors to begin probing known IIS vulnerabilities immediately. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","recommendedRemediation":"The X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"asp_net_header","category":"discovery","controlCheckID":"IM.WS.MI.XG","passTitle":"ASP.NET version header not exposed","passDescription":"Ensuring the ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites detected to expose ASP.NET headers.","failTitle":"Use of ASP.NET exposed via header","failDescription":"Exposing the ASP.NET version header indicates that the site is built with ASP.NET, which makes it easier for attackers to exploit certain vulnerabilities. The website configuration should be changed to remove this header.","remediation":"Remove x-aspnet-version header.","issue":"We've found websites that expose the ASP.NET version header which indicates that the site is built with ASP.NET. This makes it easier for attackers to exploit certain vulnerabilities.","recommendation":"Configure the identified websites so they don’t expose the X-AspNet-Version header. This minimizes the risk of an attacker finding an exploit in the website.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","RiskDetails":"Even if it is not populated, the presence of the X-AspNet-Version header reveals that IIS is running on the system. 
This drastically narrows the attack vector for the server and allows malicious actors to begin probing known IIS vulnerabilities immediately. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","RecommendedRemediation":"The X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."}],"data_leakage":[{"id":"open_cloud_storage","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Open Cloud Storage","value":"[not detected]"}],"actual":[{"property":"Open Cloud Storage","value":"[not detected]"}],"severity":1,"cloudscanCategory":"data_leakage","prevCloudscanCategory":"website_sec","title":"No open cloud storage service detected","description":"No cloud storage service configured to allow anonymous file listing was detected.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn:1234","hekeda.cn:80","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The index page of this domain is a cloud storage bucket that allows file listing. This configuration is a common cause of data leaks and can be avoided even for content intended to be shared publicly.","riskDetails":"Cloud storage configured to be listable at the bucket index provides unnecessary levels of reconnaissance to attackers and potentially exposes files that are meant to be confidential. The risk depends on what files are stored in the bucket but could lead to exposures of internal documents and PII.","recommendedRemediation":"If the bucket is hosting public content, the contents should be audited to ensure all files are intended to be public. Any private files should be moved to a separate bucket used only for private content. 
For public content, the bucket should be configured to disallow anonymous users to list the bucket contents, and only view resources when requested by the full path.","knownExploitedVulnCount":0,"checkID":"open_cloud_storage","category":"domain","controlCheckID":"IM.DL.FS.ZW","passTitle":"No open cloud storage service detected","passDescription":"No cloud storage service configured to allow anonymous file listing was detected.","passGroupDescription":"No applicable sites are cloud storage services configured to allow anonymous access.","failTitle":"Open cloud storage service detected","failDescription":"This domain contains a cloud storage service that allows anonymous access to its file listing. It may also allow anonymous access to its files.","remediation":"Review the cloud storage configuration and remove anonymous access where possible.","issue":"This domain contains a cloud storage service that allows anonymous access to its file listing. It may also allow anonymous access to its files.","recommendation":"Review the cloud storage configuration and remove anonymous access where possible.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":null,"ISO2022Controls":null,"NISTControls":null,"ExcludeFromHardcodedPassedRisks":false,"Summary":"The index page of this domain is a cloud storage bucket that allows file listing. This configuration is a common cause of data leaks and can be avoided even for content intended to be shared publicly.","RiskDetails":"Cloud storage configured to be listable at the bucket index provides unnecessary levels of reconnaissance to attackers and potentially exposes files that are meant to be confidential. The risk depends on what files are stored in the bucket but could lead to exposures of internal documents and PII.","RecommendedRemediation":"If the bucket is hosting public content, the contents should be audited to ensure all files are intended to be public. 
Any private files should be moved to a separate bucket used only for private content. For public content, the bucket should be configured to disallow anonymous users to list the bucket contents, and only view resources when requested by the full path."},{"id":"listable_dirs","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Domain Index","value":"[not a listable directory]"}],"actual":[{"property":"Domain Index","value":"[not a listable directory]"}],"severity":1,"cloudscanCategory":"data_leakage","prevCloudscanCategory":"website_sec","title":"Domain index is not a listable directory","description":"The domain index is not a listable directory.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":null,"sources":["hekeda.cn:1234","hekeda.cn:80","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The page content from the domain's index indicates it is a web directory that provides direct access to the listing of hosted files.","riskDetails":"File hosting and sharing on the web is typically done through some kind of interface other than a raw web directory. The presence of an unstyled web directory may indicate that these files are not intended for public access. If any files are uploaded to this directory that are intended to be private, they would be immediately exposed to public access.","recommendedRemediation":"Review the file listing to ensure that all publicly accessible files have non-sensitive content. 
If the files are intended to be accessed through a website with styling, remove anonymous access to list the web directory and only allow access to the files via the full URL.","knownExploitedVulnCount":0,"checkID":"listable_dirs","category":"discovery","controlCheckID":"IM.DL.FS.UQ","passTitle":"Domain index is not a listable directory","passDescription":"The domain index is not a listable directory.","passGroupDescription":"No applicable sites have a listable directory as their index.","failTitle":"Domain index is a listable directory","failDescription":"The domain index was detected as a listable directory. This can allow attackers to find files that were assumed to be private.","remediation":"Disable directory browsing in your server configuration.","issue":"The domain index was detected as a listable directory. This can allow attackers to find files that were assumed to be private.","recommendation":"Disable directory browsing in the configuration of the identified servers.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The page content from the domain's index indicates it is a web directory that provides direct access to the listing of hosted files.","RiskDetails":"File hosting and sharing on the web is typically done through some kind of interface other than a raw web directory. The presence of an unstyled web directory may indicate that these files are not intended for public access. If any files are uploaded to this directory that are intended to be private, they would be immediately exposed to public access.","RecommendedRemediation":"Review the file listing to ensure that all publicly accessible files have non-sensitive content. 
If the files are intended to be accessed through a website with styling, remove anonymous access to list the web directory and only allow access to the files via the full URL."}]},"failed":{"encryption":[{"id":"ssl_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"SSL","value":"true"}],"actual":[{"property":"SSL","value":"false"}],"severity":5,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL not available","description":"SSL is the standard encryption method for browsing websites. Enabling SSL requires installing an SSL certificate on the site.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-03-09T20:55:24.642175Z","sources":["hekeda.cn:80","hekeda.cn:81","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary.","riskDetails":"Without SSL, all communications between systems are sent in plain text. This plain text can then be intercepted by a third party in what is called a man-in-the-middle (MITM) attack. These attacks target and harvest credentials and other sensitive information, which can in turn be used for further malicious activity. 
Improperly configured SSL/TLS and certificates that are out of date or encrypted with weak algorithms do not provide the necessary protection to prevent MITM attacks, and will make the site unreachable in most browsers.","recommendedRemediation":"Valid SSL/TLS certificates with strong encryption algorithms should be obtained from a trusted authority and properly installed and configured on all internet facing systems. Every system must have its name on the certificate to prevent mismatch errors in the browser. HTTPS should be made mandatory, with the necessary redirects and enforcement in place to ensure no plain text connections are possible. Processes should be established to ensure certificates are renewed before they expire.","knownExploitedVulnCount":0,"checkID":"ssl_enabled","category":"ssl","controlCheckID":"IM.EN.DT.PA","passTitle":"SSL available","passDescription":"SSL is supported for this site.","passGroupDescription":"SSL is supported on all sites.","failTitle":"SSL not available","failDescription":"SSL is the standard encryption method for browsing websites. Enabling SSL requires installing an SSL certificate on the site.","remediation":"Install SSL certificates.","issue":"We've detected websites that lack a valid SSL certificate. Without SSL, website visitors and customers are at higher risk of having their data stolen through man-in-the-middle and other cyber attacks.","recommendation":"Install valid SSL certificates on affected domains. Websites without valid SSL certificates are shown as 'non-secure' in modern browsers and will rank worse in Google and other search engines.","defaultSeverity":5,"categoryTotalCost":29,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. 
They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary.","RiskDetails":"Without SSL, all communications between systems are sent in plain text. This plain text can then be intercepted by a third party in what is called a man-in-the-middle (MITM) attack. These attacks target and harvest credentials and other sensitive information, which can in turn be used for further malicious activity. Improperly configured SSL/TLS and certificates that are out of date or encrypted with weak algorithms do not provide the necessary protection to prevent MITM attacks, and will make the site unreachable in most browsers.","RecommendedRemediation":"Valid SSL/TLS certificates with strong encryption algorithms should be obtained from a trusted authority and properly installed and configured on all internet facing systems. Every system must have its name on the certificate to prevent mismatch errors in the browser. HTTPS should be made mandatory, with the necessary redirects and enforcement in place to ensure no plain text connections are possible. Processes should be established to ensure certificates are renewed before they expire."},{"id":"http_available","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"HTTP Accessible","value":"false"}],"actual":[{"property":"HTTP Accessible","value":"true"}],"severity":4,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"HTTP does not redirect to HTTPS","description":"The domain is still accessible over HTTP. 
All HTTP requests should be redirected to HTTPS.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-04-16T01:43:55.446567Z","sources":["hekeda.cn:80","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The HTTP Still Available check is used to measure whether a server is allowing users to connect to it via HTTP rather than HTTPS. Connecting to a website via HTTPS is more secure as it involves a SSL/TLS-based connection, which encrypts data in transit. Many web browsers will try the HTTP version of a website first before trying the HTTPS version. If you have a proper redirect response on your HTTP port then you will pass this check. You should combine this with proper HSTS settings to ensure browsers always attempt a HTTPS-based connection from the beginning.","riskDetails":"Encrypting data using SSL/TLS prevents any attackers who intercept the data from reading it. If any part of the connection transmits data using HTTP, even if it later uses HTTPS, the data transmitted over HTTP is susceptible to man-in-the-middle attacks. For example, a user might attempt to visit your website and embed their username and password in the URL parameters or the request headers as part of the request. Even if that data is then redirected to an HTTPS connection, it was still transmitted via HTTP.","recommendedRemediation":"All HTTP connections should be redirected to HTTPS connections instead. The method for doing this differs by technology. For some websites, the .htaccess file can be modified to reroute requests to HTTPS. For Microsoft IIS, the URL Rewrite module for IIS will allow you to redirect HTTP requests to HTTPS. HTTPS redirects should always be paired with HTTP Strict Transport Security (HSTS). 
HSTS will ensure no HTTP connections are allowed.","knownExploitedVulnCount":0,"checkID":"http_available","category":"ssl","controlCheckID":"IM.EN.DT.ZW","passTitle":"HTTP requests are redirected to HTTPS","passDescription":"All HTTP requests are redirected to HTTPS.","passGroupDescription":"All HTTP requests are redirected to HTTPS.","failTitle":"HTTP does not redirect to HTTPS","failDescription":"The domain is still accessible over HTTP. All HTTP requests should be redirected to HTTPS.","remediation":"Redirect HTTP requests to HTTPS.","issue":"Websites are still accessible over HTTP. All HTTP requests should be redirected to HTTPS to ensure encrypted communications between the website and its visitors.","recommendation":"Redirect users and search engines to the HTTPS page or resource with server-side 301 HTTP redirects. This ensures all communications are encrypted, preventing certain man-in-the-middle attacks.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The HTTP Still Available check is used to measure whether a server is allowing users to connect to it via HTTP rather than HTTPS. Connecting to a website via HTTPS is more secure as it involves a SSL/TLS-based connection, which encrypts data in transit. Many web browsers will try the HTTP version of a website first before trying the HTTPS version. If you have a proper redirect response on your HTTP port then you will pass this check. You should combine this with proper HSTS settings to ensure browsers always attempt a HTTPS-based connection from the beginning.","RiskDetails":"Encrypting data using SSL/TLS prevents any attackers who intercept the data from reading it. 
If any part of the connection transmits data using HTTP, even if it later uses HTTPS, the data transmitted over HTTP is susceptible to man-in-the-middle attacks. For example, a user might attempt to visit your website and embed their username and password in the URL parameters or the request headers as part of the request. Even if that data is then redirected to an HTTPS connection, it was still transmitted via HTTP.","RecommendedRemediation":"All HTTP connections should be redirected to HTTPS connections instead. The method for doing this differs by technology. For some websites, the .htaccess file can be modified to reroute requests to HTTPS. For Microsoft IIS, the URL Rewrite module for IIS will allow you to redirect HTTP requests to HTTPS. HTTPS redirects should always be paired with HTTP Strict Transport Security (HSTS). HSTS will ensure no HTTP connections are allowed."}],"network_sec_v2":[{"id":"exposed_service:Redis","pass":false,"meta":"'Redis': [listening on port 6379]","vendorOnly":false,"expected":[{"property":"Ports > 'Redis'","value":"[closed]"}],"actual":[{"property":"Ports > 'Redis'","value":"'Redis': [listening on port 6379]"}],"severity":5,"cloudscanCategory":"network_sec_v2","prevCloudscanCategory":"network_sec","title":"'Redis' port open","description":"The 'Redis' service is running and exposed to the internet. The configuration of the server should be reviewed and unnecessary ports closed.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2025-12-15T01:28:23.905624Z","sources":["208.98.40.80","208.98.43.17"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Redis is a NoSQL key-value database that utilizes in-memory data structures rather than operating directly from a hard disk. Redis is developer-friendly and is often integrated into the coding process. 
Redis uses 3 default ports: 6379 for communication, 16379 for intracluster node traffic and 26379 for Redis Sentinel.","riskDetails":"An internet-facing database of any type is under a constant barrage of attacks. Most installations of Redis will use the default port of 6379. This makes it easy to identify servers running this type of database and to try known exploits against them. Even when the port number is changed, the service can still be identified, so changing the port number is not sufficient protection. A compromised database is usually a very high risk event, due to the sensitive nature of most corporate database content.","recommendedRemediation":"All types of databases should be restricted to internal networks, VPNs or other solutions that stop internet-wide visibility. This prevents internet scans and other wide sweeping technologies from seeing the database server at all. If the Redis service is no longer being used, the port should be closed to the internet. If the server must be internet-facing, rigorous care should be taken to maintain patches and updates on the database and server to protect against known vulnerabilities.","knownExploitedVulnCount":0},{"id":"exposed_service:DNS","pass":false,"meta":"'DNS': [listening on port 53]","vendorOnly":false,"expected":[{"property":"Ports > 'DNS'","value":"[closed]"}],"actual":[{"property":"Ports > 'DNS'","value":"'DNS': [listening on port 53]"}],"severity":1,"cloudscanCategory":"network_sec_v2","prevCloudscanCategory":"network_sec","title":"'DNS' port open","description":"The 'DNS' service is running and exposed to the internet. 
The configuration of the server should be reviewed and unnecessary ports closed.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2025-12-15T01:28:23.905624Z","sources":["208.98.40.80","208.98.43.17"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"DNS (Domain Name System) is an essential component of the internet that translates human-readable domain names into machine-readable IP addresses. When a user requests to access a website, their computer sends a request to a DNS server to resolve the domain name to an IP address. The DNS server then returns the IP address for the requested domain, allowing the user's computer to connect to the correct server and access the desired website or resource.","riskDetails":"An open DNS port can pose several risks, including DNS cache poisoning, man-in-the-middle attacks, and amplification attacks. For example, an attacker could use a technique called DNS spoofing to redirect traffic from a legitimate website to a malicious website. This would allow the attacker to steal sensitive information such as passwords and financial information.","recommendedRemediation":"The DNS service should only be available to the internet when absolutely necessary, such as if you are hosting an authoritative domain zone on your servers. In this case, DNS should only be available to a limited number of edge servers that are hardened against attacks and misuse. 
Care should also be taken to ensure that only the proper DNS records are available to internet facing requesters, so as not to reveal the structure of the intranet to would-be attackers.","knownExploitedVulnCount":0},{"id":"exposed_service:HTTP","pass":false,"meta":"'HTTP': [listening on ports 81, 1234]","vendorOnly":false,"expected":[{"property":"Ports > 'HTTP'","value":"[closed]"}],"actual":[{"property":"Ports > 'HTTP'","value":"'HTTP': [listening on ports 81, 1234]"}],"severity":1,"cloudscanCategory":"network_sec_v2","prevCloudscanCategory":"network_sec","title":"'HTTP' port open","description":"The 'HTTP' service is running and exposed to the internet. The configuration of the server should be reviewed and unnecessary ports closed.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2025-12-15T01:28:23.905624Z","sources":["208.98.40.80","208.98.43.17"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP (Hypertext Transfer Protocol) is a protocol used for transmitting data over the internet, specifically for delivering web pages and other web-based content. A HTTP port is a network communication port that allows Hypertext Transfer Protocol (HTTP) traffic to be transmitted between a client and a server. The most commonly used HTTP port is 80.","riskDetails":"An open HTTP port creates the possibility of an unencrypted connection being made between the server and a client. Any information passed across this unencrypted channel is vulnerable to a man-in-the-middle attack where sensitive information, including usernames and passwords, can be read in transit by a malicious third party.","recommendedRemediation":"All web traffic should be conducted over an HTTPS connection, typically using port 443. 
By proactively redirecting or blocking the unencrypted HTTP port, the risk of data interception is greatly reduced.","knownExploitedVulnCount":0},{"id":"unknown_open_port:6380","pass":false,"meta":"Port 6380: [open]","vendorOnly":false,"expected":[{"property":"Ports > Port 6380","value":"[closed]"}],"actual":[{"property":"Ports > Port 6380","value":"Port 6380: [open]"}],"severity":1,"cloudscanCategory":"network_sec_v2","prevCloudscanCategory":"network_sec","title":"Port 6380 is open","description":"Port 6380 is open on this server, however no service was detected listening on this port. The configuration of the server should be reviewed and unnecessary ports closed.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2025-12-15T01:28:23.905624Z","sources":["208.98.40.80","208.98.43.17"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0}],"patch_management":[{"id":"end_of_life_product:cpe:/a:f5:nginx","pass":false,"meta":"NGINX: 1.18.0: 2021-04-20","vendorOnly":false,"expected":[{"property":"End-of-life versions","value":"[none detected]"}],"actual":[{"property":"End-of-life versions","value":"NGINX: 1.18.0: 2021-04-20"}],"severity":4,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"End-of-life version of NGINX detected","description":"The detected version of NGINX is end of life. The product will likely not receive security updates from the vendor moving forward.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2025-12-15T01:28:23.905624Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":"end_of_life_product_provisional:cpe:/a:f5:nginx","summary":"The software product used on this site is advertising a version that is past its end of life (EOL) date. 
EOL software is at higher risk of having unpatched vulnerabilities leading to exploitation.","riskDetails":"End of life software no longer receives security updates, meaning that any newly discovered vulnerabilities will have no fix. The use of EOL software also indicates poor patching cadence, as the software has not been maintained at a level close to the current version.","recommendedRemediation":"The software should be updated to a currently maintained version so that any new security updates can be applied quickly. If the software is running a different version than what is advertised in its server header, updating the server header to the current version can also remediate the detection of an EOL software product.","knownExploitedVulnCount":0},{"id":"end_of_life_product:cpe:/a:php:php","pass":false,"meta":"PHP: 7.3.33: 2021-12-06","vendorOnly":false,"expected":[{"property":"End-of-life versions","value":"[none detected]"}],"actual":[{"property":"End-of-life versions","value":"PHP: 7.3.33: 2021-12-06"}],"severity":4,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"End-of-life version of PHP detected","description":"The detected version of PHP is end of life. The product will likely not receive security updates from the vendor moving forward.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-03-16T10:33:46.048556Z","sources":null,"none":false,"noneReason":null,"prevProvisionalID":"end_of_life_product_provisional:cpe:/a:php:php","summary":"The software product used on this site is advertising a version that is past its end of life (EOL) date. EOL software is at higher risk of having unpatched vulnerabilities leading to exploitation.","riskDetails":"End of life software no longer receives security updates, meaning that any newly discovered vulnerabilities will have no fix. 
The use of EOL software also indicates poor patching cadence, as the software has not been maintained at a level close to the current version.","recommendedRemediation":"The software should be updated to a currently maintained version so that any new security updates can be applied quickly. If the software is running a different version than what is advertised in its server header, updating the server header to the current version can also remediate the detection of an EOL software product.","knownExploitedVulnCount":0},{"id":"vulnerable_software_version:cpe:/a:jquery:jquery:1.9.0","pass":false,"meta":"CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023","vendorOnly":false,"expected":[{"property":"Vulnerabilities > Jquery 1.9.0","value":"[none found]"}],"actual":[{"property":"Vulnerabilities > Jquery 1.9.0","value":"CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023"}],"severity":1,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Jquery 1.9.0 has potential vulnerabilities","description":"Jquery 1.9.0 has vulnerabilities which might be exploitable under certain conditions. 
Affected domains should be checked to determine which vulnerabilities might pose a risk.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-04-16T01:43:55.446567Z","sources":["hekeda.cn:80","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":1},{"id":"vulnerable_software_version:cpe:/a:nginx:nginx:1.18.0","pass":false,"meta":"CVE-2021-3618, CVE-2021-23017, CVE-2022-41741, CVE-2022-41742, CVE-2023-44487, CVE-2025-23419","vendorOnly":false,"expected":[{"property":"Vulnerabilities > NGINX 1.18.0","value":"[none found]"}],"actual":[{"property":"Vulnerabilities > NGINX 1.18.0","value":"CVE-2021-3618, CVE-2021-23017, CVE-2022-41741, CVE-2022-41742, CVE-2023-44487, CVE-2025-23419"}],"severity":1,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"NGINX 1.18.0 has potential vulnerabilities","description":"NGINX 1.18.0 has vulnerabilities which might be exploitable under certain conditions. 
Affected domains should be checked to determine which vulnerabilities might pose a risk.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2025-12-15T01:28:23.905624Z","sources":["208.98.43.17"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":1},{"id":"vulnerable_software_version:cpe:/a:php:php:7.3.33","pass":false,"meta":"CVE-2017-8923, CVE-2022-4900, CVE-2022-31628, CVE-2022-31629, CVE-2022-37454, CVE-2024-5458","vendorOnly":false,"expected":[{"property":"Vulnerabilities > PHP 7.3.33","value":"[none found]"}],"actual":[{"property":"Vulnerabilities > PHP 7.3.33","value":"CVE-2017-8923, CVE-2022-4900, CVE-2022-31628, CVE-2022-31629, CVE-2022-37454, CVE-2024-5458"}],"severity":1,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"PHP 7.3.33 has potential vulnerabilities","description":"PHP 7.3.33 has vulnerabilities which might be exploitable under certain conditions. Affected domains should be checked to determine which vulnerabilities might pose a risk.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-03-16T10:33:46.048556Z","sources":["208.98.43.17"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0}],"website_sec_v2":[{"id":"server_information_header","pass":false,"meta":"nginx/1.18.0","vendorOnly":false,"expected":[{"property":"Headers > server","value":"[does not contain version number]"}],"actual":[{"property":"Headers > server","value":"nginx/1.18.0"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"Server information header exposed","description":"Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. 
The website configuration should be changed to prevent version information being revealed in the 'server' header.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2025-12-15T01:28:23.905624Z","sources":["hekeda.cn:81"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The Server header is specifically used to describe the type and version of web server software, e.g. Server: Apache/2.4.1 (Unix).","riskDetails":"Some technologies populate the Server header by default. If the Server header is exposed, the risk of an attack on the system is increased. The exposed information specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","recommendedRemediation":"The Server header should be removed, blanked out or minimized. The method for doing so differs based on technology. In IIS, a URL rewrite rule can be used to replace the server header with a blank string. In Apache, however, the Server header cannot be blanked out, but can be configured to display only “Apache” by setting “ServerTokens Prod” in the Apache config file. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"server_information_header","category":"discovery","controlCheckID":"IM.WS.MI.VG","passTitle":"Server information header not exposed","passDescription":"Ensuring the server information header is not exposed reduces the ability of attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites are exposing unnecessary server header information.","failTitle":"Server information header exposed","failDescription":"Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. The website configuration should be changed to prevent version information being revealed in the 'server' header.","remediation":"Remove 'server' header.","issue":"The web server information of the impacted websites is exposed. Exposing information about the server version increases the ability of attackers to exploit known vulnerabilities.","recommendation":"Configure these websites to prevent version information from being revealed by removing the 'Server' header. This reduces the chance of attackers successfully exploiting known vulnerabilities.","defaultSeverity":3,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The Server header is specifically used to describe the type and version of web server software, e.g. 
Server: Apache/2.4.1 (Unix).","RiskDetails":"Some technologies populate the Server header by default. If the Server header is exposed, the risk of an attack on the system is increased. The exposed information specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","RecommendedRemediation":"The Server header should be removed, blanked out or minimized. The method for doing so differs based on technology. In IIS, a URL rewrite rule can be used to replace the server header with a blank string. In Apache, however, the Server header cannot be blanked out, but can be configured to display only “Apache” by setting “ServerTokens Prod” in the Apache config file. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"x_powered_by_header","pass":false,"meta":"PHP/7.3.33","vendorOnly":false,"expected":[{"property":"Headers > x-powered-by","value":"[not set]"}],"actual":[{"property":"Headers > x-powered-by","value":"PHP/7.3.33"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"X-Powered-By header exposed","description":"The X-Powered-By header reveals information about specific technology used on the server. This information can be used to exploit vulnerabilities. The server configuration should be changed to remove this header.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-03-16T10:33:46.048556Z","sources":["hekeda.cn:81"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. 
Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The X-Powered-By header is specifically used to describe technologies in use on the server, such as the type and version of web server software or PHP.","riskDetails":"Some technologies populate the X-Powered-By header by default. If the X-Powered-By header is exposed, the risk of an attack on the server is increased. The exposed information often specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","recommendedRemediation":"The X-Powered-By header should be removed. The specific process for this varies by technology. PHP versions can often be found in the X-Powered-By field. This can be disabled by switching “expose_php” to OFF in php.ini. In Microsoft IIS, the header can be removed under HTTP Response Headers in the GUI. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"x_powered_by_header","category":"discovery","controlCheckID":"IM.WS.MI.PA","passTitle":"X-Powered-By header not exposed","passDescription":"Information about specific technology used on the server is obscured.","passGroupDescription":"No sites are exposing the X-Powered-By header.","failTitle":"X-Powered-By header exposed","failDescription":"The X-Powered-By header reveals information about specific technology used on the server. This information can be used to exploit vulnerabilities. 
The server configuration should be changed to remove this header.","remediation":"Remove X-Powered-By header.","issue":"We've found websites that have their X-Powered-By header exposed. This header reveals information about the specific technology used to run the website which could be used to find known vulnerabilities that can be exploited.","recommendation":"The website needs to stop exposing the X-Powered-By header. This reduces the risk that an attacker will be able to find an exploitable vulnerability in the software running the website.","defaultSeverity":3,"categoryTotalCost":4,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The X-Powered-By header is specifically used to describe technologies in use on the server, such as the type and version of web server software or PHP.","RiskDetails":"Some technologies populate the X-Powered-By header by default. If the X-Powered-By header is exposed, the risk of an attack on the server is increased. The exposed information often specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","RecommendedRemediation":"The X-Powered-By header should be removed. The specific process for this varies by technology. 
PHP versions can often be found in the X-Powered-By field. This can be disabled by switching “expose_php” to OFF in php.ini. In Microsoft IIS, the header can be removed under HTTP Response Headers in the GUI. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"x_frame_options_header_v2","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-frame-options","value":"[deny or sameorigin]"}],"actual":[{"property":"Headers > x-frame-options","value":"[not set]"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"X-Frame-Options is not deny or sameorigin","description":"Browsers may display this website's content in frames. This can lead to clickjacking attacks.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-04-16T01:43:55.446567Z","sources":["hekeda.cn:80","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":"x_frame_options_header","summary":"X-Frame-Options is a server header that dictates whether a page is allowed to be rendered using the  <frame>, <iframe>, <embed> or <object> tags. This measure prevents attackers from rendering a page within a frame they control, where they can then gather inputs to the page like login credentials.","riskDetails":"The deny and sameorigin options control if or when a page is allowed to be rendered in a frame. The \"deny\" option prevents the page from being rendered in a frame and provides blanket protection if there is never a need for the page to be in a frame. The \"sameorigin\" option specifies that the page can only be rendered in a frame on the same domain, preventing attacker-controlled domains from presenting the page. 
Missing these directives enables click-jacking attacks where the user interacts with the page without knowing that the attacker can intercept any inputs or actions they take.","recommendedRemediation":"Add a server header for X-Frame-Options with an option of \"deny\" if there is no need for the site to appear in a frame, or \"sameorigin\" to restrict this option to other pages on the same domain.","knownExploitedVulnCount":0,"checkID":"x_frame_options_header_v2","category":"clickjacking","controlCheckID":"IM.WS.CJ.PA","passTitle":"X-Frame-Options is not deny or sameorigin","passDescription":"Browsers are prevented from displaying this website's content in frames. This helps mitigate clickjacking attacks.","passGroupDescription":"All websites have safely implemented the X-Frame-Options header.","failTitle":"X-Frame-Options is not deny or sameorigin","failDescription":"Browsers may display this website's content in frames. This can lead to clickjacking attacks.","remediation":"Set X-Frame-Options to deny or sameorigin.","issue":"Impacted domains allow browsers to display their content in frames. This can lead to clickjacking attacks.","recommendation":"The website needs to set the X-Frame-Options header to deny or sameorigin. Alternatively, configure a Content Security Policy with the frame-ancestors directive. This will prevent browsers from displaying the website's content in frames.","defaultSeverity":3,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"X-Frame-Options is a server header that dictates whether a page is allowed to be rendered using the  <frame>, <iframe>, <embed> or <object> tags. 
This measure prevents attackers from rendering a page within a frame they control, where they can then gather inputs to the page like login credentials.","RiskDetails":"The deny and sameorigin options control if or when a page is allowed to be rendered in a frame. The \"deny\" option prevents the page from being rendered in a frame and provides blanket protection if there is never a need for the page to be in a frame. The \"sameorigin\" option specifies that the page can only be rendered in a frame on the same domain, preventing attacker-controlled domains from presenting the page. Missing these directives enables click-jacking attacks where the user interacts with the page without knowing that the attacker can intercept any inputs or actions they take.","RecommendedRemediation":"Add a server header for X-Frame-Options with an option of \"deny\" if there is no need for the site to appear in a frame, or \"sameorigin\" to restrict this option to other pages on the same domain."},{"id":"content_security_policy_header_v2","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > content-security-policy","value":"[valid policy]"}],"actual":[{"property":"Headers > content-security-policy","value":"[not set]"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"CSP is not implemented","description":"No valid Content Security Policy is implemented. This increases the risk of XSS and clickjacking attacks.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-04-16T01:43:55.446567Z","sources":["hekeda.cn:80","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":"content_security_policy_header","summary":"A Content-Security-Policy header defines directives for server governance on website behaviors through the HTTP header, though you can also supply HTML meta tags with a string-matching attribute that sets a CSP for the page. 
With your CSP, you define the approved origins for content that browsers will load on your website, such as JavaScript, CSS stylesheets, images, and more.","riskDetails":"Without a CSP, malicious actors can inject their preferred content into your website, such as injecting a malicious script in a cross-site scripting attack or manipulating user behavior through a clickjacking attack. XSS attacks and UI redress are two attack vulnerabilities that could be exploited without a Content Security Policy that defines authorized content sources.","recommendedRemediation":"To create the Content Security Policy for your website, you will need to update the configuration file containing your HTTP Response header. Different server setups and hosting platforms require different approaches to your configuration files. For example, you update the .htaccess or .httpd.conf files for Apache web servers, whereas NGINX servers require modification in the server block.","knownExploitedVulnCount":0,"checkID":"content_security_policy_header_v2","category":"xss","controlCheckID":"IM.WS.CJ.UQ","passTitle":"CSP implemented","passDescription":"A Content Security Policy is implemented to help protect against XSS and clickjacking attacks.","passGroupDescription":"All websites have a Content Security Policy implemented.","failTitle":"CSP is not implemented","failDescription":"No valid Content Security Policy is implemented. This increases the risk of XSS and clickjacking attacks.","remediation":"Design and implement a Content Security Policy.","issue":"Impacted domains do not have a valid Content Security Policy implemented. 
This increases the risk of XSS and clickjacking attacks.","recommendation":"A Content Security Policy for this website should be designed and implemented.","defaultSeverity":3,"categoryTotalCost":8,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"A Content-Security-Policy header defines directives for server governance on website behaviors through the HTTP header, though you can also supply HTML meta tags with a string-matching attribute that sets a CSP for the page. With your CSP, you define the approved origins for content that browsers will load on your website, such as JavaScript, CSS stylesheets, images, and more.","RiskDetails":"Without a CSP, malicious actors can inject their preferred content into your website, such as injecting a malicious script in a cross-site scripting attack or manipulating user behavior through a clickjacking attack. XSS attacks and UI redress are two attack vulnerabilities that could be exploited without a Content Security Policy that defines authorized content sources.","RecommendedRemediation":"To create the Content Security Policy for your website, you will need to update the configuration file containing your HTTP Response header. Different server setups and hosting platforms require different approaches to your configuration files. 
For example, you update the .htaccess or .httpd.conf files for Apache web servers, whereas NGINX servers require modification in the server block."},{"id":"x_content_type_options_header_v2","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-content-type-options","value":"nosniff"}],"actual":[{"property":"Headers > x-content-type-options","value":"[not set]"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"X-Content-Type-Options is not nosniff","description":"Browsers may interpret files as a different MIME type than what is specified in the Content-Type HTTP header. This can lead to MIME confusion attacks.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-04-16T01:43:55.446567Z","sources":["hekeda.cn:80","www.hekeda.cn:80"],"none":false,"noneReason":null,"prevProvisionalID":"x_content_type_options_header","summary":"The X-Content-Type-Options header is not set to \"nosniff,\" an option that prevents MIME type sniffing. This header ensures that the content types defined in the Content-Type header are used and not changed.","riskDetails":"Multipurpose Internet Mail Extension (MIME) content types are subject to content sniffing attacks, in which the attacker turns non-executable MIME types into executable MIME types. Without this option, an attacker may attempt cross-site scripting by uploading a non-executable content type (like an image) that contains script content that would be executed when another user accesses the file. The \"nosniff\" option ensures that content is only treated as an image and not script.","recommendedRemediation":"In the file that configures your server headers, add the header X-Content-Type-Options: nosniff. 
You should also ensure that the Content-Type is set correctly for the content you are expecting to serve, and test that the site renders as desired after the change.","knownExploitedVulnCount":0,"checkID":"x_content_type_options_header_v2","category":"xss","controlCheckID":"IM.WS.MI.UQ","passTitle":"X-Content-Type-Options is not nosniff","passDescription":"Browsers are prevented from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header. This helps mitigate MIME confusion attacks.","passGroupDescription":"All sites have set X-Content-Type-Options to nosniff","failTitle":"X-Content-Type-Options is not nosniff","failDescription":"Browsers may interpret files as a different MIME type than what is specified in the Content-Type HTTP header. This can lead to MIME confusion attacks.","remediation":"Set X-Content-Type-Options to nosniff","issue":"Impacted domains are not preventing MIME sniffing by setting the X-Content-Type-Options header to nosniff. This can lead to MIME confusion attacks.","recommendation":"The website needs to set the X-Content-Type-Options header to nosniff. This will prevent browsers from interpreting files as a different MIME type than what is specified in the Content-Type HTTP Header.","defaultSeverity":2,"categoryTotalCost":1,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The X-Content-Type-Options header is not set to \"nosniff,\" an option that prevents MIME type sniffing. This header ensures that the content types defined in the Content-Type header are used and not changed.","RiskDetails":"Multipurpose Internet Mail Extension (MIME) content types are subject to content sniffing attacks, in which the attacker turns non-executable MIME types into executable MIME types. 
Without this option, an attacker may attempt cross-site scripting by uploading a non-executable content type (like an image) that contains script content that would be executed when another user accesses the file. The \"nosniff\" option ensures that content is only treated as an image and not script.","RecommendedRemediation":"In the file that configures your server headers, add the header X-Content-Type-Options: nosniff. You should also ensure that the Content-Type is set correctly for the content you are expecting to serve, and test that the site renders as desired after the change."},{"id":"unmaintained_page","pass":false,"meta":"Status Code: 404","vendorOnly":false,"expected":[{"property":"Unmaintained Page","value":"[not detected]"}],"actual":[{"property":"Unmaintained Page","value":"Status Code: 404"}],"severity":1,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"Unmaintained page detected","description":"This domain appears to be unmaintained based on indicators like page content or status code. Unmaintained pages expand the attack surface for malicious actors.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2025-12-15T01:28:23.905624Z","sources":["hekeda.cn:1234"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The response from the page indicates that it is a default server page or otherwise not configured and maintained for use.","riskDetails":"Unmaintained assets increase the size of the attack surface and are more likely not to be continuously monitored and updated. These additional points on the attack surface give attackers more potential areas to target.","recommendedRemediation":"Sites that are not used should be decommissioned to reduce the attack surface. 
If the domain is hosting pages that are in use on some other URL and the index of the domain is not intended for the public, access should be removed.","knownExploitedVulnCount":0,"checkID":"unmaintained_page","category":"discovery","controlCheckID":"IM.WS.MI.DQ","passTitle":"No unmaintained page detected","passDescription":"The page appears to be maintained.","passGroupDescription":"All applicable sites appear to be maintained.","failTitle":"Unmaintained page detected","failDescription":"This domain appears to be unmaintained based on indicators like page content or status code. Unmaintained pages expand the attack surface for malicious actors.","remediation":"Review the page and decommission it if it is not active or maintained.","issue":"This domain appears to be unmaintained based on indicators like page content or status code. Unmaintained pages expand the attack surface for malicious actors.","recommendation":"Review the page and decommission it if it is not active or maintained.","defaultSeverity":1,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The response from the page indicates that it is a default server page or otherwise not configured and maintained for use.","RiskDetails":"Unmaintained assets increase the size of the attack surface and are more likely not to be continuously monitored and updated. These additional points on the attack surface give attackers more potential areas to target.","RecommendedRemediation":"Sites that are not used should be decommissioned to reduce the attack surface. 
If the domain is hosting pages that are in use on some other URL and the index of the domain is not intended for the public, access should be removed."}],"dns":[{"id":"dnssec_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"DNSSEC enabled","value":"true"}],"actual":[{"property":"DNSSEC enabled","value":"false"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"network_sec","title":"DNSSEC not enabled","description":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.","checkedAt":"2026-04-16T01:43:55.446567Z","dateDetected":"2026-04-14T06:20:49.88824Z","sources":["hekeda.cn"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","riskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","recommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. 
The specifics of each step vary depending on the platforms and vendors in play.","knownExploitedVulnCount":0,"checkID":"dnssec_enabled","category":"dns","controlCheckID":"IM.DS.DA.PA","passTitle":"DNSSEC enabled","passDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity.","passGroupDescription":"All applicable sites have DNSSEC enabled.","failTitle":"DNSSEC not enabled","failDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.","remediation":"Configure DNSSEC for domain.","issue":"We've detected that DNSSEC is missing from some domains. DNSSEC provides DNS resolvers origin authentication of DNS data, authenticated denial of existence and data integrity but not availability or confidentiality.","recommendation":"The domain owner should turn on DNSSEC for all domains. This can generally be done at their domain name registrar.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.2"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","RiskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. 
This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","RecommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. The specifics of each step vary depending on the platforms and vendors in play."}]},"cstarScore":0,"publicScore":186,"vendorName":"Hekeda.cn","name":"Hekeda.cn","display_name":"Hekeda.cn","vendorId":4580900304257024,"business":{},"address":{},"ceo":{},"primaryHostname":"hekeda.cn"}