IP address investigation

Kaspersky Threat Intelligence Portal enables you to search for information about IP addresses.

For reserved IP addresses, only general and WHOIS information is displayed. Detailed reports are not provided.

General information about IP address

Kaspersky Threat Intelligence Portal provides the following general information about IP addresses:

Status: Shows whether the requested IP address generates malicious activity. The IP address can have one of the following statuses:

Good—IP address does not generate malicious activity.

No threats detected—IP address was scanned and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section.

Not trusted—IP address may host malicious objects. Its threat score is from 50 to 74.

Adware and other—There are objects related to the IP address that can be classified as Not-a-virus.

Dangerous—IP address hosts malicious objects.

Not categorized—No or not enough information about the IP address is available to define the category.

Country flag: Flag of the country that the requested IP address belongs to. When you hover your mouse over a flag, a tooltip with the country name appears. For IP addresses that do not belong to any country, a flag with a question mark and the tooltip No information are displayed.

Hits: Hit number (popularity) of the requested IP address, rounded to the nearest power of 10.

First seen: Date and time when the requested IP address first appeared in Kaspersky expert systems statistics, according to your computer's local time zone.

Threat score: Probability (0 to 100) that the requested IP address will prove dangerous. Kaspersky expert systems classify an IP address as dangerous if its threat score is greater than 74.

Owner name: Name of the requested IP address owner.

Owner ID: ID of the requested IP address owner according to the registry database.

Created: Date when the requested IP address was registered.

Updated: Date when information about the requested IP address was last updated.

Categories: Categories of the requested IP address. If the IP address does not belong to any defined category, the General category is displayed.

Reports: Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you have a valid commercial license for the corresponding service and the requested IP address is related to an APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.

Data Feeds: List of Threat Data Feeds that contain information about the requested IP address. You can click a link to view the list of available feeds on the Threat Data Feeds page.

If you want an IP address to be processed as a web address, run a request using Kaspersky Threat Intelligence Portal API.

Graphical information about IP address

A timeline shows detection statistics for certain historical periods. Changes in the zone of a categorized object are displayed for two months (by default) or two years. The timeline is generated only when detection statistics for the period are available for the specific object.

The timeline shows changes only for the following statuses:

If you pause the mouse pointer on a certain point of the timeline, Kaspersky Threat Intelligence Portal displays the date and time of the detection and the category of the object.

The category and status of the object on the timeline might not match the category in Categories and the status in the object lookup results, because different methods are applied.

Additional information about IP address

Kaspersky Threat Intelligence Portal provides additional information about the requested IP address displayed in separate tables. You can export data from these tables as separate archives.

WHOIS

Description: WHOIS information for the requested IP address.

Table fields:
IP range—Range of IP addresses in the network that the requested IP address belongs to.
Net name—Name of the network that the requested IP address belongs to.
Net description—Description of the network that the requested IP address belongs to.
Created—Date when the requested IP address was registered.
Changed—Date when information about the requested IP address was last updated.
AS description—Autonomous system description.
ASN—Autonomous system number according to RFC 1771 and RFC 4893.
Contact—Contact type (person or organization).
Name—Contact name.
Role—Role of a contact (for example, owner).
Address—Postal address that is registered for the IP address.
Phone / Fax—Phone/fax number of a contact.
Email—Email address of a contact.

DNS resolutions for IP address

Description: Passive DNS (pDNS) information for the requested IP address.

Table fields:
Status—Status of domains.
Hits—Number of times that the domain resolved to the requested IP address.
Domain—Domain that resolves to the requested IP address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the domain.
First resolved—Date and time when the domain first resolved to the requested IP address, according to your computer's local time zone.
Last resolved—Date and time when the domain last resolved to the requested IP address, according to your computer's local time zone.
Peak date—Date of the maximum number of domain resolutions to the requested IP address.
Daily peak—Maximum number of domain resolutions to the requested IP address per day.

Comments: Items in the table are grouped by status. Items in each group are sorted in descending order by the Last resolved field.

Files related to IP address

Description: MD5 hashes of files that are related to web addresses containing domains that resolve to the requested IP address, and MD5 hashes of files that accessed the requested IP address.

Table fields:
Status—Status of downloaded files.
Hits—Number of times that a file was downloaded from the requested IP address, as detected by Kaspersky expert systems.
File MD5—MD5 hash of the downloaded file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.
Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
URL—Web addresses used to download the file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address.
Last seen—Date and time when the file was last downloaded from the requested IP address, according to your computer's local time zone.
First seen—Date and time when the file was first downloaded from the requested IP address, according to your computer's local time zone.

Comments: Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field, in descending order.

Hosted URLs

Description: Web addresses that contain the requested IP address and web addresses of the domain that resolves to the requested IP address.

Table fields:
Status—Status of web addresses and domains.
Hits—Number of web address detections by Kaspersky expert systems.
URL—Detected web address. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address.
First seen—Date and time when the web address was first detected, according to your computer's local time zone.
Last seen—Date and time when the web address was last detected, according to your computer's local time zone.

Comments: Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field, in descending order.

URL masks

Description: Masks, detected by Kaspersky expert systems, for web addresses that contain the requested IP address and for web addresses of the domain that resolves to the requested IP address. If a mask is included in Threat Data Feeds, the feed names are also displayed.

Table fields:
Status—Status of web addresses covered by the corresponding mask (Dangerous, Not trusted, or Adware and other).
Type—Type of the mask.
Mask—Web address mask. Each item in the list is clickable—you can click it to navigate to the Threat Lookup results page, which shows investigation results for the web address mask. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation.
Feeds—Threat Data Feeds that contain the web address mask. In this field, any of the following Threat Data Feeds can be displayed: Malicious URL Data Feed, Phishing URL Data Feed, Botnet CC URL Data Feed, APT URL Data Feed, and APT IP Data Feed. If a mask is detected by Kaspersky expert systems but is not included in any of these Threat Data Feeds, "—" is displayed. Each item in this list is clickable—you can click it to navigate to the corresponding Threat Data Feed on the Data Feeds page.

Spam attacks

Description: Information about spam attacks associated with the requested IP address.

Table fields:
Number of attacks—Number of spam attacks.
Spam ratio—The ratio of spam to other content.
Attack type—Types of attacks (Unknown, Phishing, Spoofing).

Comments: The Spam attack statistics graph shows the number of spam attacks in the last six months.

Phishing attacks

Description: Information about phishing attacks associated with the requested IP address.

Table fields:
Number of attacks—Number of phishing attacks.
Phishing kit—Name of the phishing kit (a set of materials and tools) used during the phishing attack.
Stolen data type—Type of data stolen during the phishing attack (for example, user names or passwords).
Attacked industry—Target industry of the phishing attack.
Attacked organization—Target organization of the phishing attack.

Comments: The Phishing attack statistics graph shows the number of phishing attacks in the last six months.
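The rules documented above can be applied locally when triaging exported lookup data: the threat-score bands behind the Status field, the Hits value rounded to the nearest power of 10, and the grouping and sort order of the DNS resolutions and Files related to IP address tables. The following is an added example, not code from Kaspersky Threat Intelligence Portal; the record layout, the sample rows and the order in which status groups appear are assumptions.

```python
"""Apply this page's documented classification and ordering rules to a constructed
IP lookup result. Added example: the portal's real response format is not assumed."""
from datetime import datetime
from itertools import groupby

# Group order is an assumption: the page lists statuses but not their table order.
STATUS_ORDER = ["Dangerous", "Not trusted", "Adware and other",
                "Good", "No threats detected", "Not categorized"]


def status_from_score(score: int) -> str:
    """Above 74 is Dangerous and 50 to 74 is Not trusted, as documented;
    lower scores map to Good (assumption)."""
    if not 0 <= score <= 100:
        raise ValueError("threat score must be between 0 and 100")
    if score > 74:
        return "Dangerous"
    return "Not trusted" if score >= 50 else "Good"


def round_hits(hits: int) -> int:
    """Round a hit count to the nearest power of 10, as the Hits field is."""
    if hits < 1:
        return 0
    lo = 1
    while lo * 10 <= hits:
        lo *= 10
    return lo if hits - lo < lo * 10 - hits else lo * 10


def order_table(rows, sort_fields):
    """Group rows by status (STATUS_ORDER), then sort each group by sort_fields
    in descending order: ("last_resolved",) for the pDNS table, ("hits",
    "last_seen") for the Files related to IP address table."""
    rank = {s: i for i, s in enumerate(STATUS_ORDER)}
    by_status = sorted(rows, key=lambda r: rank.get(r["status"], len(rank)))
    ordered = []
    for _, group in groupby(by_status, key=lambda r: r["status"]):
        ordered.extend(sorted(group, reverse=True,
                              key=lambda r: tuple(r[f] for f in sort_fields)))
    return ordered


# Constructed pDNS rows for the "DNS resolutions for IP address" table.
PDNS_ROWS = [
    {"domain": "example.test", "status": "Good", "last_resolved": datetime(2024, 1, 5)},
    {"domain": "evil.example.test", "status": "Dangerous", "last_resolved": datetime(2024, 1, 2)},
    {"domain": "cdn.example.test", "status": "Good", "last_resolved": datetime(2024, 1, 9)},
]
```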
