Vulnerability Scanner
A vulnerability scanner systematically probes hosts and services for known security weaknesses — outdated software versions, misconfigurations, default credentials, and unpatched CVEs — to build an exploitation roadmap. Unlike simple port scanners, vulnerability scanners send crafted payloads to enumerate software banners and test specific exploits. Unsolicited vulnerability scans are a precursor to targeted attacks and indicate active adversarial reconnaissance.
🔍Indicators
- HTTP requests containing scanner user-agent strings (e.g., Nikto, Nessus, OpenVAS, Nuclei)
- Rapid sequential requests to common vulnerability paths (/wp-admin, /.env, /phpmyadmin, /cgi-bin/)
- Banner-grabbing connections that immediately close after receiving the service response
- Requests for non-existent resources with exploit-like payloads (path traversal, SQLi probes)
- Unusual spikes in 400/404/500 HTTP errors from a single source IP
🛡Detection Methods
Detect scanner user-agents in web server logs

```shell
# Grep Nginx/Apache logs for common scanner signatures, then count hits per source IP
grep -Ei "(nikto|nessus|openvas|nuclei|masscan|zgrab|sqlmap|dirbuster|gobuster)" \
  /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn
```

ModSecurity WAF rule (OWASP CRS)

```apache
# The OWASP Core Rule Set includes scanner detection out of the box
# Enable in Apache/Nginx with:
SecRuleEngine On
SecRule REQUEST_HEADERS:User-Agent \
  "@pmFromFile scanners-user-agents.data" \
  "id:913100,phase:1,deny,log,msg:'Scanner detected'"
```

Fail2ban — HTTP scanner jail

```ini
# Jail definition (e.g. in /etc/fail2ban/jail.local)
[scanner-detect]
enabled = true
filter = scanner-detect
logpath = /var/log/nginx/access.log
maxretry = 10
findtime = 30
bantime = 86400
```

```ini
# /etc/fail2ban/filter.d/scanner-detect.conf
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) /(\.env|\.git|wp-admin|phpmyadmin|admin|backup)
ignoreregex =
```

Suricata rule

```
alert http any any -> $HTTP_SERVERS any \
  (msg:"SCAN Nikto web scanner"; content:"Nikto"; http_header; sid:2000001; rev:1;)
```
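The grep and Fail2ban checks above each cover one indicator; the following is an added example (not code from the original page) that runs the same logic in a single pass over combined-format Nginx/Apache access-log lines and flags a source IP on any of three indicators listed earlier: a scanner user-agent, a probe of a common vulnerability path, or more than 20 404 responses inside a sliding 60-second window. The log lines, thresholds and regexes are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Nginx/Apache "combined" format: ip - user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SCANNER_UA = re.compile(r"nikto|nessus|openvas|nuclei|masscan|zgrab|sqlmap|dirbuster|gobuster", re.I)
PROBE_PATH = re.compile(r"^/(\.env|\.git|wp-admin|phpmyadmin|cgi-bin|admin|backup)\b")
WINDOW, MAX_404 = timedelta(seconds=60), 20  # assumed thresholds; tune per site

def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def flag_scanners(lines):
    """Return {ip: set(reasons)} for sources matching the scanner indicators."""
    reasons = defaultdict(set)
    recent_404 = defaultdict(list)  # ip -> 404 timestamps still inside the sliding window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing on them
        ip = rec["ip"]
        if SCANNER_UA.search(rec["ua"]):
            reasons[ip].add("scanner user-agent")
        if PROBE_PATH.match(rec["path"]):
            reasons[ip].add("vuln-path probe")
        if rec["status"] == 404:
            recent_404[ip] = [t for t in recent_404[ip] if rec["time"] - t <= WINDOW] + [rec["time"]]
            if len(recent_404[ip]) > MAX_404:
                reasons[ip].add("404 burst")
    return dict(reasons)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Nikto/2.1.6)"',
    '203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.9 - - [10/May/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
] + [  # one client producing 25 not-found responses within 25 seconds: a 404 burst
    f'192.0.2.5 - - [10/May/2024:12:01:{i:02d} +0000] "GET /x{i} HTTP/1.1" 404 153 "-" "python-requests/2.31"'
    for i in range(25)
]
```

Feed `flag_scanners()` the lines of a real access log to get the flagged IPs and the indicator each one tripped; the legitimate client 198.51.100.9 in the sample is not reported.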
✅Mitigation
- Deploy a Web Application Firewall (WAF) — Use OWASP ModSecurity Core Rule Set or a cloud WAF (Cloudflare, AWS WAF) to block scanner signatures automatically.
- Hide software version banners — Disable Server: headers in Nginx/Apache, suppress X-Powered-By, and use generic error pages to deny banner-grabbing.
- Apply patches promptly — Subscribe to CVE feeds for software you run; automate OS-level patches with unattended-upgrades (Debian/Ubuntu).
- Run your own scans first — Schedule weekly internal scans with Nessus Essentials, OpenVAS, or Nuclei so you discover vulnerabilities before attackers do.
- Rate-limit and challenge suspicious IPs — Return CAPTCHA or 429 responses to IPs triggering more than 20 404 errors per minute.
- Implement honeypot paths — Add fake /phpmyadmin or /.env routes that immediately ban any IP that accesses them.
- Review and restrict exposed services — Every exposed service is a scanner target; move admin interfaces behind VPN or IP allowlists.
📋Real-World Examples
2021 — Log4Shell mass scanning (CVE-2021-44228): Within hours of the Log4j vulnerability disclosure on December 9, 2021, threat actors deployed automated vulnerability scanners across the entire IPv4 internet probing for the ${jndi:ldap://} payload in HTTP headers. Researchers at Check Point observed over 840,000 exploit attempts within 72 hours.
2019 — Capital One breach (AWS misconfiguration scanner): The attacker used a custom vulnerability scanner to probe AWS EC2 metadata endpoints (169.254.169.254) across hundreds of misconfigured WAF instances, ultimately extracting IAM credentials that enabled exfiltration of 100 million customer records.