#opendir

Open directories - publicly listable web roots hosting attacker payloads, kits and tools

Subscribe (RSS)


#opendir

Open directories hosting attacker payloads

Subscribe (RSS)

IOCs by window

Today

0

IOCs tagged #opendir

Week

9

IOCs tagged #opendir

Month

45

IOCs tagged #opendir

Year

665

IOCs tagged #opendir

Counts as of 2026-06-29. Regenerated daily.

About #opendir

  • Definition: an HTTP server (often nginx / Apache / IIS) configured with directory autoindex enabled, exposing the contents of a folder. When the folder belongs to an attacker (staging server, kit drop, panel root) the listing reveals payloads, scripts and operator artefacts.
  • Why researchers track them: open directories are a high-yield source of fresh IOCs. A single opendir often hosts multiple loaders, second-stage payloads, exfiltrated-data archives and YARA-friendly scripts; researchers download, hash and tag each artefact in bulk.
  • Detection: for defenders, periodic scans of organisation egress for `Index of /` patterns; for hunters, services like ODIN by The DFIR Report, URLscan tag filters, and certificate-transparency-driven sweeps.
  • References: MITRE ATT&CK T1190 · The DFIR Report.

Recent IOCs tagged #opendir

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/opendir.

Date Type Value Source
Jun 25, 12:28 domain surgical-contacted-processor-raid.trycloudflare.com @smica83
Jun 25, 12:28 url https://surgical-contacted-processor-raid.trycloudflare.com @smica83
Jun 25, 12:24 domain montgomery-reflection-faqs-lee.trycloudflare.com @smica83
Jun 25, 12:24 url https://montgomery-reflection-faqs-lee.trycloudflare.com @smica83
Jun 24, 11:15 domain complicated-damaged-latitude-practice.trycloudflare.com @smica83
Jun 24, 11:15 url https://complicated-damaged-latitude-practice.trycloudflare.... @smica83
Jun 23, 11:02 url http://192.3.177.153:222 @smica83
Jun 23, 11:02 ip 192.3.177.153 @smica83
Jun 23, 11:02 sha256 7c113ba1463710d49641c140c5a40ea6bbaeb8e00f366dda40828c661b17... @smica83
Jun 18, 09:04 domain sunny-dynamic-clocks-sessions.trycloudflare.com @smica83

Related tags

Tags that frequently co-occur with #opendir.

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is an opendir?

An opendir (open directory) is a web folder where directory autoindexing is enabled, exposing all files inside as a clickable listing. When attackers misconfigure their staging servers this way - which happens often - researchers can browse the listing, download every artefact and reverse-engineer the kit or payload set.

How do opendirs end up in this feed?

Public researchers post URLs to attacker opendirs they discover, tagged #opendir. The TweetFeed pipeline picks up these URLs (and the IPs/domains hosting them) and republishes them in CSV, JSON and RSS within 15 minutes. Many opendirs are short-lived: the operator notices the leak and locks down the directory or rotates infrastructure.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Opendir-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Opendir subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Opendir IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).