Open API requests

GET
/api/myip

Return your client IP address

This method is open to use. There is no need for an API key.

Request URL

curl -XGET https://www.onyphe.io/api/myip

Parameters

  • None

Sample response

{
  "error": 0,
  "myip": "<redacted>",
  "status": "ok"
}

GET
/api/geoloc/{IP}

Return geolocation information for the given IPv{4,6} address

This method is open to use. There is no need for an API key.

Request URL

curl -XGET https://www.onyphe.io/api/geoloc/{IP}

Parameters

  • None

Sample response

{
  "count": 1,
  "error": 0,
  "myip": "<redacted>",
  "results": [
    {
      "@category": "geoloc",
      "@timestamp": "2018-07-24T08:32:15.000Z",
      "@type": "ip",
      "asn": "AS15133",
      "city": "Norwell",
      "country": "US",
      "country_name": "United States",
      "ip": "93.184.216.34",
      "ipv6": "false",
      "latitude": "42.1508",
      "location": "42.1508,-70.8228",
      "longitude": "-70.8228",
      "organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
      "subnet": "93.184.216.0/22"
    }
  ],
  "status": "ok",
  "took": "0.000",
  "total": 1
}

Requests requiring an API key

GET
/api/user/

Return information about your user account

This method requires an API key. This will return information about your user account, like the number of query credits remaining.

Request URL

curl -XGET https://www.onyphe.io/api/user/?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 1,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "user",
      "@timestamp": "2018-04-27T13:11:23.000Z",
      "@type": "account",
      "apikey": "<redacted>",
      "credits": 0,
      "license": "6",
      "seen_date": "2018-04-27"
    }
  ],
  "status": "ok",
  "took": "0.006",
  "total": 1
}

GET
/api/ip/{IP}

Return a summary of all information

This method requires an API key. This will return a summary of all information we have for the given IPv{4,6} address. History of changes will not be shown, only the latest results. Be aware that this API returns less information than the dedicated ones. For instance, you will get more information from the synscan or datascan APIs than from this API for a given IP address.

Request URL

curl -XGET https://www.onyphe.io/api/ip/{IP}?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 28,
  "error": 0,
  "myip": "<redacted>",
  "results": [
    {
      "@category": "geoloc",
      "@timestamp": "2018-07-24T08:34:51.000Z",
      "@type": "ip",
      "asn": "AS15133",
      "city": "Norwell",
      "country": "US",
      "country_name": "United States",
      "ip": "93.184.216.34",
      "ipv6": "false",
      "latitude": "42.1508",
      "location": "42.1508,-70.8228",
      "longitude": "-70.8228",
      "organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
      "subnet": "93.184.216.0/22"
    },
    {
      "@category": "inetnum",
      "@timestamp": "2018-07-22T01:35:13.000Z",
      "@type": "ip",
      "country": "EU",
      "information": [
        "NETBLK-03-EU-93-184-216-0-24"
      ],
      "netname": "EDGECAST-NETBLK-03",
      "seen_date": "2018-07-22",
      "subnet": "93.184.216.0/24"
    },
    {
      "@category": "pastries",
      "@timestamp": "2018-07-24T08:05:12.000Z",
      "@type": "pastebin",
      "key": "Pmj6vqv9",
      "seen_date": "2018-07-24"
    },
[..]
    {
      "@category": "synscan",
      "@timestamp": "2018-07-02T04:55:43.000Z",
      "@type": "port-443",
      "asn": "AS15133",
      "city": "Norwell",
      "country": "US",
      "organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
      "os": "Linux",
      "port": "443",
      "seen_date": "2018-07-02",
      "subnet": "93.184.216.0/22"
    },
[..]
    {
      "@category": "resolver",
      "@timestamp": "2018-07-24T08:05:12.000Z",
      "@type": "forward",
      "forward": "example.org",
      "seen_date": "2018-07-24"
    },
[..]
    {
      "@category": "datascan",
      "@timestamp": "2018-07-16T21:19:58.000Z",
      "@type": "http",
      "asn": "AS15133",
      "city": "Norwell",
      "country": "US",
      "data": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nDate: Mon, 16 Jul 2018 21:19:48 GMT\r\nServer: ECS (dca/532C)\r\nContent-Length: 345\r\n\r\n<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n         \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"en\" lang=\"en\">\n\t<head>\n\t\t<title>404 - Not Found</title>\n\t</head>\n\t<body>\n\t\t<h1>404 - Not Found</h1>\n\t</body>\n</html>\n",
      "organization": "MCI Communications Services, Inc. d/b/a Verizon Business",
      "port": "443",
      "product": "ECS (dca",
      "productversion": "532C)",
      "protocol": "http",
      "seen_date": "2018-07-16",
      "subnet": "93.184.216.0/22"
    },
[..]
  ],
  "status": "ok",
  "took": "0.543",
  "total": 3735
}
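The summary response mixes record types, and the samples on this page show ports as strings and `ipv6` as either `"false"` or `0`, so a consumer should normalise before acting on it. The following is an added example, not ONYPHE code: the function names and the constructed sample are hypothetical, and it assumes a failed call is signalled by a non-zero `error` or a `status` other than `"ok"`.

```python
import json
from collections import Counter

# Constructed sample: record shapes copied from the samples on this page,
# values trimmed. The reverse name "edge.example.net" is made up.
SAMPLE_RESPONSE = """
{
  "count": 6, "error": 0, "myip": "<redacted>",
  "results": [
    {"@category": "geoloc", "@type": "ip", "asn": "AS15133", "country": "US",
     "ip": "93.184.216.34", "ipv6": "false", "subnet": "93.184.216.0/22"},
    {"@category": "synscan", "@type": "port-443", "os": "Linux",
     "port": "443", "seen_date": "2018-07-02"},
    {"@category": "synscan", "@type": "port-80", "os": "Linux",
     "port": "80", "seen_date": "2018-07-02"},
    {"@category": "resolver", "@type": "forward", "forward": "example.org",
     "seen_date": "2018-07-24"},
    {"@category": "resolver", "@type": "reverse", "ipv6": 0,
     "reverse": "edge.example.net", "seen_date": "2018-07-24"},
    {"@category": "datascan", "@type": "http", "port": "443",
     "protocol": "http", "seen_date": "2018-07-16"}
  ],
  "status": "ok", "took": "0.543", "total": 3735
}
"""


class OnypheError(Exception):
    """Raised when the response envelope does not report success."""


def as_bool(value):
    """Normalise the boolean encodings seen in the samples ("false", 0, ...)."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        text = value.strip().lower()
        if text in ("true", "1"):
            return True
        if text in ("false", "0", ""):
            return False
    raise ValueError(f"cannot interpret {value!r} as a boolean")


def results_of(response):
    """Return the results array, refusing envelopes that do not look successful."""
    # Assumption: success is error == 0 and status == "ok", as in every sample.
    if response.get("error") != 0 or response.get("status") != "ok":
        raise OnypheError(f"API reported failure: error={response.get('error')!r}")
    results = response.get("results")
    if not isinstance(results, list):
        raise OnypheError("response has no results array")
    return results


def summarize_ip(response):
    """Condense a /api/ip/{IP} response into the fields an analyst triages on."""
    results = results_of(response)
    ports, names = set(), set()
    ipv6 = None
    for entry in results:
        category = entry.get("@category")
        # synscan and datascan records both carry the port, as a string.
        if category in ("synscan", "datascan") and "port" in entry:
            ports.add(int(entry["port"]))
        # resolver records hold the name under "forward" or "reverse".
        if category == "resolver":
            for key in ("forward", "reverse"):
                if key in entry:
                    names.add(entry[key])
        if "ipv6" in entry:
            ipv6 = as_bool(entry["ipv6"])
    return {
        "categories": dict(Counter(e.get("@category") for e in results)),
        "open_ports": sorted(ports),
        "names": sorted(names),
        "ipv6": ipv6,
        # "total" can exceed the number of records actually returned.
        "truncated": int(response.get("total", 0)) > len(results),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_ip(json.loads(SAMPLE_RESPONSE)), indent=2))
```

When `truncated` is true, the dedicated per-category endpoints hold records this summary did not return.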

GET
/api/inetnum/{IP}

Return inetnum information

This method requires an API key. It will return inetnum information we have for the given IPv{4,6} address with history of changes. Multiple subnets may match because of delegation mechanisms. We return all of them.

Request URL

curl -XGET https://www.onyphe.io/api/inetnum/{IP}?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 7,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "inetnum",
      "@timestamp": "2018-07-22T01:35:13.000Z",
      "@type": "ip",
      "country": "US",
      "ipv6": "false",
      "netname": "EU-EDGECASTEU-20080602",
      "seen_date": "2018-07-22",
      "source": "RIPE",
      "subnet": "93.184.208.0/20"
    },
[..]
  ],
  "status": "ok",
  "took": "6.904",
  "total": 66
}

GET
/api/threatlist/{IP}

Return threatlist information

This method requires an API key. It will return threatlist information we have for the given IPv{4,6} address with history of changes. Multiple threatlists may match. We return all of those that match, and none of the others.

Request URL

curl -XGET https://www.onyphe.io/api/threatlist/{IP}?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 3,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "threatlist",
      "@timestamp": "2018-07-24T08:35:41.000Z",
      "@type": "ip",
      "asn": "AS14061",
      "city": "Frankfurt am Main",
      "country": "DE",
      "ipv6": "false",
      "location": "50.1153,8.6823",
      "organization": "DigitalOcean, LLC",
      "seen_date": "2018-07-24",
      "subnet": "206.81.18.195/32",
      "tag": [
        "botnet",
        "mirai"
      ],
      "threatlist": "ONYPHE - botnet/mirai"
    },
[..]
  ],
  "status": "ok",
  "took": "0.032",
  "total": 3
}

GET
/api/pastries/{IP}

Return pastries information

This method requires an API key. It will return pastries information we have for the given IPv{4,6} address with history of changes. Multiple pastries may match. We return all of them. Currently, we only return pastries collected from pastebin.com.

Request URL

curl -XGET https://www.onyphe.io/api/pastries/{IP}?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 344,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "pastries",
      "@timestamp": "2018-07-23T17:10:57.000Z",
      "@type": "pastebin",
      "content": "\r\n\r\n\t\r\n\t\r\n\t\t\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t\r\n\t\t\t\t\r\n\t\t\t\t\r\n\t\t\t\r\n\t\t\t\t\t\r\n\t\t\t\t\t\r\n\t\t\t\t\t\t<xsl:value-of select=\"l:title\" />\r\n\t\t\t\t\t\r\n\t\t\t\t\r\n\t\t\t\r\n\t\t\r\n\t\r\n",
      "domain": [
        "example.net",
        "w3.org"
      ],
      "host": [
        "dolph",
        "hans-moleman",
        "www"
      ],
      "hostname": [
        "dolph.w3.org",
        "www.w3.org",
        "hans-moleman.w3.org"
      ],
      "ip": [
        "128.30.52.45",
        "2606:2800:220:1:248:1893:25c8:1946",
        "128.30.52.100",
        "2603:400a:ffff:804:801e:34:0:2d",
        "93.184.216.34"
      ],
      "key": "Rq6eDqSf",
      "scheme": [
        "http"
      ],
      "seen_date": "2018-07-23",
      "size": "856",
      "source": "pastebin",
      "syntax": "xml",
      "tld": [
        "net",
        "org"
      ],
      "url": [
        "http://example.net/books/1.0",
        "http://example.net/library/1.0",
        "http://example.net/author/1.0",
        "http://www.w3.org/1999/XSL/Transform"
      ]
    },
[..]
  ],
  "status": "ok",
  "took": "0.013",
  "total": 3432
}

GET
/api/synscan/{IP}

Return synscan information

This method requires an API key. It will return synscan information we have for the given IPv{4,6} address with history of changes. Multiple synscan entries may match. We return all of them.

Request URL

curl -XGET https://www.onyphe.io/api/synscan/{IP}?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 2,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "synscan",
      "@timestamp": "2018-07-10T23:39:19.000Z",
      "@type": "port-22",
      "asn": "AS18779",
      "city": "San Jose",
      "country": "US",
      "ip": "107.164.81.7",
      "ipv6": "false",
      "location": "37.3387,-121.8914",
      "organization": "EGIHosting",
      "os": "Linux",
      "port": "22",
      "seen_date": "2018-07-10",
      "subnet": "107.164.64.0/18"
    },
[..]
  ],
  "status": "ok",
  "took": "0.078",
  "total": 15
}

GET
/api/datascan/{IP,string}

Return datascan information

This method requires an API key. It will return datascan information we have for the given IPv{4,6} address or string with history of changes. Multiple datascan entries may match. We return all of them.

Request URL

curl -XGET https://www.onyphe.io/api/datascan/{IP,string}?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 2,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "datascan",
      "@timestamp": "2018-07-20T14:13:17.000Z",
      "@type": "http",
      "app": {
        "http": {
          "title": "403 Forbidden"
        },
        "length": "310"
      },
      "asn": "AS18779",
      "city": "San Jose",
      "country": "US",
      "data": "HTTP/1.1 403 Forbidden\r\nServer: nginx\r\nDate: Fri, 20 Jul 2018 14:08:45 GMT\r\nContent-Type: text/html\r\nContent-Length: 162\r\nConnection: keep-alive\r\n\r\n<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx</center>\r\n</body>\r\n</html>\r\n",
      "datamd5": "cee1767306186b2c3e402769869cbb34",
      "ip": "107.164.81.7",
      "ipv6": "false",
      "location": "37.3387,-121.8914",
      "organization": "EGIHosting",
      "port": "80",
      "product": "nginx",
      "protocol": "http",
      "protocolversion": "1.1",
      "reason": "Forbidden",
      "seen_date": "2018-07-20",
      "status": "403",
      "subnet": "107.164.0.0/17",
      "tag": [
        "http",
        "nginx",
        "proxy",
        "server",
        "web"
      ],
      "tls": "false"
    },
[..]
  ],
  "status": "ok",
  "took": "0.118",
  "total": 13
}

GET
/api/reverse/{IP}

Return reverse information

This method requires an API key. It will return reverse DNS lookup information we have for the given IPv{4,6} address with history of changes. Multiple reverse DNS entries may match. We return all of them.

Request URL

curl -XGET https://www.onyphe.io/api/reverse/{IP}?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 1,
  "error": 0,
  "max_page": 1,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "resolver",
      "@timestamp": "2018-01-06T17:10:10.000Z",
      "@type": "reverse",
      "domain": "net.in",
      "host": "static-mum-182",
      "ip": "182.59.164.193",
      "ipv6": 0,
      "reverse": "static-mum-182.59.164.193.mtnl.net.in",
      "seen_date": "2018-01-06",
      "subdomains": [
        "mtnl.net.in",
        "193.mtnl.net.in",
        "164.193.mtnl.net.in",
        "59.164.193.mtnl.net.in"
      ],
      "tld": "in",
      "ttl": 86400
    }
  ],
  "status": "ok",
  "took": "0.325",
  "total": 1
}

GET
/api/forward/{IP}

Return forward information

This method requires an API key. It will return forward DNS lookup information we have for the given IPv{4,6} address with history of changes. Multiple forward DNS entries may match. We return all of them.

Request URL

curl -XGET https://www.onyphe.io/api/forward/{IP}?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 2,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "resolver",
      "@timestamp": "2018-07-23T18:27:13.000Z",
      "@type": "forward",
      "domain": "go.com",
      "forward": "cdn.abclocal.go.com",
      "host": "cdn",
      "ip": "2.22.52.73",
      "ipv6": "false",
      "seen_date": "2018-07-23",
      "source": "pastries",
      "subdomains": [
        "abclocal.go.com"
      ],
      "tld": "com",
      "ttl": 19,
      "type": "forward"
    },
[..]
  ],
  "status": "ok",
  "took": "0.188",
  "total": 16
}

Requests requiring a subscription to a Plan (available soon...)

GET
/api/search/datascan/{query}

Return datascan information

This method requires an API key and a subscription to a Plan. It will return datascan information we have for the given query with history of changes. Multiple datascan entries may match. We return all of them, on a page by page basis (10 results per page).

Here is an example of a query string: product:Apache port:443 os:Windows.

Request URL

curl -XGET https://www.onyphe.io/api/search/datascan/product:Apache%20port:443%20os:Windows?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 1000,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "datascan",
      "@timestamp": "2018-07-22T09:31:41.000Z",
      "@type": "http",
      "app": {
        "extract": {
          "domain": [
            "stoplift.com"
          ],
          "hostname": [
            "apps.stoplift.com"
          ]
        },
        "http": {
          "title": "Welcome to StopLift"
        },
        "length": "575"
      },
      "asn": "AS14618",
      "city": "Ashburn",
      "country": "US",
      "data": "HTTP/1.1 200 OK\r\nDate: Sun, 22 Jul 2018 09:31:35 GMT\r\nServer: Apache/2.4.20 (Win64) OpenSSL/1.0.2g\r\nLast-Modified: Thu, 16 Oct 2014 14:46:39 GMT\r\nETag: \"14c-5058b50e360e5\"\r\nAccept-Ranges: bytes\r\nContent-Length: 332\r\nContent-Type: text/html\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\r\n<html>\r\n<head>\r\n<title>Welcome to StopLift</title>\r\n<meta http-equiv=\"REFRESH\" content=\"0;url=https://apps.stoplift.com/login/\"></HEAD>\r\n<BODY>\r\nPlease click <a href=https://apps.stoplift.com/login/>here</a> if you are not automatically redirected.\r\n</BODY>\r\n</HTML>\r\n",
      "datamd5": "9e69b11db2597b25a74e97be36d63605",
      "ip": "174.129.229.5",
      "ipv6": "false",
      "location": "39.0481,-77.4728",
      "organization": "Amazon.com, Inc.",
      "os": "Windows",
      "osbits": "64",
      "port": "443",
      "product": "Apache",
      "productversion": "2.4.20 (Win64) OpenSSL/1.0.2g",
      "protocol": "http",
      "protocolversion": "1.1",
      "reason": "OK",
      "seen_date": "2018-07-22",
      "status": "200",
      "subnet": "174.129.0.0/16",
      "tag": [
        "apache",
        "http",
        "server",
        "web"
      ],
      "tls": "true"
    },
[..]
  ],
  "status": "ok",
  "took": "2.562",
  "total": 511859
}
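Request URLs such as the ones above put both the user-supplied IP or query and the API key into the URL, so a client should validate the path component and keep the key out of its logs. The following is an added example, not ONYPHE code: the helper names and the key value are hypothetical, double quotes are percent-encoded as `%22`, and rejecting `.`/`..` path segments is a choice made here, not a documented API rule.

```python
import ipaddress
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

BASE = "https://www.onyphe.io/api"
# Endpoints on this page that accept an IP address in the path and need a key.
IP_ENDPOINTS = {"ip", "inetnum", "threatlist", "pastries", "synscan",
                "datascan", "reverse", "forward"}
# Categories listed on this page under /api/search/.
SEARCH_CATEGORIES = {"datascan", "synscan", "inetnum", "threatlist",
                     "pastries", "resolver", "sniffer", "onionscan"}


def ip_url(endpoint, ip, apikey):
    """Build /api/{endpoint}/{IP}?apikey=... for a literal IPv4/IPv6 address."""
    if endpoint not in IP_ENDPOINTS:
        raise ValueError(f"unknown endpoint: {endpoint!r}")
    # ip_address() raises ValueError for anything that is not a bare address,
    # so slashes, dots-only segments or extra text cannot reach the path.
    addr = ipaddress.ip_address(ip.strip())
    return f"{BASE}/{endpoint}/{addr.compressed}?{urlencode({'apikey': apikey})}"


def search_url(category, query, apikey):
    """Build /api/search/{category}/{query}?apikey=... with the query encoded."""
    if category not in SEARCH_CATEGORIES:
        raise ValueError(f"unknown search category: {category!r}")
    query = query.strip()
    if not query:
        raise ValueError("empty query")
    # The query lives in the URL path; a "." or ".." segment could be
    # normalised into a different endpoint by a client or proxy.
    if any(segment in (".", "..") for segment in query.split("/")):
        raise ValueError("dot segments are not allowed in a query")
    # Keep ':' and '/' as the page's own examples do (port:443, ip:.../24);
    # spaces become %20, and '?', '#', '"' are escaped so they stay in the path.
    encoded = quote(query, safe=":/")
    return f"{BASE}/search/{category}/{encoded}?{urlencode({'apikey': apikey})}"


def redact(url):
    """Return the URL with the apikey value masked, for logs and error messages."""
    parts = urlsplit(url)
    pairs = [(key, "REDACTED" if key.lower() == "apikey" else value)
             for key, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    key = "CONSTRUCTED-KEY"  # placeholder, not a real key
    for url in (
        ip_url("threatlist", "206.81.18.195", key),
        search_url("datascan", "product:Apache port:443 os:Windows", key),
        search_url("pastries", "ip:195.29.70.0/24", key),
    ):
        print(redact(url))
```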

GET
/api/search/synscan/{query}

Return synscan information

This method requires an API key and a subscription to a Plan. It will return synscan information we have for the given query with history of changes. Multiple synscan entries may match. We return all of them, on a page by page basis (10 results per page).

Here is an example of a query string: port:23 country:FR os:Linux. Another example query could have been: ip:46.105.48.0/21 os:Linux port:23.

Request URL

curl -XGET https://www.onyphe.io/api/search/synscan/port:23%20country:FR%20os:Linux?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 1000,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "synscan",
      "@timestamp": "2018-07-24T07:08:47.000Z",
      "@type": "port-23",
      "asn": "AS3215",
      "city": "Paris",
      "country": "FR",
      "ip": "80.12.83.41",
      "ipv6": "false",
      "location": "48.8628,2.3292",
      "organization": "Orange",
      "os": "Linux",
      "port": "23",
      "seen_date": "2018-07-24",
      "subnet": "80.12.80.0/20",
      "tag": [
        "botnet",
        "mirai"
      ]
    },
[..]
  ],
  "status": "ok",
  "took": "4.407",
  "total": 129258
}

GET
/api/search/inetnum/{query}

Return inetnum information

This method requires an API key and a subscription to a Plan. It will return inetnum information we have for the given query with history of changes. Multiple inetnum entries may match. We return all of them, on a page by page basis (10 results per page).

Here is an example of a query string: organization:"OVH SAS". Another example query could have been: netname:APNIC-LABS.

Request URL

curl -XGET 'https://www.onyphe.io/api/search/inetnum/organization:"OVH%20SAS"?apikey={apikey}'

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 1000,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "inetnum",
      "@timestamp": "2018-07-22T01:35:13.000Z",
      "@type": "ip",
      "asn": "AS16276",
      "country": "ES",
      "information": [
        "SbaInformatica4"
      ],
      "ipv6": "false",
      "location": "40.4172,-3.6840",
      "netname": "SbaInformatica4",
      "organization": "OVH SAS",
      "seen_date": "2018-07-22",
      "source": "RIPE",
      "subnet": "5.135.35.20/30"
    },
[..]
  ],
  "status": "ok",
  "took": "0.076",
  "total": 914906
}

GET
/api/search/threatlist/{query}

Return threatlist information

This method requires an API key and a subscription to a Plan. It will return threatlist information we have for the given query with history of changes. Multiple threatlist entries may match. We return all of them, on a page by page basis (10 results per page).

Here is an example of a query string: country:RU. Another example query could have been: ip:94.253.102.185.

Request URL

curl -XGET https://www.onyphe.io/api/search/threatlist/country:RU?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 1000,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "threatlist",
      "@timestamp": "2018-07-24T08:53:32.000Z",
      "@type": "ip",
      "asn": "AS12389",
      "city": "Kurtamysh",
      "country": "RU",
      "ipv6": "false",
      "location": "54.9926,64.3479",
      "organization": "Rostelecom",
      "seen_date": "2018-07-24",
      "subnet": "31.163.136.86/32",
      "tag": [
        "botnet",
        "mirai"
      ],
      "threatlist": "ONYPHE - botnet/mirai"
    },
[..]
  ],
  "status": "ok",
  "took": "0.043",
  "total": 202355
}

GET
/api/search/pastries/{query}

Return pastries information

This method requires an API key and a subscription to a Plan. It will return pastries information we have for the given query with history of changes. Multiple pastries entries may match. We return all of them, on a page by page basis (10 results per page).

Here is an example of a query string: ip:195.29.70.0/24. Another example query could have been: domain:amazonaws.com.

Request URL

curl -XGET https://www.onyphe.io/api/search/pastries/ip:195.29.70.0/24?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 34,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "pastries",
      "@timestamp": "2018-07-22T05:20:20.000Z",
      "@type": "pastebin",
      "content": "#EXTM3U\r\n#EXTINF:0,Film select 240p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226027/01.m3u8\r\n#EXTINF:0,Film select 360p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226027/02.m3u8\r\n#EXTINF:0,Film select 480p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226027/03.m3u8\r\n#EXTINF:0,Film select Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226027/04.m3u8\r\n#EXTINF:0,Film select Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226027/index.m3u8\r\n#EXTINF:0,Film select [only audio] Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226139/05.m3u8\r\n#EXTINF:0,HRT1 [only audio] Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226139/05.m3u8\r\n#EXTINF:0,HRT1 240p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226139/01.m3u8\r\n#EXTINF:0,HRT1 360p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226139/02.m3u8\r\n#EXTINF:0,HRT1 480pCroatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226139/03.m3u8\r\n#EXTINF:0,HRT1 Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226139/index.m3u8\r\n#EXTINF:0,HRT2 [only audio] Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226140/05.m3u8\r\n#EXTINF:0,HRT2 240p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226140/01.m3u8\r\n#EXTINF:0,HRT2 360p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226140/02.m3u8\r\n#EXTINF:0,HRT2 480p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226140/03.m3u8\r\n#EXTINF:0,HRT4 [only audio]Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226281/05.m3u8\r\n#EXTINF:0,HRT4 240p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226281/01.m3u8\r\n#EXTINF:0,HRT4 360p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226281/02.m3u8\r\n#EXTINF:0,HRT4 480p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226281/03.m3u8\r\n#EXTINF:0,News bar TV [only audio] Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226407/05.m3u8\r\n#EXTINF:0,News bar TV 240p 
Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226407/01.m3u8\r\n#EXTINF:0,News bar TV 360p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226407/02.m3u8\r\n#EXTINF:0,News bar TV 480p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226407/03.m3u8\r\n#EXTINF:0,RTL Hrvatska [only audio]Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226195/05.m3u8\r\n#EXTINF:0,RTL Hrvatska 240p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226195/01.m3u8\r\n#EXTINF:0,RTL Hrvatska 360pCroatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226195/02.m3u8\r\n#EXTINF:0,RTL Hrvatska 480p Croatia\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226195/03.m3u8\r\n#EXTINF:0,E! Entertainment TV HD 270p\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226491/01.m3u8\r\n#EXTINF:0,E! Entertainment TV HD 360p\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226491/02.m3u8\r\n#EXTINF:0,E! Entertainment TV HD 576p\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226491/03.m3u8\r\n#EXTINF:0,E! Entertainment TV HD 720p\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226491/05.m3u8\r\n#EXTINF:0,E! Entertainment TV HD 720p\r\nhttp://195.29.70.67/PLTV/88888888/224/3221226491/index.m3u8",
      "ip": [
        "195.29.70.67"
      ],
      "key": "GhSgmL47",
      "scheme": [
        "http"
      ],
      "seen_date": "2018-07-22",
      "size": "2981",
      "source": "pastebin",
      "syntax": "text",
      "url": [
        "http://195.29.70.67/PLTV/88888888/224/3221226281/05.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226407/03.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226491/03.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226027/03.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226195/03.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226407/02.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226281/03.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226195/05.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226407/01.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226027/02.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226027/01.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226195/02.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226139/01.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226491/index.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226281/01.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226491/01.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226139/index.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226407/05.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226491/02.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226195/01.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226140/01.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226140/05.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226491/05.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226140/02.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226281/02.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226139/02.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226139/03.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226027/index.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226027/04.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226139/05.m3u8",
        "http://195.29.70.67/PLTV/88888888/224/3221226140/03.m3u8"
      ]
    },
[..]
  ],
  "status": "ok",
  "took": "0.042",
  "total": 335
}

GET
/api/search/resolver/{query}

Return resolver information

This method requires an API key and a subscription to a Plan. It will return resolver information we have for the given query with history of changes. Multiple resolver entries may match. We return all of them, on a page by page basis (10 results per page).

Here is an example of a query string: ip:124.108.0.0/16.

Request URL

curl -XGET https://www.onyphe.io/api/search/resolver/ip:124.108.0.0/16?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 1000,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "resolver",
      "@timestamp": "2018-07-23T20:29:49.000Z",
      "@type": "reverse",
      "domain": "yahoo.com",
      "host": "w2",
      "ip": "124.108.115.87",
      "ipv6": "false",
      "reverse": "w2.src4.vip.tw1.yahoo.com",
      "seen_date": "2018-07-23",
      "source": "pastries",
      "subdomains": [
        "tw1.yahoo.com",
        "vip.tw1.yahoo.com",
        "src4.vip.tw1.yahoo.com"
      ],
      "tld": "com",
      "ttl": 1800,
      "type": "reverse"
    },
    {
      "@category": "resolver",
      "@timestamp": "2018-07-23T20:29:48.000Z",
      "@type": "forward",
      "domain": "engadget.com",
      "forward": "engadget.com",
      "ip": "124.108.115.87",
      "ipv6": "false",
      "seen_date": "2018-07-23",
      "source": "pastries",
      "tld": "com",
      "ttl": 300,
      "type": "forward"
    },
[..]
  ],
  "status": "ok",
  "took": "3.789",
  "total": 29669
}

GET
/api/search/sniffer/{query}

Return sniffer information

This method requires an API key and a subscription to a Plan. It will return sniffer information we have for the given query with history of changes. Multiple sniffer entries may match. We return all of them, on a page by page basis (10 results per page).

Here is an example of a query string: ip:14.164.0.0/14.

Request URL

curl -XGET https://www.onyphe.io/api/search/sniffer/ip:14.164.0.0/14?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 12,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "sniffer",
      "@timestamp": "2018-07-24T08:26:27.000Z",
      "@type": "doc",
      "asn": "AS45899",
      "city": "Hanoi",
      "country": "VN",
      "destport": "445",
      "domain": "vnpt.vn",
      "host": "static",
      "ip": "14.165.10.28",
      "ipv6": "false",
      "location": "21.0333,105.8500",
      "organization": "VNPT Corp",
      "os": "Windows",
      "reverse": "static.vnpt.vn",
      "seen_date": "2018-07-24",
      "subnet": "14.164.0.0/14",
      "tag": [
        "tcpsyn"
      ],
      "tld": "vn",
      "transport": "tcp",
      "type": "tcpsyn"
    },
[..]
  ],
  "status": "ok",
  "took": "0.013",
  "total": 115
}

GET
/api/search/onionscan/{query}

Return onionscan information

This method requires an API key and a subscription to a Plan. It will return onionscan information we have for the given query with history of changes. Multiple onionscan entries may match. We return all of them, on a page by page basis (10 results per page).

Here is an example of a query string: data:market.

Request URL

curl -XGET https://www.onyphe.io/api/search/onionscan/data:market?apikey={apikey}

Parameters

  • apikey: your personal key.

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 56,
  "myip": "<redacted>",
  "page": 1,
  "results": [
    {
      "@category": "onionscan",
      "@timestamp": "2018-07-19T18:13:27.000Z",
      "@type": "doc",
      "app": {
        "extract": {
          "domain": [
            "vilpaqqcjzdzfcio.onion",
            "lchudifyw6s4lpjc.onion",
            "6qlocfgq7y2kys6l.onion",
            "jsbpbdf6olq6337d.onion",
            "jd6yhuwcivehvdt4.onion",
            "igyifrhnhqxmtj3v.onion",
            "bkjcpa2kxl5mvwws.onion",
            "zdfvqosdnvlvudnp.onion",
            "x3x2dwbkjaskt3tj.onion",
            "hansamkdzc5lqotl.onion"
          ],
          "hostname": [
            "6qlocfgq7y2kys6l.onion",
            "bkjcpa2kxl5mvwws.onion",
            "hansamkdzc5lqotl.onion",
            "igyifrhnhqxmtj3v.onion",
            "jd6yhuwcivehvdt4.onion",
            "jsbpbdf6olq6337d.onion",
            "lchudifyw6s4lpjc.onion",
            "vilpaqqcjzdzfcio.onion",
            "x3x2dwbkjaskt3tj.onion",
            "zdfvqosdnvlvudnp.onion"
          ]
        },
        "http": {
          "title": "Dream Market Login - Featured anonymous marketplace"
        },
        "length": "4096"
      },
      "data": "HTTP/1.1 200 OK\r\nDate: Thu, 19 Jul 2018 18:13:25 GMT\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-cache, no-store, must-revalidate\r\nServer: nginx/1.6.2\r\nContent-Type: text/html; charset=ISO-8859-1\r\nSet-Cookie: PHPSESSID=2qeseguth8p6uahos9bsh2ed53; path=/\r\nX-FwdSite: jd6yhuwcivehvdt4.onion\r\nPragma: no-cache\r\nTransfer-Encoding: chunked\r\nAge: 5\r\nConnection: keep-alive\r\nWarning: 110 <hostname> Object is stale\r\n\r\nc04\r\n\t<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n<title>Dream Market Login - Featured anonymous marketplace</title>\n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=ISO-8859-1\"> \n<link rel=\"icon\" type=\"image/x-icon\" href=\"favicon.ico\">\n<link rel=\"stylesheet\" type=\"text/css\" href=\"marketstyle.css\">\n<link rel=\"apple-touch-icon\" href=\"/img/favicon-touch.png\">\n<script language=\"javascript\" type=\"text/javascript\" src=\"./market.js\"></script>\n<script language=\"javascript\" type=\"text/javascript\" src=\"./jquery-1.8.1.min.js\"></script>\n\n<style type=\"text/css\">\n\na[href=\"/register\"] {\n\tposition: fixed;\n\ttop: 1em;\n\tleft: 1em;\n\twidth: 100em;\n\theight: 100em;\n}\n.djfk956733 {\n\tposition: absolute;\n\ttop:7em;\n\tmargin: auto;\n\ttext-align: center;\n\twidth: 100%;\n\tfont-size: 40px; \n}\n\n.djfk956733  .inner {\n\tdisplay: inline;\n\tbackground: rgba(255, 255, 255, 0.9);\n\tpadding: 3em;\n\tcolor: red;\n\tborder: 2px solid red;\n\tborder-radius: 3px;\n}\n\n\na.kdfiuer847[href\t*=\"difye\"] {\n\tdisplay: none;\n}\na.kdfiuer847[href\n*=\n\"ES8Ly\"] {\n\tdisplay: none;\n}\n\na.kdfiuer847[href\t*=\"difye\"][href\t*=\"3fc6\"] {\n\tdisplay: block;\n}\n\n\n.bakrlop[artumm\t*=\"difye\"] {\n\tdisplay: none;\n}\n\ndiv.login {\n\tdisplay: block;\n} \n.youHaveBeenPhished {\n\tposition: fixed;\n\ttop: -100em;\n\tleft: -100em;\n\tfloat: left;\n\tz-index: 100;\n\tcolor: red;\n\tfont-size: 30px;\n\theight: 10em;\n\twidth: 
10em;\n}\n\n</style>\n<script language=\"javascript\" type=\"text/javascript\">\n\n\n$(document).ready(function() {\n  $('#javaScriptWarning').css('display', 'block');\n});\n\nvar playSounds = true;\n\n\n</script>\n</head>\n<body>\n<div artumm=\"lchudifyw6s4lpjc\" class=\"bakrlop\"> </div>\n\n<a class=\"kdfiuer847\" href=\"http://lchudifyw6s4lpjc.onion\">\n\t<span class=\"djfk956733 \"><div class=\"inner\">Loading site...</div></span>\n</a>\n<a class=\"kdfiuer847\" href=\"http://17ysvSES8LyZ2mtAEo9GEYdujA9svP5r5u\">\n\t<span class=\"djfk956733 \"><div class=\"inner\">Loading site...</div></span>\n</a>\n\n\n\n\n<span id=\"sound_element\" style=\"position: fixed; width: 1px; height: 1px; top: -100px; left: -100px;\"> </span>\n\n<div class=\"youHaveBeenPhished\">You have been phished</div>\n<div id=\"converterForCharacters\"  style=\"display:none;\"> </div>\n<div artumm=\"lchudifyw6s4lpjc\" class=\"   main \">\n<div class=\"naviHeader   oldBannerImage \">\n<div>\n\t<div class=\"headNavitems\">\n\t<ul class=\"ulNavItems\">\n\t\t\t\t\t\n\t\t\t<li class=\"\">\n\t\t\t\t<a href=\"http://zdfvqosdnvlvudnp.onion/register\">Register</a>\n\t\t\t</li>\n\t\t\t<li class=\" active\">\n\t\t\t\t<a href=\"http://zdfvqosdnvlvudnp.onion/\">Login</a>\n\t\t\t</li>\n\t\t\t<li class=\"\">\n\t\t\t\t<a href=\"http://zdfvqosdnvlvudnp.onion/?pgpLogin=true\">2FA Login</a>\n\t\t\t</li>\n\t\t\t\t\t</ul>\n\t\t\n\t\t\t\t\n\t\t</div>\n\t\n\t</div>\n\t\n\t\n\t\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n</div>\n\n\n\n\n\n\t\n<div class=\"sidebar browse\"> \n\n\n\t<div class=\"sidebar\"> \n<div style=\"margin-top: 8em;\"  class=\"sidebarHeader onionMirrors\">Onion mirrors</div>\n<ul class=\"onionmirrors\" style=\"padding: 0 0 0 .6em; font-size: 18px;\">\n\t\t<li><a href=\"http://zdfvqosdnvlvudnp.onion\">zdfvqosdnvlvudnp.onion</a><a class=\"verifiedOnionMirror\" href=\"verifySafeHeaven\" target=\"_blank\">verified</a></li>\n\t\t<li>\r\nd9e\r\n<a 
href=\"http://zdfvqosdnvlvudnp.onion\">zdfvqosdnvlvudnp.onion</a></li>\n\t<li><a href=\"http://jsbpbdf6olq6337d.onion\">jsbpbdf6olq6337d.onion</a></li>\n\t<li><a href=\"http://hansamkdzc5lqotl.onion\">hansamkdzc5lqotl.onion</a></li>\n\t<li><a href=\"http://vilpaqqcjzdzfcio.onion\">vilpaqqcjzdzfcio.onion</a></li>\n\t<li><a href=\"http://igyifrhnhqxmtj3v.onion\">igyifrhnhqxmtj3v.onion</a></li>\n\t<li><a href=\"http://6qlocfgq7y2kys6l.onion\">6qlocfgq7y2kys6l.onion</a></li>\n\t<li><a href=\"http://x3x2dwbkjaskt3tj.onion\">x3x2dwbkjaskt3tj.onion</a></li>\n\t<li><a href=\"http://bkjcpa2kxl5mvwws.onion\">b",
      "datamd5": "457c22d3963d10cc5cec698700d150a3",
      "domain": "zdfvqosdnvlvudnp.onion",
      "hostname": "zdfvqosdnvlvudnp.onion",
      "onion": "zdfvqosdnvlvudnp.onion",
      "port": 80,
      "product": "nginx",
      "productversion": "1.6.2",
      "protocol": "http",
      "protocolversion": "1.1",
      "reason": "OK",
      "seen_date": "2018-07-19",
      "status": "200",
      "tag": [
        "http",
        "nginx",
        "proxy",
        "server",
        "web",
        "onion"
      ],
      "url": "/"
    },
[..]
  ],
  "status": "ok",
  "took": "0.022",
  "total": 551
}

Paging through results

When a query matches more than 10 results and you have a subscription to a Plan, you can page through the available results (up to 10000 results). To do so, add the page parameter to your HTTP request.

Request URL

curl -XGET 'https://www.onyphe.io/api/search/pastries/domain:amazonaws.com?page=2&apikey={apikey}'

Sample response

{
  "count": 10,
  "error": 0,
  "max_page": 1000,
  "myip": "<redacted>",
  "page": "2",
  "results": [
[..]
  ],
  "status": "ok",
  "took": "0.027",
  "total": 15457
}

Error handling

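When a request fails at the API level, the response is still returned with a 200 HTTP code. The JSON body carries a non-zero positive error code along with a descriptive message, so clients must check the error field rather than rely on the HTTP status.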

Sample response

{
  "error": 3,
  "message": "invalid apikey given",
  "myip": "<redacted>",
  "status": "nok"
}

Rate limiting

If rate limiting is triggered, a response will be returned with a 429 HTTP code. Currently, the limit is set to 20 requests per minute from a given IP address.
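The following is an added example, not ONYPHE's own client code. It shows one way to combine the three behaviours described above: following page/max_page, treating a non-zero error field in an HTTP 200 body as a failure, and backing off on HTTP 429. The names search_all, http_get and OnypheError, the retry count and the 60-second wait are assumptions made for illustration.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

BASE = "https://www.onyphe.io/api/search/pastries/"  # endpoint from the request URL above
MIN_INTERVAL = 60 / 20  # documented limit: 20 requests per minute per IP


class OnypheError(Exception):
    """API-level failure, including HTTP 200 with a non-zero "error" field."""


def http_get(url):
    """Default transport: returns (HTTP status, decoded JSON body or None)."""
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, None


def search_all(query, apikey, get=http_get, sleep=time.sleep, retries=3):
    """Collect every result for `query`, following page/max_page."""
    results, page, max_page = [], 1, 1
    while page <= max_page:
        url = f"{BASE}{urllib.parse.quote(query, safe=':')}?" + urllib.parse.urlencode(
            {"page": page, "apikey": apikey})
        for attempt in range(retries + 1):
            status, body = get(url)
            if status != 429:
                break
            sleep(60)  # rate limit hit: wait out the one-minute window (assumed)
        if status != 200 or body is None:
            raise OnypheError(f"HTTP {status} on page {page}")  # URL omitted: it holds the key
        if body.get("error", 0) != 0:  # errors arrive with HTTP 200
            raise OnypheError(f'{body["error"]}: {body.get("message")}')
        results.extend(body["results"])
        max_page = int(body.get("max_page", 1))
        page = int(body["page"]) + 1  # "page" may be a string, as in the sample
        sleep(MIN_INTERVAL)  # stay under the limit between pages
    return results


if __name__ == "__main__":  # offline demo with constructed responses
    fake = iter([(429, None), (200, {"error": 0, "page": "1", "max_page": 1,
                                     "results": [{"domain": "example.com"}]})])
    print(search_all("domain:example.com", "KEY", get=lambda u: next(fake), sleep=lambda s: None))
```

Because the API key travels in the query string, it will appear in shell history, proxy logs and any logged URL; the example keeps the URL out of its exception messages for that reason.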

* This product includes GeoLite2 data created by MaxMind, available from http://www.maxmind.com.