Am I part of a Botnet? GreyNoise launches free scanner to check for malicious IP address activity

Cybersecurity firm GreyNoise Labs has released a new, free web-based tool called GreyNoise IP Check that allows any user to instantly determine if their home or business Internet Protocol (IP) address has been observed participating in global malicious scanning activity.

The launch addresses a growing problem: the silent compromise of residential networks, turning everyday home computers, routers, and IoT devices into nodes for large-scale cybercrime operations, such as botnets and residential proxy networks.

The hidden threat of residential botnets

GreyNoise, a threat monitoring company specializing in tracking "internet background noise," explained that over the past year, the number of compromised residential IPs has exploded. Often, users unknowingly install malware via shady apps or browser extensions, which then quietly convert their internet connection into an exit point for a criminal organization's traffic.

Unlike loud ransomware attacks, this passive misuse is invisible to the user but can damage the IP address's reputation, potentially leading to blocked emails, failed logins, and security alerts.

How the IP check works

The GreyNoise IP Check tool operates by cross-referencing the user's IP address with data collected by the company’s extensive global sensor network. This network constantly observes and catalogs internet-wide probing and scanning activity.

Users visiting the tool's webpage receive one of three simple verdicts:

• Clean: No malicious scanning activity detected. (The desired result for most home users.)

• Malicious/Suspicious: The IP has been observed engaging in scanning behavior (e.g., probing for open ports or vulnerable services).

• Common Business Service: The IP belongs to a recognized infrastructure like a VPN, corporate network, or cloud provider, where some scanning activity is expected and benign.

For users flagged as Malicious/Suspicious, the platform also provides a 90-day historical timeline of the observed activity, including tags that identify the type of behavior (e.g., "SSH Probing" or "Web Vulnerability Scans").

This history can help users pinpoint when a device on their network may have been compromised.

Recommendations for compromised users

If the tool returns a Malicious/Suspicious verdict, GreyNoise and other security experts recommend the following immediate steps:

Run comprehensive malware scans on all devices connected to the network, focusing especially on often-overlooked devices like routers and smart TVs.

Update all device firmware to the latest versions.

Change all default admin credentials for routers and other smart devices.

Disable remote access features on the router if they are not strictly necessary.

For more technically inclined users, GreyNoise is also offering a rate-limit-free, unauthenticated JSON API endpoint, allowing for the integration of IP reputation checks into custom security scripts and workflows.