Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.
Like MGLNDD_ and MGLNDD__.
I took a look at my server and honeypot logs, and I’m seeing this too.
It started on March 1st, with TCP data like this: MGLNDD_n
Where is the IPv4 address of my servers.
And starting March 9th, the TCP port was included in the data, like this: MGLNDD__n.
Where is the TCP port on my server.
I’m seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080
The source IPv4 addresses are from ranges owned by DigitalOcean: 192.241.192.0/19 and 192.241.224.0/20.
All the source IPv4 addresses I had scanning my servers, are from a scanner known as Stretchoid, according to this list.
I’ve seen Stretchoid scans before on my servers (and I still do), with a Zgrab User Agent String: User-Agent: Mozilla/5.0 zgrab/0.xrn
Please post a comment if you know more about these scans.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
