MGLNDD_* Scans, (Sun, Mar 20th)

Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.

Like MGLNDD_  and MGLNDD__.

I took a look at my server and honeypot logs, and I’m seeing this too.

It started on March 1st, with TCP data like this: MGLNDD_n

Where is the IPv4 address of my servers.

And starting March 9th, the TCP port was included in the data, like this: MGLNDD__n.

Where is the TCP port on my server.

I’m seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080

The source IPv4 addresses are from ranges owned by DigitalOcean: 192.241.192.0/19 and 192.241.224.0/20.

All the source IPv4 addresses I had scanning my servers, are from a scanner known as Stretchoid, according to this list.

I’ve seen Stretchoid scans before on my servers (and I still do), with a Zgrab User Agent String: User-Agent: Mozilla/5.0 zgrab/0.xrn

Please post a comment if you know more about these scans.

 

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

CyberSafe-WP-Admin