Last Updated: 2022-03-20 08:23:38 UTC
by Didier Stevens (Version: 1)
Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.
Like MGLNDD_<IP_ADDRESS_OF_TARGET> and MGLNDD_<IP_ADDRESS_OF_TARGET>_<TARGET_PORT>
I took a look at my server and honeypot logs, and I'm seeing this too.
It started on March 1st, with TCP data like this: MGLNDD_<IP_ADDRESS_OF_TARGET>\n
Where <IP_ADDRESS_OF_TARGET> is the IPv4 address of my servers.
And starting March 9th, the TCP port was included in the data, like this: MGLNDD_<IP_ADDRESS_OF_TARGET>_<TARGET_PORT>\n
Where <TARGET_PORT> is the TCP port on my server.
I'm seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080
The source IPv4 addresses are from ranges owned by DigitalOcean: 220.127.116.11/19 and 18.104.22.168/20.
All the source IPv4 addresses that scanned my servers belong to a scanner known as Stretchoid, according to this list.
I've seen Stretchoid scans before on my servers (and I still do), with a Zgrab User Agent String: User-Agent: Mozilla/5.0 zgrab/0.x\r\n
Please post a comment if you know more about these scans.
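To find these probes in your own captures, the following added example (not code from the diary) parses the first TCP payload of a connection and compares the embedded address and port with the connection's real destination. It assumes the port, when present, follows the address after an underscore; the labels, function names and sample records are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# "MGLNDD_" + target IPv4, optionally "_" + target port (separator is an
# assumption of this example), optionally terminated by a newline.
MGLNDD_RE = re.compile(rb"MGLNDD_(\d{1,3}(?:\.\d{1,3}){3})(?:_(\d{1,5}))?\r?\n?")

def parse_mglndd(payload: bytes):
    """Return (IPv4Address, port or None) for an MGLNDD probe, else None."""
    m = MGLNDD_RE.fullmatch(payload)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1).decode("ascii"))
    except ipaddress.AddressValueError:
        return None  # looks like the probe but the octets are not a valid address
    port = int(m.group(2)) if m.group(2) else None
    if port is not None and not 0 < port <= 65535:
        return None
    return ip, port

def classify(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Label one first payload against the connection's actual destination."""
    parsed = parse_mglndd(payload)
    if parsed is None:
        return "other"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(dst_ip) or (port is not None and port != dst_port):
        return "mglndd-mismatch"  # embedded target differs from where it arrived
    return "mglndd-ip-port" if port is not None else "mglndd-ip"

def summarize(records):
    """Count labels over (dst_ip, dst_port, payload) records."""
    return Counter(classify(*r) for r in records)

# Constructed sample records; addresses are from the RFC 5737 documentation range.
SAMPLES = [
    ("192.0.2.10", 22, b"MGLNDD_192.0.2.10\n"),
    ("192.0.2.10", 8080, b"MGLNDD_192.0.2.10_8080\n"),
    ("192.0.2.10", 2222, b"MGLNDD_192.0.2.10_22\n"),
    ("192.0.2.10", 80, b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\n\r\n"),
    ("192.0.2.10", 21, b"MGLNDD_999.1.1.1\n"),
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLES).items()):
        print(f"{label}: {count}")
```

A "mglndd-mismatch" result is worth a second look: it means the address or port inside the payload is not the one the connection reached on your side, which can happen when traffic is translated or forwarded before it arrives at the logging host.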
Nov 30th 2022
It claims to be legit but who knows.
I opted out just because.
May 13th 2023