MGLNDD_* Scans

Published: 2022-03-20
Last Updated: 2022-03-20 08:23:38 UTC
by Didier Stevens (Version: 1)
1 comment(s)

Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.

Like MGLNDD_<IP_ADDRESS_OF_TARGET> and MGLNDD_<IP_ADDRESS_OF_TARGET>_<TARGET_PORT>.

I took a look at my server and honeypot logs, and I'm seeing this too.

It started on March 1st, with TCP data like this: MGLNDD_<IP_ADDRESS_OF_TARGET>\n

Where <IP_ADDRESS_OF_TARGET> is the IPv4 address of my servers.

And starting March 9th, the TCP port was included in the data, like this: MGLNDD_<IP_ADDRESS_OF_TARGET>_<TARGET_PORT>\n.

Where <TARGET_PORT> is the TCP port on my server.

I'm seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080

The source IPv4 addresses are from ranges owned by DigitalOcean: 192.241.192.0/19 and 192.241.224.0/20.

All the source IPv4 addresses I had scanning my servers are from a scanner known as Stretchoid, according to this list.

I've seen Stretchoid scans before on my servers (and I still do), with a Zgrab User Agent String: User-Agent: Mozilla/5.0 zgrab/0.x\r\n
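To make the two observed payload formats, the source ranges and the zgrab User-Agent string above usable in a honeypot or firewall log review, here is a small triage script. It is an added example written for this diary, not code from the post or from any of the scanners it mentions; the record layout (`src`, `dst`, `dport`, `payload`) and the sample records are constructed for illustration, while the banner format, the two DigitalOcean ranges and the zgrab string are taken from the text. It checks that the IP and port embedded in each MGLNDD_ banner actually match the connection they arrived on, which is the quickest way to confirm a hit is this scanner and not a coincidental string.

```python
import ipaddress
import re

# Banner formats described in the diary: "MGLNDD_<target IP>\n" (from March 1st)
# and "MGLNDD_<target IP>_<target port>\n" (from March 9th).
MGLNDD_RE = re.compile(
    r"^MGLNDD_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:_(?P<port>\d{1,5}))?\n?$"
)

# Zgrab User-Agent string seen on earlier Stretchoid scans (from the diary).
ZGRAB_UA_RE = re.compile(r"^User-Agent:\s*Mozilla/5\.0 zgrab/0\.", re.MULTILINE)

# Source ranges named in the diary (DigitalOcean, attributed to Stretchoid).
STRETCHOID_RANGES = [
    ipaddress.ip_network("192.241.192.0/19"),
    ipaddress.ip_network("192.241.224.0/20"),
]


def parse_mglndd(payload: bytes):
    """Return (target_ip, target_port_or_None) for an MGLNDD_ banner, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = MGLNDD_RE.match(text)
    if not m:
        return None
    ip = m.group("ip")
    try:
        ipaddress.ip_address(ip)  # rejects octets > 255 that the regex lets through
    except ValueError:
        return None
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        return None
    return ip, port


def is_zgrab(payload: bytes) -> bool:
    """True if the payload carries the zgrab User-Agent header from the diary."""
    return ZGRAB_UA_RE.search(payload.decode("ascii", errors="replace")) is not None


def in_known_ranges(src_ip: str) -> bool:
    """True if src_ip falls in one of the two DigitalOcean ranges named above."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in STRETCHOID_RANGES)


def triage(records):
    """Classify constructed connection records; the format of each record is assumed."""
    findings = []
    for rec in records:
        parsed = parse_mglndd(rec["payload"])
        if parsed is None:
            if is_zgrab(rec["payload"]):
                findings.append({"src": rec["src"], "dport": rec["dport"],
                                 "kind": "zgrab",
                                 "src_in_known_ranges": in_known_ranges(rec["src"])})
            continue
        ip, port = parsed
        findings.append({
            "src": rec["src"],
            "dport": rec["dport"],
            "kind": "mglndd",
            # The diary says the banner carries the target's own IP (and later port).
            "embedded_ip_matches_dst": ip == rec["dst"],
            "embedded_port_matches_dport": port is None or port == rec["dport"],
            "src_in_known_ranges": in_known_ranges(rec["src"]),
        })
    return findings


# Constructed sample records (documentation addresses, not real traffic).
SAMPLE_RECORDS = [
    {"src": "192.241.200.5", "dst": "203.0.113.10", "dport": 22,
     "payload": b"MGLNDD_203.0.113.10\n"},
    {"src": "192.241.230.1", "dst": "203.0.113.10", "dport": 2222,
     "payload": b"MGLNDD_203.0.113.10_2222\n"},
    {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 8080,
     "payload": b"MGLNDD_203.0.113.99_8080\n"},   # embedded IP does not match
    {"src": "192.241.195.3", "dst": "203.0.113.10", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: 203.0.113.10\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\n\r\n"},
    {"src": "198.51.100.9", "dst": "203.0.113.10", "dport": 21,
     "payload": b"USER anonymous\r\n"},            # unrelated traffic, ignored
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f)
```

Run it as-is to see the classification of the constructed records; in practice you would feed it the payload column of your honeypot or packet-capture export. A banner whose embedded IP or port does not match the connection it arrived on is worth a second look, since the diary only describes banners that name the target itself.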

Please post a comment if you know more about these scans.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: scans tcp

