MGLNDD_* Scans

Published: 2022-03-20
Last Updated: 2022-03-20 08:23:38 UTC
by Didier Stevens (Version: 1)
8 comment(s)

Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.

Like MGLNDD_<IP_ADDRESS_OF_TARGET> and MGLNDD_<IP_ADDRESS_OF_TARGET>_<TARGET_PORT>.

I took a look at my server and honeypot logs, and I'm seeing this too.

It started on March 1st, with TCP data like this: MGLNDD_<IP_ADDRESS_OF_TARGET>\n

Where <IP_ADDRESS_OF_TARGET> is the IPv4 address of my servers.

And starting March 9th, the TCP port was included in the data, like this: MGLNDD_<IP_ADDRESS_OF_TARGET>_<TARGET_PORT>\n.

Where <TARGET_PORT> is the TCP port on my server.

I'm seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080
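The payload has a fixed shape, so it is easy to pick out of a honeypot or connection log and, more usefully, to check whether the address and port the scanner embedded actually match the socket the probe arrived on. The following parser and checker is an added example (not code from the diary or from Stretchoid); the connection records and payloads in it are constructed, with the source addresses chosen from the DigitalOcean prefixes named above. The label names and the `classify` logic are my own assumptions about what a defender would want to flag, and the parser is protocol-agnostic, so it applies equally to a UDP datagram carrying the same text.

```python
#!/usr/bin/env python3
"""Parse and sanity-check MGLNDD_* scanner payloads.

Added example, not part of the diary. The connection records and payloads
below are constructed for illustration; the real probes carried the probed
server's own IPv4 address and (from March 9th) the probed TCP port.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Two payload shapes are described in the diary:
#   MGLNDD_<IPv4 of target>\n             (seen from March 1st)
#   MGLNDD_<IPv4 of target>_<TCP port>\n  (seen from March 9th)
MGLNDD_RE = re.compile(
    rb"^MGLNDD_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:_(?P<port>\d{1,5}))?\n?\Z"
)


@dataclass(frozen=True)
class MglnddProbe:
    target_ip: str
    target_port: Optional[int]  # None for the older, port-less form


def parse_mglndd(payload: bytes) -> Optional[MglnddProbe]:
    """Return the embedded target IP/port, or None if this is not an MGLNDD probe."""
    m = MGLNDD_RE.match(payload)
    if m is None:
        return None
    ip = m.group("ip").decode("ascii")
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ValueError:
        return None
    port = None
    if m.group("port") is not None:
        port = int(m.group("port"))
        if not 0 < port <= 65535:
            return None
    return MglnddProbe(ip, port)


def classify(payload: bytes, dst_ip: str, dst_port: int) -> str:
    """Compare the embedded target with where the packet actually arrived.

    The scanner tags each probe with the address/port it is aimed at, so a
    genuine probe should echo our own socket. A mismatch deserves a second
    look (NAT in front of the host, or a replay of captured probes).
    Labels are this example's own convention, not anything from the diary.
    """
    probe = parse_mglndd(payload)
    if probe is None:
        return "not-mglndd"
    if probe.target_ip != dst_ip:
        return "mglndd-ip-mismatch"
    if probe.target_port is not None and probe.target_port != dst_port:
        return "mglndd-port-mismatch"
    return "mglndd-match"


# (src_ip, dst_ip, dst_port, first bytes of payload). Constructed sample data.
ConnRecord = Tuple[str, str, int, bytes]

SAMPLE_CONNECTIONS: List[ConnRecord] = [
    ("192.241.200.10", "203.0.113.5", 22, b"MGLNDD_203.0.113.5\n"),
    ("192.241.230.77", "203.0.113.5", 80, b"MGLNDD_203.0.113.5_80\n"),
    ("192.241.230.78", "203.0.113.5", 3389, b"MGLNDD_203.0.113.5_3389\n"),
    ("192.241.201.3", "203.0.113.5", 8080, b"MGLNDD_203.0.113.5_80\n"),  # port differs
    ("198.51.100.9", "203.0.113.5", 22, b"MGLNDD_203.0.113.99_22\n"),  # IP differs
    ("198.51.100.10", "203.0.113.5", 80,
     b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 zgrab/0.x\r\n"),  # zgrab, not MGLNDD
]


def summarize(conns: List[ConnRecord]) -> Dict[str, Counter]:
    """Count classifications overall and MGLNDD hits per destination port."""
    by_class: Counter = Counter()
    by_port: Counter = Counter()
    for _src, dst_ip, dst_port, payload in conns:
        label = classify(payload, dst_ip, dst_port)
        by_class[label] += 1
        if label.startswith("mglndd"):
            by_port[dst_port] += 1
    return {"by_class": by_class, "by_port": by_port}


if __name__ == "__main__":
    result = summarize(SAMPLE_CONNECTIONS)
    for label, n in sorted(result["by_class"].items()):
        print(f"{label:22s} {n}")
    print("MGLNDD probes per port:", dict(sorted(result["by_port"].items())))
```

Feeding it the first bytes of each inbound connection (for instance, the text Postfix logs in its "improper command pipelining" message, or the payload from a tcpdump -A capture) gives a per-port count of the scanner's probes and separates them from unrelated banner grabs such as zgrab's HTTP request. The regex is anchored with `\Z` rather than `$` so that trailing junk after the newline is not silently accepted.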

The source IPv4 addresses are from ranges owned by DigitalOcean: 192.241.192.0/19 and 192.241.224.0/20.

All the source IPv4 addresses I had scanning my servers are from a scanner known as Stretchoid, according to this list.

I've seen Stretchoid scans before on my servers (and I still do), with a zgrab User-Agent string: User-Agent: Mozilla/5.0 zgrab/0.x\r\n

Please post a comment if you know more about these scans.


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Keywords: scans tcp

Comments

I noticed this traffic hitting our firewall logs as well. Seems to have started around 11/3 and ended 11/22. I can't seem to find anybody else offering more details on what it is.
Hey, I saw this in my logs today and did a whois on the source IP and it points to https://stretchoid.com/
It claims to be legit but who knows.
I opted out just because.
I noticed this recently in logs on my Postfix mail server:

Jul 04 11:03:19 MX postfix/smtpd[3103]: improper command pipelining after CONNECT from unknown[162.243.146.16]: MGLNDD_50.252.78.1_25\n
Jul 04 15:11:52 MX postfix/submission/smtpd[3673]: improper command pipelining after CONNECT from unknown[45.55.0.20]: MGLNDD_50.252.78.1_587\n

Any idea what "MGLNDD" might mean?
198.199.111.117 > 98.My.Net.Here
05:18:05.775426 IP 198.199.111.117.57367 > 98.My.Net.Here.21: UDP, length 24

198.199.112.16 > 98.My.Net.Here
05:54:51.324175 IP 198.199.112.16.33411 > 98.My.Net.Here.53: 19783 updateA [b2&3=0x4c4e] [24377a] [17476q] [14382n] [12852au][|domain]

2023/07/09 05:54:51.324175 IP 198.199.112.16.33411 > 98.My.Net.Here.53: 19783 updateA [b2&3=0x4c4e] [24377a] [17476q] [14382n] [12852au][|domain]
0x0000: 4520 0034 d431 0000 e711 xxxx c6c7 7010 E..4.1....xx..p.
0x0010: 62f4 7b70 8283 0035 0020 0000 4d47 4c4e b.{p...5....MGLN
0x0020: 4444 5f39 382e xxxx xxxx xxxx xxxx xxxx DD_xxxxxxxxxxxxx
0x0030: xx5f 3533 x_53

Both have the same payload.
Google shut me off at two pages
Today I opened a UDP netcat listener for incoming NTP traffic, and received the following:

listening on [any] 123 ...
connect to [87.229.104.197] from (UNKNOWN) [198.199.112.86] 53383
MGLNDD_87.229.104.197_123
Well, I know this situation, and I know it perfectly.

Here I'll tell you something. I have a server and have been looking at how. Stretchoid.com is an incurable pest. It took me 2 years of total tracking of all stretchoid.com IP addresses, and it really is a plague. But I finally found the solution to mitigate the scans from stretchoid.com and other servers. Here I will leave a list to block stretchoid.com, but you will still see more from Ocean-digital. I am on Telegram; come in and ask for your list to block stretchoid.com. My Telegram is https://t.me/pentestingtest
Hello all!
My answer to this is that there can exist bad programs that accept X commands, and like this they can search for them, for example. But it's just thinking. Love you all
