MGLNDD_* Scans
Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.
Like MGLNDD_<IP_ADDRESS_OF_TARGET> and MGLNDD_<IP_ADDRESS_OF_TARGET>
I took a look at my server and honeypot logs, and I'm seeing this too.
It started on March 1st, with TCP data like this: MGLNDD_<IP_ADDRESS_OF_TARGET>\n
Where <IP_ADDRESS_OF_TARGET> is the IPv4 address of my servers.
And starting March 9th, the TCP port was included in the data, like this: MGLNDD_<IP_ADDRESS_OF_TARGET>
Where <TARGET_PORT> is the TCP port on my server.
I'm seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080
The source IPv4 addresses are from ranges owned by DigitalOcean: 192.241.192.0/19 and 192.241.224.0/20.
All the source IPv4 addresses I had scanning my servers, are from a scanner known as Stretchoid, according to this list.
I've seen Stretchoid scans before on my servers (and I still do), with a Zgrab User Agent String: User-Agent: Mozilla/5.0 zgrab/0.x\r\n
Please post a comment if you know more about these scans.
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
Comments
mcox00941
Nov 30th 2022
2 years ago
It claims to be legit but who knows.
I opted out just because.
Wehrmont
May 13th 2023
1 year ago
Jul 04 11:03:19 MX postfix/smtpd[3103]: improper command pipelining after CONNECT from unknown[162.243.146.16]: MGLNDD_50.252.78.1_25\n
Jul 04 15:11:52 MX postfix/submission/smtpd[3673]: improper command pipelining after CONNECT from unknown[45.55.0.20]: MGLNDD_50.252.78.1_587\n
Any idea what "MGLNDD" might mean?
train_wreck
Jul 5th 2023
1 year ago
05:18:05.775426 IP 198.199.111.117.57367 > 98.My.Net.Here.21: UDP, length 24
198.199.112.16 > 98.My.Net.Here
05:54:51.324175 IP 198.199.112.16.33411 > 98.My.Net.Here.53: 19783 updateA [b2&3=0x4c4e] [24377a] [17476q] [14382n] [12852au][|domain]
2023/07/09 05:54:51.324175 IP 198.199.112.16.33411 > 98.My.Net.Here.53: 19783 updateA [b2&3=0x4c4e] [24377a] [17476q] [14382n] [12852au][|domain]
0x0000: 4520 0034 d431 0000 e711 xxxx c6c7 7010 E..4.1....xx..p.
0x0010: 62f4 7b70 8283 0035 0020 0000 4d47 4c4e b.{p...5....MGLN
0x0020: 4444 5f39 382e xxxx xxxx xxxx xxxx xxxx DD_xxxxxxxxxxxxx
0x0030: xx5f 3533 x_53
Both have the same payload.
Google shut me off at two pages
Schnitzle
Jul 10th 2023
1 year ago
listening on [any] 123 ...
connect to [87.229.104.197] from (UNKNOWN) [198.199.112.86] 53383
MGLNDD_87.229.104.197_123
plendvai
Aug 30th 2023
1 year ago
here I tell you something. I have a server and have been looking at how. Stretchoid.com is an incurable pest. It took me 2 years of total tracking of all stretchoid.com IP addresses and it really is a plague. but i finally found the solution to mitigate the scans from stretchoid.com and other servers. Here I will leave a list to block stretchoid.com but still you will see more of Ocean-digital. estoy en telegram entra i pide tu lista para bloquear a stretchoid.com mi telegram es https://t.me/pentestingtest
LaMosca
Sep 2nd 2023
1 year ago
my answer to this is that, there can exists bad programs that accept X commands and well like this they can search for them for example. but is just thinking. love you all***
t3ch
Sep 4th 2023
1 year ago