{"ip":"128.203.200.216","total_events":94,"verdict":{"verdict":"scanner","label":"Recognized scanner","detail":"strechoid","confidence":"high","network_type":"CDN","why":["Source IP is in a known scanner range (Stretchoid).","Known research and commercial scanners are labelled as such, not as threats."]},"first_seen":"2026-03-14T18:39:20","last_seen":"2026-07-03T19:27:31","events_24h":1,"events_7d":8,"geo":{"country_code":"US","country_name":"United States","region":"","city":"","lat":37.751,"lon":-97.822,"asn":8075,"org":"Microsoft Corporation"},"source_domain":"azpdcg90igxg.stretchoid.com","known_scanners":["strechoid","Stretchoid"],"scanner_tag":{"key":"stretchoid","label":"Stretchoid","category":"research","url":"https://www.stretchoid.com/"},"cve_matches":[{"cve_id":"CVE-2021-34473","title":"Exchange Server - Remote Code Execution","severity":"critical","actively_exploited":true,"match_field":"url_path","matched_pattern":"/autodiscover/autodiscover.json"}],"malware":[],"top_ports":[{"port":9200,"proto":"tcp","label":"Elastic","count":7},{"port":8083,"proto":"tcp","label":"","count":4},{"port":7001,"proto":"tcp","label":"WebLogic","count":4},{"port":8889,"proto":"tcp","label":"","count":4},{"port":8291,"proto":"tcp","label":"","count":3},{"port":8009,"proto":"tcp","label":"","count":3},{"port":69,"proto":"tcp","label":"","count":3},{"port":8192,"proto":"tcp","label":"","count":3},{"port":179,"proto":"tcp","label":"BGP","count":2},{"port":135,"proto":"tcp","label":"MSRPC","count":2},{"port":5692,"proto":"tcp","label":"","count":2},{"port":18480,"proto":"tcp","label":"","count":2},{"port":8001,"proto":"tcp","label":"","count":2},{"port":9999,"proto":"tcp","label":"","count":2},{"port":4040,"proto":"tcp","label":"","count":2}],"fingerprints":{"ssh_hassh":[],"tls_ja4":["t12i130500_2d7513195f68_e51b7354d87f"],"tls_ja3":["cba7f34191ef2379c1325641f6c6c4f4"],"ja4h":["ge11nn0400_88d30a62b7ad"]},"fingerprint_peers":{"t12i130500_2d7513195f68_e51b7354d87f":2402,"ge11nn0400_8
8d30a62b7ad":8010},"user_agents":["Mozilla/5.0 zgrab/0.x"],"timeline":[{"date":"2026-04-06","count":4},{"date":"2026-04-15","count":2},{"date":"2026-04-16","count":3},{"date":"2026-04-20","count":3},{"date":"2026-04-21","count":2},{"date":"2026-04-23","count":2},{"date":"2026-04-24","count":2},{"date":"2026-04-29","count":4},{"date":"2026-05-01","count":5},{"date":"2026-05-04","count":2},{"date":"2026-05-05","count":2},{"date":"2026-05-06","count":1},{"date":"2026-05-07","count":1},{"date":"2026-05-09","count":1},{"date":"2026-05-10","count":2},{"date":"2026-05-12","count":3},{"date":"2026-05-14","count":1},{"date":"2026-05-15","count":1},{"date":"2026-05-17","count":3},{"date":"2026-05-19","count":1},{"date":"2026-05-24","count":2},{"date":"2026-05-29","count":1},{"date":"2026-06-02","count":1},{"date":"2026-06-05","count":1},{"date":"2026-06-08","count":1},{"date":"2026-06-09","count":2},{"date":"2026-06-16","count":1},{"date":"2026-06-22","count":3},{"date":"2026-06-25","count":1},{"date":"2026-06-26","count":3},{"date":"2026-06-28","count":1},{"date":"2026-06-29","count":1},{"date":"2026-07-01","count":2},{"date":"2026-07-02","count":2},{"date":"2026-07-03","count":1}],"recent_events":[{"timestamp":"2026-07-03T19:27:31","port":9030,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"MGLNDD_<HONEYPOT>_9030\n","payload_hex":"4d474c4e44445f<HONEYPOT>5f393033300a","method":"","user_agent":"","community_id":"1:j6utBPcroekobwXmElhoobL08gQ=","ja3":"","session":"d2999945-14b2-41f9-8b42-1693c9184512","seq":1,"duration_ms":100,"bytes_in":25,"bytes_out":15,"enriched":{"digest":"4739aa2c1d3651c1","strings":["MGLNDD_<HONEYPOT>_9030"]}},{"timestamp":"2026-07-02T12:01:08","port":8333,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"MGLNDD_<HONEYPOT>_8333\n","payload_h
ex":"4d474c4e44445f<HONEYPOT>5f383333330a","method":"","user_agent":"","community_id":"1:NDJu1PYTo3NEWH+Nr68RFLRCSIE=","ja3":"","session":"3b42c8b9-f2f0-4975-b566-b7fb07c2de6f","seq":1,"duration_ms":101,"bytes_in":25,"bytes_out":15,"enriched":{"digest":"0c8f3d85c9b5f804","strings":["MGLNDD_<HONEYPOT>_8333"]}},{"timestamp":"2026-07-02T12:01:03","port":8333,"proto":"tcp","app_proto":"tls","app_protocol":"http","host":"<HONEYPOT>","headers":"{\"accept\":\"*/*\",\"accept-encoding\":\"gzip\",\"host\":\"<HONEYPOT>:8333\",\"user-agent\":\"Mozilla/5.0 zgrab/0.x\"}","body":"","sni":"","tls_cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","tls_version":"TLSv1.2","alpn":[],"url_path":"/","summary":"","payload_hex":"474554202f20485454502f312e310d0a486f73743a20<HONEYPOT>3a383333330d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a","method":"GET","user_agent":"Mozilla/5.0 zgrab/0.x","community_id":"1:/QZJH8tGi40wm/8As4NfKOlJTOo=","ja3":"cba7f34191ef2379c1325641f6c6c4f4","session":"bd23c3b4-c42b-4661-9a7c-9c0bb659cff2","seq":1,"duration_ms":142,"bytes_in":114,"bytes_out":80},{"timestamp":"2026-07-01T09:34:24","port":5692,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"MGLNDD_<HONEYPOT>_5692\n","payload_hex":"4d474c4e44445f<HONEYPOT>5f353639320a","method":"","user_agent":"","community_id":"1:O9As9IdMTL+q9Iq/ve50sDcQk8s=","ja3":"","session":"fe645e40-5359-46fa-bc71-ec41ce79f66f","seq":1,"duration_ms":100,"bytes_in":25,"bytes_out":15,"enriched":{"digest":"5acb30d252b03ec3","strings":["MGLNDD_<HONEYPOT>_5692"]}},{"timestamp":"2026-07-01T09:34:24","port":5692,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"\n","payload_hex":"0a","method":"","user_agent":"","community_id":"1:
JjMKMDuJ6SaXyhnr7SxcqlpgLBA=","ja3":"","session":"a9002141-09f0-4cbd-bc29-ad484fd150c4","seq":1,"duration_ms":101,"bytes_in":1,"bytes_out":15},{"timestamp":"2026-06-29T17:24:28","port":9200,"proto":"tcp","app_proto":"tls","app_protocol":"http","host":"<HONEYPOT>","headers":"{\"accept\":\"*/*\",\"accept-encoding\":\"gzip\",\"host\":\"<HONEYPOT>:9200\",\"user-agent\":\"Mozilla/5.0 zgrab/0.x\"}","body":"","sni":"","tls_cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","tls_version":"TLSv1.2","alpn":[],"url_path":"/_status","summary":"","payload_hex":"474554202f5f73746174757320485454502f312e310d0a486f73743a20<HONEYPOT>3a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a","method":"GET","user_agent":"Mozilla/5.0 zgrab/0.x","community_id":"1:IBYshjoJ0aErHulG26x2eEiGd1g=","ja3":"cba7f34191ef2379c1325641f6c6c4f4","session":"c05540ef-b7d7-4613-88db-2899b27daaeb","seq":1,"duration_ms":225,"bytes_in":123,"bytes_out":80},{"timestamp":"2026-06-28T10:08:10","port":1527,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"MGLNDD_<HONEYPOT>_1527\n","payload_hex":"4d474c4e44445f<HONEYPOT>5f313532370a","method":"","user_agent":"","community_id":"1:ISVtSrE2cgU7/vjatCb4Y5PvhmE=","ja3":"","session":"bc8db1f3-e4be-4d6c-b5f8-098f769819d9","seq":1,"duration_ms":101,"bytes_in":25,"bytes_out":15,"enriched":{"digest":"062f4f2cc369f41a","strings":["MGLNDD_<HONEYPOT>_1527"]}},{"timestamp":"2026-06-26T22:47:10","port":20,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"MGLNDD_<HONEYPOT>_20\n","payload_hex":"4d474c4e44445f<HONEYPOT>5f32300a","method":"","user_agent":"","community_id":"1:/DZOcO/+xhRLgjGoSR+xU0+6dl8=","ja3":"","session":"85c5cdc7-f351-4216-b5c0-58640e39fa32","seq":1,"du
ration_ms":100,"bytes_in":24,"bytes_out":15,"enriched":{"digest":"40b085a52b2d8565","strings":["MGLNDD_<HONEYPOT>_20"]}},{"timestamp":"2026-06-26T11:49:43","port":9200,"proto":"tcp","app_proto":"","app_protocol":"","host":"","headers":"","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"","summary":"MGLNDD_<HONEYPOT>_9200\n","payload_hex":"4d474c4e44445f<HONEYPOT>5f393230300a","method":"","user_agent":"","community_id":"1:BnSB1PpcDL1Wip9QVR5cX7fVG9o=","ja3":"","session":"cd5de76c-ecd7-4747-af1a-a015d8b3024c","seq":1,"duration_ms":100,"bytes_in":25,"bytes_out":15,"enriched":{"digest":"1082049adc72cf4b","strings":["MGLNDD_<HONEYPOT>_9200"]}},{"timestamp":"2026-06-26T11:49:38","port":9200,"proto":"tcp","app_proto":"","app_protocol":"http","host":"<HONEYPOT>","headers":"{\"accept\":\"*/*\",\"accept-encoding\":\"gzip\",\"host\":\"<HONEYPOT>:9200\",\"user-agent\":\"Mozilla/5.0 zgrab/0.x\"}","body":"","sni":"","tls_cipher":"","tls_version":"","alpn":[],"url_path":"/","summary":"","payload_hex":"474554202f20485454502f312e310d0a486f73743a20<HONEYPOT>3a393230300d0a557365722d4167656e743a204d6f7a696c6c612f352e30207a677261622f302e780d0a4163636570743a202a2f2a0d0a4163636570742d456e636f64696e673a20677a69700d0a0d0a","method":"GET","user_agent":"Mozilla/5.0 
zgrab/0.x","community_id":"1:QBaX/WoR7dMiHlznrIU0hOkLkRU=","ja3":"","session":"48425b2f-c0f6-4ce6-8fd1-1af002dc3505","seq":1,"duration_ms":100,"bytes_in":114,"bytes_out":80}],"http_methods":[{"method":"GET","count":12}],"distinct_ports_total":49,"top_paths":[{"path":"/","count":8,"ports":7},{"path":"/_status","count":1,"ports":1},{"path":"/_search","count":1,"ports":1},{"path":"/actuator/health","count":1,"ports":1},{"path":"/autodiscover/autodiscover.json?@zdi/Powershell","count":1,"ports":1}],"distinct_paths_total":5,"top_snis":[],"top_hosts":[],"top_alpns":[],"banners":[],"credentials":[],"header_profile":{"signature":["Accept","Accept-Encoding","Host","User-Agent"],"representative":[{"name":"Accept","value":"*/*","notable":false},{"name":"Accept-Encoding","value":"gzip","notable":false},{"name":"Host","value":"<HONEYPOT>:8333","notable":false},{"name":"User-Agent","value":"Mozilla/5.0 zgrab/0.x","notable":false}],"distinct_sets":1,"events_with_headers":3},"tags":[{"tag_id":"CVE-2021-34473","tag_type":"cve","title":"Exchange Server - Remote Code Execution","severity":"critical","actively_exploited":true,"match_field":"url_path","matched_pattern":"/autodiscover/autodiscover.json","reference_urls":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473","https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html","https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1","https://nvd.nist.gov/vuln/detail/CVE-2021-34473","https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473"]}],"data_as_of":"2026-07-03T21:15:41.000722+00:00"}