SANS ISC Finds Systematic Scans of MCP Servers and AI Credentials on Web Hosts
> cd .. / HUB_EDITORIALE
News

SANS ISC Finds Systematic Scans of MCP Servers and AI Credentials on Web Hosts

[2026-07-14] Author: Meteora Web Redazione
> share
Zenithby Meteora Web The operating system for your business. Social, clients, bookings and invoices in one platform. Gyms, barbers, professionals. Discover Zenith Free demo · no card

A seemingly mundane web server hosting a WordPress site, a couple of custom backends, and a static page has revealed an unprecedented scanning phenomenon. Manuel Humberto Santander Peláez, a handler at the SANS Internet Storm Center, analyzed two weeks of Apache and ModSecurity logs from this small host, aiming to sample the background radiation of internet scanning in 2026. The results exceeded expectations: amidst the usual noise of xmlrpc floods and .env and git config probing, he discovered targeted requests for AI agent infrastructure, despite the host running none.

Scanners That Speak the MCP Protocol

The most striking finding is POST /mcp traffic. Every probe carried a valid JSON-RPC 2.0 body performing a Model Context Protocol (MCP) initialize call with a real protocol version. The scanner completed the handshake and waited for a response, as if searching for an actual MCP server. According to the report, this category alone came from 49 distinct source IPs, more widespread than any other threat in the dataset. This is not a single researcher: it is a broad, distributed scan.

Sponsored Protocol

The danger is tangible. An exposed MCP server without authentication allows an attacker to interact with the tools and data sources linked to the AI agent: databases, file systems, ticketing systems, internal APIs. Completing the handshake yields a machine-readable inventory of everything the agent can do. To understand the evolution of AI assistants, one can compare this new frontier with the origins of chatbots, as detailed in the article about the ELIZA source code emerging from MIT archives.

Fishing for AI Assistant Credentials

Alongside the handshakes, scanners requested configuration and credential files that AI coding assistants write to project and home directories, including .claude/mcp.json, .cursor/mcp.json, .vscode/mcp.json, .claude/settings.local.json, and .claude/.credentials.json. When developers accidentally deploy these to a web root, API keys leak. Two details suggest mature tooling: the paths reflect current knowledge of configuration locations, and the credential files were checked with HEAD requests, which return headers without body. This existence-check-first approach is optimized for scanning large numbers of hosts, not one-off curiosity. The AI assistant paths were in the same wordlist as generic cloud credential files for AWS, GCP, Azure, and Kubernetes, indicating that tool authors now treat assistant secrets as another credential worth harvesting.

Sponsored Protocol

Exposed LLM Endpoints and SSRF

A third strand probed unauthenticated LLM endpoints: /v1/models (the OpenAI-compatible model-listing path) and /api/tags (the Ollama endpoint listing installed models). Ollama binds to localhost by default but is often accidentally exposed. An open instance gives an attacker free compute and a potential pivot point. Riding along were classic SSRF probes against the GCP metadata service, rotating parameter names across url, uri, path, and dest to find any fetch-style endpoint that follows a supplied link. Agent and LLM tooling are full of these helpers.

Sponsored Protocol

Why It Matters

None of the targeted infrastructure existed on this host, and that is the point. Scanners have added MCP servers, assistant credentials, and local LLMs to their standard target lists before these deployments become common. Organizations adopting AI agents grow their attack surface, and those scanning the internet already know it. As recent trends show, Chinese open models overtaking US closed models on Hugging Face demonstrates how rapidly the AI ecosystem evolves.

Sponsored Protocol

What to Watch

The SANS report offers concrete checks. Grep access logs for POST /mcp and /sse; on a host with no MCP server, any hit is pure recon and a useful block indicator. Verify that no .claude/, .cursor/, or .vscode/mcp.json files are reachable in web roots. Test your own hosts externally on /v1/models and /api/tags. Ensure fetch-style endpoints block 169.254.169.254 and metadata.google.internal, and enforce IMDSv2 on AWS and header-enforced metadata on GCP. For technical details, refer to the original diary from the SANS Internet Storm Center.

Source: https://www.internationalcyberdigest.com/scanners-are-hunting-mcp-servers-and-ai-assistant-credentials

> share
Meteora Web Redazione

> AUTHOR_EXTRACTED

Meteora Web Redazione

La redazione di Meteora Web Agency: ingegneri informatici e professionisti del digitale che pubblicano ogni giorno news e approfondimenti su tecnologia, software, marketing e innovazione.
[ Read Full Dossier ]

> METEORA_WEB // DIGITAL AGENCY

We build the digital presence your business deserves.

Websites, social media, online advertising, e-commerce and high-performance hosting, engineered with method by computer engineers in Sciacca, for all of Italy.

> MW_JOURNAL

> READ_ALL()