A seemingly mundane web server hosting a WordPress site, a couple of custom backends, and a static page has revealed an unprecedented scanning phenomenon. Manuel Humberto Santander Peláez, a handler at the SANS Internet Storm Center, analyzed two weeks of Apache and ModSecurity logs from this small host, aiming to sample the background radiation of internet scanning in 2026. The results exceeded expectations: amidst the usual noise of xmlrpc floods and .env and git config probing, he discovered targeted requests for AI agent infrastructure, despite the host running none.
Scanners That Speak the MCP Protocol
The most striking finding is POST /mcp traffic. Every probe carried a valid JSON-RPC 2.0 body performing a Model Context Protocol (MCP) initialize call with a real protocol version. The scanner completed the handshake and waited for a response, as if searching for an actual MCP server. According to the report, this category alone came from 49 distinct source IPs, more widespread than any other threat in the dataset. This is not a single researcher: it is a broad, distributed scan.
Sponsored Protocol
The danger is tangible. An exposed MCP server without authentication allows an attacker to interact with the tools and data sources linked to the AI agent: databases, file systems, ticketing systems, internal APIs. Completing the handshake yields a machine-readable inventory of everything the agent can do. To understand the evolution of AI assistants, one can compare this new frontier with the origins of chatbots, as detailed in the article about the ELIZA source code emerging from MIT archives.
Fishing for AI Assistant Credentials
Alongside the handshakes, scanners requested configuration and credential files that AI coding assistants write to project and home directories, including .claude/mcp.json, .cursor/mcp.json, .vscode/mcp.json, .claude/settings.local.json, and .claude/.credentials.json. When developers accidentally deploy these to a web root, API keys leak. Two details suggest mature tooling: the paths reflect current knowledge of configuration locations, and the credential files were checked with HEAD requests, which return headers without body. This existence-check-first approach is optimized for scanning large numbers of hosts, not one-off curiosity. The AI assistant paths were in the same wordlist as generic cloud credential files for AWS, GCP, Azure, and Kubernetes, indicating that tool authors now treat assistant secrets as another credential worth harvesting.
Sponsored Protocol
Exposed LLM Endpoints and SSRF
A third strand probed unauthenticated LLM endpoints: /v1/models (the OpenAI-compatible model-listing path) and /api/tags (the Ollama endpoint listing installed models). Ollama binds to localhost by default but is often accidentally exposed. An open instance gives an attacker free compute and a potential pivot point. Riding along were classic SSRF probes against the GCP metadata service, rotating parameter names across url, uri, path, and dest to find any fetch-style endpoint that follows a supplied link. Agent and LLM tooling are full of these helpers.
Sponsored Protocol
Why It Matters
None of the targeted infrastructure existed on this host, and that is the point. Scanners have added MCP servers, assistant credentials, and local LLMs to their standard target lists before these deployments become common. Organizations adopting AI agents grow their attack surface, and those scanning the internet already know it. As recent trends show, Chinese open models overtaking US closed models on Hugging Face demonstrates how rapidly the AI ecosystem evolves.
Sponsored Protocol
What to Watch
The SANS report offers concrete checks. Grep access logs for POST /mcp and /sse; on a host with no MCP server, any hit is pure recon and a useful block indicator. Verify that no .claude/, .cursor/, or .vscode/mcp.json files are reachable in web roots. Test your own hosts externally on /v1/models and /api/tags. Ensure fetch-style endpoints block 169.254.169.254 and metadata.google.internal, and enforce IMDSv2 on AWS and header-enforced metadata on GCP. For technical details, refer to the original diary from the SANS Internet Storm Center.