Unnamed Web Host: Hackers Scan for Exposed MCP Servers, AI Assistant Credentials, and Unauthenticated LLM Endpoints

Unnamed Web Host: Hackers Scan for Exposed MCP Servers, AI Assistant Credentials, and Unauthenticated LLM Endpoints

Hackers Ramp Up Scans for Exposed AI and LLM Infrastructure

Over a two-week period, security researchers analyzing Apache and ModSecurity logs from a small web host detected a surge in scans targeting exposed AI-related services, including Model Context Protocol (MCP) servers, AI assistant configuration files, and unauthenticated local large language model (LLM) endpoints. Despite the host lacking any such infrastructure running only low-traffic WordPress sites, custom backends, and static pages attackers persistently probed for vulnerabilities, signaling a growing trend in AI-focused reconnaissance.

The scans revealed 200,200,200 requests aimed at AI-agent infrastructure, alongside traditional targets like WordPress XML-RPC, exposed .env files, and Git repositories. MCP servers, which enable AI agents to interact with external tools (databases, APIs, cloud services), were a key focus. Unauthenticated access to these servers could allow attackers to enumerate connected resources, abuse server capabilities, or exfiltrate sensitive data. Probes also targeted /sse endpoints, linked to older MCP implementations, suggesting scanners are hunting for both current and legacy deployments.

Attackers employed HTTP HEAD requests to check for credential files (e.g., .claude, .cursor) without downloading them, reducing bandwidth during mass scans. If such files containing API keys, tokens, or internal URLs are accidentally exposed in web-accessible directories, they could grant attackers access to cloud services, internal tools, or LLM inference endpoints. Additionally, unauthenticated LLM servers were probed for free compute resources, model enumeration, or lateral movement opportunities.

The scans included Server-Side Request Forgery (SSRF) attempts against Google Cloud metadata services, using parameters like url, uri, and dest to test if applications would fetch attacker-controlled URLs. Successful exploitation could expose cloud service-account tokens, enabling further compromise.

While the host in question was not running the targeted services, the findings underscore the expanding attack surface of AI infrastructure. Organizations are advised to enforce authentication for MCP services, restrict public LLM server exposure, block cloud metadata access from fetch endpoints, and prevent AI-related directories from being deployed in web roots. Indicators of compromise (IOCs) include /mcp POST requests (JSON-RPC handshakes) and /sse GET probes, which defenders should monitor and block if unauthenticated.

Source: https://cyberpress.org/hackers-scan-exposed-ai/

Unnamed Web Host TPRM report: https://www.rankiteo.com/company/unnamed-labs

"id": "unn1783945432",
"linkid": "unnamed-labs",
"type": "Cyber Attack",
"date": "7/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'size': 'Small', 'type': 'Web Host'}],
 'attack_vector': ['HTTP HEAD requests',
                   'SSRF attempts',
                   'Unauthenticated access probes'],
 'data_breach': {'file_types_exposed': ['.claude', '.cursor', '.env']},
 'description': 'Over a two-week period, security researchers detected a surge '
                'in scans targeting exposed AI-related services, including '
                'Model Context Protocol (MCP) servers, AI assistant '
                'configuration files, and unauthenticated local large language '
                'model (LLM) endpoints. The scans revealed 200,200,200 '
                'requests aimed at AI-agent infrastructure, alongside '
                'traditional targets like WordPress XML-RPC, exposed .env '
                'files, and Git repositories. Attackers employed HTTP HEAD '
                'requests to check for credential files and probed for SSRF '
                'vulnerabilities against cloud metadata services.',
 'initial_access_broker': {'high_value_targets': ['MCP servers',
                                                  'LLM endpoints',
                                                  'Cloud metadata services'],
                           'reconnaissance_period': 'Two weeks'},
 'lessons_learned': 'The incident underscores the expanding attack surface of '
                    'AI infrastructure and the need for proactive security '
                    'measures to protect against reconnaissance and '
                    'exploitation.',
 'motivation': ['Enumeration of connected resources',
                'Abuse of server capabilities',
                'Data exfiltration',
                'Free compute resource exploitation',
                'Lateral movement'],
 'post_incident_analysis': {'corrective_actions': ['Enforce authentication',
                                                   'Restrict public exposure',
                                                   'Enhance monitoring for '
                                                   'AI-related probes'],
                            'root_causes': ['Exposed AI-related infrastructure',
                                            'Unauthenticated access to '
                                            'sensitive endpoints',
                                            'Legacy system vulnerabilities']},
 'recommendations': ['Enforce authentication for MCP services',
                     'Restrict public LLM server exposure',
                     'Block cloud metadata access from fetch endpoints',
                     'Prevent AI-related directories from being deployed in '
                     'web roots',
                     'Monitor and block suspicious AI-related probes'],
 'references': [{'source': 'Security Research Analysis'}],
 'response': {'enhanced_monitoring': ['Monitor and block /mcp POST requests '
                                      '(JSON-RPC handshakes)',
                                      'Monitor and block /sse GET probes'],
              'remediation_measures': ['Enforce authentication for MCP '
                                       'services',
                                       'Restrict public LLM server exposure',
                                       'Block cloud metadata access from fetch '
                                       'endpoints',
                                       'Prevent AI-related directories from '
                                       'being deployed in web roots']},
 'title': 'Hackers Ramp Up Scans for Exposed AI and LLM Infrastructure',
 'type': 'Reconnaissance Scanning',
 'vulnerability_exploited': ['Exposed MCP servers',
                             'Unauthenticated LLM endpoints',
                             'Exposed .env files',
                             'Legacy /sse endpoints',
                             'AI assistant configuration files']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.