Identifies a MongoDB reconnaissance sequence where an actor initiates legacy authentication negotiation using the getnonce command followed by an isMaster topology discovery request that discloses client metadata for the mgo Go driver on a Linux amd64 system. This pattern reflects automated tooling or scripted clients performing server capability validation, authentication workflow testing, and environment fingerprinting prior to further database interaction.

Client first performs a generic request to the Elasticsearch root endpoint to verify service availability, then proceeds to request /_cat/indices. This sequence reflects staged Elasticsearch reconnaissance where the actor validates that the cluster is reachable before attempting index enumeration and data exposure assessment. Compared to direct index enumeration behaviors, the interaction begins with a service-validation step, suggesting adaptive probing rather than immediate Elasticsearch-specific targeting.

FTP session where the client negotiates binary transfer mode, enters extended passive mode (EPSV), and issues an MLSD command to retrieve a machine-readable directory listing.

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.