MGLNDD_* Scans

Published: 2022-03-20
Last Updated: 2022-03-20 08:23:38 UTC
by Didier Stevens (Version: 1)
8 comment(s)

Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.


I took a look at my server and honeypot logs, and I'm seeing this too.

It started on March 1st, with TCP data like this: MGLNDD_<IP_ADDRESS_OF_TARGET>\n

Where <IP_ADDRESS_OF_TARGET> is the IPv4 address of my servers.

And starting March 9th, the TCP port was included in the data, like this: MGLNDD_<IP_ADDRESS_OF_TARGET>_<TARGET_PORT>\n.

Where <TARGET_PORT> is the TCP port on my server.

I'm seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080

The source IPv4 addresses are from ranges owned by DigitalOcean: and

All the source IPv4 addresses I had scanning my servers are from a scanner known as Stretchoid, according to this list.

I've seen Stretchoid scans before on my servers (and I still do), with a Zgrab User Agent String: User-Agent: Mozilla/5.0 zgrab/0.x\r\n
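As an added example (not code from the diary or from any scanner), here is a small Python parser for the two payload shapes described above, MGLNDD_<IPv4>\n and MGLNDD_<IPv4>_<port>\n, with a consistency check a honeypot can apply (the embedded address and port should be the listener's own) and a per-port tally over log lines. The sample log lines are constructed in the style of the Postfix and OpenSSH messages seen in the comments, using documentation address ranges; the function names are my own.

```python
"""Detect and parse MGLNDD_ scanner probes in raw TCP payloads and in text logs."""
import ipaddress
import re
from collections import Counter

# The two payload shapes reported in the diary: "MGLNDD_<IPv4>\n" (seen from March 1st)
# and "MGLNDD_<IPv4>_<port>\n" (seen from March 9th). The trailing newline may be a real
# newline (raw TCP data) or the literal two characters "\n" (as Postfix logs it), so the
# pattern stops after the port/IP and ignores whatever follows.
MGLNDD_RE = re.compile(r"MGLNDD_(\d{1,3}(?:\.\d{1,3}){3})(?:_(\d{1,5}))?")


def parse_mglndd(text):
    """Return {"target_ip", "target_port", "variant"} for an MGLNDD_ probe, or None."""
    m = MGLNDD_RE.search(text)
    if m is None:
        return None
    try:
        target_ip = str(ipaddress.IPv4Address(m.group(1)))
    except ValueError:  # e.g. an octet above 255: not a real address, so not a probe
        return None
    target_port = None
    if m.group(2) is not None:
        target_port = int(m.group(2))
        if not 0 < target_port <= 65535:
            return None
    variant = "ip_only" if target_port is None else "ip_port"
    return {"target_ip": target_ip, "target_port": target_port, "variant": variant}


def probe_matches_listener(text, listener_ip, listener_port):
    """True when the probe echoes the listener's own address (and port, for the newer variant).

    The diary notes that the embedded address is the scanned server's own IPv4 address and
    the embedded port is the scanned TCP port, so a honeypot can use this as a sanity check
    when classifying the connection.
    """
    probe = parse_mglndd(text)
    if probe is None or probe["target_ip"] != listener_ip:
        return False
    return probe["target_port"] in (None, listener_port)


def summarize(lines):
    """Count MGLNDD_ probes per target port (key None = ip-only variant) across log lines."""
    counts = Counter()
    for line in lines:
        probe = parse_mglndd(line)
        if probe is not None:
            counts[probe["target_port"]] += 1
    return dict(counts)


# Constructed sample lines (hypothetical, not from the diary) in the style of the Postfix
# messages quoted in the comments and of OpenSSH's "Bad protocol version identification"
# message. Addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24.
SAMPLE_LINES = [
    "Jul 04 11:03:19 MX postfix/smtpd[3103]: improper command pipelining after CONNECT "
    "from unknown[198.51.100.7]: MGLNDD_192.0.2.10_25\\n",
    "Jul 04 15:11:52 MX postfix/submission/smtpd[3673]: improper command pipelining after "
    "CONNECT from unknown[198.51.100.7]: MGLNDD_192.0.2.10_587\\n",
    "Mar 01 09:00:00 web sshd[100]: Bad protocol version identification "
    "'MGLNDD_192.0.2.10' from 198.51.100.9 port 44321",
    "Jul 04 16:00:00 MX postfix/smtpd[3700]: connect from mail.example.net[203.0.113.5]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_mglndd(line))
    print(summarize(SAMPLE_LINES))  # {25: 1, 587: 1, None: 1}
```

Feeding a honeypot's raw received bytes (decoded as ASCII) or existing syslog lines through parse_mglndd is enough to tag these connections separately from other probes; the port tally makes it easy to see whether the scanner's port list matches the one given in the diary.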

Please post a comment if you know more about these scans.



Didier Stevens
Senior handler
Microsoft MVP

Keywords: scans tcp


I noticed this traffic hitting our firewall logs as well. Seems to have started around 11/3 and ended 11/22. I can't seem to find anybody else offering more details on what it is.

Hey, I saw this in my logs today and did a whois on the source IP and it points to
It claims to be legit but who knows.
I opted out just because.

I noticed this recently in logs on my Postfix mail server:

Jul 04 11:03:19 MX postfix/smtpd[3103]: improper command pipelining after CONNECT from unknown[]: MGLNDD_50.252.78.1_25\n
Jul 04 15:11:52 MX postfix/submission/smtpd[3673]: improper command pipelining after CONNECT from unknown[]: MGLNDD_50.252.78.1_587\n

Any idea what "MGLNDD" might mean?

> 98.My.Net.Here
05:18:05.775426 IP > 98.My.Net.Here.21: UDP, length 24
> 98.My.Net.Here
05:54:51.324175 IP > 98.My.Net.Here.53: 19783 updateA [b2&3=0x4c4e] [24377a] [17476q] [14382n] [12852au][|domain]

2023/07/09 05:54:51.324175 IP > 98.My.Net.Here.53: 19783 updateA [b2&3=0x4c4e] [24377a] [17476q] [14382n] [12852au][|domain]
0x0000: 4520 0034 d431 0000 e711 xxxx c6c7 7010 E..4.1....xx..p.
0x0010: 62f4 7b70 8283 0035 0020 0000 4d47 4c4e b.{p...5....MGLN
0x0020: 4444 5f39 382e xxxx xxxx xxxx xxxx xxxx DD_xxxxxxxxxxxxx
0x0030: xx5f 3533 x_53

Both have the same payload.

Google shut me off at two pages

Today I opened a UDP netcat listener for incoming NTP traffic, and received the following:

listening on [any] 123 ...
connect to [] from (UNKNOWN) [] 53383
Well, I know this situation, and I know him perfectly.

Here I tell you something. I have a server and have been looking at how. is an incurable pest. It took me 2 years of total tracking of all IP addresses and it really is a plague. But I finally found the solution to mitigate the scans from and other servers. Here I will leave a list to block, but still you will see more of Ocean-digital. I'm on Telegram, come in and ask for your list to block, my Telegram is
Hello all!
My answer to this is that there can exist bad programs that accept X commands, and like this they can search for them, for example. But it's just thinking. Love you all***
