MGLNDD_* Scans

Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.


I took a look at my server and honeypot logs, and I'm seeing this too.

It started on March 1st, with TCP data like this: MGLNDD_<IP_ADDRESS_OF_TARGET>\n

Where <IP_ADDRESS_OF_TARGET> is the IPv4 address of my servers.

And starting March 9th, the TCP port was included in the data, like this: MGLNDD_<IP_ADDRESS_OF_TARGET>_<TARGET_PORT>\n.

Where <TARGET_PORT> is the TCP port on my server.

I'm seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080

The source IPv4 addresses are from ranges owned by DigitalOcean: and

All the source IPv4 addresses I had scanning my servers, are from a scanner known as Stretchoid, according to this list.

I've seen Stretchoid scans before on my servers (and I still do), with a Zgrab User Agent String: User-Agent: Mozilla/5.0 zgrab/0.x\r\n

Please post a comment if you know more about these scans.



Didier Stevens
Senior handler
Microsoft MVP


677 Posts
ISC Handler
Mar 20th 2022

Sign Up for Free or Log In to start participating in the conversation!