MGLNDD_* Scans, (Sun, Mar 20th)

Reader Markus reported TCP connections on his servers with data that starts with MGLNDD_*.

Like MGLNDD_  and MGLNDD__.

I took a look at my server and honeypot logs, and I’m seeing this too.

It started on March 1st, with TCP data like this: MGLNDD_n

Where is the IPv4 address of my servers.

And starting March 9th, the TCP port was included in the data, like this: MGLNDD__n.

Where is the TCP port on my server.

I’m seeing these scans on the following TCP ports: 21, 22, 80, 2000, 2222, 3389, 8080

The source IPv4 addresses are from ranges owned by DigitalOcean: and

All the source IPv4 addresses I had scanning my servers are from a scanner known as Stretchoid, according to this list.

I’ve seen Stretchoid scans before on my servers (and I still do), with a Zgrab User Agent String: User-Agent: Mozilla/5.0 zgrab/0.xrn
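
An added example, not part of the original diary: one way to pick these probes out of honeypot connection records and check whether the embedded address and port match the socket that received them. The record layout, function names and sample data are constructed for illustration; the payload shape (the MGLNDD_ prefix, an IPv4 address, then optionally an underscore and a port) follows the description above, and tolerating trailing line-ending bytes is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Payload shape per the diary: "MGLNDD_" + destination IPv4 address and,
# since March 9th, "_" + destination TCP port. Trailing whitespace is
# tolerated (assumption about the line ending).
PROBE_RE = re.compile(rb"MGLNDD_(\d{1,3}(?:\.\d{1,3}){3})(?:_(\d{1,5}))?\s*")

def classify(payload, dst_ip, dst_port):
    """Return details for an MGLNDD_ probe, or None for any other payload."""
    if not payload.startswith(b"MGLNDD_"):
        return None
    m = PROBE_RE.fullmatch(payload)
    try:
        embedded_ip = ipaddress.IPv4Address(m.group(1).decode()) if m else None
    except ValueError:  # four dotted numbers, but not a valid IPv4 address
        embedded_ip = None
    if embedded_ip is None:
        return {"variant": "unrecognised", "ip_ok": None, "port_ok": None}
    port = m.group(2)
    return {
        "variant": "ip+port" if port else "ip-only",
        "ip_ok": embedded_ip == ipaddress.IPv4Address(dst_ip),
        "port_ok": None if port is None else int(port) == dst_port,
    }

# Constructed sample records (documentation address ranges), not real logs:
# (source IP, destination IP, destination port, first bytes received)
SAMPLE = [
    ("192.0.2.10", "203.0.113.5", 22, b"MGLNDD_203.0.113.5\n"),
    ("192.0.2.11", "203.0.113.5", 8080, b"MGLNDD_203.0.113.5_8080\n"),
    ("192.0.2.12", "203.0.113.5", 3389, b"MGLNDD_203.0.113.5_2222\n"),
    ("192.0.2.13", "203.0.113.5", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("192.0.2.14", "203.0.113.5", 21, b"MGLNDD_garbage\n"),
]

def summarize(records):
    """Count MGLNDD_ probes per (destination port, payload variant)."""
    counts = Counter()
    for _src, dst_ip, dst_port, payload in records:
        result = classify(payload, dst_ip, dst_port)
        if result is not None:
            counts[(dst_port, result["variant"])] += 1
    return counts

if __name__ == "__main__":
    for (port, variant), n in sorted(summarize(SAMPLE).items()):
        print(f"port {port:5d}  {variant:12s}  {n}")
```

A probe whose embedded address or port does not match the receiving socket (`ip_ok` or `port_ok` is False) is worth a closer look, since it may indicate NAT, port forwarding or a proxy in front of the listener.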

Please post a comment if you know more about these scans.



Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
