However, it is not yet clear whether the scanning efforts are benign or are the work of cyber-thieves keen to steal data, they say.
The news comes as some security professionals and developers advised people to change all their passwords.
But Google said that logins for its services did not need to be reset unless they were used on other sites.
That contradicted advice from Yahoo's blogging platform Tumblr and the developers of the app If This Then That who have told users they should change their passwords "everywhere".
The conflicting guidance is further complicated by the fact that experts say updating a password is useless unless a site has patched its servers - but it is not always obvious to the public when this is the case.Attack pattern
News about the Heartbleed bug broke on 8 April and has kicked off a frenzy of activity as web companies check to see if their systems are vulnerable.
The bug emerged in software that should have kept data passing between sites and users safe from scrutiny. Instead the bug meant that attackers could use specially crafted queries to slowly steal data from servers.
Ars Technica reported that some sites had seen evidence that networks of bots were probing them for the Heartbleed weakness long before the bug was publicised.