This has been going on for at least a couple of years. I ran into it with Redis servers last year. They search for servers with simple/no passwords, lock up the data, and demand BTC to get it back.
You can search for Redis instances that have disabled authentication and have a "crackit" key stored in them which is created by one of those Redis malware bots:
I'll add that the vendors have actually gotten much better! Redis and MongoDB both now have good, secure defaults. And I believe both will throw you a huge warning if you're listening on 0.0.0.0 w/out authentication.
Something I didn't expect was the number of developers that hadn't heard of favicons before. Got quite a few people asking what those icons were. Btw there are security use-cases around them as well nowadays (ex. detecting phishing websites).
No, very often they do add the favicons! That makes it easier to locate websites that are outside of your expected IP space but are pretending to belong to you. For example:
It takes a bit more refining to get a good list of results; the general idea is to find websites that look like the real deal but are located somewhere on the Internet where you didn't expect to find them.
The amount of brute forcing attempts on servers of all and any kinds I run is absolutely nuts. But yes they are often trying only a small number of common accounts/passwords.
I keep meaning to sit down and do a bit of analysis on the source of the connections.
I got the same thing with Postgres. It was on a toy project learning Docker Compose, naively used PORTS instead of EXPOSE on the DB container. Also the CPU of the Postgres process was at 100% so maybe I got some crypto miner too.
https://blog.shodan.io/its-still-the-data-stupid/
https://beta.shodan.io/search?query=crackit