by achillean 2006 days ago
I've stopped writing blog posts on it because it's still going on and there's not much new to add:

https://blog.shodan.io/its-still-the-data-stupid/

You can search for Redis instances that have disabled authentication and have a "crackit" key stored in them which is created by one of those Redis malware bots:

https://beta.shodan.io/search?query=crackit

I'll add that the vendors have actually gotten much better! Redis and MongoDB both now have good, secure defaults. And I believe both will throw you a huge warning if you're listening on 0.0.0.0 w/out authentication.


I love the favicon map:

https://faviconmap.shodan.io/

Something I didn't expect was the number of developers that hadn't heard of favicons before. Got quite a few people asking what those icons were. Btw there are security use-cases around them as well nowadays (ex. detecting phishing websites).
Do the crooks forget to add favicons to their phishing sites?

Favicons can be a single image or multiple images.

Here is a good recent thread on it on HN. Will put the map there as well come to think of it.

https://news.ycombinator.com/item?id=25520655

No, very often they do add the favicons! That makes it easier to locate websites that are outside of your expected IP space but are pretending to belong to you. For example:

https://beta.shodan.io/search?query=http.favicon.hash%3A7085...

It takes a bit more refining to get a good list of results; the general idea is to find websites that look like the real deal but are located somewhere on the Internet where you didn't expect to find them.

Wow, I wouldn't have expected so many (700k) FortiGates
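An added example (not part of the thread) of the favicon check described in the comment above: it computes the value Shodan indexes as `http.favicon.hash`, which is the 32-bit MurmurHash3 of the line-wrapped base64 encoding of the icon, and flags hosts that serve your icon from outside your expected IP space. The function names, the icon bytes and the observations are constructed for illustration, with addresses taken from the documentation ranges.

```python
import base64
import ipaddress

MASK = 0xFFFFFFFF

def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def _mix_k(k):
    # Per-block scramble used for both full blocks and the tail
    k = (k * 0xCC9E2D51) & MASK
    return (_rotl(k, 15) * 0x1B873593) & MASK

def murmur3_32(data, seed=0):
    """MurmurHash3 x86_32, returned as a signed 32-bit int (same as mmh3.hash)."""
    h = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):
        h ^= _mix_k(int.from_bytes(data[4 * i:4 * i + 4], "little"))
        h = (_rotl(h, 13) * 5 + 0xE6546B64) & MASK
    tail = data[4 * nblocks:]
    if tail:
        h ^= _mix_k(int.from_bytes(tail, "little"))
    h ^= len(data)
    # Final avalanche
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h

def favicon_hash(icon_bytes):
    # encodebytes() wraps at 76 chars and ends with a newline; the hash
    # is taken over that wrapped form, not over plain b64encode() output.
    return murmur3_32(base64.encodebytes(icon_bytes))

def unexpected_hosts(observations, own_icon, expected_nets):
    """Return IPs serving our favicon from outside the networks we own."""
    target = favicon_hash(own_icon)
    nets = [ipaddress.ip_network(n) for n in expected_nets]
    return [ip for ip, icon in observations
            if favicon_hash(icon) == target
            and not any(ipaddress.ip_address(ip) in n for n in nets)]

# Constructed sample data: placeholder icon bytes and documentation-range IPs
OWN_ICON = b"\x00\x00\x01\x00" + bytes(range(256))
OBSERVED = [("192.0.2.10", OWN_ICON),            # ours, inside expected space
            ("203.0.113.7", OWN_ICON),           # our icon, unexpected location
            ("198.51.100.3", b"unrelated icon")]  # different icon, ignored

if __name__ == "__main__":
    print(favicon_hash(OWN_ICON), unexpected_hosts(OBSERVED, OWN_ICON, ["192.0.2.0/24"]))
```
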