176.65.132.107 has a threat confidence score of 100%. This IP address from Germany (AS51396, Pfcloud UG (haftungsbeschrankt)) has been observed in 62 honeypot sessions targeting the MongoDB protocol. Detected attack patterns include MongoDB mass enumeration and database destruction. First observed on March 20, 2026, most recently active March 20, 2026.
An unauthenticated, opportunistic client performs broad MongoDB environment reconnaissance across multiple databases (admin, config, local, production, test), including handshake probing, database statistics gathering, collection enumeration, and bulk document listing of sensitive application datasets (users, sessions, api_keys, payments, orders, secrets, audit logs). The activity escalates to destructive actions via repeated dropDatabase commands and concludes with the insertion of a ransom-note database (READ_ME_TO_RECOVER_YOUR_DATA). This behavior pattern is characteristic of automated internet-wide MongoDB exploitation campaigns that combine data wiping, extortion messaging, and opportunistic post-access reconnaissance.
Client performs structured MongoDB deployment reconnaissance by first initiating a standard driver handshake (ismaster / hello) disclosing client runtime and platform metadata (PyMongo, CPython, Linux x86_64), followed by an advanced topology-aware handshake request against the admin database including topologyVersion tracking and long-poll await semantics. This sequence reflects automated driver-level service validation and replica-set / cluster state discovery activity commonly associated with scanning frameworks, monitoring tooling, or pre-enumeration reconnaissance workflows preparing for deeper database interaction.
Remote client performs an initial MongoDB wire-protocol handshake using the ismaster / hello command while disclosing detailed driver and host fingerprint metadata (PyMongo driver, CPython runtime, Linux x86_64 kernel). This behavior reflects early-stage service discovery and environment profiling typically performed by automated scanners, exploitation frameworks, or reconnaissance tooling to validate MongoDB exposure, determine protocol compatibility, and prepare for subsequent enumeration or unauthorized database interaction.