My MongoDB data was deleted by hackers, and I was also blackmailed to pay Bitcoin for redemption

Background

Whenever I see news that someone's service has been hacked again or someone's data has been leaked again, I feel for a moment that "well, security is very important". To be honest, MongoDB data leakage is already a cliché. But when it happened to me, the feeling was still very subtle (the years are quiet, and suddenly your data is gone (╥╯^╰╥); it looks calm on the surface, but underneath it is turbulent).

Here is what happened: two days ago I installed MongoDB on a cloud server. For the convenience of testing, the default port 27017 was opened, remote connections were enabled, and no authentication or authorization was configured for any database. Then someone dropped the databases and created a new database called RREAD_ME_TO_RECOVER_YOUR_DATA containing a collection named README (it appears as RREADME in the log below).

Blackmail

Here is the attacker's method:

All your data is a backed up. You must pay 0.015 BTC to 1TvCTpihDcmEjs9weTeKyruYYEY6n5xCB 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: [email protected] and you will receive a link to download your database dump.

Pay BTC to the designated address to redeem the data; that is basically it. Looking back, my earlier setup was running naked on the Internet. Fortunately, this time it was only test data (one database, one collection, three to five documents), so it does not matter; but if a company's production database were wiped like this, the loss would be enormous, and it is frightening just to think about it.

As of publication (2021-3-6 16:43:04), the real-time Bitcoin price:

2021-03-06-Bitcoin.png

Analysis

In fact, this data loss/leak does not mean there is anything wrong with MongoDB itself; the problem is weak security awareness (similarly, Redis and Elasticsearch exposed to the Internet with their default configurations face the same problem) and the absence of any defensive measures. So the attackers did not need a sophisticated attack at all: they simply scan for IP:27017, connect, query, and drop the databases.

The following is part of the access record obtained by querying the MongoDB log afterwards:

{"t":{"$date":"2021-03-02T08:24:19.868+08:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"51.75.144.43:46064","connectionId":2480072,"connectionCount":9}}
{"t":{"$date":"2021-03-02T08:24:20.044+08:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn2480072","msg":"client metadata","attr":{"remote":"51.75.144.43:46064","client":"conn2480072","doc":{"driver":{"name":"PyMongo","version":"3.11.2"},"os":{"type":"Linux","name":"Linux","architecture":"x86_64","version":"5.4.0-66-generic"},"platform":"CPython 3.8.5.final.0"}}}
{"t":{"$date":"2021-03-02T08:24:20.557+08:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"51.75.144.43:46778","connectionId":2480073,"connectionCount":10}}
{"t":{"$date":"2021-03-02T08:24:20.699+08:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"51.75.144.43:46938","connectionId":2480074,"connectionCount":11}}
{"t":{"$date":"2021-03-02T08:24:20.732+08:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn2480073","msg":"client metadata","attr":{"remote":"51.75.144.43:46778","client":"conn2480073","doc":{"driver":{"name":"PyMongo","version":"3.11.2"},"os":{"type":"Linux","name":"Linux","architecture":"x86_64","version":"5.4.0-66-generic"},"platform":"CPython 3.8.5.final.0"}}}
{"t":{"$date":"2021-03-02T08:24:20.877+08:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn2480074","msg":"client metadata","attr":{"remote":"51.75.144.43:46938","client":"conn2480074","doc":{"driver":{"name":"PyMongo","version":"3.11.2"},"os":{"type":"Linux","name":"Linux","architecture":"x86_64","version":"5.4.0-66-generic"},"platform":"CPython 3.8.5.final.0"}}}
{"t":{"$date":"2021-03-02T08:24:21.420+08:00"},"s":"I",  "c":"COMMAND",  "id":20337,   "ctx":"conn2480073","msg":"dropDatabase - starting","attr":{"db":"RREAD_ME_TO_RECOVER_YOUR_DATA"}}
{"t":{"$date":"2021-03-02T08:24:21.420+08:00"},"s":"I",  "c":"COMMAND",  "id":20338,   "ctx":"conn2480073","msg":"dropDatabase - dropping collection","attr":{"db":"RREAD_ME_TO_RECOVER_YOUR_DATA","namespace":"RREAD_ME_TO_RECOVER_YOUR_DATA.RREADME"}}
{"t":{"$date":"2021-03-02T08:24:21.423+08:00"},"s":"I",  "c":"COMMAND",  "id":20336,   "ctx":"conn2480073","msg":"dropDatabase","attr":{"db":"RREAD_ME_TO_RECOVER_YOUR_DATA","numCollectionsDropped":1}}
{"t":{"$date":"2021-03-02T08:24:21.768+08:00"},"s":"I",  "c":"COMMAND",  "id":20337,   "ctx":"conn2480073","msg":"dropDatabase - starting","attr":{"db":"config"}}
{"t":{"$date":"2021-03-02T08:24:21.768+08:00"},"s":"I",  "c":"COMMAND",  "id":20338,   "ctx":"conn2480073","msg":"dropDatabase - dropping collection","attr":{"db":"config","namespace":"config.system.sessions"}}
{"t":{"$date":"2021-03-02T08:24:21.789+08:00"},"s":"I",  "c":"COMMAND",  "id":20336,   "ctx":"conn2480073","msg":"dropDatabase","attr":{"db":"config","numCollectionsDropped":1}}
{"t":{"$date":"2021-03-02T08:24:22.132+08:00"},"s":"I",  "c":"STORAGE",  "id":20320,   "ctx":"conn2480073","msg":"createCollection","attr":{"namespace":"RREAD_ME_TO_RECOVER_YOUR_DATA.RREADME","uuidDisposition":"generated","uuid":{"uuid":{"$uuid":"1f0b87f8-ba8f-476b-94cc-8d80796b64bc"}},"options":{}}}
{"t":{"$date":"2021-03-02T08:24:22.147+08:00"},"s":"I",  "c":"INDEX",    "id":20345,   "ctx":"conn2480073","msg":"Index build: done building","attr":{"buildUUID":null,"namespace":"RREAD_ME_TO_RECOVER_YOUR_DATA.RREADME","index":"_id_","commitTimestamp":{"$timestamp":{"t":0,"i":0}}}}
{"t":{"$date":"2021-03-02T08:24:22.487+08:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn2480073","msg":"Connection ended","attr":{"remote":"51.75.144.43:46778","connectionId":2480073,"connectionCount":10}}
{"t":{"$date":"2021-03-02T08:24:22.886+08:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn2480074","msg":"Connection ended","attr":{"remote":"51.75.144.43:46938","connectionId":2480074,"connectionCount":9}}
{"t":{"$date":"2021-03-02T08:24:22.886+08:00"},"s":"I",  "c":"-",        "id":20883,   "ctx":"conn2480072","msg":"Interrupted operation as its client disconnected","attr":{"opId":42096260}}
{"t":{"$date":"2021-03-02T08:24:22.886+08:00"},"s":"I",  "c":"NETWORK",  "id":22944,   "ctx":"conn2480072","msg":"Connection ended","attr":{"remote":"51.75.144.43:46064","connectionId":2480072,"connectionCount":8}}

It can be seen that a Python script (driver PyMongo 3.11.2) was used for automated scanning; it took about 3 seconds from connection establishment to disconnection; IP: 51.75.144.43, geolocated to Roubaix, Hauts-de-France, France.
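The log above is MongoDB's structured JSON format (one entry per line), so the analysis just done by hand can be automated: group entries by connection, attach the driver from the "client metadata" entry, collect the databases each connection dropped, and flag sessions from a public IP that dropped databases or created ransom-note names. The following script is an added example written for this post, not code from the original article or from MongoDB; the sample log is constructed from the entries shown above (plus one constructed local admin session from 127.0.0.1 that must not be flagged), and the field names used (t.$date, ctx, msg, attr.remote, attr.connectionId, attr.db, attr.namespace) are the ones visible in the log.

```python
import ipaddress
import json
import re
from datetime import datetime

# Constructed sample: a subset of the entries from the post (same values), plus a
# local session from 127.0.0.1 dropping "test", to show that it is not flagged.
SAMPLE_LOG = r"""
{"t":{"$date":"2021-03-02T08:24:19.868+08:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"51.75.144.43:46064","connectionId":2480072,"connectionCount":9}}
{"t":{"$date":"2021-03-02T08:24:20.044+08:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn2480072","msg":"client metadata","attr":{"remote":"51.75.144.43:46064","client":"conn2480072","doc":{"driver":{"name":"PyMongo","version":"3.11.2"},"os":{"type":"Linux"},"platform":"CPython 3.8.5.final.0"}}}
{"t":{"$date":"2021-03-02T08:24:20.557+08:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"51.75.144.43:46778","connectionId":2480073,"connectionCount":10}}
{"t":{"$date":"2021-03-02T08:24:20.732+08:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn2480073","msg":"client metadata","attr":{"remote":"51.75.144.43:46778","client":"conn2480073","doc":{"driver":{"name":"PyMongo","version":"3.11.2"},"os":{"type":"Linux"},"platform":"CPython 3.8.5.final.0"}}}
{"t":{"$date":"2021-03-02T08:24:21.423+08:00"},"s":"I","c":"COMMAND","id":20336,"ctx":"conn2480073","msg":"dropDatabase","attr":{"db":"RREAD_ME_TO_RECOVER_YOUR_DATA","numCollectionsDropped":1}}
{"t":{"$date":"2021-03-02T08:24:21.789+08:00"},"s":"I","c":"COMMAND","id":20336,"ctx":"conn2480073","msg":"dropDatabase","attr":{"db":"config","numCollectionsDropped":1}}
{"t":{"$date":"2021-03-02T08:24:22.132+08:00"},"s":"I","c":"STORAGE","id":20320,"ctx":"conn2480073","msg":"createCollection","attr":{"namespace":"RREAD_ME_TO_RECOVER_YOUR_DATA.RREADME"}}
{"t":{"$date":"2021-03-02T08:24:22.487+08:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn2480073","msg":"Connection ended","attr":{"remote":"51.75.144.43:46778","connectionId":2480073,"connectionCount":10}}
{"t":{"$date":"2021-03-02T08:24:22.886+08:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn2480072","msg":"Connection ended","attr":{"remote":"51.75.144.43:46064","connectionId":2480072,"connectionCount":8}}
{"t":{"$date":"2021-03-02T08:30:00.000+08:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:50000","connectionId":2480075,"connectionCount":9}}
{"t":{"$date":"2021-03-02T08:30:01.000+08:00"},"s":"I","c":"COMMAND","id":20336,"ctx":"conn2480075","msg":"dropDatabase","attr":{"db":"test","numCollectionsDropped":1}}
{"t":{"$date":"2021-03-02T08:30:02.000+08:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn2480075","msg":"Connection ended","attr":{"remote":"127.0.0.1:50000","connectionId":2480075,"connectionCount":8}}
"""

# Names typical of ransom-note databases/collections (pattern chosen for this example).
RANSOM_NAME = re.compile(r"READ_?ME|RECOVER|RANSOM|WARNING", re.IGNORECASE)


def entry_time(entry):
    """Parse the t.$date field (ISO 8601 with offset, as mongod writes it)."""
    return datetime.fromisoformat(entry["t"]["$date"])


def connection_id(entry):
    """Listener events carry attr.connectionId; per-connection events carry ctx 'connNNN'."""
    attr = entry.get("attr", {})
    if "connectionId" in attr:
        return attr["connectionId"]
    ctx = entry.get("ctx", "")
    if ctx.startswith("conn") and ctx[4:].isdigit():
        return int(ctx[4:])
    return None


def is_external(remote):
    """True when the 'host:port' remote is a globally routable address."""
    host = remote.rsplit(":", 1)[0].strip("[]")
    return ipaddress.ip_address(host).is_global


def reconstruct_sessions(log_text):
    """Group log entries into per-connection sessions with what each one did."""
    sessions = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        cid = connection_id(entry)
        if cid is None:
            continue
        s = sessions.setdefault(cid, {"connectionId": cid, "remote": None, "driver": None,
                                      "start": None, "end": None, "dropped": [], "created": []})
        msg, attr = entry["msg"], entry.get("attr", {})
        if msg == "Connection accepted":
            s["remote"], s["start"] = attr["remote"], entry_time(entry)
        elif msg == "client metadata":
            driver = attr["doc"]["driver"]
            s["driver"] = f"{driver['name']}/{driver['version']}"
        elif msg == "dropDatabase" and entry["c"] == "COMMAND":  # id 20336: drop completed
            s["dropped"].append(attr["db"])
        elif msg == "createCollection":
            s["created"].append(attr["namespace"])
        elif msg == "Connection ended":
            s["end"] = entry_time(entry)
    return sessions


def find_suspicious(log_text):
    """Sessions from public IPs that dropped databases; note ransom-style names and duration."""
    findings = []
    for s in reconstruct_sessions(log_text).values():
        if not s["dropped"] or s["remote"] is None or not is_external(s["remote"]):
            continue
        duration = (s["end"] - s["start"]).total_seconds() if s["start"] and s["end"] else None
        touched = s["dropped"] + s["created"]
        findings.append({**s, "duration_s": duration,
                         "ransom_marker": any(RANSOM_NAME.search(n) for n in touched)})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"conn{f['connectionId']} from {f['remote']} ({f['driver']}) dropped {f['dropped']} "
              f"in {f['duration_s']}s, ransom marker: {f['ransom_marker']}")
```

Run against a real deployment, the script would read /var/log/mongodb/mongod.log instead of the embedded sample; the point of the "is_external" filter is that a dropDatabase from a public address on a server that is supposed to be intranet-only is itself the finding, whoever issued it.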

2021-03-06-IP.png

Measures

Although security is a never-ending arms race (as the saying goes, virtue rises one foot and the devil rises ten), you must have security awareness and prevent problems before they happen; do not wait until a data security incident happens to you before crying out in pain. Sometimes that responsibility cannot be borne. Consider the following basic protective measures for MongoDB:

  1. Block the port (recommended for production: block the port plus access control, i.e. intranet-only access plus authentication);
  2. Change the default port;
  3. Whitelist access (an IP allow list);
  4. Enable authentication;
  5. Finally, database backups are still necessary o(╯□╰)o
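Measures 1 to 4 show up directly in mongod.conf: which interfaces mongod binds to (net.bindIp / net.bindIpAll), which port it listens on (net.port), and whether authentication is enforced (security.authorization). The following audit script is an added example written for this post, not code from the original article or from MongoDB. It embeds a constructed "weak" configuration that reproduces the situation described above (bound to 0.0.0.0, no security section) next to a constructed hardened one (the intranet address 10.0.0.5 is a placeholder), parses the simple key/value YAML that mongod.conf uses, and reports the weak settings. The defaults it assumes when a key is absent (localhost binding, authorization disabled) are mongod's own. Firewall rules and the IP allow list live outside this file and are not checked here.

```python
WEAK_CONF = """\
# mongod.conf as it effectively was in the post (constructed for this example):
# reachable from every interface, no authentication
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# Hardened mongod.conf (constructed; 10.0.0.5 is a placeholder intranet address)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' subset of YAML that mongod.conf uses.

    Sections are keys with no value; nesting follows indentation. Values are kept
    as strings. Lists and quoted strings are not needed for these settings.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close sections that are indented deeper
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            section = {}
            parent[key] = section
            stack.append((indent, section))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(conf_text):
    """Return a list of weak settings found; an empty list means the checks pass."""
    conf = parse_simple_yaml(conf_text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # mongod binds to localhost only when bindIp is absent (default since 3.6).
    bind = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    exposed = bind_all or any(a in ("0.0.0.0", "::") for a in bind)
    if exposed:
        findings.append("net.bindIp: listening on all interfaces; bind to localhost "
                        "and intranet addresses only and firewall the port")

    # security.authorization defaults to disabled: every client gets full access.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not enabled; any client that can "
                        "reach the port can read, drop and create databases")

    # The default port on an exposed listener is what mass scanning looks for.
    if exposed and net.get("port", "27017") == "27017":
        findings.append("net.port: default 27017 on an exposed listener")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or 'no findings'}")
```

Enabling security.authorization only helps once an administrative user exists; create it over the localhost connection before restarting with the hardened file, otherwise you lock yourself out as well.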

For MongoDB data backup, enabling authentication, and permission control, please refer to this article.

Reference

Install and use MongoDB under Ubuntu


If you have any questions or any bugs are found, please feel free to contact me.

Your comments and suggestions are welcome!


Origin blog.csdn.net/u013810234/article/details/114447048