
My MongoDB is hacked and all data is wiped, the attacker left this note:

{ "_id" : ObjectId([REDACTED]), "email" : "mongodb@tfwno.gf", "btc_wallet" : "1JFit9663zGV6v2Mb9cSUpRm2dVptvqfPZ", "note" : "Don't panic. Your DB is in safety and backed up (check logs). To restore send 0.2 BTC and email with your server ip or domain name. Each 24 hours we erase all data." }

Checking the log, I saw there were a lot of dropDatabase actions from this IP 149.202.98.161, but other than that there's nothing else in the session from this IP. I think Mongo only logs dropDatabase, because there was no log where they added/changed the DB's name to WE_HAVE_YOUR_DATA.

Is there any way I could check if there's any action like createDatabase or copyDatabase ... performed on the Mongo server?

Casper
  • Bottom line here is that you likely left an accessible instance open with authentication. Without authentication enabled any errant code that can reach the server on the network can basically do whatever it wants. This varies from real malicious code to "workplace pranks" where your colleagues want to teach you a lesson. Being "secure your data". – Neil Lunn May 23 '17 at 00:32
  • @NeilLunn it was a mistake from dev team, I'm just cleaning up after them smh. – Casper May 23 '17 at 00:36
  • See also [MongoDB database deleted automatically](https://stackoverflow.com/q/41587274/2313887) – Neil Lunn May 23 '17 at 00:36
  • @NeilLunn yeah I'm aware of the security hole, this server is hosted on AWS and protected by a Security Group. It's not the data loss I'm worried about, I just want to know if the data is really backed up by them. – Casper May 23 '17 at 00:45
  • How would we know if you or anyone else has a backup? That's what this comes down to. The server was unsecured and the data is gone. Since the server was unsecured you can even delete traces of operations performed ( which seems pretty likely from any competent process ). Are you actually asking *"Should I pay the ransom if I know they actually have the data?"* The **only** sane thing to do is 1.) Secure the database 2.) Restore from "your" backup if you have one or live with starting again. Or pay the ransom and see what happens. But I'm betting no good from the last. – Neil Lunn May 23 '17 at 00:51
  • @NeilLunn That's what I'm asking: is there any log or query to find out if there's a copyDatabase action performed on the server. – Casper May 23 '17 at 00:54
  • Since reading data is pretty much the #1 thing you do on a database all day, if Mongo were to log all data reads, that'd be a *very* long and dense log. I don't know exactly, but I'll say that the answer is probably *No* unless you have verbose diagnostic logging activated. – deceze May 23 '17 at 01:11
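The question and comments come down to one check: which commands does the mongod log actually attribute to the remote IP, and which ones never reach the log at all. The script below is an added example (not from the question, the commenters, or MongoDB itself) that ties each `[connN]` line back to the `connection accepted from <ip>:<port> #N` line that opened it, counts commands per remote IP, and flags the destructive or copy-style commands (dropDatabase, copydb, clone, renameCollection, user changes). The log lines are constructed to mirror the 3.x text log format and use documentation IPs, not the attacker's address from the post. The caveat it makes visible is the one deceze raises: `dropDatabase` is logged unconditionally as a `dropDatabase <db> starting/finished` pair, whereas ordinary commands, reads included, only appear in the log when they exceed `slowms` (100 ms by default) or when profiling/verbosity is raised, so the absence of a `copydb` line is not evidence that no copy was made.

```python
"""Attribute mongod (3.x text format) log commands to remote IPs and flag risky ones.

Added example; the sample log below is constructed, not taken from the post.
"""
import re
from collections import Counter, defaultdict

# Commands that destroy, move or copy data, or change who can log in.
WATCHLIST = {
    "dropDatabase", "drop", "renameCollection",
    "copydb", "copydbgetnonce", "clone", "cloneCollection",
    "createUser", "updateUser",
}

# "connection accepted from 192.0.2.10:51234 #12" -> later lines are tagged [conn12]
ACCEPT_RE = re.compile(r"connection accepted from (?P<ip>[^:\s]+):\d+ #(?P<conn>\d+)")
# Slow-op / profiled command line: "command <ns> command: <name> { ... } ... 412ms"
COMMAND_RE = re.compile(
    r"^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] command (?P<ns>\S+) command: (?P<cmd>\w+) "
)
# dropDatabase is logged unconditionally as "dropDatabase <db> starting" / "... finished"
DROP_RE = re.compile(
    r"^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] dropDatabase (?P<db>\S+) starting"
)

# Constructed sample: one remote client lists databases (slow enough to be logged), drops
# two databases, and a second, internal client runs a slow collection scan.
SAMPLE_LOG = """\
2017-05-22T23:58:01.001+0000 I NETWORK  [thread1] connection accepted from 192.0.2.10:51234 #12 (1 connection now open)
2017-05-22T23:58:02.100+0000 I COMMAND  [conn12] command admin.$cmd command: listDatabases { listDatabases: 1 } numYields:0 reslen:120 protocol:op_query 150ms
2017-05-22T23:58:03.200+0000 I COMMAND  [conn12] dropDatabase shop starting
2017-05-22T23:58:03.210+0000 I COMMAND  [conn12] dropDatabase shop finished
2017-05-22T23:58:03.300+0000 I COMMAND  [conn12] dropDatabase users starting
2017-05-22T23:58:03.310+0000 I COMMAND  [conn12] dropDatabase users finished
2017-05-22T23:58:10.000+0000 I NETWORK  [thread1] connection accepted from 10.0.0.5:40000 #13 (2 connections now open)
2017-05-22T23:58:11.000+0000 I COMMAND  [conn13] command shop.products command: find { find: "products", filter: {} } planSummary: COLLSCAN docsExamined:50000 numYields:390 reslen:2097152 protocol:op_query 412ms
2017-05-22T23:58:20.000+0000 I NETWORK  [conn12] end connection 192.0.2.10:51234 (1 connection now open)
"""


def analyze(log_text):
    """Return (per_ip, flagged).

    per_ip  : {ip: Counter({command_name: count})} for every logged command
    flagged : [(timestamp, ip, db_or_namespace, command)] for WATCHLIST commands
    """
    conn_to_ip = {}
    per_ip = defaultdict(Counter)
    flagged = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_to_ip[m.group("conn")] = m.group("ip")
            continue
        m = DROP_RE.match(line)
        if m:
            ip = conn_to_ip.get(m.group("conn"), "unknown")
            per_ip[ip]["dropDatabase"] += 1
            flagged.append((m.group("ts"), ip, m.group("db"), "dropDatabase"))
            continue
        m = COMMAND_RE.match(line)
        if not m:
            continue  # NETWORK lines, "finished" lines, etc.
        ip = conn_to_ip.get(m.group("conn"), "unknown")
        cmd = m.group("cmd")
        per_ip[ip][cmd] += 1
        if cmd in WATCHLIST:
            flagged.append((m.group("ts"), ip, m.group("ns"), cmd))
    return dict(per_ip), flagged


if __name__ == "__main__":
    per_ip, flagged = analyze(SAMPLE_LOG)
    for ip, counts in per_ip.items():
        print(ip, dict(counts))
    for ts, ip, target, cmd in flagged:
        print("FLAG", ts, ip, cmd, target)
```

Run it against a real `mongod.log` by replacing `SAMPLE_LOG` with the file contents; grouping by IP is what shows whether the destructive commands came from one unexpected address or from your own hosts. A missing `copydb` or `find` entry for an IP proves nothing about what that client read: without `db.setProfilingLevel(...)` or a lower `slowms` in place beforehand, fast reads leave no trace in this log, which is exactly the gap deceze describes.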

0 Answers