My MongoDB got hacked!

 I was playing around with mongodb so I quickly spun up a server at my provider and installed the MERN stack. After some time I was testing an app that I was working on and I was getting mixed results. It would work the first time and then suddenly stop working. The data kept disappearing. 

Being new to mongodb, I was thinking that maybe I was running an initialisation script that was deleting the database. I looked everywhere: my code, online, under the rug... but still could not pinpoint why the data kept going missing.

Then I thought, maybe my server instance was being shut down, and maybe when there was a lack of activity my server was being put to sleep. I mean, I went for the cheap option and got a shared instance. It was an Ubuntu distro on my server, so I looked through the logs. All the logs that I could find. Still nothing.

Then out of nowhere I noticed there was a DB called README. I looked in there and found a collection, and in that collection was a document. I opened that document, not with the same suspense you might be imagining. I was opening that database because I was just clicking around in Compass, not knowing what I was looking for. There, right in front of me, peering through my screen, was a note.

When I read that note I was shocked. I was concerned. I felt like a rookie. How did this happen? My server hadn't been online for that long. Who else knew what I was working on? Who's watching me?

In that note was a statement, and that statement read that my data was backed up. Phew, that's where my data went; it was safe and sound... somewhere. Somewhere out there. Then I kept reading. It said I needed to send BTC to an address in order to recover the backed-up data. OK, this sounds like a data recovery service coming to my rescue. But wait, why would they want BTC? Wouldn't they just want a credit card payment? So I kept reading, and the tone of the note changed. The note went on to state that if I didn't send the BTC to the specified address then I would be reported, since I had been compromised, and something about GDPR, and I would be looking at a jail term etc....

After reading this I sat there wondering how it all went wrong. How could I go to jail? I don't want to go to jail. I quickly snapped out of it: they had my test data. The test data that was basically "asdasd", as we all do. There was no Asdasd, and if there is an Asdasd out there somewhere then I have to apologise... I have to apologise on behalf of your parents for giving you a gibberish name.

So overall what has happened is that someone found out that a mongodb instance had been brought up, and connected to it. They then deleted the databases, leaving in their place a new database with the threatening README text. I did create a user for the database; however, I hadn't enabled security in the config, so authentication was never enforced. I googled the text in the note and it appears this has been a common hack, or scam to be more precise.


I had nothing to worry about, they had nothing. 

Wait, if they got access to my mongodb instance then did they also compromise my server? What if they stole my $$$ idea? I needed to know who had been accessing my server, the server I was just starting a side project on. To see this, I looked at /var/log/auth.log (sudo less /var/log/auth.log). When I opened the log I was once again stunned. The file was huge, and I normally SSH'd in a handful of times. It looks like a number of IPs are hammering my server, trying random usernames (possibly with common passwords).


Overall to resolve this I did the following:

1 - Activated the security in mongodb.

2 - Applied SSH keys.

3 - Installed Fail2Ban.

4 - Removed/changed common system users.


So to step through this: activating security in mongodb was trivial (just uncomment a line in the config file by removing a #, then restart the mongodb service). I secured my SSH login with keys so that brute force was not possible; they would need to break the key, which is much harder than guessing a password. Then Fail2Ban was installed so that it can monitor the log files, and if there are multiple failed attempts from an IP it temporarily "jails" that IP. Finally I looked at the users that I have on my server and renamed or removed the common usernames where it was safe to do so.
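As an added example (not from the original post), here is a small Python script that does the first half of what Fail2Ban does with /var/log/auth.log: it pulls the "Failed password" lines out of sshd's log, counts failures per source IP against a retry threshold, and lists which usernames were being guessed, which is exactly the list of accounts worth removing or renaming. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample auth.log excerpt (not real data): one address hammering the
# box with typical guessed usernames, one slower guesser, and one legitimate
# key-based login that fat-fingers a password once.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:15 srv sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Mar  3 10:01:19 srv sshd[1205]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:01:23 srv sshd[1207]: Failed password for invalid user ubuntu from 203.0.113.7 port 40150 ssh2
Mar  3 10:01:27 srv sshd[1209]: Failed password for invalid user mongo from 203.0.113.7 port 40162 ssh2
Mar  3 10:02:01 srv sshd[1220]: Failed password for invalid user oracle from 198.51.100.23 port 51002 ssh2
Mar  3 10:02:40 srv sshd[1230]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2
Mar  3 10:02:55 srv sshd[1232]: Failed password for root from 198.51.100.23 port 51006 ssh2
Mar  3 10:03:05 srv sshd[1240]: Invalid user pi from 198.51.100.23 port 51010
Mar  3 10:03:05 srv sshd[1240]: Failed password for invalid user pi from 198.51.100.23 port 51010 ssh2
Mar  3 10:05:17 srv sshd[1250]: Failed password for deploy from 192.0.2.10 port 55010 ssh2
"""

# sshd logs "Failed password for invalid user NAME from IP" for unknown accounts
# and "Failed password for NAME from IP" for existing ones; match both.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text):
    """Return one (source_ip, username) tuple per failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m["ip"], m["user"]))
    return events

def offenders(log_text, maxretry=5):
    """Source IPs with at least `maxretry` failures (5 mirrors fail2ban's default)."""
    per_ip = Counter(ip for ip, _ in parse_failures(log_text))
    return sorted(ip for ip, n in per_ip.items() if n >= maxretry)

def guessed_usernames(log_text):
    """Usernames tried in failed logins, most-tried first: candidates to remove/rename."""
    return [u for u, _ in Counter(u for _, u in parse_failures(log_text)).most_common()]

if __name__ == "__main__":
    print("IPs over threshold:", offenders(SAMPLE_AUTH_LOG))
    print("usernames being guessed:", guessed_usernames(SAMPLE_AUTH_LOG))
```

Run it against the real file with `SAMPLE_AUTH_LOG = open("/var/log/auth.log").read()` to see the same picture the author describes; a single host in the output with dozens of distinct usernames is the signature of an automated guesser rather than a forgotten password.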
