Here is the attack that happened to Neomad in May 2017.
The database was cleared out with a message similar to:
"harak1r1 … SEND 0.25 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !"
(The space before the exclamation point makes me think he's French.)
The Neomad project was at an early beta-testing stage, so there was no big data set and no users to speak of. Still, I had to restore some of the data I had and investigate how to secure it a little more for the next releases.
MongoDB itself has published guidance on this weakness in the default setup and on how to harden it.
The core point I noted is not to run the database with a plain mongod, but instead with mongod --auth, which requires authentication for managing the database. Doh!
You should do that when initialising your database.
In short, here are the steps (lines starting with $ are typed in your shell, lines starting with > in the mongo shell):

$ mongod                      # start once WITHOUT --auth, only to create the admin user
$ mongo
> use admin                   # the admin user must live in the admin database
> db.createUser({user: '<MyAdminUsername>', pwd: '<My4dm1nP455w0rD>', roles: [{role: "userAdminAnyDatabase", db: "admin"}]})
$ mongod --shutdown
$ mongod --auth               # from now on every client has to authenticate
$ mongo -u "<MyAdminUsername>" -p "<My4dm1nP455w0rD>" --authenticationDatabase "admin"
> use <MyDBName>              # create the application user in its own database
> db.createUser({user: '<MyUser>', pwd: '<MyU53rPwd>', roles: [{role: "readWrite", db: "<MyDBName>"}]})
You could also change the port from the default 27017 to something less predictable; that only hides the service from naive scans, so treat it as an extra on top of --auth, not a replacement for it.
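As an added check (example code written for this note, not part of the original post or of the Neomad project), here is a small Python audit that reads either a mongod command line, as it would appear in the output of ps -eo args, or the text of a mongod.conf, and reports the settings the attack relied on. It goes one step beyond the post by also flagging the bind address (--bind_ip on the command line, net.bindIp in the config file), which is the usual companion to --auth; the sample command lines and config below are constructed, not taken from the Neomad server.

```python
"""Audit how a mongod instance is launched, flagging the weak settings that
let an attacker like the one above walk in: no authentication, the default
port and (beyond what the post covers) listening on every interface.
Input is either a mongod command line, as seen in `ps -eo args`, or the text
of a mongod.conf. Added example; not the Neomad project's own code."""
import shlex

DEFAULT_PORT = 27017


def parse_cmdline(cmdline):
    """Extract auth/port/bind_ip from a `mongod ...` command line.

    Handles both `--port 47017` and `--port=47017` spellings."""
    argv = shlex.split(cmdline)
    settings = {"auth": False, "port": DEFAULT_PORT, "bind_ip": None}
    i = 1  # argv[0] is the mongod binary itself
    while i < len(argv):
        arg = argv[i]
        if arg == "--auth":
            settings["auth"] = True
        elif arg == "--noauth":  # later flag wins, as mongod itself behaves
            settings["auth"] = False
        else:
            for flag, key in (("--port", "port"), ("--bind_ip", "bind_ip")):
                if arg == flag and i + 1 < len(argv):
                    i += 1
                    value = argv[i]
                elif arg.startswith(flag + "="):
                    value = arg[len(flag) + 1:]
                else:
                    continue
                settings[key] = int(value) if key == "port" else value
        i += 1
    return settings


def parse_conf(text):
    """Read the YAML subset mongod.conf uses (`section:` then `  key: value`).

    Only the keys this audit cares about are interpreted; the rest is ignored."""
    settings = {"auth": False, "port": DEFAULT_PORT, "bind_ip": None}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():  # top-level key such as `net:` or `security:`
            section = line.strip().rstrip(":")
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if section == "security" and key == "authorization":
            settings["auth"] = value.lower() == "enabled"
        elif section == "net" and key == "port":
            settings["port"] = int(value)
        elif section == "net" and key == "bindIp":
            settings["bind_ip"] = value
    return settings


def audit(settings):
    """Return the list of findings; an empty list means the instance matches
    the hardened setup the post recommends (plus an explicit bind address)."""
    findings = []
    if not settings["auth"]:
        findings.append("auth disabled: anyone reaching the port can read or drop every database")
    if settings["port"] == DEFAULT_PORT:
        findings.append("default port 27017: the first thing mass scanners probe")
    if settings["bind_ip"] is None:
        findings.append("bindIp not set: mongod before 3.6 then listens on all interfaces")
    elif settings["bind_ip"] == "0.0.0.0":
        findings.append("bindIp 0.0.0.0: database exposed on every interface")
    return findings


# Constructed sample inputs: the kind of setup that got hit, and a hardened one.
WEAK_CMDLINE = "mongod"
HARDENED_CMDLINE = "mongod --auth --port=47017 --bind_ip 127.0.0.1"
HARDENED_CONF = """\
net:
  port: 47017        # anything but the default
  bindIp: 127.0.0.1  # local clients only
security:
  authorization: enabled   # config-file equivalent of --auth
"""

if __name__ == "__main__":
    for label, settings in (
        ("weak command line", parse_cmdline(WEAK_CMDLINE)),
        ("hardened command line", parse_cmdline(HARDENED_CMDLINE)),
        ("hardened mongod.conf", parse_conf(HARDENED_CONF)),
    ):
        problems = audit(settings)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run it as-is to see the three sample verdicts, or feed parse_cmdline the real command line from ps and parse_conf the contents of /etc/mongod.conf on the box you are hardening; any non-empty list from audit is something to fix before the server faces the network again.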
By vinyll on May 11, 2017