MongoDb Hacked !!!

pablodonayre

Today, i was testing my current project, and realized that there was a problem with my database. After reviewing it, i found a message asking me to send some bitcoins !!!

Your Database is downloaded and backed up on our secured servers. To recover your lost data: Send 0.6 BTC to our BitCoin Address and Contact us by eMail with your server IP Address and a Proof of Payment. Any eMail without your server IP Address and a Proof of Payment together will be ignored. We will drop the backup after 24 hours. You are welcome!

Hahaha, that was found in my database, but it is funny, because:

  1. I knew that my database was opened to everybody. I had a manual solution, but i was looking for an automated one.
  2. I had no sensitive data inside the database, only “test data” (i can restore the main db structure with a json file, and also i can send more data to the Db with some arduinos connected to the ethernet)
  3. I knew that this will happen. But, i was especting this happens within a few months, not weeks !
  4. Since my database is served by a Docker Container, i can restart it and create a new database with “test” data using a json file (within seconds).

I had found several web pages explaining how to achieve this SECURE MongoDb, but they explain how to do it manually after creating the database.

https://medium.com/@raj_adroit/mongodb-enable-authentication-enable-access-control-e8a75a26d332

https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-mongodb-on-ubuntu-16-04

Don’t think i don’t look for secure systems, don’t misunderstand me, this was more about having fast achievements and lefting known issues for later. Now, i needed to stop the development and improve this security issue.

Also, Digital Ocean sent me a Warning a couple of weeks ago, when the Container was started.

I have a docker container, so i wanted the secure authentication be ready and configured after creating the container (That was the main reason why i was delaying the authentication improvement)

After a couple of hours i found the automated solution that i needed:

https://stackoverflow.com/questions/34559557/how-to-enable-authentication-on-mongodb-through-docker/42973849#42973849

So, my docker-compose.yml file has the following code …

mongodb:
  image: mongo:4.1.1-xenial
  restart: always
  env_file:
    - .env
  # Ports for mongdb must not be exposed in Production (only for testing purposes)
  ports:
    - "27017:27017"
  volumes:
    - "./data/mongodb:/data/db"
    - "./fixtures/mongodb:/docker-entrypoint-initdb.d"

And my .env file looks like:

# MongoDB part
MONGO_INITDB_ROOT_USERNAME=username
MONGO_INITDB_ROOT_PASSWORD=XxxxxxxxX

Since my database was empty, only with the message asking for bitcoins, i destroyed the container and created a new one with a new database.

Also, i needed to update the Class used to connect to the database (adding new auth credentials)

by: Juan Pablo Donayre

Leave a Reply

Your email address will not be published. Required fields are marked *