服务器又一次被恶意攻击,MongoDB被删库
一台裸奔在云服务器上的MongoDB
前几天在自己个人的一台腾讯云服务器上安装了MongoDB,当时着急用,就用的默认配置(端口是默认端口,也没设置密码),后来就把这事抛到脑后了,也因为经常用无线网卡上网,ip经常是动态的,云服务器的安全组就放开了所有的ip。
完全就是一台裸奔在云上的数据库 ? ? ?
被攻击
下午忙完工作,为了方便学习,把MongoDB里的几条主要数据(json)都备份成.json文件了,然后就去吃饭。吃饭回来MongoDB客户端连接失效,重连了一下MongoDB,建的库不见了,留下了一个新库:READ_ME_TO_RECOVER_YOUR_DATA,里面只有一张表:README:
不会被勒索了吧?还真是!数据库全部内容如下:
All your data is a backed up. You must pay 0.015 BTC to 15QSUeLd23GnUQqqndbwWR5UaPPqnwpSrc 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: r3covery_base@protonmail.com
看MongoDB日志,有个日本东京的IP【18.179.34.199】刚好在我吃饭这几分钟连接了数据库:
2020-06-07T01:02:40.397+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54840 #23 (7 connections now open)
2020-06-07T01:02:40.547+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54842 #24 (8 connections now open)
2020-06-07T01:02:40.781+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54844 #25 (9 connections now open)
2020-06-07T01:02:41.118+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54856 #26 (10 connections now open)
2020-06-07T01:02:41.118+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54846 #27 (11 connections now open)
2020-06-07T01:02:41.121+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54848 #28 (12 connections now open)
2020-06-07T01:02:42.127+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54854 #29 (13 connections now open)
2020-06-07T01:02:42.129+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54852 #30 (14 connections now open)
2020-06-07T01:02:42.433+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54858 #31 (15 connections now open)
2020-06-07T01:02:44.147+0800 I NETWORK [initandlisten] connection accepted from 18.179.34.199:54850 #32 (16 connections now open)
2020-06-07T01:03:21.051+0800 I NETWORK [conn24] end connection 18.179.34.199:54842 (15 connections now open)
2020-06-07T01:03:21.058+0800 I NETWORK [conn31] end connection 18.179.34.199:54858 (14 connections now open)
2020-06-07T01:03:21.058+0800 I NETWORK [conn29] end connection 18.179.34.199:54854 (13 connections now open)
2020-06-07T01:03:21.058+0800 I NETWORK [conn27] end connection 18.179.34.199:54846 (12 connections now open)
2020-06-07T01:03:21.058+0800 I NETWORK [conn30] end connection 18.179.34.199:54852 (11 connections now open)
2020-06-07T01:03:21.060+0800 I NETWORK [conn28] end connection 18.179.34.199:54848 (10 connections now open)
2020-06-07T01:03:21.060+0800 I NETWORK [conn32] end connection 18.179.34.199:54850 (9 connections now open)
2020-06-07T01:03:21.345+0800 I NETWORK [conn25] end connection 18.179.34.199:54844 (8 connections now open)
2020-06-07T01:03:21.347+0800 I NETWORK [conn23] end connection 18.179.34.199:54840 (7 connections now open)
2020-06-07T01:03:21.633+0800 I NETWORK [conn26] end connection 18.179.34.199:54856 (6 connections now open)就吃顿饭的功夫~ 呵呵呵呵呵~ ? ? ? 幸亏劳资备份了,让黑客兄弟又少赚一千块。
网上一看,中招的还有不少,留言的模板还都是一毛一样的,被勒索的比特币从0.005到1个以上的都有。
在群里吐槽也被运维兄弟喷了?
安全事故猛于虎
这里给再次给自己也给大家提个醒,安全事故猛于虎,安全责任重于山。一定不要为了图方便,就忽略某些安全配置,平时做什么都要有安全意识。幸亏这次丢失的数据不多,也只是自己个人的测试数据,如果是公司的商用数据库数据,那被勒索多少BTC也得给啊 ?
腾讯云开发者
