Server attacked again: my MongoDB got wiped

Posted by 胡玉洋



A MongoDB running naked on a cloud server

A few days ago I installed MongoDB on a personal Tencent Cloud server. I was in a hurry to use it, so I went with the default configuration: default port, no password, and bind_ip set to 0.0.0.0 (allowing remote connections from any IP) 😅. Then I forgot all about it. Because I usually go online through a wireless card and my IP changes a lot, I had also opened the cloud server's security group to all IPs.

A database running completely naked in the cloud 😭 😭 😭

The attack

After finishing work in the afternoon, to make studying easier I backed up the main records (JSON) in MongoDB to .json files, then went to eat. When I got back, the MongoDB client connection had dropped; after reconnecting, the databases I had created were gone and a new one was left behind: READ_ME_TO_RECOVER_YOUR_DATA, containing one collection: README

Had I been ransomed? Sure enough! The entire content of the database was as follows:

All your data is a backed up. You must pay 0.015 BTC to 15QSUeLd23GnUQqqndbwWR5UaPPqnwpSrc 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: r3covery_base@protonmail.com

Looking at the MongoDB log, an IP from Tokyo, Japan [18.179.34.199] connected to the database during exactly the few minutes I was at dinner:

2020-06-07T01:02:40.397+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54840 #23 (7 connections now open)
2020-06-07T01:02:40.547+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54842 #24 (8 connections now open)
2020-06-07T01:02:40.781+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54844 #25 (9 connections now open)
2020-06-07T01:02:41.118+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54856 #26 (10 connections now open)
2020-06-07T01:02:41.118+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54846 #27 (11 connections now open)
2020-06-07T01:02:41.121+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54848 #28 (12 connections now open)
2020-06-07T01:02:42.127+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54854 #29 (13 connections now open)
2020-06-07T01:02:42.129+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54852 #30 (14 connections now open)
2020-06-07T01:02:42.433+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54858 #31 (15 connections now open)
2020-06-07T01:02:44.147+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54850 #32 (16 connections now open)
2020-06-07T01:03:21.051+0800 I NETWORK  [conn24] end connection 18.179.34.199:54842 (15 connections now open)
2020-06-07T01:03:21.058+0800 I NETWORK  [conn31] end connection 18.179.34.199:54858 (14 connections now open)
2020-06-07T01:03:21.058+0800 I NETWORK  [conn29] end connection 18.179.34.199:54854 (13 connections now open)
2020-06-07T01:03:21.058+0800 I NETWORK  [conn27] end connection 18.179.34.199:54846 (12 connections now open)
2020-06-07T01:03:21.058+0800 I NETWORK  [conn30] end connection 18.179.34.199:54852 (11 connections now open)
2020-06-07T01:03:21.060+0800 I NETWORK  [conn28] end connection 18.179.34.199:54848 (10 connections now open)
2020-06-07T01:03:21.060+0800 I NETWORK  [conn32] end connection 18.179.34.199:54850 (9 connections now open)
2020-06-07T01:03:21.345+0800 I NETWORK  [conn25] end connection 18.179.34.199:54844 (8 connections now open)
2020-06-07T01:03:21.347+0800 I NETWORK  [conn23] end connection 18.179.34.199:54840 (7 connections now open)
2020-06-07T01:03:21.633+0800 I NETWORK  [conn26] end connection 18.179.34.199:54856 (6 connections now open)
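The following is an added example, not part of the original post, showing one way to turn a log excerpt like the one above into a detection. It parses the plain-text `connection accepted` lines that mongod wrote before 4.4 (4.4 and later emit JSON, which needs a different parser), groups them by source IP, and flags any IP outside an allowlist that opens several connections within a short window. The 18.179.34.199 lines are copied from the log above; the 10.0.0.5 lines are constructed to stand in for a legitimate client, and the threshold and window are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample log: 18.179.34.199 lines are from the post's mongod log; the
# 10.0.0.5 lines are constructed to represent a normal, low-rate client.
LOG_LINES = """\
2020-06-07T00:58:10.001+0800 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:50122 #21 (5 connections now open)
2020-06-07T01:02:40.397+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54840 #23 (7 connections now open)
2020-06-07T01:02:40.547+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54842 #24 (8 connections now open)
2020-06-07T01:02:40.781+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54844 #25 (9 connections now open)
2020-06-07T01:02:41.118+0800 I NETWORK  [initandlisten] connection accepted from 18.179.34.199:54856 #26 (10 connections now open)
2020-06-07T01:03:21.051+0800 I NETWORK  [conn24] end connection 18.179.34.199:54842 (15 connections now open)
2020-06-07T01:10:00.000+0800 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:50130 #33 (6 connections now open)
"""

# Pre-4.4 plain-text format; the listener thread is [initandlisten] in 4.0
# and [listener] in 4.2, so the bracketed name is matched loosely.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) I NETWORK\s+\[\w+\] connection accepted from "
    r"(?P<ip>[\d.]+):(?P<port>\d+) #(?P<conn>\d+)"
)


def parse_accepts(lines):
    """Yield (timestamp, source_ip) for every accepted-connection line."""
    for line in lines:
        m = ACCEPT_RE.match(line)
        if not m:
            continue  # 'end connection' and non-NETWORK lines are ignored
        # mongod logs ISO-8601 with a numeric UTC offset such as +0800
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f%z")
        yield ts, m.group("ip")


def find_bursts(lines, allowlist=frozenset(), threshold=3,
                window=timedelta(seconds=10)):
    """Return {ip: peak_count} for non-allowlisted IPs that opened at least
    `threshold` connections inside any `window`-long sliding interval."""
    by_ip = defaultdict(list)
    for ts, ip in parse_accepts(lines):
        if ip not in allowlist:
            by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # slide the window start forward until it fits within `window`
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_bursts(LOG_LINES.splitlines()).items():
        print(f"burst from {ip}: {n} connections within 10s")
```

Run over the post's excerpt this flags 18.179.34.199 and nothing else. It is only a cheap heuristic: on a server without authentication, any accepted connection from an unknown address is already the incident, so the real fix is the allowlist and auth discussed below, and the burst check is what you would wire into log monitoring to catch the next scanner early.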

Just the time it takes to eat a meal~ heh heh heh~ 😓 😓 😓 Good thing I had backed up; that's a thousand kuai less for our hacker friend.

Searching online, there are plenty of other victims, and the ransom note template is exactly the same; the bitcoin demanded ranges from 0.005 to over 1 BTC.

Venting in the group chat, I also got roasted by the ops guys 😭

Security incidents are fiercer than tigers

Luckily not much data was lost this time, and it was only my personal test data. If it had been a company's production database, you would have to pay however many BTC they demanded 😁

Once again, a reminder to myself and to everyone: security incidents are fiercer than tigers, and security responsibility weighs heavier than a mountain.

  • Never skip security configuration for the sake of convenience; keep security in mind in everything you do.
  • Back up important data promptly.
  • Set IP allow/deny lists on the server and close every port that can be closed.
  • If, like me, the IP you connect from keeps changing, consider moving some services off their default ports to lower the chance of being picked up by scanners (this only hides you from mass scanners; it is not a substitute for authentication and a firewall).
  • Always set a password; to resist brute-forcing, use a strong random password.
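As an added example (not code from the original post), here is the weak mongod.conf the post describes beside a hardened one, plus a small audit function that parses the two-level YAML subset mongod uses and reports the settings that made the ransom possible. The port 27117, the dbPath and the hand-written parser are assumptions for illustration; a real mongod.conf should be loaded with a YAML library.

```python
# Weak configuration as described in the post: default port, listening on
# every interface, no authentication. (Constructed for this example.)
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Hardened configuration: loopback only (use a private address or an SSH
# tunnel for remote clients), non-default port, authorization required.
HARDENED_CONF = """\
net:
  port: 27117          # assumed non-default port
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_conf(text):
    """Parse the 'section:\\n  key: value' subset of mongod's YAML config.
    Comments are stripped; anything deeper than two levels is out of scope."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        else:
            key, _, value = line.strip().partition(":")
            conf.setdefault(section, {})[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings for the settings that left the post's server open."""
    conf = parse_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    # mongod 3.6+ binds to localhost unless bindIp says otherwise
    bind_all = any(ip.strip() in ("0.0.0.0", "::")
                   for ip in net.get("bindIp", "127.0.0.1").split(","))
    auth_on = sec.get("authorization") == "enabled"

    findings = []
    if bind_all:
        findings.append("net.bindIp listens on all interfaces")
    if not auth_on:
        findings.append("security.authorization is not enabled")
    if bind_all and not auth_on:
        findings.append("CRITICAL: unauthenticated mongod reachable from any network")
    if net.get("port", "27017") == "27017":
        findings.append("net.port is the default 27017 (what mass scanners probe first)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["no findings"])
```

Two caveats when applying the hardened file: after switching `security.authorization` to `enabled`, create the first administrative user from the server itself (the localhost exception lets a local `mongo` shell run `db.createUser(...)` against the `admin` database once, before any user exists), and only then open access to clients. And for the dynamic-IP problem the post mentions, an SSH tunnel or VPN into the host keeps the security group closed to 0.0.0.0/0, which the port change alone does not achieve.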
