前些日子看阿里云便宜,买了一个,安装了一个mongodb,自己连着做调试。
好久没用了,今天突然惊喜的发现被黑客登录了。没想到居然还有人靠这么低级的漏洞混饭吃。
被黑的表现如下:
> show dis
HOW_TO_RESTORE_mydb1 0.078GB
HOW_TO_RESTORE_mydb2 0.078GB
README 0.078GB
local 0.078GB
mydb1 0.453GB
mydb2 0.453GB
其中mydb1的数据和mydb2的数据都被清空了。
从mongodb的直连地址来自美国(当然也有可能是用的美国服务器做的代理,但是事发之后并不能ping通那个ip,应该对方水平也并不高,可能真是用的自己的PC):
删除数据库的时间是:4:27
其中HOW_TO_RESTORE_mydb1、HOW_TO_RESTORE_mydb2、README存储的是勒索信息。勒索信息如下:
> use HOW_TO_RESTORE_mydb1
switched to db HOW_TO_RESTORE_mydb1
> show tables;
HOW_TO_RESTORE
system.indexes
> db.HOW_TO_RESTORE.findOne();
{
"_id" : ObjectId("5d95544778e531762eb557c2"),
"What_happend" : "Your DB was saved and archived, you have 7 days to restore it.",
"___" : "",
"How_to_restore" : "Send 0.125 Bitcoin to address bellow",
"pay_to_btc_address" : "19Ng6XNfCo9pdzDred8ztgWf9BbpTiBr6M",
"email_to" : "Send email to baseshaver@criptext.com OR baseshaver@elude.in with your ID-code and transaction link! More info on links below!",
"YOUR_ID_CODE" : "5c487d7b3cce97442e95825b5c487d7b3cce9744",
"get_db_back" : "You will get your db archive back immediately right after we receive an email and check payment.",
"TIME" : "you have 7 days to pay, then DB will be published on private hack forum and deleted from our HDDs.",
"contact_problems" : "If you not get answer in 12 hours or get errors when sending letters use reserve emails or check MORE_INFO for another contacts:",
"reserve_emails" : "baseshaver@protonmail.com | baseshaver@keemail.me | baseshaver@inbox.lv | baseshaver@yandex.com | baseshaver@secmail.pro | baseshaver@lycos.com",
"MORE_INFO" : "You can find more information here: https://anotepad.com/note/read/53sex69b OR https://onlinenotepad.us/LAeK8dBJc8 ",
"____" : "",
"Where_to_buy_btc" : "List below of exchanges where you can buy BTC in next collection!",
"BTC_Exchanges" : " localbitcoins.com | paxful.com | payments.changelly.com | wirex.com | abra.com | coinmama.com ",
"BTC_Guides" : " https://www.buybitcoinworldwide.com/ | https://en.bitcoin.it/wiki/Main_Page "
}
> use README
switched to db README
> show tables;
README
system.indexes
> db.README.findOne();
{
"_id" : ObjectId("5a460f404186ec47a8181643"),
"Bitcoin" : "16NHQZe81LqTPfekW3VXvnyZcFLR37VyHi",
"Email" : "4b4340f8c832472e902b5482bcfdedfa@protonmail.com",
"Exchange" : "https://localbitcoins.com",
"Solution" : "Your database has been downloaded and backed up on our secured servers. To recover your lost data: Send 0.1 BTC to our Bitcoin address and contact us by email with your MongoDB server IP address and proof of payment."
}
解决方法大家都应该知道,设置密码,改端口,新建用户跑mongodb,只监听127.0.0.1,设置防火墙等。就不多说了。