Critical : mongodb hacked #3334

Closed
jigneshk opened this issue Jan 6, 2017 · 16 comments

Comments

@jigneshk

jigneshk commented Jan 6, 2017

Hello team,

After migrating my database to an AWS EC2 server, it was working fine for the last few weeks. But today I can see that all the data has been deleted.

Maybe it was attacked by malware or hacked by someone.

Can anyone please help me out? My app is live and people have lost their data.

This is a really serious problem and I am under serious pressure.

Please, please, please help me out.

Thanks
Jignesh

@flovilmart
Contributor

I'm not sure how we can help there. Did you have any backup? Hosted on a provider like mlab?

@emkman

emkman commented Jan 7, 2017

It's still not clear to me from the Ars article or the MongoDB blog post if there is a vulnerability or if these were just unsecured DBs with weak or no credentials.

@jigneshk did you not have a strong password for your db user or do you know what happened?

@flovilmart
Contributor

Probably unprotected / no-auth DBs that were deployed on a public port.

@ajamaica

ajamaica commented Jan 7, 2017

You can block remote access with iptables, use mongo on localhost and use user/password protection. It is recommended to use SSL too.

# Allow loopback to mongod, then drop everyone else. Rules are appended, so an
# earlier ACCEPT for tcp/27017 still wins: check `iptables -L INPUT -n`.
iptables -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 27017 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
# Prints the running ruleset only; redirect it to your distro's persistence file or it is lost at reboot.
iptables-save
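The three points in the comment above (remote access blocked, mongod on localhost, credentials enforced) are easy to get half right, so the following audit script is added here as an example; it is not from the thread, from Parse Server or from MongoDB. It assumes a YAML mongod.conf of the kind the distro packages ship (with the comma-separated `bindIp` form), `ss` or `netstat` for the listener table, and the legacy `mongo` shell on PATH for the anonymous-access probe. The config files and listener lines it is exercised with are constructed; the function, script and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of a mongod host for the
# three points above: remote access blocked, bound to loopback, auth enforced.
set -eu

# Value of a mongod.conf key such as "bindIp:" or "authorization:" ($1) from
# the YAML file $2, with comments and quotes stripped; empty when unset.
# Assumes the comma-separated bindIp form that mongod.conf uses.
conf_value() {
  sed -e 's/#.*//' "$2" | awk -v k="$1" -v q="'" '
    $1 == k { gsub(/"/, "", $2); gsub(q, "", $2); print $2; exit }'
}

# Audit one mongod.conf. Returns 0 only if mongod binds to loopback and
# security.authorization is enabled. A username and password in the app's
# databaseURI protect nothing while authorization is off: the server never asks.
audit_conf() {
  local conf="$1" ok=0 bind auth old_ifs addr
  bind=$(conf_value "bindIp:" "$conf")
  auth=$(conf_value "authorization:" "$conf")
  if [ -z "$bind" ]; then
    # Before 3.6 an absent net.bindIp means "every interface", which is how the
    # databases in this thread ended up reachable from the Internet.
    echo "FAIL net.bindIp not set (mongod before 3.6 then listens on all interfaces)"
    ok=1
  else
    old_ifs=$IFS; IFS=,
    for addr in $bind; do
      case "$addr" in
        0.0.0.0|::) echo "FAIL net.bindIp=$bind includes the wildcard $addr"; ok=1 ;;
        127.*|::1|localhost) echo "ok   net.bindIp $addr is loopback" ;;
        *) echo "WARN net.bindIp $addr is reachable from the network; firewall it" ;;
      esac
    done
    IFS=$old_ifs
  fi
  if [ "$auth" = "enabled" ]; then
    echo "ok   security.authorization is enabled"
  else
    echo "FAIL security.authorization is '${auth:-unset}': anyone reaching the port owns the data"
    ok=1
  fi
  return "$ok"
}

# Read `ss -ltn` or `netstat -ltn` output on stdin and fail if port $1 is bound
# to a wildcard address. bindIp is the fix; the iptables rules above are the
# safety net if it is wrong.
audit_listeners() {
  awk -v port="$1" '
    $4 ~ (":" port "$") {                    # local address:port is column 4
      host = substr($4, 1, length($4) - length(port) - 1)
      if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::" || host == "") {
        print "FAIL port " port " is listening on " host " (all interfaces)"; bad = 1
      } else {
        print "ok   port " port " is listening on " host " only"
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# Ask mongod for listDatabases with no credentials, the first thing the ransom
# scripts did. Assumes the legacy `mongo` shell on PATH. Returns 1 if an
# anonymous client can enumerate databases, 0 if refused or unreachable.
audit_unauth() {
  local out
  out=$(mongo --host "$1" --port "$2" --quiet \
          --eval 'db.adminCommand({listDatabases: 1}).ok' 2>/dev/null || true)
  if [ "$out" = "1" ]; then
    echo "FAIL $1:$2 answers listDatabases without authentication"
    return 1
  fi
  echo "ok   $1:$2 refuses anonymous listDatabases (or is unreachable)"
}

# Run on the database host:  sh mongo_audit.sh /etc/mongod.conf [host] [port]
if [ "${1:-}" != "" ]; then
  status=0
  audit_conf "$1" || status=1
  if command -v ss >/dev/null 2>&1; then
    ss -ltn | audit_listeners "${3:-27017}" || status=1
  elif command -v netstat >/dev/null 2>&1; then
    netstat -ltn | audit_listeners "${3:-27017}" || status=1
  fi
  audit_unauth "${2:-127.0.0.1}" "${3:-27017}" || status=1
  exit "$status"
fi
```

Run it on the database host after every config change; a non-zero exit means at least one of the three is wrong. The `WARN` case (a non-loopback `bindIp`) is legitimate when the app runs on another machine, but then the iptables rule above must name that machine's address instead of 127.0.0.1, and the port should still not answer to the rest of the world.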

@skinp
Contributor

skinp commented Jan 8, 2017

@srameshr
Contributor

srameshr commented Jan 8, 2017

@ajamaica Setting that or also using bindIp blocks the connection even from my mobile app. How do I fix that?

@ajamaica

ajamaica commented Jan 8, 2017 via email

@srameshr
Contributor

srameshr commented Jan 8, 2017

@ajamaica Ok. Got it. Works fine now.

@kosumi

kosumi commented Jan 8, 2017

My server was also hacked.
I know its security was poor because port 27017 was open to the public and bind_ip was not set.
But why was mongodb hacked so easily?
It was protected by a username and password that could not be guessed from the server address.

@skinp
Contributor

skinp commented Jan 8, 2017

One thought I had about the data: maybe the hackers didn't drop the oplog? If that's the case, you might be able to get some data back. Have a look in local.oplog.rs...
Even if the oplog hasn't been cleared, it won't be easy to recover from it (it's pretty technical and I can't help with that), but at least it's something that might be useful...

@JonyMateos

Same problem here; in my case the server is hosted on DO. At least my mongodb only had tests in it at the moment. It would be nice to have a brief and understandable list of steps to make this safe.
I'm really sorry for those whose apps have been damaged.

@natanrolnik
Contributor

Closing this issue as there is nothing that can be done by Parse Server itself.
Feel free to continue the discussion and bring relevant suggestions and links.

@yorkwang

Same problem here, about 20k users data were lost.

@srameshr
Contributor

srameshr commented Jan 13, 2017

Some basic things to setup:

# In your mongod.conf file

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

setParameter:
  failIndexKeyTooLong: false

#processManagement:

security:
  authorization: "enabled"

Start mongod with these options:

mongod --auth --bind_ip 127.0.0.1 --fork --logpath /data/db/mongod.log --config /etc/mongod.conf 
// In index.js file in your parse server root folder
 databaseURI: 'mongodb://dbUsername:dbPassword@localhost:27017/dbName'

Back up your db daily. Hook up with a provider or use this simple script to back up your db locally every day.

#!/bin/bash
# Abort on the first failed command, on unset variables and on failures in pipes.
set -euo pipefail

MONGO_DATABASE="yourDbName"
MONGO_USER="yourDbbUser"
MONGO_PASS="yourDbUserPass"
APP_NAME="yourAppName"

MONGO_HOST="127.0.0.1"
MONGO_PORT="27017"
TIMESTAMP=$(date +%F-%H%M)
# Cross check your path to mongo and mongodump
MONGODUMP_PATH="/usr/bin/mongodump"
BACKUPS_DIR="/home/backups/$APP_NAME"
BACKUP_NAME="$APP_NAME-$TIMESTAMP"

# With security.authorization enabled (see the mongod.conf above) every call
# below must authenticate, including fsyncLock/fsyncUnlock, and that user needs
# the fsync action (for example the hostManager role on admin); a plain readWrite
# app user is not enough. The password is visible in `ps` while this runs, so
# keep the script readable by root only (chmod 700).
AUTH=(-u "$MONGO_USER" -p "$MONGO_PASS" --authenticationDatabase "$MONGO_DATABASE")

# mongodump writes a relative ./dump directory, so do not rely on whatever
# directory cron starts in: work in a private temp dir and remove it on exit.
WORK_DIR=$(mktemp -d)
cd "$WORK_DIR"
# A leaked fsyncLock blocks every write to the live database, so release it
# even if mongodump fails half way. MongoDB's documentation warns that the lock
# can also block the reads a new authenticated connection needs; mongodump by
# itself does not require the lock, so drop the two fsync calls if the unlock hangs.
trap 'mongo admin "${AUTH[@]}" --quiet --eval "printjson(db.fsyncUnlock())" || true; rm -rf "$WORK_DIR"' EXIT

mongo admin "${AUTH[@]}" --quiet --eval "printjson(db.fsyncLock())"
"$MONGODUMP_PATH" -h "$MONGO_HOST:$MONGO_PORT" "${AUTH[@]}" -d "$MONGO_DATABASE"
mongo admin "${AUTH[@]}" --quiet --eval "printjson(db.fsyncUnlock())"

mkdir -p "$BACKUPS_DIR"
mv dump "$BACKUP_NAME"
tar -zcf "$BACKUPS_DIR/$BACKUP_NAME.tgz" "$BACKUP_NAME"

Next, save the above script and mark it as executable:

chmod +x backup_script.sh
bash backup_script.sh

Next, configure a cron job to run this every day at your desired time.

sudo su
crontab -e

This will create a new Cron file if you haven’t already created one and open it. Enter this in a new line:

00 00 * * * /path/to/your/backup_script/backup_script.sh

If the data you are sending over the wire is sensitive then use SSL.

Please keep adding more stuff so that the whole parse community is protected.
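The nightly backup in the steps above is the only thing standing between a dropped database and real data loss, and several people in this thread only found out what they had when they needed it. The script below is added here as an example (it is not from the thread, from Parse Server or from MongoDB) that verifies the newest archive exists, is recent and actually contains BSON for the application database. It assumes the `$APP_NAME-$TIMESTAMP.tgz` naming and the `<backup>/<db>/<collection>.bson` layout that the script above and mongodump produce; the directory, database and file names are placeholders, and the archives it is exercised with are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check that the nightly backup job above
# really produced a usable archive. Assumes the $APP_NAME-$TIMESTAMP.tgz naming
# and the <backup>/<db>/<collection>.bson layout that script and mongodump create.
set -eu

# Newest archive in directory $1 (the %F-%H%M timestamps sort lexically).
# Prints its path; returns 1 when the directory holds no archive at all.
latest_backup() {
  local f
  f=$(ls -1 "$1"/*.tgz 2>/dev/null | sort | tail -n 1)
  [ -n "$f" ] || return 1
  printf '%s\n' "$f"
}

# Is archive $1 younger than $2 seconds? GNU and BSD stat spell mtime differently.
backup_is_fresh() {
  local mtime now
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  now=$(date +%s)
  [ $((now - mtime)) -le "$2" ]
}

# Does archive $1 hold at least one non-empty <db>/<collection>.bson for db $2?
# An archive can exist and still be empty (interrupted dump, wrong database
# name), so look at the .bson sizes rather than at the file's existence.
backup_has_data() {
  local archive="$1" db="$2" member bytes
  for member in $(tar -tzf "$archive" | grep "/$db/[^/]*\.bson\$" || true); do
    bytes=$(tar -xzOf "$archive" "$member" | wc -c | tr -d ' ')
    [ "$bytes" -gt 0 ] && return 0
  done
  return 1
}

# Full check for cron: newest archive exists, is at most $3 seconds old
# (default 26 h, i.e. one missed nightly run) and contains data for db $2.
# Non-zero exit is the alert condition.
verify_backups() {
  local dir="$1" db="$2" max_age="${3:-93600}" latest
  latest=$(latest_backup "$dir") || { echo "FAIL no archive in $dir"; return 1; }
  backup_is_fresh "$latest" "$max_age" || { echo "FAIL $latest is older than ${max_age}s"; return 1; }
  backup_has_data "$latest" "$db" || { echo "FAIL $latest contains no data for db '$db'"; return 1; }
  echo "ok   $latest is fresh and contains data for db '$db'"
}

# Usage, e.g. from cron an hour after the backup job:
#   sh verify_backup.sh /home/backups/yourAppName yourDbName
if [ "${1:-}" != "" ]; then
  verify_backups "$1" "${2:?database name required}" "${3:-93600}"
fi
```

Schedule it an hour after the backup entry in the crontab and route a non-zero exit to whatever alerts you already watch. Note that an archive sitting in /home/backups on the same host protects against the drop itself but not against whoever can delete the database also deleting the directory; copy each verified archive off the host as a separate step.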

@tran-huy-phuc

For me, my mongo database was hacked early this month. I tried to restore the database from my backup (thank God, I had a backup on Digital Ocean). But the data was hacked again 3-4 times.
Then I decided to install and enable a firewall and set it up to allow only 2 ports: the port for the client app (default: 1337) and the port for the dashboard (default: 4040). And the data has not been hacked since.
I hope a firewall is the solution for this kind of ransom hack, but I'll still wait and see. Hope this gives you an idea for protecting your database. Thanks!
