{"id":773,"date":"2017-01-09T12:29:27","date_gmt":"2017-01-09T12:29:27","guid":{"rendered":"http:\/\/www.adlice.com\/?p=773\/"},"modified":"2022-12-21T10:35:33","modified_gmt":"2022-12-21T10:35:33","slug":"mongodb-ransomware-spreading","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/es\/mongodb-ransomware-spreading\/","title":{"rendered":"MongoDB Ransomware is spreading"},"content":{"rendered":"\n

Apocalypse now<\/h4>\n\n\n\n

Right now, bots are scanning the internet for mongodb database with no password, and open port.<\/strong> When they found some, they use that open access for saving all the data (somewhere), dropping everything<\/strong>, and leaving a ransom note (just like ransomware, yes) to get your data back after paying the price<\/strong>.<\/p>\n\n\n\n

If that happened to you, it’s mostly too late, but if not please read the following and secure your database NOW<\/strong>!<\/p>\n\n\n\n


Ransomware<\/h4>\n\n\n\n

Dropping a database and leaving a ransom note is somewhat new<\/strong>. Here’s some logs from our honeypot where the database was dropped by that bot:
\"\"<\/a><\/p>\n\n\n\n


Dockerized mongodb<\/h4>\n\n\n\n

If you use the dockerized version, it comes pre-configured with open access to the world, and no password<\/strong>. This is B.A.D! To secure a dockerized version of mongodb, restrict listening address to localhost<\/strong><\/a> like this (put the 127.0.0.1 address before the port):<\/p>\n\n\n\n

docker run --name db -p 127.0.0.1:27017:27017 -d mongo:3.0 --smallfiles<\/code><\/pre>\n\n\n\n

Regular Mongodb<\/h4>\n\n\n\n
If you don’t use docker, the best you can do is preventing the port from being accessible to the world with iptables<\/strong>. However, if you don’t have a firewall, or not familiar with, you can just use the bind_ip parameter to launch the mongodb instance<\/strong><\/a>:<\/p>\n\n\n\n
bind_ip = 127.0.0.1<\/code><\/pre>\n\n\n\n

Links<\/h4>\n\n\n\n