What is going on in my Mongodb?
Unanswered
Australian Freshwater Crocodile posted this in #help-forum

Australian Freshwater CrocodileOP
So 2 days ago I installed mongodb on my VPS to use in my projects
I don't have any special info in it yet because I didn't use it in these 2 days
But now I opened my compass and I see the db as you see in the image
and there is this content in it:
All your data is backed up. You must pay 0.0045 BTC to bc1qt3zrm0va2g5adut9pem790hsmtnwka76yrzwjp In 48 hours, your data will be publicly disclosed and deleted. (more information: go to http://(removedformemberscuriousity).win/mdb) After paying send mail to us: againremoved@onionmail.org and we will provide a link for you to download your data. Your DBCODE is: 184INW

50 Replies

Australian Freshwater CrocodileOP
I have nothing on my db and I checked my vps and its just fine (last login was me 2 days ago)
Should I open that url myself?

Yi Lon Ma
someone hacked into your mongo instance

Australian Freshwater CrocodileOP
How???????? in 2 days??? with what?
How did they manage to find my IP and username and pass?

Yi Lon Ma
maybe you didn't set a password, or weak password

Australian Freshwater CrocodileOP
Do they have access to my vps's data?

Australian Freshwater CrocodileOP
It's not that strong but not that weak tho

Yi Lon Ma
this also happened with me when I didn't set a password on my mongo and it had the same message

Australian Freshwater CrocodileOP
Should I be worried about my data on my vps?
or just changing the pass is enough?

Yi Lon Ma
disable password login and use ssh keys

Australian Freshwater CrocodileOP
I sometimes need to login to my vps from another device

Australian Freshwater CrocodileOP
@Yi Lon Ma I've changed my mongodb pass
and still it keeps recreating that
I delete that db and it comes back
what should I do??

monitor the connections to your mongo

adam.birds
Just delete your VPS and start a new one maybe?

and this time set a good password
if you're just hosting your app on the server and not using for development, don't expose your db to internet
use docker network to connect to your db

Australian Freshwater CrocodileOP
No bro I will have to put like 2 days of work for this lol
I guess it got fixed
I changed the user too

adam.birds
Just save your code to git, move it over and install mongodb again, it shouldn't take 2 days to set mongodb up again.
I host a load of servers, and if they ever did get compromised I'd be destroying it and remaking it as you just don't know what else they did on it. Let alone that destroying and starting again gets you a new IP too.

Australian Freshwater CrocodileOP
Bruhhhhhhhhh again I got thissss cmonnnnnnnnn
You think they hacked into my vps?
I really don't want to rebuild my vps
cuz I have my VPN servers on it (I'm from a heavily censored country)
And some big and large files (video files) which I don't think I could upload anywhere unless it's my pc
and If I erase everything this means I'll have to use some public VPN and they are super slow (my normal network speed is barely 1mb/s and with public VPNs you know ...)

Yi Lon Ma
first of all, disable password login for VPS
setup SSH keys

adam.birds
It's up to you @Australian Freshwater Crocodile I'm just saying what I'd do. And it's maybe also a chance to get a second VPS, one for personal use and one for your web app stuff. And also disable password login and setup SSH as @Yi Lon Ma said or it will just happen again.

Australian Freshwater CrocodileOP
I guess I need to do this
You think there is something wrong with my mongodb or the server?
I made it to use ssh keys
and still I got that message

adam.birds
If they got access to the server itself, they could have installed malware meaning they still have access. Or if your mongo is open to the world and not protected, they could have got straight in there.

Australian Freshwater CrocodileOP
It is protected and I've changed the user and pass for like 10 times
but why attack mongo when I have some really more valuable things in my server?
And I couldn't find any accesspoints in my vps

Then likely the VPS and they have installed some sort of malware, it will likely be some bot that has managed to get in, rather than someone sat there hacking you.

Australian Freshwater CrocodileOP
Yeah its a bot obv

Can you get into mongo and see the data etc that are being created?

Australian Freshwater CrocodileOP
idk lemme see

Australian Freshwater CrocodileOP
No I couldn't find anything
bruhhhh
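The advice given in the thread (enable authentication, do not expose mongod to the internet, look at what is actually listening) as an added example that is not part of the original thread or of MongoDB's own tooling. It is a POSIX sh script that audits a YAML-style mongod.conf for the two settings whose absence lets a scanning bot walk straight in (a listener on a non-loopback address via net.bindIp / net.bindIpAll, and security.authorization not enabled) and filters `ss -ltn` output for a public 27017 listener. The two config files and the ss output it reads are constructed samples embedded inline; the paths and function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the two mongod.conf
# settings whose absence gives internet scanners the open door the OP saw:
# a listener on a public interface (net.bindIp / bindIpAll) and no
# authentication (security.authorization). Only sh, sed, awk and tr are used.

# Value of a "key: value" line in the YAML-style mongod.conf ("" if absent).
conf_value() {   # conf_value FILE KEY
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed "s/[\"']//g; s/[[:space:]]*\$//"
}

# 0 if mongod can only be reached over loopback, 1 if any non-loopback bind.
bind_is_loopback_only() {   # bind_is_loopback_only FILE
  [ "$(conf_value "$1" bindIpAll)" = "true" ] && return 1
  ip=$(conf_value "$1" bindIp)
  [ -z "$ip" ] && return 0   # absent: mongod >= 3.6 defaults to 127.0.0.1
  echo "$ip" | tr -d ' ' | tr ',' '\n' | while read -r a; do
    case "$a" in
      127.0.0.1|localhost|::1) ;;
      *) exit 1 ;;            # 0.0.0.0, ::, or a public address
    esac
  done
}

auth_enabled() {   # auth_enabled FILE
  [ "$(conf_value "$1" authorization)" = "enabled" ]
}

# Prints one finding per line; returns 0 only when both checks pass.
audit_mongod_conf() {   # audit_mongod_conf FILE
  rc=0
  if bind_is_loopback_only "$1"; then
    echo "ok   net.bindIp is loopback only"
  else
    echo "FAIL mongod listens on a non-loopback address (reachable by scanners)"
    rc=1
  fi
  if auth_enabled "$1"; then
    echo "ok   security.authorization is enabled"
  else
    echo "FAIL security.authorization is not enabled (anyone who connects is admin)"
    rc=1
  fi
  return $rc
}

# Keeps lines of "ss -ltn" output that are a 27017 listener on something
# other than loopback. Live use:  ss -ltn | public_mongo_listeners
public_mongo_listeners() {
  awk '$1 == "LISTEN" && $4 ~ /:27017$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):/'
}

# --- constructed samples (not from a real host) -----------------------------
TMP=$(mktemp -d)
WEAK_CONF=$TMP/mongod-weak.conf     # the shape that gets ransomed
cat > "$WEAK_CONF" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
EOF

HARD_CONF=$TMP/mongod-hard.conf     # loopback only, auth on
cat > "$HARD_CONF" <<'EOF'
net:
  port: 27017
  bindIp: 127.0.0.1, ::1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
EOF

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      4096   0.0.0.0:27017        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:27017      0.0.0.0:*'

echo "== weak config ==";     audit_mongod_conf "$WEAK_CONF" || true
echo "== hardened config =="; audit_mongod_conf "$HARD_CONF"
echo "== public 27017 listeners in sample ss output =="
printf '%s\n' "$SAMPLE_SS" | public_mongo_listeners
```

Run it against the real file with `audit_mongod_conf /etc/mongod.conf` and pipe live `ss -ltn` into `public_mongo_listeners`; if either reports a public listener, firewall or rebind first, because creating users only helps once authorization is enabled and the old listener is closed. The thread's point about the OP's app server stands: when the app runs on the same host or in the same Docker network, mongod never needs a public bind at all.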