一次被删库的事故记录

今天早上打算完善一下任务调度管理器的 README.md 文档时,发现管理后台登录不上去,以为是 JWT 令牌过期,但是尝试重新登录几次,还是登不上。登录服务器一看,几个数据表全部不见了!

我都蒙了,数据怎么突然就没了呢。MongoDB 的服务还是正常运行的,没看到有崩溃,真是奇了个怪的。不过在 show dbs; 时,发现多了一个 db : 

HOW_TO_RECOVERY_BASE  0.000GB

跟进去那个 db ,发现有一个名叫 README 的集合, db.README.find() 看到有一条记录:

{
       "_id" : ObjectId("5e94c8b2d2be92596522c194"),
       "content" : "All your data is a backed up. You must pay 0.015 BTC to 1jAzyxPREckuUPwifEbiUKgDfE5racmph 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. Also do not forget about GDPR. You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP : g3t_base@protonmail.com"
}

我 xxx !被清空数据勒索了!!

检查了MongoDB 服务日记,发现了一个外网的客户端连接,因为我自己的程序都是用环回地址连接数据库的,所以这个外网的连接很明显是搞事情的。

2020-04-13T16:50:26.350+0800 I  NETWORK  [listener] connection accepted from 45.227.255.190:42350 #6921 (13 connections now open)
2020-04-13T16:50:26.351+0800 I  NETWORK  [conn6921] received client metadata from 45.227.255.190:42350 conn6921: { driver: { name: "PyMongo", version: "3.10.1" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "4.15.18-9-pve" }, platform: "CPython 3.5.3.final.0" }
2020-04-13T16:50:26.779+0800 I  NETWORK  [listener] connection accepted from 45.227.255.190:42404 #6922 (14 connections now open)
2020-04-13T16:50:26.780+0800 I  NETWORK  [conn6922] received client metadata from 45.227.255.190:42404 conn6922: { driver: { name: "PyMongo", version: "3.10.1" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "4.15.18-9-pve" }, platform: "CPython 3.5.3.final.0" }
2020-04-13T16:50:29.529+0800 I  NETWORK  [conn6922] end connection 45.227.255.190:42404 (13 connections now open)
2020-04-13T16:50:30.192+0800 I  NETWORK  [conn6921] end connection 45.227.255.190:42350 (12 connections now open)
2020-04-14T04:16:48.437+0800 I  NETWORK  [listener] connection accepted from 45.227.255.190:57032 #7172 (12 connections now open)
2020-04-14T04:16:48.438+0800 I  NETWORK  [conn7172] received client metadata from 45.227.255.190:57032 conn7172: { driver: { name: "PyMongo", version: "3.10.1" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "4.15.18-9-pve" }, platform: "CPython 3.5.3.final.0" }
2020-04-14T04:16:48.879+0800 I  NETWORK  [listener] connection accepted from 45.227.255.190:57118 #7173 (13 connections now open)
2020-04-14T04:16:48.879+0800 I  NETWORK  [conn7173] received client metadata from 45.227.255.190:57118 conn7173: { driver: { name: "PyMongo", version: "3.10.1" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "4.15.18-9-pve" }, platform: "CPython 3.5.3.final.0" }
2020-04-14T04:16:50.485+0800 I  NETWORK  [conn7172] end connection 45.227.255.190:57032 (12 connections now open)
2020-04-14T04:16:50.490+0800 I  NETWORK  [conn7173] end connection 45.227.255.190:57118 (11 connections now open)

查了下 IP 的信息

IP地址: 45.227.255.190荷兰阿姆斯特丹

从日志可以看出,在 13 号下午和 14 四号凌晨,有个使用 CPython 做的程序两次连接到了MongoDB服务,在第二次的时候把我的整个数据库的数据都清了,然后留下一个指引我上交比特币恢复数据的信息。

跟到这里已经很明显了,有人利用端口扫描之类的工具,找到了我的没有限制 IP、使用默认端口、没有密码的MongoDB 服务,然后删把数据删了,留个比特币账号和邮箱,让我给他比特币再给我回复数据。

万幸的是,被清空的只是测试数据。被删掉的是定时任务管理器上线一周多的测试任务数据,对我来说不是很重要,没有花钱恢复的必要。

这个事故提醒了我,数据安全不可忽视!

在此,我的 MongoDB 服务器可以做的至少有以下几件事:

  • 只允许内网访问
  • 更改服务默认端口
  • 设置数据库密码
  • 定时备份数据

最后,我有点想感谢那个删我数据库的家伙,是他用实际行动提醒了我,别再大意了,注意数据安全!

嗯,比特币是没有了,还是给他回一封邮件吧。

本文作者: chenishr

本文标题:《一次被删库的事故记录》

本文地址: https://blog.chenishr.com/?p=828

©版权所有,除非注明, 永在路上文章均为原创,转载请以链接形式注明出处和作者细信息。