MongoDB hacked and my project database got dropped!

Hi everyone, after taking most of the winter off my project Zzpace, I unfortunately noticed yesterday that my AWS/MongoDB got hacked and the hackers dropped a database that had some data relevant to my Zzpace project.

Unfortunately I had my bind_ip set to the default of 0.0.0.0, which allowed anyone to access my mongo database. I have changed that setting to 127.0.0.1, which going forward will only allow access from people who properly access the AWS / Mongo server via proper SSH access.

Below are the unfortunate logs of the hacker accessing my zzpace database and unfortunately deleting the main database and the backup.

2019-11-04T18:33:43.263+0000 I NETWORK  [conn541] received client metadata from 52.229.38.131:58767 conn541: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.2.1" }, os: { type: "Windows", name: "Microsoft Windows Server 2016", architecture: "x86_64", version: "10.0 (build 14393)" } }

2019-11-04T18:33:43.477+0000 I COMMAND  [conn541] dropDatabase zzpace - starting

2019-11-04T18:33:43.477+0000 I COMMAND  [conn541] dropDatabase zzpace - dropping 0 collections

2019-11-04T18:33:43.479+0000 I COMMAND  [conn541] dropDatabase zzpace - finished


2019-11-20T03:42:02.607+0000 I COMMAND  [conn744] dropDatabase HOW_TO_RESTORE_zzpace - starting

2019-11-20T03:42:02.608+0000 I COMMAND  [conn744] dropDatabase HOW_TO_RESTORE_zzpace - dropping 0 collections

2019-11-20T03:42:02.609+0000 I NETWORK  [conn745] end connection 93.190.140.28:51292 (15 connections now open)

2019-11-20T03:42:02.609+0000 I COMMAND  [conn744] dropDatabase HOW_TO_RESTORE_zzpace - finished

2019-11-20T03:42:02.609+0000 I NETWORK  [conn746] end connection 93.190.140.28:51294 (14 connections now open)
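
A detection check over this kind of log, as an added example that is not part of the original post: it maps each connection id to its remote address and reports every dropDatabase that did not come from a loopback connection. The function name, sample lines, database names and the 203.0.113.7 address are constructed; the line layout assumed is the mongod 4.2 plain-text format shown above.

```python
import ipaddress
import re

# Constructed sample in the mongod 4.2 plain-text log layout (documentation-range IP).
SAMPLE_LOG = """\
2019-11-04T18:33:40.100+0000 I NETWORK  [listener] connection accepted from 127.0.0.1:40112 #540 (1 connection now open)
2019-11-04T18:33:43.263+0000 I NETWORK  [conn541] received client metadata from 203.0.113.7:58767 conn541: { application: { name: "MongoDB Shell" } }
2019-11-04T18:33:43.477+0000 I COMMAND  [conn541] dropDatabase appdb - starting
2019-11-04T18:33:43.479+0000 I COMMAND  [conn541] dropDatabase appdb - finished
2019-11-04T18:40:00.000+0000 I COMMAND  [conn540] dropDatabase scratch - starting
2019-11-20T03:42:02.607+0000 I COMMAND  [conn744] dropDatabase HOW_TO_RESTORE_appdb - starting
"""

# timestamp, severity letter, component, [context], message
LINE = re.compile(r"^(?P<ts>\S+)\s+\w\s+(?P<comp>\w+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$")
ACCEPTED = re.compile(r"connection accepted from (?P<ip>[0-9a-fA-F.:]+):\d+ #(?P<id>\d+)")
METADATA = re.compile(r"received client metadata from (?P<ip>[0-9a-fA-F.:]+):\d+ conn(?P<id>\d+)")
# Accept "-" and the en dash that web rendering substitutes for it.
DROP = re.compile(r"dropDatabase (?P<db>\S+) [-\u2013] starting")


def find_remote_drops(log_text):
    """Return dropDatabase events whose connection is not known to be loopback."""
    peers = {}  # connection id -> remote IP string
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        peer = ACCEPTED.search(msg) or METADATA.search(msg)
        if peer:
            peers[peer["id"]] = peer["ip"]
            continue
        drop = DROP.search(msg)
        if drop and m["ctx"].startswith("conn"):
            ip = peers.get(m["ctx"][4:])
            # A peer missing from the log (rotated away) is reported, not assumed local.
            if ip is None or not ipaddress.ip_address(ip).is_loopback:
                findings.append({"time": m["ts"], "conn": m["ctx"], "db": drop["db"], "peer": ip})
    return findings


if __name__ == "__main__":
    for finding in find_remote_drops(SAMPLE_LOG):
        print(finding)
```

A finding with `peer` set to `None` means the accept or metadata line for that connection is not in the file being scanned, so older rotated logs need to be searched for the connection id.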
