Hi everyone, after taking most of the winter off my project Zzpace, I unfortunately noticed yesterday that my AWS/MongoDB got hacked and the hackers dropped a database that had some data relevant to my Zzpace project.
Unfortunately I had my bind_ip set to the default of 0.0.0.0, which allowed anyone to access my mongo database. I have changed that setting to 127.0.0.1, which going forward will only allow access from people who properly access the AWS / Mongo server via proper SSH access.
Below are the unfortunate logs of the hacker accessing my zzpace database, and unfortunately deleting the main database, and the backup.
2019-11-04T18:33:43.263+0000 I NETWORK [conn541] received client metadata from 52.229.38.131:58767 conn541: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.2.1" }, os: { type: "Windows", name: "Microsoft Windows Server 2016", architecture: "x86_64", version: "10.0 (build 14393)" } }
2019-11-04T18:33:43.477+0000 I COMMAND [conn541] dropDatabase zzpace - starting
2019-11-04T18:33:43.477+0000 I COMMAND [conn541] dropDatabase zzpace - dropping 0 collections
2019-11-04T18:33:43.479+0000 I COMMAND [conn541] dropDatabase zzpace - finished
2019-11-20T03:42:02.607+0000 I COMMAND [conn744] dropDatabase HOW_TO_RESTORE_zzpace - starting
2019-11-20T03:42:02.608+0000 I COMMAND [conn744] dropDatabase HOW_TO_RESTORE_zzpace - dropping 0 collections
2019-11-20T03:42:02.609+0000 I NETWORK [conn745] end connection 93.190.140.28:51292 (15 connections now open)
2019-11-20T03:42:02.609+0000 I COMMAND [conn744] dropDatabase HOW_TO_RESTORE_zzpace - finished
2019-11-20T03:42:02.609+0000 I NETWORK [conn746] end connection 93.190.140.28:51294 (14 connections now open)
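
A detection check for the pattern in the logs above, as an added example that is not part of the original post: it pairs each dropDatabase line with the remote address logged for that connection and reports drops that did not come from loopback. The sample lines, addresses and database names are constructed, and find_remote_drops is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample lines in the log format shown above
# (addresses are from documentation ranges, not from the incident).
SAMPLE_LOG = """\
2019-11-04T18:30:00.000+0000 I NETWORK [conn7] received client metadata from 127.0.0.1:40112 conn7: { application: { name: "MongoDB Shell" } }
2019-11-04T18:30:01.000+0000 I COMMAND [conn7] dropDatabase scratch - starting
2019-11-04T18:33:43.263+0000 I NETWORK [conn9] received client metadata from 203.0.113.50:58767 conn9: { application: { name: "MongoDB Shell" } }
2019-11-04T18:33:43.477+0000 I COMMAND [conn9] dropDatabase appdb - starting
2019-11-04T18:33:43.479+0000 I COMMAND [conn9] dropDatabase appdb - finished
2019-11-04T18:40:00.000+0000 I COMMAND [conn12] dropDatabase other - starting
"""

# timestamp, severity, component, [connN], message
LINE = re.compile(r"^(\S+)\s+\w\s+(\w+)\s+\[(conn\d+)\]\s+(.*)$")
METADATA = re.compile(r"received client metadata from ([\d.]+):\d+")
# Accept a hyphen or the en dash that copied log text often contains.
DROP = re.compile(r"dropDatabase (\S+) (?:-|\u2013) starting")


def find_remote_drops(log_text):
    """Return dropDatabase events whose connection did not come from loopback."""
    peers = {}  # connection id -> remote IPv4 address from its metadata line
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, component, conn, msg = m.groups()
        meta = METADATA.search(msg)
        if component == "NETWORK" and meta:
            peers[conn] = meta.group(1)
            continue
        drop = DROP.search(msg)
        if component == "COMMAND" and drop:
            peer = peers.get(conn)  # None if the metadata line was not captured
            if peer is None or not ipaddress.ip_address(peer).is_loopback:
                findings.append({"time": ts, "conn": conn,
                                 "database": drop.group(1),
                                 "peer": peer or "unknown"})
    return findings


if __name__ == "__main__":
    for f in find_remote_drops(SAMPLE_LOG):
        print(f"{f['time']} {f['conn']} dropped {f['database']} from {f['peer']}")
```

A drop whose connection has no metadata line in the file is reported with peer "unknown" rather than skipped, since rotated or truncated logs can lose the line that carries the address.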