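To my surprise, after not looking at the database for a week, it was empty. It had collections and a few rows of data. It runs on a Digital Ocean 14.04 Ubuntu droplet. Mongod runs on the default port, with no password or bind ip (though I have now enabled bind ip).
Anyway, I checked the logpath /var/log/mongodb/mongodb.log to see what happened. I saw dropDatabase DB_DROPPED starting and 185.129.62.63:41783.
It's from Paris, France. I'm in Hong Kong! So... the only way I access my mongo shell is over ssh with my username and password.
Did someone figure out my ssh username and password and then go to usr/bin to run mongo and db.dropDatabase()? Or is there another way to hack into my mongo shell?
Just wondering whether this will happen again (someone deleting my data), or maybe I have some automatic db.dropDatabase() setup running (I doubt the latter).
Here is the log.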
Tue Apr 18 05:36:39.251 [conn894] end connection 216.218.206.66:30916 (4 connections now open)
Tue Apr 18 05:36:52.241 [initandlisten] connection accepted from 216.218.206.66:35132 #895 (5 $
Tue Apr 18 05:36:52.430 [conn895] end connection 216.218.206.66:35132 (4 connections now open)
Tue Apr 18 16:44:55.121 [initandlisten] connection accepted from 185.129.62.63:41448 #896 (5 c$
Tue Apr 18 16:44:56.052 [initandlisten] connection accepted from 185.129.62.63:41783 #897 (6 c$
Tue Apr 18 16:44:57.426 [conn896] end connection 185.129.62.63:41448 (5 connections now open)
Tue Apr 18 16:44:57.522 [conn897] end connection 185.129.62.63:41783 (4 connections now open)
Tue Apr 18 16:44:59.409 [initandlisten] connection accepted from 185.129.62.63:42904 #898 (5 c$
Tue Apr 18 16:45:00.580 [conn898] dropDatabase DB_DROPPED starting
Tue Apr 18 16:45:00.580 [conn898] removeJournalFiles
Tue Apr 18 16:45:00.585 [conn898] dropDatabase DB_DROPPED finished
Tue Apr 18 16:45:01.208 [conn898] dropDatabase easysmile starting
Tue Apr 18 16:45:01.208 [conn898] removeJournalFiles
Tue Apr 18 16:45:01.211 [conn898] dropDatabase easysmile finished
Tue Apr 18 16:45:01.756 [conn898] dropDatabase admin starting
Tue Apr 18 16:45:01.756 [conn898] removeJournalFiles
Tue Apr 18 16:45:01.758 [conn898] dropDatabase admin finished
Tue Apr 18 16:45:02.361 [conn898] dropDatabase cool_db starting
Tue Apr 18 16:45:02.361 [conn898] removeJournalFiles
Tue Apr 18 16:45:02.362 [conn898] dropDatabase cool_db finished
Tue Apr 18 16:45:03.579 [FileAllocator] allocating new datafile /data/db/DB_DELETED.ns, fillin$
Tue Apr 18 16:45:03.585 [FileAllocator] done allocating datafile /data/db/DB_DELETED.ns, size:$
Tue Apr 18 16:45:03.585 [FileAllocator] allocating new datafile /data/db/DB_DELETED.0, filling$
Tue Apr 18 16:45:03.587 [FileAllocator] done allocating datafile /data/db/DB_DELETED.0, size: $
Tue Apr 18 16:45:03.588 [FileAllocator] allocating new datafile /data/db/DB_DELETED.1, filling$
Tue Apr 18 16:45:03.589 [FileAllocator] done allocating datafile /data/db/DB_DELETED.1, size: $
Tue Apr 18 16:45:03.596 [conn898] build index DB_DELETED.DB_DELETED { _id: 1 }
Tue Apr 18 16:45:03.601 [conn898] build index done. scanned 0 total records. 0.005 secs
Tue Apr 18 16:45:04.274 [conn898] end connection 185.129.62.63:42904 (4 connections now open)
Wed Apr 19 02:37:33.739 [FileAllocator] allocating new datafile /data/db/easysmile.ns, filling$
Wed Apr 19 02:37:33.746 [FileAllocator] done allocating datafile /data/db/easysmile.ns, size: $
Wed Apr 19 02:37:33.746 [FileAllocator] allocating new datafile /data/db/easysmile.0, filling $
Wed Apr 19 02:37:33.748 [FileAllocator] done allocating datafile /data/db/easysmile.0, size: 6$
Wed Apr 19 02:37:33.752 [FileAllocator] allocating new datafile /data/db/easysmile.1, filling $
Wed Apr 19 02:37:33.754 [FileAllocator] done allocating datafile /data/db/easysmile.1, size: 1$
Wed Apr 19 02:37:33.755 [conn863] build index easysmile._SCHEMA { _id: 1 }
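Answer 1
The log is quite clear: your database server is open to the internet. Not a good idea!
When it says "connection accepted from 185.129.62.63", that means a client program (possibly the mongo shell, possibly a different application) running on 185.129.62.63 (or tunnelled through there) made a connection to your DB server, and it was accepted; the further log entries show the intruder dropping your data.
It's not clear whether you ever had authentication enabled on your MongoDB server; given what happened, probably not.
Anyway, you need to learn the lesson, apply the MongoDB security checklist urgently, then restore your data from backup (you do have a backup, don't you?), and not make the same mistake again.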
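
The correlation the answer describes, tying each `dropDatabase` entry back to the client address recorded when that connection number was accepted, can be automated. This is an added example, not part of the original post; the function names are hypothetical and the sample lines are copied from the log in the question.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the log in the question (truncated "$" endings kept).
SAMPLE_LOG = """\
Tue Apr 18 16:44:56.052 [initandlisten] connection accepted from 185.129.62.63:41783 #897 (6 c$
Tue Apr 18 16:44:59.409 [initandlisten] connection accepted from 185.129.62.63:42904 #898 (5 c$
Tue Apr 18 16:45:00.580 [conn898] dropDatabase DB_DROPPED starting
Tue Apr 18 16:45:01.208 [conn898] dropDatabase easysmile starting
Tue Apr 18 16:45:01.756 [conn898] dropDatabase admin starting
Tue Apr 18 16:45:02.361 [conn898] dropDatabase cool_db starting
Tue Apr 18 16:45:04.274 [conn898] end connection 185.129.62.63:42904 (4 connections now open)
Wed Apr 19 02:37:33.755 [conn863] build index easysmile._SCHEMA { _id: 1 }
"""

# "connection accepted from IP:PORT #N" ties connection number N to a client.
ACCEPT = re.compile(r"connection accepted from (\S+):\d+ #(\d+)")
# "[connN] dropDatabase NAME starting" is the destructive event.
DROP = re.compile(r"^(.+?) \[conn(\d+)\] dropDatabase (\S+) starting")

def drops_by_client(log_text):
    """Map each client IP to the (timestamp, database) pairs it dropped."""
    conn_ip = {}  # connection number -> client IP
    result = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m:
            conn_ip[m.group(2)] = m.group(1)
            continue
        m = DROP.match(line)
        if m:
            ts, conn, db = m.groups()
            # The accept line may have rotated out of the log: keep the event.
            result[conn_ip.get(conn, "unknown")].append((ts, db))
    return dict(result)

def external_droppers(log_text):
    """Client IPs outside loopback/private ranges that issued dropDatabase."""
    found = []
    for ip in drops_by_client(log_text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # "unknown": no accept line was seen
            continue
        if not (addr.is_loopback or addr.is_private):
            found.append(ip)
    return found
```

Connection numbers start over when mongod restarts, so feed it the log of one server run at a time.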