Related

Problem installing mongod on centos Question Question
GUI for MongoDB needed to mange Meteor app Question Question

Question

My MongoDB has been extorted by a kraken ransomware virus

Posted January 8, 2017 19.1k views
MongoDBCentOS

Hello,

Yesterday my database (MongoDB) had been deleted with a message:

{
“_id” : ObjectId(“5871ed160c474c47dc9f3e80”),
“Info” : “Your DB is Backed up at our servers, to restore send 0.1 BTC to the Bitcoin Address then send an email with your server ip”,
“Bitcoin Address” : “1J5ADzFv1gx3fsUPUY1AWktuJ6DF9P6hiF”,
“Email” : “kraken0@india.com
}

And this morning, my restored database has been deleted one again. What can I do now? Please give some advice for this case.

Thanks!

Add a comment
violetzs
By:
violetzs

Related

Problem installing mongod on centos Question Question
GUI for MongoDB needed to mange Meteor app Question Question
Add a comment
1 comment
  • raistlin2015 January 10, 2018
    Reply Report

    How are they able to access mongo if I have my server setup using ssh keys? This post says that it is a virus. How did this virus get installed on my server and how do I remove it?

    I have a firewall and it is active: 

    
● ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2017-12-29 01:23:34 UTC; 1 weeks 4 days ago
 Main PID: ************** (code=exited, status=0/SUCCESS)
    Tasks: 0
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/ufw.service

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
10 answers
linuxydave January 8, 2017

They are able to access your MongoDB because it is exposed to the internet, ie anyone can access it. I assume that you don’t have a firewall in place to block these connections, if so then you’ll need to remedy this else it’ll continue to happen.

Mongo has some information on how to do this.

Reply Report
knelson January 8, 2017

Same thing has happened to my system here. Let me know if you find any valuable solutions, and I’ll do same if I do, although the scum who did the hacking might be looking at conversation. Unlikely but possible.

Reply Report
matysanchez January 9, 2017

I have the same problem.

I pay 2 days ago, but they don’t answer anymore. So don’t waste your money!

Reply Report
violetzs January 9, 2017

I use RoboMongo app on Mac to login with SSH permission to manage databases. This is only way my login information was stolen.

Anyone else?

Reply Report
  • matysanchez January 9, 2017

    That is your security problem. You have to add auth to your mongodb. That happens to us too :(, we lost 4 days of information, last backup was on January 2nd. And at the same time we lost 100 USD paying for something that dosn’t exist, they don’t have a backup of your database.

    We learned a important lesson for 100 USD, thats the only positive thing.

    Reply Report
    • violetzs January 9, 2017

      That’s my security problem for sure. just trying to know how they can do that. I’m newbie in MongoDB. So please share anything that helpful to me :)

      Reply Report
sohailykhan94 January 9, 2017

Had the same issue. SSH’d into the server and noticed a folder called dump was created in the home folder. I was able to restore it and setup authentication. Might help someone else

Reply Report
hemalsharma January 9, 2017

Hello ,

I have also this problem on my server. and i have no backup from my server. any one please give me solution for backup my data from server.

Thanks in advance.

Reply Report
droganaida January 9, 2017

Hello! I had the same problem on my server. The hole in sequrity is open connection to MongoDB. I wrote a short article how to protect your server http://blondiecode-lh.tumblr.com/post/155621499716/mongodb-extorted-by-a-kraken-ransomware-virus. Hope will be helpful!

Reply Report
violetzs January 10, 2017

Today I tried to connect to our MongoServer from another server, but it does not work. So I wonder how the virus does and is it running on our side server?

It does not stop deleting our database ;’(

Reply Report
violetzs January 10, 2017

Okay, I found the attacker’s IP is 46.166.173.106 and make changes in iptables: /etc/sysconfig/iptables

-A INPUT -s 46.166.173.106 -p tcp –dport 27017 -j DROP
-A INPUT -s 46.166.173.106 -p tcp –dport 80 -j DROP
-A INPUT -s 46.166.173.106 -p tcp –dport 22 -j DROP

-A INPUT -s 127.0.0.1 -p tcp –dport 27017 -j ACCEPT
-A INPUT -p tcp –dport 27017 -j DROP

Hope it works to me and stop deleting the databases.

Reply Report
viettran October 6, 2017

I had the same problem because I deployed alpha edition and didn’t care security. I thought no body would know my server but some guy lurked in and asked for some BTC payment. That’s interesting how they knew my server address when it was just created, not in production yet. I ignored the message, set up firewall, limit source ip access, enable MongoDB authentication. So far, the issue hasn’t happened again yet. And one advice for you guys: NEVER PAY MONEY. They don’t care your data, all they want is money. If you pay money, you shot yourself twice.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help