back to article Web-exposed MongoDB installs wiped by bitcoin ransoming script scum

Some 2,000 MongoDB installations have been compromised by an attacker demanding administrators pay 0.2 bitcoins (US$206) to have lost data returned. Victor Gevers (@0xDUDE), penetration tester and chairman of the GDI.foundation, noticed the attacks while reporting exposed non-password-protected MongoDB installations to owners …

  1. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    Just like Microsoft SQL

    Where the 'sa' god-mode account had a default blank password on install. Clearly no-one learns the lessons of history.

    1. TheVogon

      Re: Just like Microsoft SQL

      "Where the 'sa' god-mode account had a default blank password on install."

      The sa account is disabled by the default install settings though. And when you enable it, by default your password policy is enforced which means that you can't set a blank password without deliberately overriding that.

      (Using the current versions of Windows Server + SQL Server has given the lowest total CVE vulnerabilities of OS + Database software of any major competitor for every one of the last 10 years!)

      1. Anonymous Coward
        Anonymous Coward

        Re: Just like Microsoft SQL

        Thats why I used the words 'had' and 'lessons of history'. Clearly you have zero knowledge of previous SQL versions.

        1. TheVogon

          Re: Just like Microsoft SQL

          "Thats why I used the words 'had' and 'lessons of history'. Clearly you have zero knowledge of previous SQL versions."

          This has been the case since at least SQL Server 2000. Back in those days, lots of things had blank or standard password by default, so hardly a lesson specific to SQL Server....

        2. Anonymous Coward
          Anonymous Coward

          Re: Just like Microsoft SQL

          http://www.iss.net/security_center/reference/vulntemp/mssql-no-sapassword.htm

  3. Pascal Monett Silver badge

    Possibly not actually the fault of the customers

    Just checked out the MongoDB site. Everything about it says "for the basic user". It is specifically noted "Leave the Ops to Us" in one of the text boxes.

    Based on this, I am not surprised that so many instances were not properly configured. The subscribing customers left the Ops to them, and the Ops failed to do their job thoroughly.

    Seems like we're going to have to slog through another decade of ignoring security until it bites back before people generally get the notion that security IS NOT an afterthought.

  4. Anonymous Coward
    Anonymous Coward

    But even a basic MongoDBA

    should have some form of linux admin skills and ask questions like how is this firewalled, what ports are open or ip address limited? or even be able to check the version number.

    Controversial opinion, but if harak1k1 does restore the db's then $200 for a company to know that their DBA has a limited skill set is a lot less money than a full security audit.

    1. Tom 38 Silver badge

      Re: But even a basic MongoDBA

      DBA? Please, probably most of these installations were done by a single developer using the company AWS account and never looked at again.

      Woo, DevOps!

  5. Mahhn

    Shodan is evil

    "security search engine Shodan" Shodan is ANTI-security.

    Shodan is used by hackers for criminal activity, and should be shut down.

    It is the #1 source for perverts to find open web cams.

    It is used to try and break into companies. Their false claim that they just scan the net is BS, as I saw port scans from them nearly every day for 3 years on our institutions firewalls.

    1. Chris 155

      Re: Shodan is evil

      Would not having it make a difference? Network scans aren't hard to do and they've existed a lot longer than Shodan.

      Is a web cam secure because it's not listen on some web site that it's not? Is a MongoDB install secure because it's not listed?

      Maybe not having Shodan would restrict some of the lowest level bottom feeders who don't actually have the capacity to do any of this themselves, but a better solution would be just to secure your shit.

  6. Loyal Commenter Silver badge

    Nice picture of Sedlec Ossuary.

    ...been to Kutna Hora?

  7. Alexander J. Martin

    Relevant

    http://www.theregister.co.uk/2016/05/03/mongodb_security_breaches_vp_speaks/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021