ID: I202512301655 Status: idea Tags: MongoDB, ransom, hacking

My MongoDB ransom hack

I got hacked. Wow.

A message saying: "All your data is backed up. You must pay 0.0051 BTC to <WALLET_ADDR>. In 48 hours, your data will be publicly disclosed and deleted. (More information: go to <WEBSITE>.) After paying, send mail to us: <SOME_ONION_MAIL> and we will provide a link for you to download your data. Your DBCODE is: 13GNA3"

Recently I found the above message in my MongoDB container. I checked my API logs, and it didn't get any traffic from there, so it must've been to do with the recent MongoBleed exploit.
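As an added example (not part of the original note), here is a small detector that scans a snapshot of databases for documents matching the wording of the ransom note above, and lists databases in which nothing but such a note is left. It works on a plain dict snapshot so it runs offline; the indicator phrases are taken from the quoted note, while the sample data, database and collection names and the hit threshold are constructed for illustration.

```python
import re

# Indicator phrases taken from the ransom note quoted above.
RANSOM_INDICATORS = [
    re.compile(r"all your data (is|has been) backed up", re.I),
    re.compile(r"\b\d+(?:\.\d+)?\s?BTC\b", re.I),
    re.compile(r"\bDBCODE\b", re.I),
    re.compile(r"publicly disclosed", re.I),
]


def _flatten_text(value):
    """Collect every string inside a document (nested dicts/lists included)."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, dict):
        return [s for v in value.values() for s in _flatten_text(v)]
    if isinstance(value, (list, tuple)):
        return [s for v in value for s in _flatten_text(v)]
    return []


def score_document(doc):
    """Number of distinct ransom-note indicators found in one document."""
    text = " ".join(_flatten_text(doc))
    return sum(1 for pattern in RANSOM_INDICATORS if pattern.search(text))


def find_ransom_notes(snapshot, min_hits=2):
    """Return one finding per document that looks like a ransom note.

    snapshot: {db_name: {collection_name: [document, ...]}}.
    min_hits=2 (constructed threshold) avoids flagging ordinary documents
    that merely mention BTC.
    """
    findings = []
    for db_name, collections in snapshot.items():
        for coll_name, docs in collections.items():
            for doc in docs:
                hits = score_document(doc)
                if hits >= min_hits:
                    findings.append({"db": db_name, "collection": coll_name,
                                     "doc_id": doc.get("_id"), "hits": hits})
    return findings


def wiped_databases(snapshot, min_hits=2):
    """Databases in which every remaining document is a ransom note.

    That is the pattern in the note above: the real collections are gone
    and only the attacker's message is left behind.
    """
    flagged = {(f["db"], f["collection"], f["doc_id"])
               for f in find_ransom_notes(snapshot, min_hits)}
    wiped = []
    for db_name, collections in snapshot.items():
        keys = [(db_name, c, d.get("_id"))
                for c, docs in collections.items() for d in docs]
        if keys and all(k in flagged for k in keys):
            wiped.append(db_name)
    return wiped


# Constructed sample snapshot: 'test' holds only the note, 'appdb' is intact.
SAMPLE_SNAPSHOT = {
    "test": {
        "README": [{"_id": 1, "content": (
            "All your data is backed up. You must pay 0.0051 BTC to <WALLET_ADDR> "
            "In 48 hours, your data will be publicly disclosed and deleted. "
            "Your DBCODE is: <DBCODE>")}],
    },
    "appdb": {
        "users": [{"_id": 1, "email": "alice@example.com"},
                  {"_id": 2, "email": "bob@example.com"}],
        # A single mention of BTC is below the threshold and is not flagged.
        "invoices": [{"_id": 1, "memo": "paid 0.02 BTC for hosting"}],
    },
}

if __name__ == "__main__":
    for f in find_ransom_notes(SAMPLE_SNAPSHOT):
        print(f"ransom note in {f['db']}.{f['collection']} "
              f"(_id={f['doc_id']}, {f['hits']} indicators)")
    print("databases with nothing but a ransom note:",
          wiped_databases(SAMPLE_SNAPSHOT))
```

Against a live server you would build the same snapshot with pymongo's client.list_database_names(), db.list_collection_names() and collection.find(), and run the check from the backup cron job so a wiped database is noticed before the next export overwrites a good one.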

I had switched Mongo versions after the CVE, which you can read about in My MongoBleed measures. But apparently that didn't help. So either I was too late and the user was already extracted, or there is something else going on.

But I remembered that I had made a Portainer backup script, which includes my MongoDB containers. So all is well. Or at least, kinda. I had to do the following things:

  1. Extract all my DB exports with rsync -avz root@<VPS_IP>:/root/backups/mongodb/ ~/vps-backups/mongodb/
  2. Restore mongo_2025-12-26_14-00.archive on the same DB
  3. Kill the v7.0.28 container
  4. Create an 8.2.3-noble container
  5. Create a new admin user
  6. Create a MongoDB user for the apps
  7. Import the export into the new DB
  8. Rename the DB from test to something else (yes, I made that mistake when starting out)
  9. Change the export cron job to use the new credentials; here is the cron job.sh
  10. Change all apps to use the new credentials
  11. Change passwords, because you find out that you have special characters in your password, and Mongo dislikes those
  12. Change all passwords in the database, and those of people with permissions
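The credential steps above (5, 6, 10 and 11) are where the special-character problem bites: the password is fine for MongoDB itself, but pasted raw into a mongodb:// URI, characters like @, : or / are read as URI structure. Here is an added example, not the note's own script, that percent-encodes the credentials into a URI, checks a password for that problem, recovers the credentials again, and builds a least-privilege createUser document for the app account. It uses only the Python standard library, so it runs without a server; the host, user name, password and database name are constructed placeholders.

```python
from urllib.parse import quote_plus, unquote_plus, urlsplit


def build_uri(user, password, host, db, port=27017, auth_source="admin"):
    """Build a connection URI with the credentials percent-encoded.

    '@', ':', '/', '?', '%' and similar characters in a raw password break
    the URI parser; encoding them is what the driver expects, so the password
    itself can keep them and does not have to be weakened.
    """
    return (f"mongodb://{quote_plus(user)}:{quote_plus(password)}"
            f"@{host}:{port}/{db}?authSource={auth_source}")


def needs_encoding(password):
    """True if the raw password could not be pasted into a URI unchanged."""
    return quote_plus(password) != password


def parse_credentials(uri):
    """Inverse of build_uri: recover the plain credentials from a URI.

    urlsplit leaves the userinfo percent-encoded, so decode it explicitly.
    """
    parts = urlsplit(uri)
    return {
        "user": unquote_plus(parts.username or ""),
        "password": unquote_plus(parts.password or ""),
        "host": parts.hostname,
        "port": parts.port,
        "db": parts.path.lstrip("/"),
    }


def app_user_command(db, user, password):
    """createUser command for an application account limited to one database.

    readWrite on that database only: the app cannot reach admin or other DBs.
    With pymongo, run it as client[db].command(app_user_command(db, u, p)).
    """
    return {"createUser": user, "pwd": password,
            "roles": [{"role": "readWrite", "db": db}]}


# Constructed example values; the real host, user and password are not on the page.
EXAMPLE_PASSWORD = "p@ss:w/rd%1?"
EXAMPLE_URI = build_uri("app_user", EXAMPLE_PASSWORD, "localhost", "appdb")

if __name__ == "__main__":
    print("password needs encoding:", needs_encoding(EXAMPLE_PASSWORD))
    print("uri:", EXAMPLE_URI)
    print("round trip ok:",
          parse_credentials(EXAMPLE_URI)["password"] == EXAMPLE_PASSWORD)
    print("app user command:", app_user_command("appdb", "app_user", "<redacted>"))
```

The same build_uri call is what the export cron job and each app should use when the credentials are rotated, so that one encoded URI is the single place the password appears and a special character never silently breaks authentication again.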
