ID: I202601061703 Status: idea Tags: MongoDB, ransom, hacking

My MongoDB ransom hack, part 2

It happened again:

Just like the first time, I got a ransom note.

So this meant they had more access than I assumed, because otherwise they should have been nuked when I deleted the container.

Turns out I hadn't enabled --auth, so I had created an admin account for no reason: anyone could log in without credentials. The reason I didn't notice is that I always logged in with credentials, and mongod still rejects invalid credentials when you present them, even when --auth is off. So a failed login with a wrong password told me nothing about whether an empty login would have worked.

So how did I solve this:

  1. I ran MongoDB via this portainer stack.
  2. I bound everything to localhost on the VPS instead of publishing the container's port to the outside internet (a port mapping like 127.0.0.1:27017:27017 rather than 27017:27017, which Docker publishes on all interfaces by default).
  3. I use ssh -L 27018:localhost:27017 root@<VPS-IP> to forward local port 27018 to port 27017 on the VPS.
  4. I then connect in MongoDB Compass with the connection string mongodb://root:example@localhost:27018/ (root:example is the username and password). I chose 27018 because I already have a local mongo container running on my PC on 27017.

This way my db is not exposed to the internet.

And I can also reach mongo-express by going to <ip>:8081. Note that if 8081 is published on the VPS's public address, mongo-express is reachable from the internet and it holds the database credentials, so it is worth binding it to localhost too and forwarding it over the same kind of SSH tunnel (ssh -L 8081:localhost:8081 root@<VPS-IP>).

Want to check whether authentication is actually enforced? Run a command that requires authentication, without supplying any credentials:

docker exec <container-name> mongosh --quiet --eval "db.adminCommand({ listDatabases: 1 })"

If that prints the database list, anyone who can reach the port can do the same. With --auth on it fails with "command listDatabases requires authentication". (db.version() is not a useful test here: it runs buildInfo, which mongod allows without authentication, so it succeeds either way.)

Or just try connecting without a username and password, e.g. mongodb://localhost:27018/ through the tunnel, and run show dbs.
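As an added example (not the author's stack and not the portainer configuration referenced above), the script below puts the weak and the corrected port publication side by side, adds an audit function that flags compose port mappings reachable from every interface, and replaces the db.version() probe with a check that uses a command that actually requires authentication. All service names, ports and credentials are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original note. Service names, ports and
# credentials below are constructed; the real stack is not shown on the page.

# Constructed "before" stack: ports published on every interface of the VPS.
weak_stack() {
cat <<'EOF'
services:
  mongo:
    image: mongo
    ports:
      - "27017:27017"
  mongo-express:
    image: mongo-express
    ports:
      - "8081:8081"
EOF
}

# Constructed "after" stack: auth enforced, ports only reachable on loopback,
# so the only way in from outside is an SSH tunnel (ssh -L 27018:localhost:27017 ...).
hardened_stack() {
cat <<'EOF'
services:
  mongo:
    image: mongo
    command: ["mongod", "--auth"]
    ports:
      - "127.0.0.1:27017:27017"
  mongo-express:
    image: mongo-express
    ports:
      - "127.0.0.1:8081:8081"
EOF
}

# Read a compose file on stdin and print every short-syntax port mapping whose
# host side binds all interfaces: HOST:CONTAINER (Docker defaults to 0.0.0.0)
# or an explicit 0.0.0.0:HOST:CONTAINER. Assumes double-quoted or unquoted
# entries; long-syntax (target:/published:) mappings are not parsed.
exposed_ports() {
  sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9.:]\{1,\}\)"\{0,1\}[[:space:]]*$/\1/p' |
  awk -F: '
    NF == 2 { print; next }               # no bind address given: all interfaces
    NF == 3 && $1 == "0.0.0.0" { print }  # explicit wildcard bind
  '
}

# Probe a reachable mongod WITHOUT credentials using a command that needs
# authentication. db.version() (buildInfo) succeeds with or without --auth,
# so it proves nothing; listDatabases does not.
# Returns 0 when auth is enforced, 1 when the server answered unauthenticated,
# 2 when mongosh is unavailable. Needs a live server; not exercised offline.
auth_enforced() {
  uri="${1:-mongodb://localhost:27017/}"
  command -v mongosh >/dev/null 2>&1 || return 2
  out=$(mongosh --quiet "$uri" --eval 'db.adminCommand({ listDatabases: 1 })' 2>&1)
  case "$out" in
    *"requires authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

echo "published on all interfaces in weak stack:"
weak_stack | exposed_ports
echo "published on all interfaces in hardened stack:"
hardened_stack | exposed_ports
```

Run the audit against your own compose file with `exposed_ports < docker-compose.yml`, and after the tunnel is up run `auth_enforced mongodb://localhost:27018/` from your PC. Two points the script encodes: a mapping without a bind address is public, not local, and on a Linux host a ufw/iptables rule is not a substitute for the 127.0.0.1 binding, because Docker inserts its own iptables rules for published ports ahead of the host firewall's.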
