Ransacked by hackers (Meteor Standalone App)


User90210

Jan 7, 2017, 1:30:25 PM
to Phusion Passenger Discussions
http://www.csoonline.com/article/3154190/security/exposed-mongodb-installs-being-erased-held-for-ransom.html

I followed all the steps described in deployment tutorial for Standalone server and Mongo database has been deleted by hackers.

I think there has to be an issue with Passenger configuration!

Daniel Knoppel

Jan 9, 2017, 5:24:10 AM
to Phusion Passenger Discussions
Sorry to hear about your DB getting hacked, but I doubt Passenger has anything to do with your mongodb installation security.

Databases are usually exploited because of application and/or firewall problems. You should check at least these things:

- Daniel

User90210

Jan 9, 2017, 8:27:35 AM
to Phusion Passenger Discussions
I am going to investigate it, however my suspicion is that if you follow the steps described in deployment tutorial

https://www.phusionpassenger.com/library/walkthroughs/deploy/meteor/ownserver/standalone/oss/trusty/deploy_app.html

your Mongo is exposed to this attack. I think if you leave it this way your database can be easily accessed anonymously.

Of course it is not Passenger's software issue. However, I (and I believe many others) would have assumed that the basics of security are covered for all of the parts of the tutorial (like being told to create an application user instead of using the general system account).

I think people should know about this issue since there have already been 27000 ransacked databases.

Tinco Andringa

Jan 9, 2017, 8:41:40 AM
to Phusion Passenger Discussions
What operating system did you run this on? (You can find this info by running `lsb_release -a`.) What does `cat /etc/mongodb.conf|grep bind_ip` say? I have just run through the tutorial and it configured securely for me on Ubuntu.

On Mon 9 Jan 2017 at 14:27, User90210 <sroka...@gmail.com> wrote:
--
You received this message because you are subscribed to the Google Groups "Phusion Passenger Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to phusion-passen...@googlegroups.com.
To post to this group, send email to phusion-...@googlegroups.com.
Visit this group at https://groups.google.com/group/phusion-passenger.
To view this discussion on the web visit https://groups.google.com/d/msgid/phusion-passenger/e90f2dc6-8fa5-4cec-971f-80ef43d903ad%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Solutions Engineer & Product Manager
Phusion B.V. |  Easy to use, robust, and efficient software for high‑demanding unix server environments

Web: http://www.phusion.nl/
E-mail: in...@phusion.nl
Chamber of commerce no: 63501007 (The Netherlands)

Daniel Knoppel

Jan 9, 2017, 8:53:53 AM
to Phusion Passenger Discussions
@User90210

Agreed in general, we don't want our tutorials to recommend things that would be insecure (without at least warning about it).

However, in this particular case I don't see how the tutorial leaves the database vulnerable. As Tinco mentioned, on Ubuntu 14.04 if you apt-get install mongodb then the database is bound to 127.0.0.1 meaning it is only accessible from the local machine, so it can't be "easily accessed anonymously".

Let us know if you find out anything that would have helped you in the documentation.

- Daniel
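The check Tinco suggested (`grep bind_ip /etc/mongodb.conf`) and the point Daniel makes about the default 127.0.0.1 binding can be turned into a script. This is an added example, not code from the thread or from Phusion; the sample config files it writes are constructed, and it only inspects the config, not the live listener.

```shell
#!/bin/sh
# Added example: decide from a mongodb.conf whether mongod is restricted to loopback.
# Understands the ini key used on Ubuntu 14.04 (bind_ip = ...) and the YAML key of
# newer mongod.conf files (bindIp: ...). Returns 0 only when every listed address is
# loopback; returns 1 when an address is non-loopback or when no bind line exists at
# all (with no bind_ip, mongod listens on every interface, i.e. exposed on 27017).
mongo_bind_check() {
    addrs=$(sed 's/#.*//' "$1" \
        | sed -n -e 's/^[[:space:]]*bind_ip[[:space:]]*=[[:space:]]*//p' \
                 -e 's/^[[:space:]]*bindIp[[:space:]]*:[[:space:]]*//p' \
        | sed 's/[][[:space:]]//g' | tr ',' '\n')
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            127.0.0.1|localhost|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configs (not taken from any real server).
tmp=$(mktemp -d)
printf 'dbpath=/var/lib/mongodb\nbind_ip = 127.0.0.1\nport = 27017\n' > "$tmp/trusty.conf"
printf 'net:\n  port: 27017\n  bindIp: [127.0.0.1, ::1]   # loopback only\n' > "$tmp/yaml_ok.conf"
printf 'net:\n  bindIp: 0.0.0.0\n' > "$tmp/exposed.conf"
printf 'dbpath=/var/lib/mongodb\n# bind_ip = 127.0.0.1\n' > "$tmp/commented.conf"

for f in trusty yaml_ok exposed commented; do
    if mongo_bind_check "$tmp/$f.conf"; then
        echo "$f.conf: loopback only"
    else
        echo "$f.conf: EXPOSED - mongod would accept remote connections on 27017"
    fi
done
```

Run it against the real file (`mongo_bind_check /etc/mongodb.conf`) and confirm with `ss -ltn | grep 27017` that the listener address matches what the config says.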

User90210

Jan 9, 2017, 9:02:10 AM
to Phusion Passenger Discussions, ti...@phusion.nl
I cannot access it right now since I panicked and installed UFW, which prevents me from connecting via SSH, and there's an issue with accessing my recovery console (which has already been raised with the server's support).

It was deployed in September on Ubuntu 14.04. Once I have access I'll post details you requested. I am also interested in making sure it's safe in future.

User90210

Jan 9, 2017, 9:05:17 AM
to phusion-...@googlegroups.com
Yes, that is very strange. I haven't updated Ubuntu since I deployed the app in September. I heard Mongo has added a security patch regarding this issue some time recently.

Do you know how to access Mongo if it was not secured? It would be good to make sure in future that your DB is safe.

User90210

Jan 10, 2017, 5:41:07 AM
to Phusion Passenger Discussions
Unfortunately I don't have access to the server any more...

I got in touch with some people helping with this situation and I was told to check on Shodan.io, and the port 27017 was open during the attack, like for example here:
https://www.shodan.io/host/45.55.34.183#27017 or
https://www.shodan.io/host/5.39.43.166#27017

I have another server with multiple deployments as Nginx integration mode (not Standalone) and it looks fine.

@Tinco Andringa
Are you using Standalone integration mode? Can you check ports on Shodan.io and tell if 27017 is open? (making sure LastUpdate covers the deployment date)

@Daniel Knoppel
I think it would be worth adding a final security check to the deployment tutorial, maybe? If you look at
https://www.shodan.io/search?query=product%3AMongoDB
you can find so many exposed DBs that it has to be a very common pitfall.

Tinco Andringa

Jan 10, 2017, 8:29:02 AM
to Phusion Passenger Discussions
Hi,

It is indeed a very common pitfall, though it is uncertain why so many people ended up with insecure configurations. For example, I can see in Ubuntu's package logs that the bind_ip line has been there since at least 2011, so any mongodb installed after that date should have been secure unless the user explicitly changed the configuration.

Were you the only person using that machine? Have you ever changed the `/etc/mongodb.conf` file? Have you ever tried to connect to your mongodb server from outside before? When you followed the Passenger deployment tutorial, was this a newly provisioned machine, or did you run Meteor on that same server before?

The answer to one of those questions should point us to why your server was configured insecurely.

Kind regards,
Tinco

On Tue 10 Jan 2017 at 11:41, User90210 <sroka...@gmail.com> wrote:

Daniel Knoppel

Jan 10, 2017, 8:30:32 AM
to Phusion Passenger Discussions
OK, so if port 27017 was open then the conclusion is that the hack had nothing to do with Passenger.

Our tutorial is also safe at this time because the default install will bind to localhost and it won't be accessible from the internet (e.g. by Shodan).

Thinking out loud, I'm a little hesitant to add security reminders to the tutorial, because we are not responsible for the security of other tools and packages. Interestingly, mongo doesn't even give security reminders in their own installation instructions (I guess they also assume the default install is safe).

However, we do care a lot about security, and the tutorials are explicitly meant to be very beginner-friendly, so I've added a link to the mongod security checklist:

- Daniel

User90210

Jan 10, 2017, 11:55:44 AM
to Phusion Passenger Discussions
That looks good!

Although 27k DBs is a massive number!

User90210

Jan 10, 2017, 12:02:03 PM
to Phusion Passenger Discussions, ti...@phusion.nl
Hi,
1. Yes, I was the only person.
2. I don't remember changing `/etc/mongodb.conf`.
3. I never connected to my mongodb from outside.
4. It was after I couldn't get it working on Apache that I tried Standalone Mode, which worked.

Do you have any thoughts how it happened that so many DBs were exposed?

There are 2 profiles on Twitter if you want to be updated about the situation and possible solution:
https://twitter.com/0xDUDE
https://twitter.com/nmerrigan