I never would have imagined it! This actually happened to me!

I hadn't logged into the admin backend for several days. Today I happened to try logging in, and couldn't get in.
I didn't think much of it, went to the server and restarted the service; still couldn't log in.
Couldn't connect to mongo remotely either.
At this point I realized the problem was serious. Opened an SSL connection to the server, went into the database, checked the tables.

ALL! THE! TABLES! WERE! GONE!

ALL! THE! USERS! HAD! BEEN! DELETED!

My expression at that moment was exactly like Wang Nima's.

At first I thought I had made a mistake myself, so I hurriedly opened the log file to find out, checking entry by entry... going through the login IPs one by one, all mine... nothing wrong. Wait! Why is there a French IP?
This one: 94.23.196.208:49142
The server log records the following:

2017-11-17T18:48:15.257+0800 I NETWORK  [conn2522] received client metadata from 
94.23.196.208:49142 conn2522: { driver: { name: "PyMongo", version: "3.5.1" }, 
os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "3.10.0-514.26.2.el7.x86_64" },
 platform: "CPython 3.5.2.final.0" }

I knew it: I had been hit, because I have never logged into the backend from a Linux host with Python installed.

Scrolling down, I saw something interesting:

2017-11-26T03:27:09.198+0800 I COMMAND  [conn5655] dropDatabase admin starting
2017-11-26T03:27:09.277+0800 I COMMAND  [conn5655] dropDatabase admin finished
2017-11-26T03:27:09.277+0800 I COMMAND  [conn5655] setting featureCompatibilityVersion to 3.2
2017-11-26T03:27:09.552+0800 I COMMAND  [conn5656] dropDatabase *** starting
2017-11-26T03:27:09.640+0800 I COMMAND  [conn5656] dropDatabase *** finished
2017-11-26T03:27:09.913+0800 I COMMAND  [conn5657] dropDatabase *** starting
2017-11-26T03:27:09.918+0800 I COMMAND  [conn5657] dropDatabase *** finished
2017-11-26T03:27:10.183+0800 I COMMAND  [conn5658] dropDatabase *** starting
2017-11-26T03:27:10.191+0800 I COMMAND  [conn5658] dropDatabase *** finished

As soon as it connected, it went on a database-dropping frenzy.

Further down:

BitCoin: "1EPA6qXtthvmp5kU82q8zTNkFfvUknsShS", eMail: "cru3lty@safe-mail.net", 
Exchange: "https://localbitcoins.com", Solution: "Your DataBase is downloaded and backed up on our secured servers. 
To recover your lost data: Send 0.2 BTC to our BitCoin Address and Contact us by eMa..." } ], 
ordered: true } 

Yes, a ransom demand for 0.2 bitcoin...
Damn, just a couple of days ago I saw news about a trojan that drops databases and demands bitcoin... The line "Your DataBase is downloaded and backed up on our secured servers" in that message is a complete lie. The server log shows it started frantically dropping databases the moment it connected; there was no backup at all. Don't fall for it! Don't pay!

Then I remembered that a couple of days ago, because remote debugging was a hassle, I enabled remote connections to mongo and also removed the authentication check... When I was done, I forgot to disable remote connections and forgot to turn authentication back on....... Way, way, way ~~~~~ too careless!

A word of warning to everyone: never be careless with your database. Don't assume that because your site has low traffic nothing will happen; these days plenty of tools scan ports and can wreck you in a minute. Why else would he be using Python?
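As an added example (not part of the original post), a small Python audit script in the spirit of the log review described above: it maps each mongod connection id to its source address and then flags every dropDatabase issued over a connection from an address outside a trusted list. The log lines it parses are constructed samples in the same format as the post's, with placeholder addresses, not the post's own log; the trusted-address set is an assumption.

```python
import re

# Constructed sample mongod log lines (same format as the post, placeholder IPs):
# one untrusted connection that drops two databases, one trusted connection.
SAMPLE_LOG = """\
2017-11-26T03:26:58.001+0800 I NETWORK  [thread1] connection accepted from 198.51.100.7:49142 #5655 (1 connection now open)
2017-11-26T03:26:58.010+0800 I NETWORK  [conn5655] received client metadata from 198.51.100.7:49142 conn5655: { driver: { name: "PyMongo", version: "3.5.1" }, os: { type: "Linux" } }
2017-11-26T03:27:09.198+0800 I COMMAND  [conn5655] dropDatabase admin starting
2017-11-26T03:27:09.277+0800 I COMMAND  [conn5655] dropDatabase admin finished
2017-11-26T03:27:09.552+0800 I COMMAND  [conn5655] dropDatabase shop starting
2017-11-26T03:27:09.640+0800 I COMMAND  [conn5655] dropDatabase shop finished
2017-11-26T03:28:00.000+0800 I NETWORK  [thread1] connection accepted from 10.0.0.5:40000 #5660 (2 connections now open)
2017-11-26T03:28:01.000+0800 I COMMAND  [conn5660] dropDatabase scratch starting
"""

ACCEPTED = re.compile(r'connection accepted from (?P<ip>[\d.]+):\d+ #(?P<conn>\d+)')
METADATA = re.compile(r'\[conn(?P<conn>\d+)\] received client metadata from (?P<ip>[\d.]+):\d+ '
                      r'.*?driver: \{ name: "(?P<driver>[^"]+)"')
DROP = re.compile(r'^(?P<ts>\S+) I COMMAND\s+\[conn(?P<conn>\d+)\] dropDatabase (?P<db>\S+) starting')


def audit_mongod_log(log_text, trusted_ips):
    """Correlate conn ids with their remote address, then return one alert per
    dropDatabase that ran over a connection from an address not in trusted_ips."""
    source = {}   # conn id -> remote ip
    driver = {}   # conn id -> reported driver name (e.g. PyMongo)
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            source[m["conn"]] = m["ip"]
            continue
        m = METADATA.search(line)
        if m:
            source.setdefault(m["conn"], m["ip"])
            driver[m["conn"]] = m["driver"]
            continue
        m = DROP.match(line)
        if m:
            ip = source.get(m["conn"], "unknown")
            if ip not in trusted_ips:
                alerts.append({"time": m["ts"], "conn": m["conn"], "ip": ip,
                               "driver": driver.get(m["conn"], "unknown"), "db": m["db"]})
    return alerts


if __name__ == "__main__":
    for alert in audit_mongod_log(SAMPLE_LOG, {"10.0.0.5"}):
        print(alert)
```

Feeding a real mongod log through this with your own admin addresses as the trusted set reproduces the check the post did by hand; a connection of "unknown" origin means the log was rotated before the connection line.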
