user3545006

Reputation: 127

MongoDB suddenly missing / data not found

Our MongoDB database in Digital Ocean suddenly went missing. When I run mongod, it says:

MongoDB starting : pid=27161 port=27017 dbpath=/data/db 64-bit host=unifyhub-db
2017-01-07T17:36:06.617+0800 I CONTROL  [initandlisten] db version v3.0.11
2017-01-07T17:36:06.617+0800 I CONTROL  [initandlisten] git version: 48f8b49dc30cc2485c6c1f3db31b723258fcbf39
2017-01-07T17:36:06.617+0800 I CONTROL  [initandlisten] build info: Linux ip-10-65-215-98 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 BOOST_LIB_VERSION=1_49
2017-01-07T17:36:06.617+0800 I CONTROL  [initandlisten] allocator: tcmalloc
2017-01-07T17:36:06.617+0800 I CONTROL  [initandlisten] options: {}
2017-01-07T17:36:06.676+0800 E NETWORK  [initandlisten] listen(): bind() failed errno:98 Address already in use for socket: 0.0.0.0:27017
2017-01-07T17:36:06.677+0800 E NETWORK  [initandlisten]   addr already in use
2017-01-07T17:36:06.677+0800 I STORAGE  [initandlisten] exception in initAndListen: 29 Data directory /data/db not found., terminating
2017-01-07T17:36:06.677+0800 I CONTROL  [initandlisten] dbexit:  rc: 100

Do you have any idea what happened here? We actually didn't do anything; we just found out that the whole application was not working because the database can't be found.

Upvotes: 2

Views: 4400

Answers (2)

Centillion

Reputation: 381

Make sure your config file is loaded by explicitly calling it when running mongod:

mongod --config /etc/mongod.conf

And in your /etc/mongod.conf file make sure you have

net:
  bindIp: 127.0.0.1

Now after restarting with this config file, like Ahmed ElBayaa says (I could not comment because of low reputation), try from a remote machine to connect using:

mongo server-ip:27017/

If all is configured correctly this connection should be refused!

Upvotes: 1

Ahmed ElBayaa

Reputation: 266

I think you were hijacked!

According to http://thehackernews.com/2017/01/secure-mongodb-database.html and http://securityaffairs.co/wordpress/55018/cyber-crime/mongodb-hacked.html, there is a hacker targeting open MongoDB databases and asking for a ransom to return your data.

I faced the exact same problem as you. I thought it was something related to Digital Ocean, but after reading those posts I checked my server and confirmed that it was hijacked.

I opened a mongo shell

mongo;

listed the databases

show dbs;

and found a database called READ1. I checked it and found a collection with only one record, a message from the hijacker:

use READ1;
show collections; // found a collection called info
db.info.find()

found this document:

{ "_id" : ObjectId("5877674456ae6684507ac017"), "mail" : "ha******@si*****.org", "text" : "SEND 0.1 BTC TO THIS ADDRESS ***** AND CONTACT THIS EMAIL WITH IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }

Unfortunately, I hadn't checked the server for a while and I only keep the last five backups, so I lost my data. But luckily we are still in development mode and we don't have sensitive data.

Anyway, I found that my MongoDB version (2.4.10, TokuMX distribution) allows remote access by default. I tried the following from my local machine and, surprisingly, it connected!

mongo server-ip:27017/database-name 

Finally, I took the following steps to disable remote access:

ps aux | grep mongo  # found the path of the configuration file (/etc/tokumx.conf)

Then, as described here, I used vim to append the line bind_ip = 127.0.0.1 to the configuration files, then restarted my tokumx service (mongodb in your case):

sudo service tokumx restart

Now remote access is disabled.

Upvotes: 4
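Both answers close the exposure by binding mongod to 127.0.0.1, one in the YAML form (bindIp under net) and one in the legacy bind_ip form. The following is an added example, not code from either poster, that audits a config file in either format and reports any address a remote client could reach. The sample configs are constructed, the function names are hypothetical, and a missing setting is assumed to mean all interfaces, as the startup log in the question (options: {} with 0.0.0.0:27017) shows for that version.

```python
import ipaddress
import re

# Constructed sample configs, not taken from the posters' servers.
YAML_CONF = "storage:\n  dbPath: /data/db\nnet:\n  port: 27017\n  bindIp: 127.0.0.1\n"
LEGACY_CONF = "dbpath = /data/db\nbind_ip = 127.0.0.1,10.0.0.5\n"
EMPTY_CONF = "# nothing set, like the 'options: {}' startup in the question\n"


def bind_addresses(conf_text):
    """Return the configured bind addresses, or None when none is set."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        legacy = re.match(r"\s*bind_ip\s*=\s*(.+)$", line)    # bind_ip = ...
        yaml_key = re.match(r"\s+bindIp\s*:\s*(.+)$", line)   # indented bindIp: ...
        if not line[0].isspace() and line.endswith(":"):
            section = line[:-1].strip()  # YAML top-level section header
        if legacy or (yaml_key and section == "net"):
            value = (legacy or yaml_key).group(1).strip().strip("'\"")
            return [a.strip() for a in value.split(",") if a.strip()]
    return None


def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # other hostname or socket path: do not assume it is local


def exposed_addresses(conf_text):
    """Addresses a remote client could reach; unset is treated as 0.0.0.0."""
    addrs = bind_addresses(conf_text)
    if addrs is None:
        return ["0.0.0.0"]  # assumption: unset means listening on all interfaces
    return [a for a in addrs if not is_loopback(a)]


if __name__ == "__main__":
    for name, conf in [("yaml", YAML_CONF), ("legacy", LEGACY_CONF), ("empty", EMPTY_CONF)]:
        print(name, exposed_addresses(conf) or "loopback only")
```

An empty result only means the file asks for loopback; the remote connection test described in the first answer is still what confirms that the running mongod actually loaded that file.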
