
Hello MongoDB (open remote access)

Good day.

I searched Habr but did not find a post about this problem, although comments from people in the know have surfaced a couple of times.

We have several VPSes on which we use MongoDB; the OS is usually Debian 6 / Ubuntu, and we install almost everything from packages, since that is enough for our needs. The other day, while checking old servers, I found something that came as a real shock to me: an attempt to connect to MongoDB remotely succeeded.


I looked into /etc/mongodb.conf, thinking one of my colleagues might have opened access for themselves, but there was not a word about it there. Hoping that the same colleague had simply deleted such an entry, I opened the config on my local machine (Debian 6) and again found nothing about remote access. I then went through all the sites I know that run MongoDB and was able to connect to every one of them.

I immediately started googling the problem and finally found this on the official site, under net.bindIp:

    net.bindIp
    Type: string
    Default: All interfaces.
    Changed in version 2.6.0: The deb and rpm packages include a default configuration file that sets net.bindIp to 127.0.0.1.
    Specifies the IP address. You may attach mongos or mongod to any interface. When attaching to the publicly accessible interface, ...
    To bind to multiple IP addresses, enter a list of comma separated values.

I went through all the servers and added the following line to /etc/mongodb.conf:

    bind_ip = 127.0.0.1

then restarted MongoDB:

    /etc/init.d/mongodb restart

After that, remote access was closed.
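As an added example (my own, not code from the original post), here is a small Python script that verifies the two things this procedure is about: whether the config file actually restricts bind_ip to loopback (a commented-out `# bind_ip = 127.0.0.1` counts as no restriction), and whether mongod is really listening only on 127.0.0.1, judged from `ss -ltn` output. It handles both the old `bind_ip = ...` format used here and the newer YAML-style `net.bindIp`. The function names, the sample configs and the `ss` output are constructed for this example.

```python
"""Check that a MongoDB instance is bound to loopback only.

Two checks: the config file (legacy `bind_ip = ...` or YAML `net.bindIp`)
and the live listeners as printed by `ss -ltn`. Sample inputs below are
constructed for this example.
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_legacy_conf(text):
    """Parse the old `key = value` mongodb.conf format; comments and
    commented-out lines (like `# bind_ip = 127.0.0.1`) are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def parse_yaml_bindip(text):
    """Pull net.bindIp out of the YAML-style config (MongoDB 2.6+).
    Only the common two-level layout is handled; a full YAML parser is
    not needed for this check. `bindIpAll: true` counts as all interfaces."""
    in_net = False
    bind_ip = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):  # top-level section header
            in_net = line.strip() == "net:"
            continue
        if in_net:
            key, _, value = line.strip().partition(":")
            if key == "bindIpAll" and value.strip().lower() == "true":
                return "0.0.0.0"
            if key == "bindIp":
                bind_ip = value.strip()
    return bind_ip


def bind_addresses(conf_text):
    """Addresses mongod would bind to, or None when nothing restricts it
    (the pre-2.6 default: all interfaces)."""
    value = parse_legacy_conf(conf_text).get("bind_ip") or parse_yaml_bindip(conf_text)
    if value is None:
        return None
    return [a.strip() for a in value.split(",") if a.strip()]


def is_loopback_only(conf_text):
    """True only if every configured bind address is a loopback address."""
    addrs = bind_addresses(conf_text)
    return addrs is not None and all(a in LOOPBACK for a in addrs)


def exposed_listeners(ss_output, port=27017):
    """From `ss -ltn` output, return local addresses listening on `port`
    that are not loopback (0.0.0.0 / [::] mean every interface)."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, lport = cols[3].rpartition(":")
        if lport == str(port) and addr.strip("[]") not in LOOPBACK:
            exposed.append(addr)
    return exposed


# Constructed samples: a config in the state the post found (setting only
# commented out), the fixed one, and `ss -ltn` output from a host where
# mongod listens on every IPv4 address.
SAMPLE_CONF_OPEN = "# bind_ip = 127.0.0.1\nport = 27017\ndbpath = /var/lib/mongodb\n"
SAMPLE_CONF_FIXED = "bind_ip = 127.0.0.1\nport = 27017\ndbpath = /var/lib/mongodb\n"
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*
LISTEN  0       128     127.0.0.1:28017      0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

if __name__ == "__main__":
    for name, conf in (("open", SAMPLE_CONF_OPEN), ("fixed", SAMPLE_CONF_FIXED)):
        print(name, "config -> loopback only:", is_loopback_only(conf))
    print("exposed 27017 listeners:", exposed_listeners(SAMPLE_SS))
```

On a real host you would feed it the contents of /etc/mongodb.conf and the output of `ss -ltn`; the config check catches the commented-out-setting case from this post, and the listener check catches the case where the config is right but the running daemon was never restarted.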

Debriefing

I decided to work out how this had happened. Of course, I immediately thought of MySQL, where remote access is closed by default, and for many people, me included, it was reasonable to assume nobody had reinvented anything special here. I installed Debian 7.4.0 (the latest stable) from scratch, installed it from the package, and found this in the config:

    bind_ip = 127.0.0.1

As I recall, we had installed from the MongoDB repository following the "Install MongoDB on Debian" article on the official site, because the hosters only offered VPSes based on Debian 6, which ships a very old version of MongoDB. After installing from their repository I again found nothing about remote access in the config. The article itself says nothing about it either, which was very disappointing.

Checking neighbors

Without thinking twice, I decided to check my neighbours by IP address.
I sketched a quick PHP script:
    <?php
    set_time_limit(600);
    $ipSt = '*.*.*.'; // 11.22.33.
    for ($a = 0, $b = 255; $a <= $b; $a++) {
        $ip = $ipSt . $a;
        echo $ip . ': ';
        // @ suppresses the warning fsockopen emits when the port is closed
        $fp = @fsockopen($ip, 27017, $errno, $errstr, 0.1);
        if (!$fp) {
            echo '---';
        } else {
            echo 'OK';
            fclose($fp);
        }
        echo '<br />';
    }


I found a very decent list of open MongoDB databases, some of them behind authorization, some apparently just backups, but open all the same.

Break-in?

So what can you do with such access? I started testing on my own project; at a minimum:


Results

Of course, someone will say that this is all done for speed, and that a system administrator should by default keep an eye on everything himself. But VPSes are now very affordable, and there are plenty of articles praising new databases and other software, so many ordinary programmers agree to work on a VPS without much administration experience. From the MongoDB developers I would at least have expected a commented-out reminder in the config, since they don't want to close remote access by default:
 # bind_ip = 127.0.0.1 

Similar articles, but about memcached: How I found a vulnerability on phpclub.ru; 1% of all RuNet sites keep their memcached open to the world. Some statistics.

Source: https://habr.com/ru/post/221221/
