Hijackers hijacking what hijackers hijacked

Justin Farmer
Jan 12, 2017

Feedback is always important, and that’s exactly what I got when I posted my original article about MongoDB databases being hijacked. One of the main questions that I was asked is how the hijacking actually happens.

The answer is simple: there was no security.

I started diving into how the hijack actually happens and what I found amazed me. In fact, it encouraged me to do a quick writeup to let people know that they shouldn’t pay the ransom.

If you’re part of my mailing list, I sent my free writeup to you already. If you’re not on my mailing list, you should be!

I’m not trying to sell you on anything. I simply like to share my knowledge. It’s fun, keeps me fresh, and you get some cool [anti]hacking tips in the process.

Since I’ve written everything once already, here are the Cliff Notes (are they still around?).

The first hijacking

The attackers are simply finding databases that aren’t using any authentication. Believe it or not, there are a lot of them out there!

They simply connect to the server and presumably download the database.

Then they delete your database (or collection in MongoDB terms).

They replace it with their own that tells you to pay them in Bitcoins to get it back.
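
As an added example (not from the original article or its writeup), here is a small Python audit of a mongod.conf for the condition described above: a server that accepts connections without authentication. The sample configs are constructed, the function names are hypothetical, and the parser handles only the plain nested `key: value` YAML form of the config file.

```python
import ipaddress

def flatten_conf(text):
    """Flatten nested 'key: value' mappings of a mongod.conf into dotted keys."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:      # leave deeper/sibling sections
            path.pop()
        value = value.strip().strip("'\"")
        if value:
            out[".".join([k for _, k in path] + [key])] = value
        else:
            path.append((indent, key))             # section header, e.g. "security:"
    return out

def is_local(host):
    """True for loopback addresses, 'localhost' and Unix socket paths."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost" or host.startswith("/")

def audit(text):
    """Return a list of findings; an empty list means neither check fired."""
    conf, findings = flatten_conf(text), []
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization is not enabled: no login is required")
    bind = conf.get("net.bindIp")
    if bind is None:
        findings.append("net.bindIp is not set: confirm which address mongod listens on")
    else:
        exposed = [h.strip() for h in bind.split(",") if not is_local(h.strip())]
        if exposed:
            findings.append("net.bindIp includes non-loopback address(es): " + ", ".join(exposed))
    return findings

# Constructed sample configs (not taken from any real server).
OPEN_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = ("net:\n  port: 27017\n  bindIp: 127.0.0.1,::1\n"
                 "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```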

The copycat hijacking

The problem is that whoever hijacked the database in the first place easily leaves the door open for someone else.

I illustrated this point by changing a record’s Bitcoin address to my own.

So now, if this person decided to pay the ransom, I’d get the money and they wouldn’t get anything from me… I don’t have their database.

Don’t worry, I changed all the information back to the original content in case the person does in fact pay.

Summing it up

Don’t pay the ransom if your database is hijacked. You have no clue if the Bitcoin address is the original one. You have no clue if the original hijackers actually backed up your database. As always, there are no assurances when dealing with hijackers.

Hopefully you backed up your database recently!

If you’re curious about how easy this all was, check out my writeup.

Justin Farmer

Startup Founder @myneobot, Cybersecurity Extraordinaire, Hockey Player