blondiecode-lh · 8 years ago
MongoDB extorted by a kraken ransomware virus. SOLVED
Recently plenty of servers became victims of hacker attacks. The reason was the vulnerability of the non-relational database MongoDB. Hackers used this security hole to erase the database from the server and demanded a ransom by inserting the following code into your database:
The victim can find this record in the MongoDB log file (on Ubuntu servers the path is /var/log/mongodb/mongod.log).
When you recover the database, the hacker will erase it again, so even if you have backups on your server this will not solve the problem.
What should I do to protect my server?
DO NOT PAY THIS RASCAL! He will not return your database.
1. If your database does not need to be reachable from external IPs, you can simply disable remote access to the MongoDB server. Edit mongod.conf (the standard path on Ubuntu is /etc/mongod.conf) and uncomment or add the rule:
If you need access to your database from an external IP address, go to point 2.
2. Deny all incoming traffic from external IP addresses on port 27017 (or your custom port for the MongoDB server)! On Linux systems use iptables. Remember that iptables rules fall into chains and that the rules in a chain are evaluated in order: first open the port for the trusted external IPs, then close it for everyone else. If you reverse the order you will block access for all IPs.
Insert this rule to open the port for the local database:
Insert rules for the external servers that use your database (a new rule for each IP):
Then deny access for everyone else:
Attention! Do NOT use the following command BEFORE you read the next paragraph! The MongoDB documentation (https://docs.mongodb.com/manual/tutorial/configure-linux-iptables-firewall/) describes an additional rule, "Change Default Policy to DROP":
iptables -P INPUT DROP
Unfortunately some people don't read to the end. You can use this rule only after completing the whole iptables configuration, because it immediately closes every connection to your server, including SSH. And you should not use it in this particular case, because closing the MongoDB port is good enough. But do not worry if you lose the connection to your server: just restart it from your provider's web interface and all iptables rules will be dropped.
To check the whole iptables configuration use this command:
To drop ALL iptables rules:
Important! These rules only last until the server restarts. So if some rule works wrong and you lose the connection to your server, just restart it via your provider's web interface. Use iptables-persistent if you need the rules restored automatically after a restart. Installation:
If rules are already defined when iptables-persistent is installed, they are saved automatically during installation. To start the service:
Rules are saved to /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
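As an added illustration (not part of the original post), here is a small Python model of how iptables evaluates an INPUT chain top to bottom. It shows why the ACCEPT rules for 127.0.0.1 and the trusted application server must come before the catch-all DROP on port 27017, and why a DROP default policy with no SSH rule locks you out. The addresses 203.0.113.10 and 198.51.100.7 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MONGO_PORT = 27017

@dataclass
class Rule:
    source: str            # source CIDR the rule matches (-s)
    dport: Optional[int]   # destination port (--dport); None = any port
    target: str            # "ACCEPT" or "DROP" (-j)

def matches(rule: Rule, src_ip: str, dport: int) -> bool:
    in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
    return in_net and (rule.dport is None or rule.dport == dport)

def evaluate(chain: List[Rule], src_ip: str, dport: int, policy: str = "ACCEPT") -> str:
    """iptables walks the chain top to bottom; the first matching rule decides.
    If nothing matches, the chain's default policy (-P INPUT ...) applies."""
    for rule in chain:
        if matches(rule, src_ip, dport):
            return rule.target
    return policy

def mongo_chain(trusted_ips: List[str]) -> List[Rule]:
    """Order the post prescribes: loopback first, then each trusted
    external IP, then a catch-all DROP for port 27017 at the end."""
    chain = [Rule("127.0.0.1/32", MONGO_PORT, "ACCEPT")]
    chain += [Rule(f"{ip}/32", MONGO_PORT, "ACCEPT") for ip in trusted_ips]
    chain.append(Rule("0.0.0.0/0", MONGO_PORT, "DROP"))
    return chain

def mongo_chain_wrong_order(trusted_ips: List[str]) -> List[Rule]:
    """Same rules with the catch-all DROP placed first: it shadows every
    ACCEPT, so no client (not even localhost) can reach MongoDB."""
    chain = mongo_chain(trusted_ips)
    return [chain[-1]] + chain[:-1]

if __name__ == "__main__":
    chain = mongo_chain(["203.0.113.10"])  # constructed trusted app server
    print(evaluate(chain, "203.0.113.10", MONGO_PORT))   # ACCEPT
    print(evaluate(chain, "198.51.100.7", MONGO_PORT))   # DROP (unknown host)
    print(evaluate(chain, "198.51.100.7", 22))           # ACCEPT (SSH untouched)
    print(evaluate(mongo_chain_wrong_order(["203.0.113.10"]),
                   "203.0.113.10", MONGO_PORT))          # DROP (order reversed)
    print(evaluate(chain, "203.0.113.10", 22, policy="DROP"))  # DROP: -P INPUT DROP locks out SSH
```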
Using this service you can check your server for open ports: https://www.shodan.io (just type your server's IP in the search box).