Yesterday, in the middle of the night, I received a text message from Aliyun saying that the server had an abnormal login from another location.
I came to the office this morning and asked around; nobody had logged in, so I went to look at the Ubuntu system log.
It turned out there were two logins, one from Romania and the other from Shanghai, both using mongodb as the user name.
A version of mongo had been installed on this machine with apt-get; that is where the mongodb user came from. It was later abandoned because the version was too old, but it was never uninstalled.
A version was then installed manually and run with root permissions.
No services are running as the mongodb user.
The firewall is always on and only allows access to ports 22 and 80; the mongo port is not open to the public.
Checking /etc/passwd shows mongodb:106:65534::/home/mongodb:/bin/bash, i.e. the login shell is bash; this user has now been prohibited from logging in.
Looking at the mongodb user's groups, I found that mongodb actually belongs to the root group...
May I ask Xiada: is the default user name and password the same for this mongodb user on every install? Or did they guess the password? What harm can this user do to the server after logging in?
After a default MongoDB installation on Ubuntu, it looks like this:
The mongodb user is created, but it cannot log in to the operating system.
Judging from your description, there are two possibilities:
1. The mongodb account may have been compromised and modified to allow login. Take a look at the relevant logs; they may not have been deleted.
2. It may just be some scanning tool that has scanned your operating system.
If it is the first case, the consequences depend on whether the other party is malicious. Hurry up and take some remedial measures: install the latest security patches, check the security-related configuration, and back up/encrypt critical business data.
Love MongoDB! Have fun!
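To make the checks the poster describes repeatable, here is an added shell example (not from the poster or the answerer) that audits /etc/passwd, /etc/group and the SSH auth log for system accounts with an interactive shell, members of the root group, and accepted logins for a given user. The sample file contents, host name, addresses and function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed samples (not from the poster's server) mimicking the situation
# described: a system account with /bin/bash that is also in the root group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mongodb:x:106:65534::/home/mongodb:/bin/bash
ops:x:1000:1000:ops:/home/ops:/bin/bash'
SAMPLE_GROUP='root:x:0:mongodb
daemon:x:1:
mongodb:x:65534:'
SAMPLE_AUTHLOG='Jul  4 03:12:01 host sshd[2111]: Accepted password for mongodb from 203.0.113.9 port 51234 ssh2
Jul  4 03:12:09 host sshd[2119]: Failed password for mongodb from 198.51.100.7 port 40021 ssh2
Jul  4 09:01:44 host sshd[2300]: Accepted publickey for ops from 192.0.2.5 port 50010 ssh2'

# $1 = passwd contents. Prints "user:uid:shell" for every system account
# (UID below 1000 on Ubuntu, root excluded) whose shell is not nologin/false.
system_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: '$3 != 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }'
}

# $1 = passwd contents, $2 = group contents. Prints every account that is
# a supplementary member of gid 0 or has gid 0 as primary group (root excluded).
root_group_members() {
    printf '%s\n' "$2" | awk -F: '$3 == 0 && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
    printf '%s\n' "$1" | awk -F: '$4 == 0 && $1 != "root" { print $1 }'
}

# $1 = auth log contents, $2 = user name. Prints "source_ip method" for each
# sshd "Accepted" line for that user (fields follow the standard sshd format).
accepted_logins_for() {
    printf '%s\n' "$1" | awk -v u="$2" '$6 == "Accepted" && $9 == u { print $11, $7 }'
}

audit_report() {
    echo "System accounts with an interactive shell:"
    system_accounts_with_shell "$SAMPLE_PASSWD"
    echo "Accounts in the root group:"
    root_group_members "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
    echo "Accepted SSH logins for mongodb:"
    accepted_logins_for "$SAMPLE_AUTHLOG" mongodb
}
audit_report
```

On a real host, pass "$(cat /etc/passwd)", "$(cat /etc/group)" and "$(cat /var/log/auth.log)" instead of the samples; any system account that appears in the first two reports should have its shell set to nologin and its root-group membership removed.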