MongoDB / Debian server successfully attacked: how could a public IP reach the mongodb server?

6

I have a mongodb server which, according to the log files, received a connection from a remote IP address, even though that is obviously not allowed (or, to be more precise: mongod is not bound to any public interface) because of the mongodb config file shown below.

The IP address tried to connect without ssl and was denied access, but logs are obviously missing. So I assume they cleaned parts of mongodb.log, though not all of it, so that for example one entry remains that shows the remote IP address (could that be one of theirs?).

So the question is: how can a public IP address reach the mongodb server? They seem to have ssh access judging by several facts below, but even then they would need to use the local interface to connect to mongodb, wouldn't they?

What I have found out so far:

  • /var/log/auth.log has been deleted inside the mongodb docker container (or did not exist yet, because I didn't ssh directly into the docker containers), but it still exists on the main (daemon) machine and starts at Apr 24 06:25:29, so I assume they deleted it.
  • they left a READ_ME folder (empty) & a PLEASE_READ_ME folder inside the mongodb root directory, with a file "./PLEASE_READ_ME/collection-0-*****.wt" (masked) that starts with the following message:

    Don't panic. Your DB is in safety and backed up (check logs). To restore send 0.1 BTC and email with your server ip or domain name. Each 48 hours we erase all the data...

  • they did not create additional database users (or at least, the additional users don't exist atm)
  • this is the service list on the main machine (netstat)

    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1281/sshd
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1296/exim4
    tcp        0      0 0.0.0.0:54885           0.0.0.0:*               LISTEN      707/rpc.statd
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      697/rpcbind
    tcp6       0      0 :::22                   :::*                    LISTEN      1281/sshd
    tcp6       0      0 ::1:25                  :::*                    LISTEN      1296/exim4
    tcp6       0      0 :::35619                :::*                    LISTEN      707/rpc.statd
    tcp6       0      0 :::27017                :::*                    LISTEN      1172/docker-proxy
    tcp6       0      0 :::111                  :::*                    LISTEN      697/rpcbind
    udp        0      0 127.0.0.1:883           0.0.0.0:*                           707/rpc.statd
    udp        0      0 0.0.0.0:39217           0.0.0.0:*                           707/rpc.statd
    udp        0      0 0.0.0.0:872             0.0.0.0:*                           697/rpcbind
    udp        0      0 0.0.0.0:111             0.0.0.0:*                           697/rpcbind
    udp6       0      0 :::49550                :::*                                707/rpc.statd
    udp6       0      0 :::872                  :::*                                697/rpcbind
    udp6       0      0 :::111                  :::*                                697/rpcbind

Architecture:

  • Docker daemon runs on a virtual machine with Debian 8.7
  • Each docker container also runs Debian 8.7
  • One docker container for mongodb, one for the application (connected via the docker network)

Version

Log (database name, principal name & ip masked):

2017-04-23T12:03:03.511Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:44575 #16 (5 connections now open)
2017-04-23T12:03:03.540Z I ACCESS   [conn16] Successfully authenticated as principal *** on testdatabase
2017-04-23T12:03:15.461Z I NETWORK  [conn16] end connection ***.***.***.***:44575 (4 connections now open)
2017-04-24T05:07:57.711Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:27790 #17 (5 connections now open)
2017-04-24T05:07:57.724Z I NETWORK  [conn17] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-24T05:45:35.997Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54235 #18 (5 connections now open)
2017-04-24T05:45:36.027Z I ACCESS   [conn18] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:36.053Z I NETWORK  [conn18] end connection ***.***.***.***:54235 (4 connections now open)
2017-04-24T05:45:36.063Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54236 #19 (5 connections now open)
2017-04-24T05:45:36.086Z I ACCESS   [conn19] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:39.843Z I NETWORK  [conn19] end connection ***.***.***.***:54236 (4 connections now open)
2017-04-24T05:45:39.853Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54237 #20 (5 connections now open)
2017-04-24T05:45:39.874Z I ACCESS   [conn20] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:40.071Z I NETWORK  [conn20] end connection ***.***.***.***:54237 (4 connections now open)
2017-04-24T05:45:40.080Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54238 #21 (5 connections now open)
2017-04-24T05:45:40.101Z I ACCESS   [conn21] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:40.108Z I NETWORK  [conn21] end connection ***.***.***.***:54238 (4 connections now open)
2017-04-24T05:45:40.117Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54239 #22 (5 connections now open)
2017-04-24T05:45:40.138Z I ACCESS   [conn22] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.784Z I NETWORK  [conn22] end connection ***.***.***.***:54239 (4 connections now open)
2017-04-24T05:45:44.797Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54245 #23 (5 connections now open)
2017-04-24T05:45:44.820Z I ACCESS   [conn23] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.824Z I NETWORK  [conn23] end connection ***.***.***.***:54245 (4 connections now open)
2017-04-24T05:45:44.833Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54246 #24 (5 connections now open)
2017-04-24T05:45:44.854Z I ACCESS   [conn24] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.858Z I NETWORK  [conn24] end connection ***.***.***.***:54246 (4 connections now open)
2017-04-24T05:45:44.868Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54247 #25 (5 connections now open)
2017-04-24T05:45:44.888Z I ACCESS   [conn25] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:56.683Z I NETWORK  [conn25] end connection ***.***.***.***:54247 (4 connections now open)
2017-04-24T06:00:01.936Z I NETWORK  [conn3] end connection ***.***.***.***:39610 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn2] end connection ***.***.***.***:39609 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn4] end connection ***.***.***.***:39636 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn1] end connection ***.***.***.***:39548 (3 connections now open)
2017-04-24T06:00:05.915Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49695 #26 (1 connection now open)
2017-04-24T06:00:05.951Z I ACCESS   [conn26] Successfully authenticated as principal *** on testdatabase
2017-04-24T06:00:09.089Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49758 #27 (2 connections now open)
2017-04-24T06:00:09.103Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49760 #28 (3 connections now open)
2017-04-24T06:00:09.125Z I ACCESS   [conn28] Successfully authenticated as principal *** on testdatabase
2017-04-24T06:00:20.916Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49790 #29 (4 connections now open)
2017-04-24T06:05:32.404Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54712 #30 (5 connections now open)
2017-04-24T06:05:32.414Z I ACCESS   [conn30] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }

Config file (database name masked):

storage:
    dbPath: "/***"
    directoryPerDB: true
    journal:
        enabled: true
systemLog:
    destination: file
    path:   "/***/mongodb.log"
    logAppend: true
    timeStampFormat: iso8601-utc
processManagement:
    fork: true
net:
    bindIp: [127.0.0.1,172.0.0.5]
    port: 27017
    wireObjectCheck : false
    unixDomainSocket: 
        enabled : true
    http:
        enabled: false
    ssl:
        mode: requireSSL
        PEMKeyFile: /certs/server-***.***.***.***.pem
        CAFile: /certs/ca.pem
        #CRLFile: <string>
        allowConnectionsWithoutCertificates: false
        allowInvalidCertificates: false
        allowInvalidHostnames: true
        #disabledProtocols: false
        #FIPSMode: <boolean>
security:
    authorization: enabled

Head of /var/log/auth.log on the main docker host (ip masked):

Apr 24 06:25:29 *** sshd[5332]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:25:32 *** sshd[4660]: Received disconnect from ***.***.***.***: 11: disconnected by user
Apr 24 06:25:32 *** sshd[4660]: pam_unix(sshd:session): session closed for user root
Apr 24 06:25:41 *** CRON[5111]: pam_unix(cron:session): session closed for user root
Apr 24 06:25:44 *** sshd[5342]: Invalid user admin from ***.***.***.***
Apr 24 06:25:44 *** sshd[5342]: input_userauth_request: invalid user admin [preauth]
Apr 24 06:25:44 *** sshd[5342]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 41822 ssh2 [preauth]
Apr 24 06:26:19 *** sshd[5393]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:28:26 *** sshd[5423]: Invalid user pat from ***.***.***.***
Apr 24 06:28:26 *** sshd[5423]: input_userauth_request: invalid user pat [preauth]
Apr 24 06:28:26 *** sshd[5423]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:28:28 *** sshd[5421]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:30:46 *** sshd[5450]: Accepted publickey for root from ***.***.***.*** port 47739 ssh2: RSA 74:72:c0:b4:6e:6d:11:3a:2e:c5:4e:be:34:60:e1:99
Apr 24 06:30:46 *** sshd[5450]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 24 06:30:49 *** sshd[5499]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:33:16 *** sshd[5842]: Invalid user postgres from ***.***.***.***
Apr 24 06:33:16 *** sshd[5842]: input_userauth_request: invalid user postgres [preauth]
Apr 24 06:33:16 *** sshd[5842]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:36:16 *** sshd[5844]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:38:02 *** sshd[5846]: Invalid user nginx from ***.***.***.***
Apr 24 06:38:02 *** sshd[5846]: input_userauth_request: invalid user nginx [preauth]
Apr 24 06:38:02 *** sshd[5846]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:38:28 *** sshd[3979]: Timeout, client not responding.
Apr 24 06:38:28 *** sshd[3979]: pam_unix(sshd:session): session closed for user root
Apr 24 06:38:32 *** sshd[5450]: Timeout, client not responding.
Apr 24 06:38:32 *** sshd[5450]: pam_unix(sshd:session): session closed for user root
Apr 24 06:39:14 *** sshd[4027]: Timeout, client not responding.
Apr 24 06:39:14 *** sshd[4027]: pam_unix(sshd:session): session closed for user root
Apr 24 06:41:42 *** sshd[5848]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:07 *** sshd[5850]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:08 *** sshd[5852]: Invalid user  from ***.***.***.***
Apr 24 06:42:08 *** sshd[5852]: input_userauth_request: invalid user  [preauth]
Apr 24 06:42:08 *** sshd[5852]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:55 *** sshd[5854]: Invalid user spark from ***.***.***.***
Apr 24 06:42:55 *** sshd[5854]: input_userauth_request: invalid user spark [preauth]
Apr 24 06:42:55 *** sshd[5854]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:06 *** sshd[5859]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:48 *** sshd[5861]: Invalid user odoo from ***.***.***.***
Apr 24 06:47:48 *** sshd[5861]: input_userauth_request: invalid user odoo [preauth]
Apr 24 06:47:48 *** sshd[5857]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:48 *** sshd[5861]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:52:32 *** sshd[5872]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:52:34 *** sshd[5870]: Invalid user steam from ***.***.***.***
Apr 24 06:52:34 *** sshd[5870]: input_userauth_request: invalid user steam [preauth]
Apr 24 06:52:34 *** sshd[5870]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:54:00 *** sshd[5874]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 46803 ssh2 [preauth]
Apr 24 06:57:22 *** sshd[5877]: Invalid user teste from ***.***.***.***
Apr 24 06:57:22 *** sshd[5877]: input_userauth_request: invalid user teste [preauth]
Apr 24 06:57:22 *** sshd[5877]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:57:58 *** sshd[5879]: Connection closed by ***.***.***.*** [preauth]
Apr 24 07:02:13 *** sshd[5881]: Invalid user hadoop from ***.***.***.***
Apr 24 07:02:13 *** sshd[5881]: input_userauth_request: invalid user hadoop [preauth]
Apr 24 07:02:13 *** sshd[5881]: Connection closed by ***.***.***.*** [preauth]
Apr 24 07:03:16 *** sshd[5885]: Invalid user admin from ***.***.***.***
Apr 24 07:03:16 *** sshd[5885]: input_userauth_request: invalid user admin [preauth]
Apr 24 07:03:16 *** sshd[5883]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 4792 ssh2 [preauth]
Apr 24 07:03:17 *** sshd[5885]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 4802 ssh2 [preauth]
    
asked by Techradar 25.04.2017 - 11:51
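The netstat listing in the question already contains the most important clue for the asker's question: docker-proxy is listening on :::27017 on the host, so a connection to the host's public address on 27017 is forwarded into the container and arrives on the container's own docker-network address, which `bindIp` inside the container accepts. The short script below is an added example and not the asker's code: it parses `netstat -tulpn` rows (the question's rows are embedded as sample input, restored to netstat's English output) and flags every listener bound to a wildcard address, then filters that against an allow-list of services that are meant to be public (here only ssh on 22), which is the check a defender runs on a host that was supposed to expose nothing but ssh.

```python
"""Flag host listeners bound to wildcard addresses in `netstat -tulpn` output.

Added example for the netstat listing quoted in the question; it is not the asker's
code. The sample rows below are those rows, restored to netstat's English output.
"""

# Constructed from the question's listing (PIDs and program names as shown there).
NETSTAT_LINES = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1281/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1296/exim4
tcp        0      0 0.0.0.0:54885           0.0.0.0:*               LISTEN      707/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      697/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1281/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1296/exim4
tcp6       0      0 :::35619                :::*                    LISTEN      707/rpc.statd
tcp6       0      0 :::27017                :::*                    LISTEN      1172/docker-proxy
tcp6       0      0 :::111                  :::*                    LISTEN      697/rpcbind
udp        0      0 127.0.0.1:883           0.0.0.0:*                           707/rpc.statd
udp        0      0 0.0.0.0:39217           0.0.0.0:*                           707/rpc.statd
udp        0      0 0.0.0.0:872             0.0.0.0:*                           697/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           697/rpcbind
udp6       0      0 :::49550                :::*                                707/rpc.statd
udp6       0      0 :::872                  :::*                                697/rpcbind
udp6       0      0 :::111                  :::*                                697/rpcbind
""".splitlines()

# 0.0.0.0 and :: mean "every interface". On Linux a :: socket also accepts IPv4
# clients unless net.ipv6.bindv6only=1, so tcp6 :::27017 is reachable over IPv4 too.
WILDCARD_ADDRS = {"0.0.0.0", "::"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def parse_listener(line):
    """Turn one netstat row into a dict; return None for headers and non-listening TCP rows."""
    fields = line.split()
    if len(fields) < 6 or ":" not in fields[3]:
        return None
    proto, local = fields[0], fields[3]
    if proto.startswith("tcp") and fields[5] != "LISTEN":
        return None                           # established sockets are not listeners
    addr, port = local.rsplit(":", 1)         # rsplit keeps IPv6 literals such as ::1 intact
    program = fields[-1].split("/", 1)[-1]    # "1172/docker-proxy" -> "docker-proxy"
    return {"proto": proto, "addr": addr, "port": int(port), "program": program}


def scope(addr):
    """Classify a local bind address as wildcard, loopback or a specific interface."""
    if addr in WILDCARD_ADDRS:
        return "wildcard"
    if addr in LOOPBACK_ADDRS:
        return "loopback"
    return "specific"


def find_exposed_listeners(lines):
    """Listeners bound to a wildcard address, i.e. reachable from any network the host is on."""
    entries = (parse_listener(row) for row in lines)
    return [e for e in entries if e and scope(e["addr"]) == "wildcard"]


def unexpected_exposures(lines, allowed_ports=frozenset({22})):
    """Exposed listeners whose port is not on the allow-list of services meant to be public."""
    return [e for e in find_exposed_listeners(lines) if e["port"] not in allowed_ports]


if __name__ == "__main__":
    # On a host that should only expose ssh, every row printed here needs an explanation.
    for e in unexpected_exposures(NETSTAT_LINES):
        print(f"{e['proto']:5} {e['addr']}:{e['port']:<6} {e['program']}")
```

Run against the question's rows the report lists docker-proxy on 27017 together with rpcbind and rpc.statd on wildcard addresses; the loopback-bound exim4 and rpc.statd rows are correctly left out. Note that the check only sees what the host kernel sees: a `bindIp` restriction inside a container says nothing about what Docker has published on the host.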
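The docker-proxy listener on :::27017 in the question's netstat output is what Docker's plain `-p 27017:27017` (or the equivalent compose `ports:` entry) produces: the port is published on every host interface and forwarded into the container, where mongod sees it arrive on the container's docker-network address, so the `bindIp` list in the mongod config does not stop it. The compose fragment below is an added example, not the asker's configuration; the image tags, service names and network name are assumed. It shows the weak publish line beside the loopback-only form.

```yaml
version: "2"                 # compose file format version; assumed
services:
  mongodb:
    image: mongo:3.4         # assumed image tag
    # Weak form, the one that shows up as docker-proxy on :::27017 in netstat:
    # the host port is published on every interface and forwarded into the
    # container, so a remote client reaches mongod on its docker-network address.
    # ports:
    #   - "27017:27017"
    #
    # Loopback-only publish: still reachable from the host itself (admin shell,
    # ssh tunnel), but not from any other machine.
    ports:
      - "127.0.0.1:27017:27017"
    networks:
      - backend
  app:
    image: example/app       # placeholder for the application container
    networks:
      - backend
networks:
  backend:                   # assumed name for the docker network both containers share
```

If the application container is the only client, drop the `ports:` key entirely: the app reaches `mongodb:27017` over the `backend` network by service name and nothing is exposed on the host. Either way, verify with `netstat -tulpn` (or `ss -tulpn`) on the host that no docker-proxy listener remains on a wildcard address, and keep in mind that Docker installs its own nat/DNAT and FORWARD rules, so host INPUT-chain firewall rules (ufw and the like) do not protect a published port.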

2 answers

2

Since information is missing, next time please include the kernel version, the docker version and whether the client application connects with the root user.

Possible exploits they used:

  • compromised database client in the application, so check it for vulnerabilities

  • since docker containers share the kernel with the host and the other containers, check the kernel version for possible vulnerabilities

  • ssh exploited. I don't see any information on whether there is fail2ban, key-based ssh auth or just a password, or a VPN (recommended: change the ssh port, use public key auth and fail2ban, or only allow connecting to ssh over a private VPN)

What has to be understood is that there may not be one single vulnerability that turns into an exploit; it can be a chain of vulnerabilities.

    
answered by Hrvoje Milković 12.09.2017 - 16:26
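The answer above recommends fail2ban and key-based auth. As an added example (not the answerer's or the asker's code), the script below runs a small triage over an excerpt of the sshd lines quoted in the question: it counts invalid-user probes and "Too many authentication failures" disconnects per source, the kind of per-source threshold a fail2ban sshd jail applies, and separately lists every accepted login so the admin can compare the key fingerprint with the keys actually installed in authorized_keys. The IPs are masked in the question, so all failures collapse onto a single source here; the regular expressions match the standard Debian sshd wording of the lines shown.

```python
"""Triage sshd entries from /var/log/auth.log: probes, lockouts and accepted logins.

Added example, not the answerer's or the asker's code. The sample lines are an excerpt of
the auth.log quoted in the question (IPs masked there, so every source collapses to one).
"""
import re
from collections import Counter

AUTH_LOG_LINES = [
    "Apr 24 06:25:44 *** sshd[5342]: Invalid user admin from ***.***.***.***",
    "Apr 24 06:25:44 *** sshd[5342]: input_userauth_request: invalid user admin [preauth]",
    "Apr 24 06:25:44 *** sshd[5342]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 41822 ssh2 [preauth]",
    "Apr 24 06:28:26 *** sshd[5423]: Invalid user pat from ***.***.***.***",
    "Apr 24 06:30:46 *** sshd[5450]: Accepted publickey for root from ***.***.***.*** port 47739 ssh2: RSA 74:72:c0:b4:6e:6d:11:3a:2e:c5:4e:be:34:60:e1:99",
    "Apr 24 06:30:46 *** sshd[5450]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Apr 24 06:33:16 *** sshd[5842]: Invalid user postgres from ***.***.***.***",
    "Apr 24 06:42:08 *** sshd[5852]: Invalid user  from ***.***.***.***",
    "Apr 24 06:54:00 *** sshd[5874]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 46803 ssh2 [preauth]",
    "Apr 24 07:03:16 *** sshd[5885]: Invalid user admin from ***.***.***.***",
    "Apr 24 07:03:16 *** sshd[5883]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 4792 ssh2 [preauth]",
    "Apr 24 07:03:17 *** sshd[5885]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 4802 ssh2 [preauth]",
]

# "Invalid user <name> from <src>"; the name may be empty (one line in the question has none).
# The lowercase "input_userauth_request: invalid user" line repeats the same event and is skipped.
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (.*?) from (\S+)")
LOCKOUT = re.compile(r"Too many authentication failures for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+ ssh2(?:: (.*))?")


def triage_auth_log(lines):
    """Summarise failures per source, account names probed and every accepted login."""
    summary = {
        "invalid_user_attempts": 0,
        "invalid_users": Counter(),      # which account names were tried
        "lockouts": 0,                   # "Too many authentication failures" disconnects
        "root_lockouts": 0,              # of which against root
        "failures_by_source": Counter(),
        "accepted": [],                  # successful logins: review each one by hand
    }
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            user, src = m.groups()
            summary["invalid_user_attempts"] += 1
            summary["invalid_users"][user] += 1
            summary["failures_by_source"][src] += 1
            continue
        m = LOCKOUT.search(line)
        if m:
            user, src = m.groups()
            summary["lockouts"] += 1
            if user == "root":
                summary["root_lockouts"] += 1
            summary["failures_by_source"][src] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src, key = m.groups()
            summary["accepted"].append(
                {"user": user, "method": method, "source": src, "key": key})
    return summary


def sources_over_threshold(summary, threshold=5):
    """Sources with at least `threshold` failures: what a fail2ban sshd jail would ban."""
    return sorted(src for src, n in summary["failures_by_source"].items() if n >= threshold)


if __name__ == "__main__":
    s = triage_auth_log(AUTH_LOG_LINES)
    print("invalid-user probes:", s["invalid_user_attempts"], dict(s["invalid_users"]))
    print("lockouts:", s["lockouts"], "(root:", s["root_lockouts"], ")")
    print("sources over threshold:", sources_over_threshold(s))
    for a in s["accepted"]:
        # A publickey login as root in the middle of a brute-force window is the line
        # to verify: is this fingerprint one of the keys the admin installed?
        print("ACCEPTED", a["user"], a["method"], a["source"], a["key"])
```

The names probed (admin, postgres, spark, odoo, steam, hadoop and so on in the full log) are the generic dictionary a scanner tries; the line worth the admin's attention is the single accepted publickey login for root at 06:30:46, whose fingerprint the script surfaces so it can be matched against the keys that are supposed to be in root's authorized_keys.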
-2

Check how many interfaces are active on the MDB host. It may be that you are protecting one network while another one is vulnerable. A simple ifconfig can give you an idea.

    
answered by Hugo R 08.08.2017 - 09:21
