
MongoDB Apocalypse Is Here as Ransom Attacks Hit 10,000 Servers - sathishvj
https://www.bleepingcomputer.com/news/security/mongodb-apocalypse-is-here-as-ransom-attacks-hit-10-000-servers/
======
slau
The same story on Ars has had a bit more traction (120+ comments).

[https://news.ycombinator.com/item?id=13345947](https://news.ycombinator.com/item?id=13345947)

------
gnarbarian
"hackers have now hit around 10,500 MongoDB servers. That's about 25% of all
MongoDB databases accessible via the Internet. The attacks don't target all
MongoDB databases, but only those left accessible via the Internet and without
a password on the administrator account."

25% of mongodb installs externally accessible lack a fucking password on the
admin account.

They deserve it. Maybe it will teach them something.

~~~
iagooar
I agree with you, but to me it is a problem that goes back to the people who
made the decision of allowing admin accounts without a password. In a world
where software stacks have multiple applications, programming languages and
databases, it happens that people are not experts in everything. They make
mistakes. Then there is a huge pool of companies who have poorly skilled devs
coming from the Wordpress/Drupal/Prestashop/Etc background who many times
don't actually know anything about security.

Then there is the fact that MongoDB is known for having a very bad reputation
among software engineers. I could personally write down many horror stories
that I experienced myself, plus all the things you get to hear from friends
and tech blogs.

Maybe after this attack some companies ban it from their software stacks. I
really hope they do so. The world would be a better place without MongoDB.

~~~
mdekkers
> it is a problem that goes back to the people who made the decision of
> allowing admin accounts without a password.

No. Just.. no.... Security of YOUR system is YOUR responsibility.

> In a world where software stacks have multiple applications, programming
> languages and databases, it happens that people are not experts in
> everything.

Hire one.

> Maybe after this attack some companies ban it from their software stacks.

Or maybe decision makers realise that yes, you do need to pay for skills.

~~~
iagooar
>> it is a problem that goes back to the people who made the decision of
>> allowing admin accounts without a password.
> No. Just.. no.... Security of YOUR system is YOUR responsibility.

I agree. But what you are saying has nothing to do with whether a database
should have sane defaults or not.

>> In a world where software stacks have multiple applications, programming
>> languages and databases, it happens that people are not experts in everything.
> Hire one.

You seem not to know much about the real world out there. Companies are
struggling A LOT to find ANY people at all.

>> Maybe after this attack some companies ban it from their software stacks.
> Or maybe decision makers realise that yes, you do need to pay for skills.

More money is not going to magically increase the pool of skilled software
engineers around the world. If all the companies in the world increased what
they pay, nothing would change, besides the fact that they would spend more
money.

~~~
mdekkers
> [...] sane defaults [...]

Defaults - sane or not - lead to exactly these types of situations. It
encourages "it's good enough" thinking, and dilutes the feeling of
responsibility.

> You seem not to know much about the real world out there.

yeah, yeah... yawn.

> Companies are struggling A LOT to find ANY people at all.

Uhm, not companies that are willing to pay good money for good
devs/devops/sysadmins.

> More money is not going to magically increase the pool of skilled software
> engineers around the world.

I would argue that it is the software developers' job to develop software. It
would be a sysadmin/devops type person to look after the infrastructure, and
make sure it is properly secured. I see _so_ many job ads for a single role
(developer, engineer, CTO, whatever) and then a job description for "must be
able to do everything related to any aspect of all our IT". Hilarious.

------
bdcravens
Maybe I'm being all "get off my lawn", but I feel this is an almost inevitable
result of attitudes about new stacks, the rise of the bootcamper, and
hackathons-turned-product. In theory that young hipster developer that fits
the mold would be just a junior on the team, and their enthusiasm and
foolhardiness towards moving fast and breaking things would be tempered by
more mature team members and operators. However, I think we're seeing a world
where 2013 bootcamp grads are the seniors and the cult of hacking and
iterating and breaking things means situations like this will become more
common.

~~~
johnloeber
As a young hipster developer, I agree with you 100%. Modern startups have
generally been taking an approach that is totally dismissive of long-tail
risks such as this one.

I think it is extremely unfortunate that financial incentives are currently
stacked against engineering responsibly -- a startup that tries to actually
secure a well-built product will need to spend an often unaffordable amount of
money or time doing so.

------
wonko1
Why do so many MongoDB installations lack a password on the admin account?

I tried searching for more info, but couldn't find anything. Was this the
default? A procedure given in a popular tutorial? It seems pretty insane.

~~~
HappyTypist
It was the default for at least a year I think. They changed the defaults, but
that didn't impact any existing default configs...
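As an added illustration (not from any commenter in this thread), here are two mongod.conf fragments: the first reproduces the exposed state the article describes, a server with authorization off that listens on every interface, and the second is the hardened counterpart. The port, paths and the private address 10.0.0.5 are constructed example values.

```yaml
# Weak configuration: anyone who can reach TCP/27017 is effectively
# an administrator, because no credentials are ever checked.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on all interfaces, including public ones
security:
  authorization: disabled  # clients connect with full access, no password needed
---
# Hardened configuration: bind only to loopback and the private
# application subnet, and require authentication for every client.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a constructed example of a private address
security:
  authorization: enabled       # users must authenticate; role-based access is enforced
storage:
  dbPath: /var/lib/mongodb     # illustrative path
```

With authorization enabled and no users yet defined, only the localhost exception lets you create the first administrative user; a restart of mongod is needed after editing the file.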

------
kapauldo
Is there a tool for checking mongo vulnerabilities?

