A MongoDB server after a Bitcoin ransom attack

1. I went straight to the logs and pinned the event down to roughly five minutes before I looked:

Thu Jun 29 09:49:02.011 [conn726061649] insert mclog.click_20170629 ninserted:1 keyUpdates:0 locks(micros) w:78 119ms

Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting

Thu Jun 29 09:49:14.806 [conn726065856] removeJournalFiles

Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished

Thu Jun 29 09:49:14.952 [conn726065856] command system.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:1374138 reslen:57 1374ms

Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting

Thu Jun 29 09:49:22.804 [conn726065856] removeJournalFiles

Thu Jun 29 09:49:44.677 [conn726065856] dropDatabase mclog finished

Thu Jun 29 09:49:44.677 [conn726065856] command mclog.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:22668251 reslen:56 22668ms

Thu Jun 29 09:49:44.678 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.ns, filling with zeroes...

Thu Jun 29 09:49:44.708 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.ns, size: 16MB,  took 0.029 secs

Thu Jun 29 09:49:44.708 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.0, filling with zeroes...

Thu Jun 29 09:49:44.710 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.0, size: 64MB,  took 0.001 secs

2. The ransom note itself was sitting in a Mongo collection:

$ mongo

MongoDB shell version: 2.4.9

connecting to: test

> show dbs

WRITE_ME        0.203125GB

mclog  1.953125GB

> use WRITE_ME

switched to db WRITE_ME

> show collections

WRITE_ME

system.indexes

> db.WRITE_ME.findOne()

{

"_id" : ObjectId("59545cc0e3fc71362d60f182"),

"email" : "[email protected]",

"btc_wallet" : "1FApP5DgbN2JoyRnmJgEwGxkbvCEu2rFQB",

"note" : "Your DB is in safety and backed up (check logs). To restore send 0.1 BTC and email with your server ip or domain name. Each 24 hours we erase all data."

}

> exit

3. Log context (the dropping connection is conn726065856 throughout; note that other connections start rebuilding mclog collections while the drops are still running):

Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting

Thu Jun 29 09:49:14.806 [conn726065856] removeJournalFiles

Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished

Thu Jun 29 09:49:14.952 [conn726065856] command system.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:1374138 reslen:57 1374ms

Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting

Thu Jun 29 09:49:22.804 [conn726065856] removeJournalFiles

Thu Jun 29 09:49:44.677 [conn726065856] dropDatabase mclog finished

Thu Jun 29 09:49:44.677 [conn726065856] command mclog.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:22668251 reslen:56 22668ms

Thu Jun 29 09:49:44.678 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.ns, filling with zeroes...

Thu Jun 29 09:49:44.708 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.ns, size: 16MB,  took 0.029 secs

Thu Jun 29 09:49:44.708 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.0, filling with zeroes...

Thu Jun 29 09:49:44.710 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.0, size: 64MB,  took 0.001 secs

Thu Jun 29 09:49:44.710 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.1, filling with zeroes...

Thu Jun 29 09:49:44.712 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.1, size: 128MB,  took 0.002 secs

Thu Jun 29 09:49:44.712 [conn726075088] build index mclog.click_20170629 { _id: 1 }

Thu Jun 29 09:49:44.728 [conn726075088] build index done.  scanned 0 total records. 0.015 secs

Thu Jun 29 09:49:46.971 [conn726065856] dropDatabase local starting

Thu Jun 29 09:49:47.015 [conn726065856] removeJournalFiles

Thu Jun 29 09:49:47.018 [conn726065856] dropDatabase local finished

Thu Jun 29 09:49:48.990 [conn726087507] build index mclog.conversion_20170629 { _id: 1 }

Thu Jun 29 09:49:48.991 [conn726087507] build index done.  scanned 0 total records. 0 secs

Thu Jun 29 09:49:49.024 [conn726087635] build index mclog.clicktoconversion_20170628 { _id: 1 }

Thu Jun 29 09:49:49.024 [conn726087635] build index done.  scanned 0 total records. 0 secs

Thu Jun 29 09:49:49.286 [conn726065856] dropDatabase cool_db starting

Thu Jun 29 09:49:49.325 [conn726065856] removeJournalFiles

Thu Jun 29 09:49:49.327 [conn726065856] dropDatabase cool_db finished

Thu Jun 29 09:49:51.924 [conn726065856] dropDatabase test starting

Thu Jun 29 09:49:51.969 [conn726065856] removeJournalFiles

Thu Jun 29 09:49:51.971 [conn726065856] dropDatabase test finished
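The manual reading above boils down to three questions: which connection issued the drops and when, what was the last normal operation before it (the point a restore must reach back to), and which collections the application recreated afterwards (the post-attack data that must be dumped before rolling back). The script below is an added example, not code from the original post or from MongoDB; it parses the legacy 2.4 log line format shown above and answers those questions over a constructed sample made of lines copied from this log excerpt. One caveat on what such a log can show: by default mongod only logs operations slower than 100 ms (which is why the 119 ms insert appears), so the absence of any read before the drop does not prove the "backed up" claim in the ransom note false, it only means there is no evidence for it.

```python
"""Triage a MongoDB 2.4-style log for a mass dropDatabase event.

Added example for this write-up, not code from the original post or from MongoDB.
It assumes the legacy 2.4 log line format shown above:
    "Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting"
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$"
)
DROP_RE = re.compile(r"^dropDatabase (?P<db>\S+) starting$")
INDEX_RE = re.compile(r"^build index (?P<ns>\S+) ")

# Constructed sample: these lines are copied from the log excerpt in this post.
SAMPLE_LOG = """\
Thu Jun 29 09:49:02.011 [conn726061649] insert mclog.click_20170629 ninserted:1 keyUpdates:0 locks(micros) w:78 119ms
Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting
Thu Jun 29 09:49:14.806 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished
Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting
Thu Jun 29 09:49:44.677 [conn726065856] dropDatabase mclog finished
Thu Jun 29 09:49:44.678 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.ns, filling with zeroes...
Thu Jun 29 09:49:44.712 [conn726075088] build index mclog.click_20170629 { _id: 1 }
Thu Jun 29 09:49:46.971 [conn726065856] dropDatabase local starting
Thu Jun 29 09:49:48.990 [conn726087507] build index mclog.conversion_20170629 { _id: 1 }
Thu Jun 29 09:49:49.286 [conn726065856] dropDatabase cool_db starting
Thu Jun 29 09:49:51.924 [conn726065856] dropDatabase test starting
"""


def parse_line(line):
    """Split one log line into timestamp, context ([connNNN] / [FileAllocator]) and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # 2.4 logs carry no year, so strptime fills in 1900; only the ordering within a day matters here.
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f")
    return {"ts": ts, "ctx": m["ctx"], "msg": m["msg"]}


def triage(lines):
    """Group dropDatabase commands by connection and describe what happened around them."""
    events = [e for e in map(parse_line, lines) if e]
    drops = defaultdict(list)  # connection id -> [(timestamp, database)]
    for e in events:
        m = DROP_RE.match(e["msg"])
        if m:
            drops[e["ctx"]].append((e["ts"], m["db"]))

    report = {}
    for conn, items in drops.items():
        first_ts = items[0][0]
        # Last logged operation from any other connection before the first drop:
        # the point in time a restore has to reach back to.
        prior = [e for e in events if e["ts"] < first_ts and e["ctx"] != conn]
        # Collections the application recreated after the drop (visible as fresh
        # _id index builds); these hold the post-attack data worth dumping.
        rebuilt = set()
        for e in events:
            m = INDEX_RE.match(e["msg"])
            if m and e["ts"] > first_ts and e["ctx"] != conn:
                rebuilt.add(m["ns"])
        report[conn] = {
            "dropped": [db for _, db in items],
            "first_drop": first_ts,
            "last_drop": items[-1][0],
            "last_good_op": prior[-1]["msg"] if prior else None,
            "rebuilt_after": sorted(rebuilt),
        }
    return report


def suspicious_connections(report, min_dbs=2):
    """Detection rule: one connection dropping several databases in a row is never routine."""
    return [conn for conn, r in report.items() if len(r["dropped"]) >= min_dbs]


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG.splitlines())
    for conn in suspicious_connections(rep):
        r = rep[conn]
        print(f"{conn}: dropped {r['dropped']} between "
              f"{r['first_drop']:%H:%M:%S} and {r['last_drop']:%H:%M:%S}")
        print(f"  last good op before the drop : {r['last_good_op']}")
        print(f"  collections recreated after  : {r['rebuilt_after']}")
```

Run it against the real log with `triage(open("/var/log/mongodb/mongodb.log").read().splitlines())`; on the sample it reports conn726065856 dropping system, mclog, local, cool_db and test between 09:49:13 and 09:49:51, the 09:49:02 insert as the last good operation, and click_20170629 and conversion_20170629 as collections the application recreated afterwards.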

4. I contacted Alibaba Cloud. They had malicious scanning alerts from around 7 to 8 that morning but no detailed information. Since this was a self-managed Mongo server they offered no real guidance beyond a few links on handling the threat. I had hoped their engineers could help trace the intrusion and find how the attacker got in, but got nowhere.

5. In the end I decided to roll back to a snapshot; the latest one was from 9 a.m. Since the application had kept writing after the drop (see the index builds in the log above), the newly generated data first had to be exported with mongodump to another disk:

mongodump -h 127.0.0.1 --port 27017 -d mclog -o /home/mongodump/mclog

Then restore the snapshot.

6. Finally, re-import the new data with mongorestore -d mclog /home/mongodump/mclog/mclog

Two points about this sequence: whatever was written between the 9 a.m. snapshot and the 09:49 drop is lost either way, because neither the snapshot nor the dump contains it; and the restore is deliberately run without --drop, so the post-attack collections in the dump merge into the snapshot's copies instead of replacing them.
