MongoDB is crashing

Dear Community,

I have installed Mongodb on my VPS but for some time it crashed.

Here are the errors:

2020-09-17T19:49:47.801+0200 I NETWORK  [conn38] received client metadata from [134.122.38.54:58938](http://134.122.38.54:58938/) conn38: { driver: { name: "PyMongo", version: "3.11.0" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-47-generic" }, platform: "CPython 3.8.2.final.0" }
2020-09-17T19:49:48.029+0200 I NETWORK  [listener] connection accepted from [134.122.38.54:58940](http://134.122.38.54:58940/) #39 (4 connections now open)
2020-09-17T19:49:48.029+0200 I NETWORK  [conn39] received client metadata from [134.122.38.54:58940](http://134.122.38.54:58940/) conn39: { driver: { name: "PyMongo", version: "3.11.0" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-47-generic" }, platform: "CPython 3.8.2.final.0" }
2020-09-17T19:49:48.258+0200 I COMMAND  [conn39] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - starting
2020-09-17T19:49:48.258+0200 I COMMAND  [conn39] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - dropping 0 collections
2020-09-17T19:49:48.266+0200 I COMMAND  [conn39] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - finished
2020-09-17T19:49:48.381+0200 I COMMAND  [conn39] dropDatabase config - starting
2020-09-17T19:49:48.381+0200 I COMMAND  [conn39] dropDatabase config - dropping 0 collections
2020-09-17T19:49:48.383+0200 I COMMAND  [conn39] dropDatabase config - finished
2020-09-17T19:49:48.498+0200 I COMMAND  [conn39] dropDatabase local - starting
2020-09-17T19:49:48.498+0200 I COMMAND  [conn39] dropDatabase local - dropping 0 collections
2020-09-17T19:49:48.504+0200 I COMMAND  [conn39] dropDatabase local - finished
2020-09-17T19:49:48.619+0200 I STORAGE  [conn39] createCollection: READ_ME_TO_RECOVER_YOUR_DATA.README with generated UUID: 238fafb1-d410-41e9-8072-8a7939b5a64f
2020-09-17T19:49:48.741+0200 I NETWORK  [conn39] end connection [134.122.38.54:58940](http://134.122.38.54:58940/) (3 connections now open)
2020-09-17T19:49:48.741+0200 I NETWORK  [conn38] end connection [134.122.38.54:58938](http://134.122.38.54:58938/) (2 connections now open)

2020-09-18T12:13:04.144+0200 I NETWORK  [conn46] received client metadata from [134.122.38.54:38038](http://134.122.38.54:38038/) conn46: { driver: { name: "PyMongo", version: "3.11.0" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-47-generic" }, platform: "CPython 3.8.2.final.0" }
2020-09-18T12:13:04.372+0200 I NETWORK  [listener] connection accepted from [134.122.38.54:38040](http://134.122.38.54:38040/) #47 (4 connections now open)
2020-09-18T12:13:04.373+0200 I NETWORK  [conn47] received client metadata from [134.122.38.54:38040](http://134.122.38.54:38040/) conn47: { driver: { name: "PyMongo", version: "3.11.0" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-47-generic" }, platform: "CPython 3.8.2.final.0" }
2020-09-18T12:13:04.602+0200 I COMMAND  [conn47] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - starting
2020-09-18T12:13:04.605+0200 I COMMAND  [conn47] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - dropping 0 collections
2020-09-18T12:13:04.607+0200 I COMMAND  [conn47] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - finished
2020-09-18T12:13:04.722+0200 I COMMAND  [conn47] dropDatabase config - starting
2020-09-18T12:13:04.722+0200 I COMMAND  [conn47] dropDatabase config - dropping 0 collections
2020-09-18T12:13:04.724+0200 I COMMAND  [conn47] dropDatabase config - finished
2020-09-18T12:13:04.839+0200 I COMMAND  [conn47] dropDatabase local - starting
2020-09-18T12:13:04.839+0200 I COMMAND  [conn47] dropDatabase local - dropping 0 collections
2020-09-18T12:13:04.841+0200 I COMMAND  [conn47] dropDatabase local - finished
2020-09-18T12:13:04.959+0200 I STORAGE  [conn47] createCollection: READ_ME_TO_RECOVER_YOUR_DATA.README with generated UUID: 2b8efc1f-b9e0-49a0-9135-f819205d39f0
2020-09-18T12:13:05.080+0200 I NETWORK  [conn47] end connection [134.122.38.54:38040](http://134.122.38.54:38040/) (3 connections now open)
2020-09-18T12:13:05.080+0200 I NETWORK  [conn46] end connection [134.122.38.54:38038](http://134.122.38.54:38038/) (2 connections now open)

2020-09-18T17:53:05.203+0200 I NETWORK  [conn52] received client metadata from [134.122.38.54:32922](http://134.122.38.54:32922/) conn52: { driver: { name: "PyMongo", version: "3.11.0" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-47-generic" }, platform: "CPython 3.8.2.final.0" }
2020-09-18T17:53:05.431+0200 I NETWORK  [listener] connection accepted from [134.122.38.54:32924](http://134.122.38.54:32924/) #53 (4 connections now open)
2020-09-18T17:53:05.434+0200 I NETWORK  [conn53] received client metadata from [134.122.38.54:32924](http://134.122.38.54:32924/) conn53: { driver: { name: "PyMongo", version: "3.11.0" }, os: { type: "Linux", name: "Linux", architecture: "x86_64", version: "5.4.0-47-generic" }, platform: "CPython 3.8.2.final.0" }
2020-09-18T17:53:05.664+0200 I COMMAND  [conn53] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - starting
2020-09-18T17:53:05.664+0200 I COMMAND  [conn53] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - dropping 0 collections
2020-09-18T17:53:05.667+0200 I COMMAND  [conn53] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - finished
2020-09-18T17:53:05.781+0200 I COMMAND  [conn53] dropDatabase config - starting
2020-09-18T17:53:05.782+0200 I COMMAND  [conn53] dropDatabase config - dropping 0 collections
2020-09-18T17:53:05.793+0200 I COMMAND  [conn53] dropDatabase config - finished
2020-09-18T17:53:05.908+0200 I COMMAND  [conn53] dropDatabase local - starting
2020-09-18T17:53:05.911+0200 I COMMAND  [conn53] dropDatabase local - dropping 0 collections
2020-09-18T17:53:05.912+0200 I COMMAND  [conn53] dropDatabase local - finished
2020-09-18T17:53:06.027+0200 I STORAGE  [conn53] createCollection: READ_ME_TO_RECOVER_YOUR_DATA.README with generated UUID: 49ee438e-fc1b-4ab9-926e-760844110871
2020-09-18T17:53:06.148+0200 I NETWORK  [conn52] end connection [134.122.38.54:32922](http://134.122.38.54:32922/) (3 connections now open)
2020-09-18T17:53:06.148+0200 I NETWORK  [conn53] end connection [134.122.38.54:32924](http://134.122.38.54:32924/) (2 connections now open)

2020-09-22T07:22:40.520+0200 I NETWORK  [conn121] received client metadata from [199.58.80.194:48952](http://199.58.80.194:48952/) conn121: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "4.4.1" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "20.04" } }
2020-09-22T07:22:42.876+0200 I COMMAND  [conn121] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - starting
2020-09-22T07:22:42.876+0200 I COMMAND  [conn121] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - dropping 0 collections
2020-09-22T07:22:42.890+0200 I COMMAND  [conn121] dropDatabase READ_ME_TO_RECOVER_YOUR_DATA - finished
2020-09-22T07:22:43.423+0200 I COMMAND  [conn121] dropDatabase config - starting
2020-09-22T07:22:43.423+0200 I COMMAND  [conn121] dropDatabase config - dropping 0 collections
2020-09-22T07:22:43.426+0200 I COMMAND  [conn121] dropDatabase config - finished
2020-09-22T07:22:43.764+0200 I COMMAND  [conn121] dropDatabase local - starting
2020-09-22T07:22:43.765+0200 I COMMAND  [conn121] dropDatabase local - dropping 0 collections
2020-09-22T07:22:43.766+0200 I COMMAND  [conn121] dropDatabase local - finished
2020-09-22T07:22:44.347+0200 I NETWORK  [conn121] end connection [199.58.80.194:48952](http://199.58.80.194:48952/) (2 connections now open)

What can I do to fix this?

Best regards

Is this open on the internet with no authentication enabled? Because this looks suspiciously like a ransom thing to do.

3 Likes

Hi @Rene_Schneider,

As @chris correctly noted, the issue is someone connecting to an unsecured deployment (there are no authentication messages in the logs), dropping the databases, and then creating a collection with a ransom note. This cycle happens several times in the log excerpt, so there are likely multiple bad actors who have discovered your unsecured deployment.

For a similar recent discussion and advice, please see Database deleted auto - #7 by Stennie.

Regards,
Stennie