I had just launched a new MongoDB 7.0 Docker container on my machine, restored a database, still had no authentication, and went to take a nap feeling quite safe, since the Debian 11 host has UFW allowing only WWW and SSH (on a non-standard port) and therefore 27017 is firewalled.
Waking up, I had a shock: the database had been encrypted and left with only one clear document asking for a bitcoin ransom.
The hacker was unlucky, I guess. I stopped the container, erased the bound data directory, spun up a new container, and immediately defined an admin and enabled auth.
Can anyone come up with ideas on how the bastard could have achieved this?
Thanks
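As an added example that is not part of the original post, here is the check the poster's assumption calls for. A port published with `docker run -p 27017:27017 ...` is bound on 0.0.0.0 and reached through Docker's own iptables rules (a nat DNAT plus ACCEPT rules in the DOCKER chain of the FORWARD path), while UFW's rules live in the INPUT chain, which forwarded traffic never traverses, so a UFW policy that allows only WWW and SSH says nothing about whether 27017 is reachable from outside. The script classifies `docker ps` port mappings and lists the ports Docker has opened in its DOCKER chain. The sample inputs are constructed, the live checks run only when `docker` and `iptables` are present, and it assumes Docker's default iptables integration and the default output formats of `docker ps --format '{{.Ports}}'` and `iptables -S DOCKER`.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks why a port
# published by Docker is reachable even though UFW only allows WWW and SSH:
# Docker binds 0.0.0.0 and installs FORWARD-path iptables rules of its own,
# and UFW's INPUT-chain rules never see forwarded traffic.
# Assumptions: Docker's default iptables integration and the default
# `docker ps --format '{{.Ports}}'` / `iptables -S DOCKER` output formats.

# Classify one `docker ps` Ports string.
#   EXPOSED  some host-side binding is 0.0.0.0, [::] or a non-loopback address
#   LOCAL    every host-side binding is loopback (127.x.x.x or [::1])
#   NONE     nothing is published to the host at all
classify_ports() {
  ports=$1
  result=NONE
  old_ifs=$IFS
  IFS=','                 # entries look like "0.0.0.0:27017->27017/tcp, :::27017->27017/tcp"
  for entry in $ports; do
    entry=$(printf '%s' "$entry" | sed 's/^ *//')
    case "$entry" in
      *'->'*)
        host=${entry%%->*}  # host side, e.g. "0.0.0.0:27017" or "[::]:27017"
        case "$host" in
          127.*|'[::1]:'*) [ "$result" = EXPOSED ] || result=LOCAL ;;
          *)               result=EXPOSED ;;
        esac ;;
      *) ;;                 # "27017/tcp": reachable only on the container network
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "$result"
}

# From `iptables -S DOCKER` text on stdin, list the destination ports Docker
# has opened in the FORWARD path; these bypass UFW's INPUT rules entirely.
docker_forwarded_ports() {
  grep -- '-j ACCEPT' | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' \
    | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample inputs: what the two ways of publishing the port produce.
SAMPLE_PORTS_BAD='0.0.0.0:27017->27017/tcp, :::27017->27017/tcp'   # -p 27017:27017
SAMPLE_PORTS_OK='127.0.0.1:27017->27017/tcp'                        # -p 127.0.0.1:27017:27017
SAMPLE_DOCKER_RULES='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT'

printf 'sample -p 27017:27017           : %s\n' "$(classify_ports "$SAMPLE_PORTS_BAD")"
printf 'sample -p 127.0.0.1:27017:27017 : %s\n' "$(classify_ports "$SAMPLE_PORTS_OK")"
printf 'sample DOCKER chain opens ports : %s\n' \
  "$(printf '%s\n' "$SAMPLE_DOCKER_RULES" | docker_forwarded_ports)"

# Live check when run on the Docker host (iptables needs root); skipped elsewhere.
if command -v docker >/dev/null 2>&1; then
  docker ps --format '{{.Names}} {{.Ports}}' 2>/dev/null | while read -r name ports; do
    printf 'container %-20s : %s (%s)\n' "$name" "$(classify_ports "$ports")" "$ports"
  done
fi
if command -v iptables >/dev/null 2>&1; then
  printf 'live DOCKER chain opens ports   : %s\n' \
    "$(iptables -S DOCKER 2>/dev/null | docker_forwarded_ports)"
fi

# Fixes: publish on loopback only (`-p 127.0.0.1:27017:27017`), or, for a port
# that must stay published, drop outside traffic in the chain Docker reserves
# for the admin, which UFW does not manage (dport is the container-side port):
#   iptables -I DOCKER-USER -i eth0 -p tcp --dport 27017 -j DROP
# Neither replaces enabling authentication on the database itself.
```

Run it on the host as root to see both the sample and the live results; a container line reporting EXPOSED for 27017 means the port was reachable from every interface regardless of the UFW rule set.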