I had just launched a new mongodb docker 7.0 on my machine, restored a database, still had no authentication and went to take a nap feeling quite safe since the Debian 11 host has UFW allowing only WWW and SSH (on a non standard port) and therefore 27017 is firewalled.
database has been encrypted and left with only one clear document asking for a bitcoin ransom.
hacker was unlucky I guess. stopped the container, erased the bound data directory, spun up a new container, immediately defined an admin and enabled auth.
Can anyone come up with ideas on how could the bastard have achieved this?
Have been running for months my self hosted MongoDB without problems but just recently switched to a containerized version, so you might have a good clue.
I reinstalled AND activate user auth immedately an so far things look ok.
FWIW I also activated my provider’s (Hetzner) firewall firewall allowing only WWW and SSH, so if the problem was a Docker/UFW interaction I should be safer.
