Self hosted MongoDB breached and encrypted

I had just launched a new mongodb docker 7.0 on my machine, restored a database, still had no authentication and went to take a nap feeling quite safe since the Debian 11 host has UFW allowing only WWW and SSH (on a non standard port) and therefore 27017 is firewalled.

Waking up had a shock

database has been encrypted and left with only one clear document asking for a bitcoin ransom.

hacker was unlucky I guess. stopped the container, erased the bound data directory, spun up a new container, immediately defined an admin and enabled auth.

Can anyone come up with ideas on how could the bastard have achieved this?


If I recall correctly UFW won’t protect containers. I haven’t looked into this in some time but this article is relatively recent.

1 Like

Thanks Chris. Will definitely look into this.

Have been running for months my self hosted MongoDB without problems but just recently switched to a containerized version, so you might have a good clue.

I reinstalled AND activate user auth immedately an so far things look ok.

1 Like

FWIW I also activated my provider’s (Hetzner) firewall firewall allowing only WWW and SSH, so if the problem was a Docker/UFW interaction I should be safer.

1 Like