Unauthenticated MongoDB leads to compromise of the database server


Hi,
Welcome to my blog!

Today I write about how to find unauthenticated MongoDB servers on the Internet and compromise them.
First, MongoDB servers listen on port 27017 by default. You know what I mean? Yeah, we can use Shodan to find them instead of crawling the Internet from scratch. Let's search: product:MongoDB on Shodan.

So many MongoDB servers are exposed to the Internet. In the query above, I use the filter "product"; if you are unfamiliar with Shodan filters, you can learn about them here.
In the Shodan search results, you can see some MongoDB servers like this:

These are unauthenticated MongoDB servers, meaning you can connect and run MongoDB commands on them without a username and password. In fact, MongoDB ships with authentication disabled by default, and the admin forgot to enable it after installing.

So, how do we search for only unauthenticated MongoDB servers on Shodan? Add the word metrics to the query like this: product:MongoDB metrics and boom! The "metrics" section comes from the serverStatus output in the banner, which Shodan could only collect because the server answered without credentials, so matching on it filters down to servers that accept anonymous queries.

Now you can connect to them with the MongoDB shell, which you can download as a standalone instead of installing the whole MongoDB package. We can list the database names with the command: show dbs. More dangerous, not only can we read data, but we can also insert, modify or remove all the data on the MongoDB server.
For a tutorial on MongoDB commands, go here.

I suggest that you contact the MongoDB servers' owners for a fix instead of hacking them. I see many government and digital currency exchange websites still leaving their MongoDB databases publicly exposed and unauthenticated. Maybe you can get some bounty by reporting the vulnerability to them.

In real life, a hacking group named Unistellar is actively attacking unauthenticated MongoDB servers. They encrypt all databases and leave behind a database named "hacked_by_unistellar" containing messages telling the owners to contact them to rescue the data. They usually use the email: unistellar@yandex.com.

If you are an admin and want to fix this vulnerability, apply the MongoDB security checklist, at a minimum enabling authentication on your MongoDB server and binding it only to the interfaces that need it.
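The fix the checklist asks for, as an added example rather than the post's own material: a default-style mongod.conf beside a hardened one. The private address 10.0.0.5 and the user name siteAdmin are constructed placeholders.

```yaml
# mongod.conf as commonly found: nothing stops an anonymous client that can
# reach port 27017 from running "show dbs", reading or dropping data.
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface, including the public one
# no "security" section: authorization is disabled

---
# mongod.conf hardened per the MongoDB security checklist
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app network only (10.0.0.5 is a placeholder)
security:
  authorization: enabled       # every operation needs an authenticated user with a role
# After restarting mongod, create the first administrator from localhost; the
# localhost exception allows exactly this one user creation before any user exists.
# In mongosh:
#   use admin
#   db.createUser({ user: "siteAdmin", pwd: passwordPrompt(),
#                   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
# Then give application accounts least-privilege roles such as readWrite on their
# own database, and verify from an external host that an unauthenticated
# "show dbs" is now rejected and the banner no longer exposes serverStatus.
```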

If you found it valuable, please share it with other people.
If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!
