Comments
so sad, so many startups leaked.
30,000 "system administrators" don't notice that their DB app is listening on 0.0.0.0 without any authentication...
Google didn't tell me to change it...
Can we assume the exploit was caused by the open source model?
@joepie91
"gg" to both the "system administrators" and the "hackers."
Did they have to purposely disable authentication though? With MySQL, even when I'm logged in locally I still need to authenticate.
Or do NoSQL DBs work differently?
Authentication is optional, but it is an available feature. Guess they forgot to enable it.
It's not enabled by default? Wow
They should have used SIMP
/sarcasm
Yeah that's pretty bad. This is why you use 127.0.0.1 for any service listening on a port that doesn't require public access. If it does require that, authentication should be your first thought.
A big corp I'm aware of, where a friend of mine works, seems to be compromised.
The issue of MongoDB listening on all IP addresses (by default) was raised back in 2011 and only fixed in April 2014. If that's not a good enough reason to not use MongoDB, take a look at this article I came across a couple days ago.
Nothing to do with open source.
Not until fairly recently, no.
Hi
MySQL wins the day!
@vladka24 Wait, before they change their config to listen outside.
Any host offering 600TB storage servers for $10 a year?
This is LowEndTalk... $7 max.
30,000 "sys administrators" running without firewalls.
A production DB should be in a private network only.
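Added example for the two mistakes the thread keeps coming back to (a DB bound to 0.0.0.0 with authentication left off, and a DB that should only be reachable from a private network). This is not code from the thread or from MongoDB: it is a small POSIX shell audit that checks a mongod.conf (YAML format, MongoDB 2.6+) for a wildcard bindIp and for missing authorization, and scans `ss -ltn` output for listeners on a wildcard address. The config texts, the `ss` listing and the 10.0.0.5 address are constructed here for illustration.

```shell
#!/bin/sh
# Added example; not code from the thread or from MongoDB. Audits a mongod.conf
# and an `ss -ltn` listing for: binding every interface, and running without
# authorization. All inputs below are constructed so the script runs offline.

# Constructed "before" config: listens on all interfaces, no security section,
# which leaves authorization off (the default).
EXPOSED_CONF='net:
  port: 27017
  bindIp: 0.0.0.0'

# Constructed "after" config: loopback only, authorization on. If the app tier
# runs on another host, bind the private interface address instead (assumed
# here to be 10.0.0.5) and restrict TCP/27017 to that tier in the firewall.
HARDENED_CONF='net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled'

# Constructed `ss -ltn` output: an exposed mongod next to a correctly bound MySQL.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128    0.0.0.0:27017        0.0.0.0:*
LISTEN 0      128    [::]:22              [::]:*'

# audit_mongod_conf CONF_TEXT
# Prints one line per finding; returns the number of findings (0 = clean).
audit_mongod_conf() {
    conf="$1"
    findings=0
    # A missing bindIp is a finding too: before MongoDB 3.6 the built-in
    # default was all interfaces, so only an explicit address is trustworthy.
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*bindIp:'; then
        echo "FAIL: net.bindIp not set (default before 3.6 is all interfaces)"
        findings=$((findings + 1))
    elif printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*bindIp:.*[[:space:],](0\.0\.0\.0|::)([[:space:],]|$)'; then
        echo "FAIL: net.bindIp includes a wildcard address"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true'; then
        echo "FAIL: net.bindIpAll is true"
        findings=$((findings + 1))
    fi
    # Authorization is off unless security.authorization is explicitly enabled.
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*authorization:[[:space:]]*enabled'; then
        echo "FAIL: security.authorization not enabled (auth is off by default)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# exposed_listeners SS_OUTPUT PORT
# Prints each LISTEN socket on PORT bound to a wildcard address (0.0.0.0, *
# or [::]); returns 0 if any were found, 1 otherwise.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (p == port && (addr == "0.0.0.0" || addr == "*" || addr == "[::]")) {
                print $4; found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

echo "== exposed config =="
audit_mongod_conf "$EXPOSED_CONF" || echo "$? finding(s)"
echo "== hardened config =="
audit_mongod_conf "$HARDENED_CONF" && echo "clean"
echo "== listeners on 27017 =="
exposed_listeners "$SS_SAMPLE" 27017 || echo "none on a wildcard address"
```

On a real host run `audit_mongod_conf "$(cat /etc/mongod.conf)"` and `exposed_listeners "$(ss -ltn)" 27017`; a clean config with a wildcard listener means the running process is not using that file. The config check is deliberately strict about a missing bindIp, since an absent setting only means "loopback" on versions that changed the default, and a firewall or private network is still the second layer even when the bind address is right.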
That was exactly what I was thinking as well
"sys administrators"
Especially with that remote admin exploit where everyone could log in without knowing the password (regardless of the password's complexity) with a simple brute force of around 65k retries some time ago.