couchdb-dev mailing list archives

From Robert Samuel Newson <rnew...@apache.org>
Subject Re: ransom note - couchdb exploit / privilege escalation ?
Date Thu, 19 Jan 2017 22:16:35 GMT
Hi Vivek,

We've received your report. I'm going to open a thread on our private security@ mailing list
and include you to continue discussing the details further.

For everyone else following dev@, we are investigating, and will report back here as we progress.

B.


> On 19 Jan 2017, at 21:22, Vivek Pathak <vpathak@orgmeta.com> wrote:
> 
> Hi
> 
> I am building a site http://jobfairinsider.com/ which internally uses couchdb 1.6.1 for
> data hosting and management.  I have backups etc. - So the purpose of this post is more to
> share details about the intrusion and to get everyone's feedback on how to investigate it
> and avoid it in the future.
> 
> My setup has an admin user in couchdb whose password I don't think was compromised (as
> confirmed by log grep on _session).  I had port 5984 open for some time while developing and
> improving the site and its content.
> 
> The intrusion deleted all the databases and created a pleaseread database with a ransom
> note.  The contents are available here: http://jobfairinsider.com:5984/_utils/document.html?pleaseread/5dc534179e5689037c222ed3fb36bf1b
> 
> The logs from couchdb are given at bottom.  I do not see _session to login but the databases
> could all be deleted.  I was expecting this behavior:
> 
> [Thu, 19 Jan 2017 20:35:42 GMT] [info] [<0.4041.0>] 127.0.0.1 - - DELETE /testdb 401
> 
> But what we got is given below.
> 
> Thoughts?
> 
> Thanks
> 
> Vivek
> 
> [Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.31649.25>] 37.48.125.116 - - DELETE /jfidb 200
> [Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.674.0>] Closing index for db: jfidb idx: _design/wax sig: "872546a6edf5e779549881653de29e3f"
> reason: normal
> [Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.8281.0>] Index shutdown by monitor notice for db: jfiurls idx: _design/content
> [Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.23.26>] 37.48.125.116 - - DELETE /jfiurls 200
> [Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.8281.0>] Closing index for db: jfiurls idx: _design/content sig: "440593a33a61f567c164d0ae5e4b95e2"
> reason: normal
> [Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.32659.25>] 37.48.125.116 - - PUT /pleaseread 201
> [Wed, 18 Jan 2017 10:23:46 GMT] [info] [<0.642.26>] 37.48.125.116 - - POST /pleaseread 201
> 
> 
> Copy of the ransom doc:
> 
> { "_id": "5dc534179e5689037c222ed3fb36bf1b", "_rev": "1-5abb0255ebabae409655d39b8f61a0fb",
> "PLEASE_READ": "SEND 0.1 BTC TO THIS WALLET: 1LM1e9zB1ZG6fGsYjeCMxSuBGcbAo5bF85 IF YOU WANT
> RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS
> r3l4x@sigaint.org HOW TO BUY BITCOIN: https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)" }
> 
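
As an added example (not from this thread or the CouchDB project), a small Python check in the spirit of Vivek's question: it parses CouchDB 1.x httpd log lines in the format quoted above and flags successful database-level DELETE/PUT requests from non-loopback addresses that never logged in through /_session earlier in the log. The sample log is constructed from the quoted lines plus two local requests; one caveat is that a request carrying HTTP Basic credentials never touches /_session, so a missing session login does not by itself prove the request was unauthenticated.

```python
import re
from ipaddress import ip_address

# CouchDB 1.x httpd access line, as in the quoted log:
# [Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.31649.25>] 37.48.125.116 - - DELETE /jfidb 200
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[<[^>]+>\] "
    r"(?P<ip>\S+) - - (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# A whole-database target: one path segment that is not a _-prefixed endpoint.
DB_PATH_RE = re.compile(r"^/[^/_][^/]*$")


def parse_line(line):
    """Fields of an httpd access line, or None for index/other log lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_db_changes(lines):
    """Successful database create/delete requests from non-loopback IPs that
    never obtained a cookie session (POST /_session -> 2xx) earlier in the log.
    Caveat: HTTP Basic auth never touches /_session, so a hit means 'check
    this', not 'proven unauthenticated'."""
    session_ips, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("2"):
            continue
        if rec["method"] == "POST" and rec["path"] == "/_session":
            session_ips.add(rec["ip"])
        elif (rec["method"] in ("DELETE", "PUT") and DB_PATH_RE.match(rec["path"])
              and not ip_address(rec["ip"]).is_loopback and rec["ip"] not in session_ips):
            alerts.append((rec["ts"], rec["ip"], rec["method"], rec["path"]))
    return alerts


# Constructed sample: the requests quoted above plus a local admin session
# login and a locally issued delete, which must not be flagged.
SAMPLE_LOG = """\
[Wed, 18 Jan 2017 09:00:01 GMT] [info] [<0.100.0>] 127.0.0.1 - - POST /_session 200
[Wed, 18 Jan 2017 09:00:02 GMT] [info] [<0.101.0>] 127.0.0.1 - - DELETE /testdb 200
[Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.31649.25>] 37.48.125.116 - - DELETE /jfidb 200
[Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.674.0>] Closing index for db: jfidb idx: _design/wax
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.23.26>] 37.48.125.116 - - DELETE /jfiurls 200
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.32659.25>] 37.48.125.116 - - PUT /pleaseread 201
[Wed, 18 Jan 2017 10:23:46 GMT] [info] [<0.642.26>] 37.48.125.116 - - POST /pleaseread 201
""".splitlines()
```

Running `find_suspicious_db_changes(SAMPLE_LOG)` returns the two deletes and the `PUT /pleaseread` from 37.48.125.116, while the loopback requests and the document-level POST are left alone.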

