couchdb-dev mailing list archives

From Vivek Pathak <vpat...@orgmeta.com>
Subject ransom note - couchdb exploit / privilege escalation ?
Date Thu, 19 Jan 2017 21:22:59 GMT
Hi

I am building a site http://jobfairinsider.com/ which internally uses 
couchdb 1.6.1 for data hosting and management.  I have backups etc., so 
the purpose of this post is more to share details about the intrusion 
and to get everyone's feedback on how to investigate it and avoid it in 
the future.

My setup has an admin user in couchdb whose password I don't think was 
compromised (as confirmed by log grep on _session).  I had port 5984 
open for some time while developing and improving the site and its content.

The intrusion deleted all the databases and created a pleaseread 
database with a ransom note.  The contents are available here: 
http://jobfairinsider.com:5984/_utils/document.html?pleaseread/5dc534179e5689037c222ed3fb36bf1b
The logs from couchdb are given at bottom.  I do not see _session to 
login but the databases could all be deleted.  I was expecting this 
behavior:

[Thu, 19 Jan 2017 20:35:42 GMT] [info] [<0.4041.0>] 127.0.0.1 - - DELETE 
/testdb 401

But what we got is given below.

Thoughts?

Thanks

Vivek

[Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.31649.25>] 37.48.125.116 - - 
DELETE /jfidb 200
[Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.674.0>] Closing index for db: 
jfidb idx: _design/wax sig: "872546a6edf5e779549881653de29e3f"
reason: normal
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.8281.0>] Index shutdown by 
monitor notice for db: jfiurls idx: _design/content
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.23.26>] 37.48.125.116 - - 
DELETE /jfiurls 200
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.8281.0>] Closing index for 
db: jfiurls idx: _design/content sig: "440593a33a61f567c164d0ae5e4b95e2"
reason: normal
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.32659.25>] 37.48.125.116 - - 
PUT /pleaseread 201
[Wed, 18 Jan 2017 10:23:46 GMT] [info] [<0.642.26>] 37.48.125.116 - - 
POST /pleaseread 201


Copy of the ransom doc:

        { "_id": "5dc534179e5689037c222ed3fb36bf1b", "_rev": "1-5abb0255ebabae409655d39b8f61a0fb",
          "PLEASE_READ": "SEND 0.1 BTC TO THIS WALLET: 1LM1e9zB1ZG6fGsYjeCMxSuBGcbAo5bF85 IF
          YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING
          THE BITCOINS r3l4x@sigaint.org HOW TO BUY BITCOIN:
          https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)" }
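A defender-side log check, added here as an example and not part of Vivek's post or of CouchDB itself: it parses CouchDB 1.x httpd log lines in the format quoted above, keeps only successful (2xx) DELETE/PUT requests on whole databases from non-loopback clients, and flags a client that deleted databases and then created a new one, which is the sequence the log shows. The sample log is constructed from the lines in the post; the function names are assumed.

```python
import ipaddress
import re
# CouchDB 1.x httpd request line: [timestamp] [level] [<pid>] client - - METHOD /path status
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[<[\d.]+>\] "
    r"(?P<ip>\S+) - - (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample, modelled on the lines in the post (one non-request line included).
SAMPLE_LOG = """\
[Thu, 19 Jan 2017 20:35:42 GMT] [info] [<0.4041.0>] 127.0.0.1 - - DELETE /testdb 401
[Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.31649.25>] 37.48.125.116 - - DELETE /jfidb 200
[Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.674.0>] Closing index for db: jfidb idx: _design/wax
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.23.26>] 37.48.125.116 - - DELETE /jfiurls 200
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.32659.25>] 37.48.125.116 - - PUT /pleaseread 201
"""

def is_db_path(path):
    """True for a request on a database itself (/dbname), not a document or an _endpoint."""
    parts = path.strip("/").split("/")
    return len(parts) == 1 and parts[0] != "" and not parts[0].startswith("_")

def find_db_changes(lines):
    """Successful (2xx) DELETE/PUT of whole databases from non-loopback clients."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # index shutdown notices and the like carry no request tuple
        method, status = m["method"], int(m["status"])
        # A 401 on DELETE /db is the expected outcome with auth enforced, so only 2xx counts.
        if method not in ("DELETE", "PUT") or not is_db_path(m["path"]) or not 200 <= status < 300:
            continue
        if ipaddress.ip_address(m["ip"]).is_loopback:
            continue
        hits.append({"ts": m["ts"], "ip": m["ip"], "method": method, "db": m["path"].strip("/")})
    return hits

def ransom_pattern(hits):
    """Flag a client that deleted databases and then created one: the sequence in the post."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h)
    flagged = []
    for ip, seq in by_ip.items():
        deleted = [h["db"] for h in seq if h["method"] == "DELETE"]
        created = [h["db"] for h in seq if h["method"] == "PUT"]
        if deleted and created:
            flagged.append({"ip": ip, "deleted": deleted, "created": created})
    return flagged
```

Run over a real couch.log the same way (`find_db_changes(open(path))`); an empty result for the admin-party window is the thing to confirm, not the absence of _session logins, since Basic auth never touches _session.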

