Databases Security

'Meow' Attack Has Now Wiped Nearly 4,000 Databases (arstechnica.com) 54

On Thursday long-time Slashdot reader PuceBaboon wrote: Ars Technica is reporting a new attack on unprotected databases which, to date, has deleted all content from over 1,000 ElasticSearch and MongoDB databases across the 'net, leaving the calling-card "meow" in its place.

Most people are likely to find this a lot less amusing than a kitty video, so if you have a database instance on a cloud machine, now would be a good time to verify that it is password protected by something other than the default, install password...

From the article: The attack first came to the attention of researcher Bob Diachenko on Tuesday, when he discovered a database that stored user details of the UFO VPN had been destroyed. UFO VPN had already been in the news that day because the world-readable database exposed a wealth of sensitive user information... Besides amounting to a serious privacy breach, the database was at odds with the Hong Kong-based UFO's promise to keep no logs. The VPN provider responded by moving the database to a different location but once again failed to secure it properly. Shortly after, the Meow attack wiped it out.
"Attacks have continued and are getting closer to 4,000," reports Bleeping Computer. "A new search on Saturday using Shodan shows that more than 3,800 databases have entry names matching a 'meow' attack. More than 97% of them are Elastic and MongoDB."
This discussion has been archived. No new comments can be posted.

  • by nospam007 ( 722110 ) * on Saturday July 25, 2020 @02:37PM (#60331113)

    The cat is out of the bag.
    Meow!

  • by olsmeister ( 1488789 ) on Saturday July 25, 2020 @02:39PM (#60331121)
    It may be doing more good than harm.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      My thoughts as well.

      If the data is gone, then it's not going to be part of another data breach!

    • by ceoyoyo ( 59147 )

      May be?

      Someone decided to do a public service on a large scale. Governments should really offer bounties for this kind of thing.

    • by kriston ( 7886 ) on Saturday July 25, 2020 @07:02PM (#60331737) Homepage Journal

      Especially when you consider that, until relatively recently, Elasticsearch security (the "X Pack") was a non-free add-on.

      • If you have sensitive data in an elastic search instance, and you can't password protect it, it should _not_ have a public IP. I can't think of a situation where any kind of database should be writable and open to the world without a user / password.
    • by gweihir ( 88907 )

      It may be doing more good than harm.

      Pretty much. At least this is much better than privacy-relevant data leaking.

    • I agree, it's much better to have the database wiped than stolen

    • Came here to say this. Teach idiots a low-cost lesson, while deleting data that might be sensitive.

      Good kitty...

    • Pussy Galore was a character in a James Bond movie. It also describes pathetic snowflakes doing their own IT well beyond capability levels, I would like to know why that VPN was not busted under consumer law. I guess any storage in the middle kingdom is just unsafe.
    • by DThorne ( 21879 )
      I get your point, but do you think the future holds a secure internet where everybody follows best practices? Perhaps it's just cynicism but I don't think that will ever happen, there's simply too much corporate pressure for profits over revenue-free costs like maintaining security.
  • by Gravis Zero ( 934156 ) on Saturday July 25, 2020 @02:41PM (#60331123)

    Meow

  • by petes_PoV ( 912422 ) on Saturday July 25, 2020 @02:48PM (#60331143)

    UFO VPN ... the world-readable database exposed a wealth of sensitive user information. ... UFO's promise to keep no logs ...Shortly after, the Meow attack wiped it out.

    Thus fixing the problem!

  • by spcebar ( 2786203 ) on Saturday July 25, 2020 @02:48PM (#60331145)
    Looks like these cats are dropping tables.
  • need to be knee-capped.
    • The vigilante vandals, or the incompetent administrators?

      • Getting incompetent admins on board with security standards is like herding cats.
        • it's always those admins' fault and never management either right?

          • I'm hard pressed to think of a way management could possibly be responsible for leaving a database unsecured on the internet with default password, unless they themselves created it which seems unlikely.

            I'd agree they are indirectly responsible due to shoddy hiring practices though.

      • Or the ones wanting those admins to hoard all that data in the first place?

        • by PPH ( 736903 )

          Or the ones wanting those admins to hoard all that data in the first place?

          Smart admins will just turn off logging and insert one record that reads "meow". When management or law enforcement comes around asking for data, they just respond "Oh noes! It looks like we've been hacked!"

      • by Tablizer ( 95088 )

        Both

      • >> [kneecapping]
        > The vigilante vandals, or the incompetent administrators?

        False dichotomy.

    • Comment removed based on user account deletion
    • need to be knee-capped.

      Why? I'd rather the hackers delete my data that the company left in the open, than some other hackers collect it.

      • Why? I'd rather the hackers delete my data that the company left in the open, than some other hackers collect it.

        That's a good point. It might even convince the DB owner to set a real password.

        With that said, I gotta admit I'm okay with the kneecapping.

      • You're assuming they didn't slurp all the data before they overwrote it.

        • You're assuming they didn't slurp all the data before they overwrote it.

          Even if they did, I'd still rather only one group get it than everyone.

  • It would be a good idea to "verify that it is password protected by something other than the default, install password"

    That includes hardware as well as software.

    • Unless you wanted to "shred" a bunch of documents and make it look like someone else did it. Why no FBI agent, I didn't delete the database. Meow.

    • You should never have a database (or data store) on the open internet. Put it behind SSH or a VPN.

      The creators of SSH have security as their top priority, whereas the creators of databases do not.
  • expose stuff to the internet without security. Who knew.
  • "... now would be a good time to verify that it is password protected by something other than the default, install password..."

    No.

    A "good time" to verify that it is password protected by something other than the default is when you fucking install it.

    If this is the competence level they operate at then they have no business doing anything with databases.

  • by Dunbal ( 464142 ) * on Saturday July 25, 2020 @06:11PM (#60331633)
    But it's cheaper than having an IT guy and a server!
  • What exactly is an unsecured database? All I've ever used is MySQL and Oracle and creating passwords for accounts/databases (and requiring credentials for transacting with them) is nonoptional. What database engine doesn't use credentials, and why?

    • After a fashion, the database is to the system it is running on like a server (virtual or not) is to the firewall connecting it to the network.

      To be secure, your database needs a password.
      But if someone on the system can simply open and modify (database) files, then password or not, they have avoided your database system's security.

      So your system ( and/or network) needs a password too.

      And given flaws in systems, you need other security measures such as routing tables that only allow access from particular ad

    • Elasticsearch, until very recently, had no support for security at all. It is designed to be run in a private network or behind an auth proxy. Depending on where you get the source code, it will usually default to only listen on localhost, but since it's cluster software, any real use case is going to open that up.

    • I think you can force MySQL to run the root user without a password. In ye olden days, it was just an option in my.cnf, as I recall, but now you really have to go out of your way. Early on in teaching myself MySQL I was running a Windows port on Windows 98 of all things, and as I recall I was running without password. Security wasn't a big consideration, because I had dial up Internet, and I was just running the server on localhost.

    • by slazzy ( 864185 )
      MongoDB doesn't use credentials by default. Why you say? It's to ensure lots of people use their paid consulting and DB hosting service (at least, that's the only reason I can think of). I actually love MongoDB it's great to store objects directly from javascript, but this is a beyond stupid default security...
    • by Osgeld ( 1900440 )

      from what I am reading it's mostly no name garbage that's trying to sell you a service you do not need

    • All I've ever used is MySQL and Oracle and creating passwords for accounts/databases (and requiring credentials for transacting with them) is nonoptional.

      No, you are wrong about that. Some installers (the deb packages on Debian and Debian-derived distributions) force you to create a root password on installation, but others (the rpm packages on Red Hat and Red Hat-derived distributions) don't.

      Nothing in the MySQL database itself requires a root password.

  • Any database that's publicly exposed needs to be wiped ASAP. Those incompetent motherf$%e$rs don't deserve to have our data, and wiping it before the Chinese or Russian or Iranian state backed a-holes get it is a public service.

    Thank you Robin Meow!
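The check the summary asks for, applied to the two engines the thread discusses, as an added example that is not part of the original story or any comment: it audits the text of an `elasticsearch.yml` or `mongod.conf` for the combination that made these databases wipeable, a non-loopback bind address with authentication off. The function names and sample configs are constructed for illustration; a missing `xpack.security.enabled` or `security.authorization` setting is assumed to mean authentication is disabled, and block-style YAML lists are not parsed.

```python
import ipaddress

def flatten_yaml(text):
    """Flatten simple nested 'key: value' YAML into dotted keys (no block lists)."""
    out, stack = {}, []                      # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            out[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return out

def loopback_only(hosts):  # True only if every listed bind address is loopback
    for h in hosts.strip("[]").split(","):
        h = h.strip().strip("\"'")
        try:
            if h not in ("localhost", "_local_") and not ipaddress.ip_address(h).is_loopback:
                return False
        except ValueError:                   # hostname or special value: assume reachable
            return False
    return True

def audit(kind, text):
    """Return 'critical', 'warn' or 'ok' for the text of a config file."""
    cfg = flatten_yaml(text)
    if kind == "elasticsearch":
        hosts = cfg.get("network.host", "_local_")
        auth = cfg.get("xpack.security.enabled", "false").lower() == "true"
    elif kind == "mongodb":
        bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
        hosts = "0.0.0.0" if bind_all else cfg.get("net.bindIp", "127.0.0.1")
        auth = cfg.get("security.authorization", "disabled").lower() == "enabled"
    else:
        raise ValueError(f"unknown kind: {kind}")
    if auth:
        return "ok"
    return "warn" if loopback_only(hosts) else "critical"

# Constructed sample configs (not taken from any real deployment).
ES_OPEN = "cluster.name: logs\nnetwork.host: 0.0.0.0\n"
MONGO_OPEN = "net:\n  port: 27017\n  bindIp: 0.0.0.0  # all interfaces\n"
```

A `warn` result means authentication is off but the service only listens on loopback; `ok` only says authentication is configured, not that the password differs from an installer default.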
