Hi Vivek, We've received your report. I'm going to open a thread on our private security@ mailing list and include you to continue discussing the details further.
For everyone else following dev@, we are investigating, and will report back here as we progress.

B.

> On 19 Jan 2017, at 21:22, Vivek Pathak <[email protected]> wrote:
>
> Hi
>
> I am building a site http://jobfairinsider.com/ which internally uses couchdb
> 1.6.1 for data hosting and management. I have backups etc. - So the purpose
> of this post is more to share details about the intrusion and to get
> everyone's feedback on how to investigate it and avoid it in the future.
>
> My setup has an admin user in couchdb whose password I don't think was
> compromised (as confirmed by log grep on _session). I had port 5984 open for
> some time while developing and improving the site and its content.
>
> The intrusion deleted all the databases and created a pleaseread database
> with a ransom note. The contents are available here:
> http://jobfairinsider.com:5984/_utils/document.html?pleaseread/5dc534179e5689037c222ed3fb36bf1b
>
> The logs from couchdb are given at bottom. I do not see _session to login
> but the databases could all be deleted. I was expecting this behavior:
>
> [Thu, 19 Jan 2017 20:35:42 GMT] [info] [<0.4041.0>] 127.0.0.1 - - DELETE /testdb 401
>
> But what we got is given below.
>
> Thoughts?
>
> Thanks
>
> Vivek
>
> [Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.31649.25>] 37.48.125.116 - - DELETE /jfidb 200
> [Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.674.0>] Closing index for db: jfidb idx: _design/wax sig: "872546a6edf5e779549881653de29e3f" reason: normal
> [Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.8281.0>] Index shutdown by monitor notice for db: jfiurls idx: _design/content
> [Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.23.26>] 37.48.125.116 - - DELETE /jfiurls 200
> [Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.8281.0>] Closing index for db: jfiurls idx: _design/content sig: "440593a33a61f567c164d0ae5e4b95e2" reason: normal
> [Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.32659.25>] 37.48.125.116 - - PUT /pleaseread 201
> [Wed, 18 Jan 2017 10:23:46 GMT] [info] [<0.642.26>] 37.48.125.116 - - POST /pleaseread 201
>
> Copy of the ransom doc:
>
> {
>   "_id": "5dc534179e5689037c222ed3fb36bf1b",
>   "_rev": "1-5abb0255ebabae409655d39b8f61a0fb",
>   "PLEASE_READ": "SEND 0.1 BTC TO THIS WALLET: 1LM1e9zB1ZG6fGsYjeCMxSuBGcbAo5bF85 IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS [email protected] HOW TO BUY BITCOIN: https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)"
> }
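As an added example (not code from this thread or the CouchDB project), the following Python checker parses the CouchDB 1.x request-log format quoted above and reports successful database-level DELETE and PUT requests from non-loopback addresses, which is the pattern visible in Vivek's log. The sample log is constructed from the request lines in the thread plus one benign read from an assumed LAN host.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# CouchDB 1.x request line, as quoted in the thread:
# [Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.31649.25>] 37.48.125.116 - - DELETE /jfidb 200
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[<[\d.]+>\] "
    r"(?P<ip>\S+) - - (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample: the thread's request lines plus one benign read from a LAN host.
SAMPLE_LOG = """\
[Thu, 19 Jan 2017 20:35:42 GMT] [info] [<0.4041.0>] 127.0.0.1 - - DELETE /testdb 401
[Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.31649.25>] 37.48.125.116 - - DELETE /jfidb 200
[Wed, 18 Jan 2017 10:23:44 GMT] [info] [<0.674.0>] Closing index for db: jfidb idx: _design/wax sig: "872546a6edf5e779549881653de29e3f" reason: normal
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.23.26>] 37.48.125.116 - - DELETE /jfiurls 200
[Wed, 18 Jan 2017 10:23:45 GMT] [info] [<0.32659.25>] 37.48.125.116 - - PUT /pleaseread 201
[Wed, 18 Jan 2017 10:23:46 GMT] [info] [<0.642.26>] 37.48.125.116 - - POST /pleaseread 201
[Wed, 18 Jan 2017 10:30:00 GMT] [info] [<0.700.26>] 10.0.0.5 - - GET /jfidb/_all_docs 200
"""

def parse_request(line):
    """Parse one request line; return None for non-request lines (index shutdowns etc.)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_db_level(path):
    """True when the path names a database itself (/dbname), not a document or _-endpoint."""
    parts = path.strip("/").split("/")
    return len(parts) == 1 and bool(parts[0]) and not parts[0].startswith("_")

def find_remote_db_changes(log_text):
    """Collect successful (2xx) database-level DELETE/PUT requests from non-loopback sources.
    Returns {source_ip: [(timestamp, method, path), ...]} in order of first appearance."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_request(line)
        if not req or req["method"] not in ("DELETE", "PUT"):
            continue
        if not 200 <= int(req["status"]) < 300 or not is_db_level(req["path"]):
            continue
        try:
            if ip_address(req["ip"]).is_loopback:
                continue  # local administration, not what this check is looking for
        except ValueError:
            pass  # not an IP literal (e.g. a proxy hostname); treat as remote
        hits[req["ip"]].append((req["ts"], req["method"], req["path"]))
    return dict(hits)
```

Run against a full `couch.log`, a non-empty result for an instance that is supposed to be admin-only is exactly the symptom described in the thread: database-level writes that returned 2xx instead of 401.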
