1. I quickly checked the logs and pinpointed the time: about 5 minutes before I looked:
Thu Jun 29 09:49:02.011 [conn726061649] insert mclog.click_20170629 ninserted:1 keyUpdates:0 locks(micros) w:78 119ms
Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting
Thu Jun 29 09:49:14.806 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished
Thu Jun 29 09:49:14.952 [conn726065856] command system.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:1374138 reslen:57 1374ms
Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting
Thu Jun 29 09:49:22.804 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:44.677 [conn726065856] dropDatabase mclog finished
Thu Jun 29 09:49:44.677 [conn726065856] command mclog.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:22668251 reslen:56 22668ms
Thu Jun 29 09:49:44.678 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.ns, filling with zeroes...
Thu Jun 29 09:49:44.708 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.ns, size: 16MB, took 0.029 secs
Thu Jun 29 09:49:44.708 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.0, filling with zeroes...
Thu Jun 29 09:49:44.710 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.0, size: 64MB, took 0.001 secs
2. The Bitcoin ransom note itself was sitting in a mongo collection:
$ mongo
MongoDB shell version: 2.4.9
connecting to: test
> show dbs
WRITE_ME        0.203125GB
mclog   1.953125GB
> use WRITE_ME
switched to db WRITE_ME
> show collections
WRITE_ME
system.indexes
> db.WRITE_ME.findOne()
{
"_id" : ObjectId("59545cc0e3fc71362d60f182"),
"email" : "request@tfwno.gf",
"btc_wallet" : "1FApP5DgbN2JoyRnmJgEwGxkbvCEu2rFQB",
"note" : "Your DB is in safety and backed up (check logs). To restore send 0.1 BTC and email with your server ip or domain name. Each 24 hours we erase all data."
}
> exit
3. Log context:
Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting
Thu Jun 29 09:49:14.806 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished
Thu Jun 29 09:49:14.952 [conn726065856] command system.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:1374138 reslen:57 1374ms
Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting
Thu Jun 29 09:49:22.804 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:44.677 [conn726065856] dropDatabase mclog finished
Thu Jun 29 09:49:44.677 [conn726065856] command mclog.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:22668251 reslen:56 22668ms
Thu Jun 29 09:49:44.678 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.ns, filling with zeroes...
Thu Jun 29 09:49:44.708 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.ns, size: 16MB, took 0.029 secs
Thu Jun 29 09:49:44.708 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.0, filling with zeroes...
Thu Jun 29 09:49:44.710 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.0, size: 64MB, took 0.001 secs
Thu Jun 29 09:49:44.710 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.1, filling with zeroes...
Thu Jun 29 09:49:44.712 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.1, size: 128MB, took 0.002 secs
Thu Jun 29 09:49:44.712 [conn726075088] build index mclog.click_20170629 { _id: 1 }
Thu Jun 29 09:49:44.728 [conn726075088] build index done. scanned 0 total records. 0.015 secs
Thu Jun 29 09:49:46.971 [conn726065856] dropDatabase local starting
Thu Jun 29 09:49:47.015 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:47.018 [conn726065856] dropDatabase local finished
Thu Jun 29 09:49:48.990 [conn726087507] build index mclog.conversion_20170629 { _id: 1 }
Thu Jun 29 09:49:48.991 [conn726087507] build index done. scanned 0 total records. 0 secs
Thu Jun 29 09:49:49.024 [conn726087635] build index mclog.clicktoconversion_20170628 { _id: 1 }
Thu Jun 29 09:49:49.024 [conn726087635] build index done. scanned 0 total records. 0 secs
Thu Jun 29 09:49:49.286 [conn726065856] dropDatabase cool_db starting
Thu Jun 29 09:49:49.325 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:49.327 [conn726065856] dropDatabase cool_db finished
Thu Jun 29 09:49:51.924 [conn726065856] dropDatabase test starting
Thu Jun 29 09:49:51.969 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:51.971 [conn726065856] dropDatabase test finished
4. I contacted Alibaba Cloud. Their console showed malicious scanning reported at around seven or eight that morning, but with no details. Because this was a self-hosted mongo server they offered no guidance beyond a few links on handling this threat. I had hoped their technical staff would help me trace the intrusion and find where the backdoor was; nothing came of it.
5. In the end I decided to restore the snapshot; the latest one was from 9 a.m. That meant I first had to mongodump the data generated since then, so I started exporting it to another disk:
mongodump -h 127.0.0.1 --port 27017 -d mclog -o /home/mongodump/mclog
Then restore the snapshot.
6. Finally, re-import the new data with mongorestore -d mclog /home/mongodump/mclog/mclog.
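Pulling steps 1, 3 and 5 together: the log lines above already contain everything needed to identify the attacking connection and to size the recovery gap. The script below is an added example, not code from the original post. It parses the mongod 2.4 text log format, pairs each "dropDatabase <db> starting/finished" with the connection that issued it, flags a connection that wipes several databases in a short window (conn726065856 here), and measures the gap between the last snapshot and the drop, which is exactly the data that is in neither the snapshot nor a post-drop mongodump. Assumed, because the page does not state them: the year 2017 (2.4 log lines carry no year; taken from the collection names), the snapshot time of exactly 09:00:00, and the sample log, which is constructed from the lines quoted above and trimmed to the events the script looks at.

```python
"""Triage a mongod 2.4 text log after a dropDatabase ransomware wipe.

Added example; assumptions: LOG_YEAR (the 2.4 log format carries no year)
and the snapshot timestamp passed by the caller.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2017  # assumption: taken from the click_20170629 collection names

# Constructed sample built from the lines quoted above (trimmed).
SAMPLE_LOG = """\
Thu Jun 29 09:49:02.011 [conn726061649] insert mclog.click_20170629 ninserted:1 keyUpdates:0 locks(micros) w:78 119ms
Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting
Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished
Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting
Thu Jun 29 09:49:44.677 [conn726065856] dropDatabase mclog finished
Thu Jun 29 09:49:44.678 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.ns, filling with zeroes...
Thu Jun 29 09:49:44.712 [conn726075088] build index mclog.click_20170629 { _id: 1 }
Thu Jun 29 09:49:46.971 [conn726065856] dropDatabase local starting
Thu Jun 29 09:49:47.018 [conn726065856] dropDatabase local finished
Thu Jun 29 09:49:48.990 [conn726087507] build index mclog.conversion_20170629 { _id: 1 }
Thu Jun 29 09:49:49.286 [conn726065856] dropDatabase cool_db starting
Thu Jun 29 09:49:49.327 [conn726065856] dropDatabase cool_db finished
Thu Jun 29 09:49:51.924 [conn726065856] dropDatabase test starting
Thu Jun 29 09:49:51.971 [conn726065856] dropDatabase test finished
"""

# "Thu Jun 29 09:49:02.011 [conn726061649] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$"
)
DROP_RE = re.compile(r"^dropDatabase (?P<db>\S+) (?P<phase>starting|finished)$")
# 2.4 only logs a write when it exceeds slowms (100 ms by default), so the
# writes we can see are a lower bound on activity, not a complete record.
WRITE_RE = re.compile(r"^(?:insert|update|remove|build index) (?P<ns>[\w.$-]+)")


def parse_log(text):
    """Return [{ts, ctx, msg}] for every line in the 2.4 log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %a %b %d %H:%M:%S.%f")
        events.append({"ts": ts, "ctx": m["ctx"], "msg": m["msg"]})
    return events


def find_drops(events):
    """Pair 'starting'/'finished' lines per (connection, database)."""
    pending, drops = {}, []
    for ev in events:
        m = DROP_RE.match(ev["msg"])
        if not m:
            continue
        key = (ev["ctx"], m["db"])
        if m["phase"] == "starting":
            pending[key] = ev["ts"]
        else:  # 'finished': close the pair; start is None if the line was lost
            drops.append({"conn": ev["ctx"], "db": m["db"],
                          "start": pending.pop(key, None), "end": ev["ts"]})
    return drops


def suspicious_connections(drops, min_dbs=2, window=timedelta(minutes=5)):
    """Connections that dropped at least min_dbs databases inside one window."""
    by_conn = defaultdict(list)
    for d in drops:
        by_conn[d["conn"]].append(d)
    flagged = {}
    for conn, ds in by_conn.items():
        ds.sort(key=lambda d: d["end"])
        for i, first in enumerate(ds):
            burst = [d for d in ds[i:] if d["end"] - first["end"] <= window]
            if len(burst) >= min_dbs:
                flagged[conn] = [d["db"] for d in ds]
                break
    return flagged


def _write_db(msg):
    m = WRITE_RE.match(msg)
    return m["ns"].split(".", 1)[0] if m else None


def recovery_window(events, drops, db, snapshot_iso):
    """Bound the writes that are in neither the snapshot nor a post-drop dump."""
    db_drops = [d for d in drops if d["db"] == db]
    if not db_drops:
        return None
    snapshot_ts = datetime.fromisoformat(snapshot_iso)
    first = min(db_drops, key=lambda d: d["end"])
    drop_start = first["start"] or first["end"]
    writes = [ev["ts"] for ev in events if _write_db(ev["msg"]) == db]
    return {
        "db": db,
        "drop_started": drop_start,
        "lost_window_seconds": (drop_start - snapshot_ts).total_seconds(),
        "last_write_before_drop": max((t for t in writes if t < drop_start), default=None),
        "first_write_after_drop": min((t for t in writes if t > first["end"]), default=None),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ds = find_drops(evs)
    for conn, dbs in suspicious_connections(ds).items():
        print(f"{conn} dropped {len(dbs)} databases: {', '.join(dbs)}")
    # assumption from the write-up: the last good snapshot was taken at 09:00
    win = recovery_window(evs, ds, "mclog", "2017-06-29 09:00:00")
    print(f"mclog: {win['lost_window_seconds']:.0f}s of writes between snapshot and "
          f"drop are gone; data to mongodump starts at {win['first_write_after_drop']}")
```

Everything the attacker did came over a single connection, conn726065856, and mongod logged it in the clear, so a grep for dropDatabase per connection is enough to spot this kind of wipe. The recovery window is the caveat for step 5: restoring the 09:00 snapshot and then importing the post-drop dump still leaves the writes between 09:00 and 09:49:22 missing, and because 2.4 only logs slow writes, the 09:49:02 insert is only a lower bound on how much was written in that gap.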