by xyunknown 3448 days ago
Acquired log of such a hostage taking, contains the IP of the hostage taker, but beware it could be obscured by a botnet or similar.

Update: in a different log he used a different server for the attack, suggesting he might be using innocent servers, therefore I removed the log.

2 comments

Could someone more familiar with MongoDB please confirm that this does not show any backup of data? Maybe MongoDB does not log just looking up data?
The database was dropped within ~1 second of the connection, so either it was a very small database or he didn't have time to take a backup.
My thoughts, too. But before claiming this I at least wanted to encourage a second look. I also ensured this was the only time he connected, so there is no plausible way he is backing up the data.
There is now more evidence supporting that there are no backups, e.g. he doesn't even store information about which servers he already looted (he is erasing the same servers twice or more). Until someone has logs that prove otherwise on bigger datasets, nobody should pay this guy. Also it seems implausible seeing the vast amount of data which he would need to have backed up, closing in on several hundred terabytes, based on an estimation of last year.
The attacker could have used a script like this:

  use foobar
  db.collection.find()
  db.dropDatabase()

and then:

  cat script.js | mongo | tee backup

so there is indeed a plausible way to back up the database before dropping it. The timestamps also seem plausible for a small database.
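As an added example (not code from the thread), a small Python checker run over constructed mongod-style log lines: it ties each dropDatabase back to the connection that issued it, reports how long after connecting the drop came, and whether any read was logged on that connection first. The regexes, sample addresses and database name are assumptions; keep in mind that at default verbosity mongod logs only operations slower than slowms (100 ms by default), so a quick find on a small database may leave no line at all.

```python
import re
from datetime import datetime

# Constructed sample mongod (3.x-style) log lines; not the thread's log.
SAMPLE_LOG = """\
2017-01-06T10:00:00.100+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.5:51234 #7 (1 connection now open)
2017-01-06T10:00:00.900+0000 I COMMAND  [conn7] dropDatabase foobar starting
2017-01-06T11:30:00.000+0000 I NETWORK  [initandlisten] connection accepted from 198.51.100.9:40000 #8 (1 connection now open)
2017-01-06T11:30:00.450+0000 I COMMAND  [conn8] command foobar.users command: find { find: "users" } planSummary: COLLSCAN 320ms
2017-01-06T11:30:12.000+0000 I COMMAND  [conn8] dropDatabase foobar starting
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S (?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"connection accepted from (?P<addr>\S+) #(?P<id>\d+)")
READ_RE = re.compile(r"command: (find|getMore|aggregate)\b")
DROP_RE = re.compile(r"dropDatabase (?P<db>\S+) starting")

def parse_ts(s):
    # mongod writes ISO-8601 with a numeric UTC offset, e.g. 2017-01-06T10:00:00.100+0000
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")

def analyse(log_text):
    """Per connection id: source address, open time, reads seen so far, and each drop."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ctx, msg = parse_ts(m["ts"]), m["ctx"], m["msg"]
        a = ACCEPT_RE.search(msg)
        if a:  # "connection accepted ... #N" is later referenced as [connN]
            conns[a["id"]] = {"addr": a["addr"], "opened": ts, "reads": 0, "drops": []}
            continue
        if not ctx.startswith("conn") or ctx[4:] not in conns:
            continue
        c = conns[ctx[4:]]
        if READ_RE.search(msg):
            c["reads"] += 1
        d = DROP_RE.search(msg)
        if d:  # seconds between connect and drop, and reads logged before it
            c["drops"].append((d["db"], (ts - c["opened"]).total_seconds(), c["reads"]))
    return conns

def findings(conns):
    """One record per dropDatabase; zero logged reads plus a sub-second gap leaves no room for a dump."""
    return [{"conn": cid, "addr": c["addr"], "db": db,
             "seconds_after_connect": secs, "reads_logged_before_drop": reads}
            for cid, c in conns.items() for db, secs, reads in c["drops"]]
```

In the constructed sample, connection 7 drops within 0.8 s with no logged read, while connection 8 has a logged collection scan 12 s before its drop, which is the pattern a dump-then-drop would leave if the read was slow enough to be logged.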
A separate connection was used to create the random note. There could have been an earlier connection from another IP that did the data dump that didn't make it into the log.
The IP listed in that log belongs to a DigitalOcean instance.