1. I rushed to check the logs and finally pinned down the time: it was about five minutes before I looked:
Thu Jun 29 09:49:02.011 [conn726061649] insert mclog.click_20170629 ninserted:1 keyUpdates:0 locks(micros) w:78 119ms
Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting
Thu Jun 29 09:49:14.806 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished
Thu Jun 29 09:49:14.952 [conn726065856] command system.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:1374138 reslen:57 1374ms
Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting
Thu Jun 29 09:49:22.804 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:44.677 [conn726065856] dropDatabase mclog finished
Thu Jun 29 09:49:44.677 [conn726065856] command mclog.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:22668251 reslen:56 22668ms
Thu Jun 29 09:49:44.678 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.ns, filling with zeroes...
Thu Jun 29 09:49:44.708 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.ns, size: 16MB, took 0.029 secs
Thu Jun 29 09:49:44.708 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.0, filling with zeroes...
Thu Jun 29 09:49:44.710 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.0, size: 64MB, took 0.001 secs
2. The Bitcoin ransom note itself was sitting in a Mongo collection:
$ mongo
MongoDB shell version: 2.4.9
connecting to: test
> show dbs
WRITE_ME 0.203125GB
mclog 1.953125GB
> use WRITE_ME
switched to db WRITE_ME
> show collections
WRITE_ME
system.indexes
> db.WRITE_ME.findOne()
{
"_id" : ObjectId("59545cc0e3fc71362d60f182"),
"email" : "request@tfwno.gf",
"btc_wallet" : "1FApP5DgbN2JoyRnmJgEwGxkbvCEu2rFQB",
"note" : "Your DB is in safety and backed up (check logs). To restore send 0.1 BTC and email with your server ip or domain name. Each 24 hours we erase all data."
}
> exit
3. Log context:
Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting
Thu Jun 29 09:49:14.806 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished
Thu Jun 29 09:49:14.952 [conn726065856] command system.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:1374138 reslen:57 1374ms
Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting
Thu Jun 29 09:49:22.804 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:44.677 [conn726065856] dropDatabase mclog finished
Thu Jun 29 09:49:44.677 [conn726065856] command mclog.$cmd command: { dropDatabase: 1.0 } ntoreturn:1 keyUpdates:0 locks(micros) W:22668251 reslen:56 22668ms
Thu Jun 29 09:49:44.678 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.ns, filling with zeroes...
Thu Jun 29 09:49:44.708 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.ns, size: 16MB, took 0.029 secs
Thu Jun 29 09:49:44.708 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.0, filling with zeroes...
Thu Jun 29 09:49:44.710 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.0, size: 64MB, took 0.001 secs
Thu Jun 29 09:49:44.710 [FileAllocator] allocating new datafile /sda/var/lib/mongodb/mclog.1, filling with zeroes...
Thu Jun 29 09:49:44.712 [FileAllocator] done allocating datafile /sda/var/lib/mongodb/mclog.1, size: 128MB, took 0.002 secs
Thu Jun 29 09:49:44.712 [conn726075088] build index mclog.click_20170629 { _id: 1 }
Thu Jun 29 09:49:44.728 [conn726075088] build index done. scanned 0 total records. 0.015 secs
Thu Jun 29 09:49:46.971 [conn726065856] dropDatabase local starting
Thu Jun 29 09:49:47.015 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:47.018 [conn726065856] dropDatabase local finished
Thu Jun 29 09:49:48.990 [conn726087507] build index mclog.conversion_20170629 { _id: 1 }
Thu Jun 29 09:49:48.991 [conn726087507] build index done. scanned 0 total records. 0 secs
Thu Jun 29 09:49:49.024 [conn726087635] build index mclog.clicktoconversion_20170628 { _id: 1 }
Thu Jun 29 09:49:49.024 [conn726087635] build index done. scanned 0 total records. 0 secs
Thu Jun 29 09:49:49.286 [conn726065856] dropDatabase cool_db starting
Thu Jun 29 09:49:49.325 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:49.327 [conn726065856] dropDatabase cool_db finished
Thu Jun 29 09:49:51.924 [conn726065856] dropDatabase test starting
Thu Jun 29 09:49:51.969 [conn726065856] removeJournalFiles
Thu Jun 29 09:49:51.971 [conn726065856] dropDatabase test finished
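As an added example (not from the original post), a small Python detector that parses mongod 2.4 log lines like the ones above and alerts when a single connection starts dropDatabase on several databases within a short window, which is the pattern conn726065856 left in this log. The sample lines are constructed from this excerpt and the year 2017 is assumed because the 2.4 log format does not record it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the mongod 2.4 log format shown above (same timestamps
# and connection ids as the incident excerpt; only the relevant lines are kept).
SAMPLE_LOG = """\
Thu Jun 29 09:49:02.011 [conn726061649] insert mclog.click_20170629 ninserted:1 keyUpdates:0 locks(micros) w:78 119ms
Thu Jun 29 09:49:13.578 [conn726065856] dropDatabase system starting
Thu Jun 29 09:49:14.952 [conn726065856] dropDatabase system finished
Thu Jun 29 09:49:22.009 [conn726065856] dropDatabase mclog starting
Thu Jun 29 09:49:46.971 [conn726065856] dropDatabase local starting
Thu Jun 29 09:49:49.286 [conn726065856] dropDatabase cool_db starting
Thu Jun 29 09:49:51.924 [conn726065856] dropDatabase test starting
"""

# "<weekday> <month> <day> <hh:mm:ss.mmm> [<context>] <message>"; 2.4 logs omit the year.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}) \[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
DROP_RE = re.compile(r"^dropDatabase (?P<db>\S+) starting$")

def parse_ts(ts, year):
    """Attach the year the log was written in (assumed by the caller)."""
    return datetime.strptime(f"{year} {ts}", "%Y %a %b %d %H:%M:%S.%f")

def find_mass_drops(log_text, year=2017, min_dbs=2, window_s=120):
    """Return [(connection, [db, ...])] for each connection that started dropDatabase on >= min_dbs databases within window_s seconds."""
    drops = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        d = DROP_RE.match(m["msg"]) if m else None
        if d:
            drops[m["ctx"]].append((parse_ts(m["ts"], year), d["db"]))
    alerts = []
    for conn, events in drops.items():
        events.sort()
        best, start = [], 0
        for end, (t, _) in enumerate(events):
            # slide the window start forward until the span fits in window_s
            while (t - events[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > len(best):
                best = [db for _, db in events[start:end + 1]]
        if len(best) >= min_dbs:
            alerts.append((conn, best))
    return alerts

if __name__ == "__main__":
    for conn, dbs in find_mass_drops(SAMPLE_LOG):
        print(f"ALERT {conn} dropped {len(dbs)} databases: {', '.join(dbs)}")
```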
4. I contacted Alibaba Cloud. They could see that malicious scanning had been reported around seven or eight in the morning, but had no detailed information. Since this was a self-hosted Mongo server, they would not give any guidance and just sent a few links on handling the threat. I had hoped their technical support could help look for traces of the intrusion, that is, where the backdoor was. That came to nothing.
5. In the end I decided to restore a snapshot myself; the latest snapshot was from 9 a.m. That meant I first needed to mongodump the newly generated data, so I started exporting it to another disk:
mongodump -h 127.0.0.1 --port 27017 -d mclog -o /home/mongodump/mclog
Then I restored the snapshot.
6. Finally, I ran mongorestore -d mclog /home/mongodump/mclog/mclog to re-import the new data.