Mongo Wuz Here

Vibing MongoDB into OpenCanary: Building a MongoDB Honeypot in 41 Minutes

Hot on the heels of MongoBleed—and a recent Darknet Army post highlighting just how many MongoDB deployments still expose TCP/27017 to the internet without authentication—I decided to do something about it.

Since OpenCanary does not have a module for MongoDB, I turned to my friend, Claude, and asked:

I’d like to add a viable MongoDB module to OpenCanary that at least responds like a MongoDB instance and lures the visitor into an authentication trap; I already run 3 opencanary instances so expect to add a mongodb.py and a config section to opencanaryd.conf – also with the version that the MongoDb will display upon connection
Are you up to that?

Claude, willing as ever, responded quickly:

I’m absolutely up for that! This is a great honeypot enhancement. I’ll create a MongoDB module for OpenCanary that emulates a MongoDB instance and lures attackers into an authentication trap.

Over the next 41 minutes, we worked together and created a MongoDB.py and the install/config guide to add the module to an existing installation. On the way, a couple of challenges were overcome and then the new stack came up and answered on TCP/27017.

With the module in place, OpenCanary immediately began logging realistic MongoDB traffic:

{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-06 08:40:30.533450", "local_time_adjusted": "2026-02-06 09:40:30.533474", "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 43040, "utc_time": "2026-02-06 08:40:30.533469"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-06 08:40:30.640077", "local_time_adjusted": "2026-02-06 09:40:30.640102", "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 43040, "utc_time": "2026-02-06 08:40:30.640097"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-06 08:40:30.747591", "local_time_adjusted": "2026-02-06 09:40:30.747626", "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 43046, "utc_time": "2026-02-06 08:40:30.747616"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-06 08:40:30.854361", "local_time_adjusted": "2026-02-06 09:40:30.854386", "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 43046, "utc_time": "2026-02-06 08:40:30.854381"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "local_time": "2026-02-06 08:40:30.962774", "local_time_adjusted": "2026-02-06 09:40:30.962796", "logdata": {"action": "mongodb.auth_attempt", "auth_data": "{'saslStart': 1, 'mechanism': 'SCRAM-SHA-1', 'payload': '6e2c2c6e3d53746576656e5469626572697573476962736f6e2c723d54742b346255474f486f56423558373875434d45665a53794153456e374870364e6465476e5a6a707367493d', 'autoAuthorize': 1, '$db': 'admin'}", "mechanism": "SCRAM-SHA-1", "username": "StevenTiberiusGibson"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 43046, "utc_time": "2026-02-06 08:40:30.962791"}

I’d like to thank my friend, Claude, for his help on this!

Initial Observations

The most interesting observation so far is that very little of this activity is sophisticated—most of it is low-skill enumeration relying entirely on unauthenticated access.

The rub is that there is more interest in low-skill break-ins. As GlitchPool posted back in November 2024:

But here’s the crazy part—some businesses leave their databases completely unprotected, wide open on the internet. They don’t set up passwords or any security, which means ANYONE (like you) can access them with just a browser.

Typical connection logs show the following sequence of events, with no mongodb.auth_attempt action at all: a connection followed by enumeration of whatever databases are available, relying entirely on the absence of authentication. This is not a simple browser connection to :27017, which would only trigger mongodb.connection events—it is a script, tool, or MongoDB Compass doing the talking.

{"dst_host": "10.0.47.222", "dst_port": 27017, "local_time": "2026-02-06 10:02:19.743609", "local_time_adjusted": "2026-02-06 11:02:19.743637", "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45530, "utc_time": "2026-02-06 10:02:19.743632"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "local_time": "2026-02-06 10:02:19.840321", "local_time_adjusted": "2026-02-06 11:02:19.840345", "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45530, "utc_time": "2026-02-06 10:02:19.840339"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "local_time": "2026-02-06 10:02:20.032176", "local_time_adjusted": "2026-02-06 11:02:20.032213", "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45544, "utc_time": "2026-02-06 10:02:20.032209"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "local_time": "2026-02-06 10:02:20.068757", "local_time_adjusted": "2026-02-06 11:02:20.068779", "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45544, "utc_time": "2026-02-06 10:02:20.068774"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "local_time": "2026-02-06 10:02:20.255257", "local_time_adjusted": "2026-02-06 11:02:20.255278", "logdata": {"action": "mongodb.command", "command": "listDatabases", "query": "{'listDatabases': 1, 'nameOnly': True, '$db': 'admin'}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45544, "utc_time": "2026-02-06 10:02:20.255274"}
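Both log excerpts above (the local test with its mongodb.auth_attempt, and the internet-sourced session that goes straight from the ismaster handshake to listDatabases) can be triaged mechanically. The script below is an added example, not part of OpenCanary or of the mongodb.py module the post describes: it reads OpenCanary JSON log lines, groups events by client session (src_host, src_port), classifies each session as connect-only, handshake-only, unauthenticated enumeration, or credential attempt, and for credential attempts decodes the hex-encoded SCRAM client-first message to recover the username and client nonce. The sample log embedded in the script is constructed from the post's own log format and values (abbreviated to the fields used); the assumption that the module logs the saslStart payload as a hex string of the raw SCRAM bytes is taken from the auth_attempt line above.

```python
"""Triage OpenCanary mongodb.* events: group by session, classify intent,
and decode the SCRAM client-first message from auth attempts.

Added example; not code from OpenCanary or from the post's mongodb.py.
"""
import ast
import json
from collections import defaultdict

# Constructed sample input, modelled on the post's log lines (abbreviated).
SAMPLE_LOG = """\
{"dst_host": "127.0.0.1", "dst_port": 27017, "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 43046, "utc_time": "2026-02-06 08:40:30.747616"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 43046, "utc_time": "2026-02-06 08:40:30.854381"}
{"dst_host": "127.0.0.1", "dst_port": 27017, "logdata": {"action": "mongodb.auth_attempt", "auth_data": "{'saslStart': 1, 'mechanism': 'SCRAM-SHA-1', 'payload': '6e2c2c6e3d53746576656e5469626572697573476962736f6e2c723d54742b346255474f486f56423558373875434d45665a53794153456e374870364e6465476e5a6a707367493d', 'autoAuthorize': 1, '$db': 'admin'}", "mechanism": "SCRAM-SHA-1", "username": "StevenTiberiusGibson"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "127.0.0.1", "src_port": 43046, "utc_time": "2026-02-06 08:40:30.962791"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45530, "utc_time": "2026-02-06 10:02:19.743632"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45530, "utc_time": "2026-02-06 10:02:19.840339"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "logdata": {"action": "mongodb.connection"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45544, "utc_time": "2026-02-06 10:02:20.032209"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "logdata": {"action": "mongodb.command", "command": "query:admin.$cmd", "query": "{'ismaster': 1, 'helloOk': True}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45544, "utc_time": "2026-02-06 10:02:20.068774"}
{"dst_host": "10.0.47.222", "dst_port": 27017, "logdata": {"action": "mongodb.command", "command": "listDatabases", "query": "{'listDatabases': 1, 'nameOnly': True, '$db': 'admin'}"}, "logtype": 20001, "node_id": "Switzerland", "src_host": "64.89.x.130", "src_port": 45544, "utc_time": "2026-02-06 10:02:20.255274"}
"""


def parse_events(log_text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def sessions(events):
    """Group events by (src_host, src_port): one TCP connection is one session."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[(ev["src_host"], ev["src_port"])].append(ev)
    return dict(grouped)


def decode_scram_client_first(payload_hex):
    """Decode a SCRAM client-first message logged as hex (assumption: the
    module logs the raw saslStart payload bytes as a hex string).

    Wire format (RFC 5802): "<gs2-cbind-flag>,<authzid>,n=<user>,r=<nonce>".
    SCRAM escapes ',' as =2C and '=' as =3D inside the username.
    """
    message = bytes.fromhex(payload_hex).decode("utf-8")
    cbind_flag, _authzid, bare = message.split(",", 2)
    attrs = dict(item.split("=", 1) for item in bare.split(","))
    username = attrs["n"].replace("=2C", ",").replace("=3D", "=")
    return {"username": username, "client_nonce": attrs["r"], "channel_binding": cbind_flag}


def classify(session_events):
    """Label one session by the furthest step the client took."""
    logdata = [ev["logdata"] for ev in session_events]
    commands = [ld.get("command", "") for ld in logdata]
    queries = [ld.get("query", "") for ld in logdata]
    result = {"commands": [c for c in commands if c], "username": None, "client_nonce": None}

    auth = next((ld for ld in logdata if ld["action"] == "mongodb.auth_attempt"), None)
    if auth is not None:
        # auth_data is a Python repr of the saslStart document, not JSON.
        sasl = ast.literal_eval(auth["auth_data"])
        result.update(decode_scram_client_first(sasl["payload"]))
        result["verdict"] = "credential_attempt"
    elif "listDatabases" in commands:
        # No auth, straight to enumeration: only works against open instances.
        result["verdict"] = "unauthenticated_enumeration"
    elif any("ismaster" in q or "'hello'" in q for q in queries):
        result["verdict"] = "handshake_only"
    else:
        result["verdict"] = "connect_only"
    return result


def triage(log_text):
    """Map (src_host, src_port) -> classification for every session in the log."""
    return {key: classify(evs) for key, evs in sessions(parse_events(log_text)).items()}


if __name__ == "__main__":
    for (host, port), r in triage(SAMPLE_LOG).items():
        who = f" (username={r['username']})" if r["username"] else ""
        print(f"{host}:{port} -> {r['verdict']}{who} {r['commands']}")
```

Grouping on (src_host, src_port) works because OpenCanary logs the ephemeral source port with every event; a client that opens several connections (as both examples above do) shows up as several sessions, so a per-host roll-up is a one-liner on top of the returned dict. The decoded client nonce is random per connection and is useful only for tying an auth_attempt back to a pcap; the username is the field worth alerting on.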

Plans for Improvement

Over the coming weeks, I may “play nice” and modify the MongoDB stack to list some databases for the attacker, let them delete them and accept their ransom note. Of course this will be logged and then reset immediately!

It’ll take some interesting workflows to keep the illusion believable long enough to observe meaningful attacker behaviour.