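Today I found that in one of our system's production databases, every user's mobile number had been changed to a single '181xxxxxxxx' number. My first reaction: damn, have we been hacked? I quickly checked the log: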
```
# cat mongod.log |grep "181xxxxxxxx"
2019-04-12T03:15:31.911+0000 I WRITE [conn573606] update XXX.xxxxxx command: { q: { is_delete: false, accountid: { $in: [ nul
, null ] } }, u: { $set: { mobile: "181xxxxxxxx", modify_time: new Date(1555038895441) } }, multi: true, upsert: false } planSumm
ry: IXSCAN { is_delete: 1 } keysExamined:306988 docsExamined:306988 nMatched:306988 nModified:306988 numYields:2839 locks:{ Globa
: { acquireCount: { r: 309828, w: 309828 } }, Database: { acquireCount: { w: 309828 } }, Collection: { acquireCount: { w: 2840 }
, oplog: { acquireCount: { w: 306988 } } } 36511ms
```
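Clearly this update is the problem: it modified 300,000 records. The next step is to find the source of this operation, so filter the log by the connection ID to see what that connection did before this point in time: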
```
# cat mongod.log |grep "conn573606" |more
2019-04-12T03:13:11.125+0000 I NETWORK [conn573606] received client metadata from 10.x.x.x:xxxxx conn573606: { driver: { name:
"mongo-csharp-driver", version: "xxxx" }, os: { type: "Windows", name: "Microsoft Windows xxxx", architecture: "x86_64"
, version: "x.xx.x.x" }, platform: ".NET Framework x.x.x" }
```
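This connection comes from a specific IP and port, which helps pin down which application dug this hole!
A code search quickly located the offending code, and the problem was fixed.
Fortunately this field is stored redundantly, so the data was quickly restored from the redundant copy. The database also has a full backup every day; otherwise this really would have been a "drop the database and run" moment!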
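The two grep steps above can be combined into one pass over the log. The following is an added example, not code from the original post: it flags `update` entries whose `nModified` exceeds a threshold and joins each one to the `received client metadata` line of the same connection. The sample log lines, the `find_bulk_updates` name and the threshold are assumptions made for illustration.

```python
import re

# Constructed sample in the plain-text mongod.log format shown above
# (addresses, namespaces and versions are made up for this example).
SAMPLE_LOG = """\
2019-04-12T03:13:11.125+0000 I NETWORK [conn101] received client metadata from 10.0.0.5:50123 conn101: { driver: { name: "mongo-csharp-driver", version: "0.0.0" }, os: { type: "Windows" } }
2019-04-12T03:14:02.000+0000 I NETWORK [conn102] received client metadata from 10.0.0.9:40001 conn102: { driver: { name: "PyMongo", version: "0.0.0" } }
2019-04-12T03:14:40.310+0000 I WRITE [conn102] update app.users command: { q: { _id: 7 }, u: { $set: { mobile: "x" } }, multi: false, upsert: false } planSummary: IDHACK keysExamined:1 docsExamined:1 nMatched:1 nModified:1 120ms
2019-04-12T03:15:31.911+0000 I WRITE [conn101] update app.users command: { q: { is_delete: false }, u: { $set: { mobile: "x" } }, multi: true, upsert: false } planSummary: IXSCAN { is_delete: 1 } keysExamined:306988 docsExamined:306988 nMatched:306988 nModified:306988 36511ms
"""

# Connection handshake line: timestamp, connection id, client ip:port, driver name.
META = re.compile(r'^(\S+) I NETWORK\s+\[(conn\d+)\] received client metadata '
                  r'from (\S+) \2: .*?name: "([^"]+)"')
# Logged update line: timestamp, connection id, namespace, modified-document count.
WRITE = re.compile(r'^(\S+) I WRITE\s+\[(conn\d+)\] update (\S+) .*\bnModified:(\d+)')


def find_bulk_updates(log_text, threshold=1000):
    """Return updates with nModified >= threshold, joined to their client."""
    clients = {}  # conn id -> (ip:port, driver); ids restart when mongod restarts
    hits = []
    for line in log_text.splitlines():
        m = META.match(line)
        if m:
            clients[m.group(2)] = (m.group(3), m.group(4))
            continue
        m = WRITE.match(line)
        if m and int(m.group(4)) >= threshold:
            ts, conn, ns, modified = m.groups()
            # The handshake may sit in an older, rotated log file.
            addr, driver = clients.get(conn, ("unknown", "unknown"))
            hits.append({"time": ts, "conn": conn, "ns": ns,
                         "nModified": int(modified),
                         "client": addr, "driver": driver})
    return hits


if __name__ == "__main__":
    for hit in find_bulk_updates(SAMPLE_LOG):
        print(hit)
```

The regular expressions expect each log entry on a single line, so run the script against the log file itself rather than terminal output that has been wrapped at the screen width.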