Mongo DB hacked (read_me_to_recover) without the port exposed in the firewall?


I have recently set up parse-server on a DO VPS, using 3 docker containers: one for parse-server, one for the parse-server dashboard and one for mongodb. Because I am just testing this setup I left the mongo container as it is (mongodb://mongo:27017/dev). I have NGINX (not in docker) running as a reverse proxy (to get SSL); it forwards ports 80 and 443 to http://127.0.0.1:4040 internally (the parse dashboard web GUI), and it routes 1338 to http://127.0.0.1:1337, the parse server (API) itself. This parse server connects to my mongo DB internally.

This is the first time I am using Docker and MongoDB, and because of this setup and the mongo db port not being open I thought it would be half-decently safe. My question is, how did the hacker breach my database? There was nothing of value stored, but there might be in the future. I don’t think he exploited my parse server, because I could see the connection coming from a CPython client (the parse connection showed as a nodeJS client).

I have added: NGINX, firewall, Docker processes, Mongo log lines

nginx terminal

{"t":{"$date":"2020-08-13T12:23:14.165+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"connection accepted","attr":{"remote":"46.182.106.190:39672","sessionId":31,"connectionCount":3}}
{"t":{"$date":"2020-08-13T12:23:14.359+00:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn31","msg":"client metadata","attr":{"remote":"46.182.106.190:39672","client":"conn31","doc":{"driver":{"name":"PyMongo","version":"3.10.1"},"os":{"type":"Linux","name":"Linux","architecture":"x86_64","version":"4.15.0-112-generic"},"platform":"CPython 3.6.9.final.0"}}}
{"t":{"$date":"2020-08-13T12:23:15.941+00:00"},"s":"I",  "c":"COMMAND",  "id":20337,   "ctx":"conn31","msg":"dropDatabase - starting","attr":{"db":"READ_ME_TO_RECOVER_YOUR_DATA"}}

> db.README.find();
{ "_id" : ObjectId("5f3536cd2a546e2eea8211eb"), "content" : "All your data is a backed up. You must pay 0.015 BTC to 145Nny3Gi6nWVBz45Gv9SqxFajuwTb2qTw 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: restore_base@tuta.io" }
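The log excerpt above is in MongoDB's structured JSON log format, and the two facts that matter for triage are already in it: the remote address and driver of the accepting connection (`id` 22943 and 51800), and the `dropDatabase` (`id` 20337) issued on that same connection (`conn31`). The following Python script is an added example, not part of the question or of any answer, that parses such lines, flags connections from non-private addresses, and ties each destructive command back to the connection that issued it. The sample input is constructed: the first three lines reproduce the entries quoted above, and the last two are a made-up internal connection from a nodejs driver (the parse-server container's address 172.18.0.3 is an assumed docker-bridge address) for contrast.

```python
import ipaddress
import json
import re
import sys

# Constructed sample input in MongoDB's structured (JSON) log format.
# Lines 1-3 reproduce the entries quoted in the question; lines 4-5 are made up
# to show an internal connection from the parse-server container (assumed
# docker-bridge address 172.18.0.3, assumed nodejs driver version).
SAMPLE_LOG = r'''
{"t":{"$date":"2020-08-13T12:23:14.165+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"connection accepted","attr":{"remote":"46.182.106.190:39672","sessionId":31,"connectionCount":3}}
{"t":{"$date":"2020-08-13T12:23:14.359+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn31","msg":"client metadata","attr":{"remote":"46.182.106.190:39672","client":"conn31","doc":{"driver":{"name":"PyMongo","version":"3.10.1"},"os":{"type":"Linux"},"platform":"CPython 3.6.9.final.0"}}}
{"t":{"$date":"2020-08-13T12:23:15.941+00:00"},"s":"I","c":"COMMAND","id":20337,"ctx":"conn31","msg":"dropDatabase - starting","attr":{"db":"READ_ME_TO_RECOVER_YOUR_DATA"}}
{"t":{"$date":"2020-08-13T12:20:01.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"connection accepted","attr":{"remote":"172.18.0.3:51022","sessionId":30,"connectionCount":2}}
{"t":{"$date":"2020-08-13T12:20:01.050+00:00"},"s":"I","c":"NETWORK","id":51800,"ctx":"conn30","msg":"client metadata","attr":{"remote":"172.18.0.3:51022","client":"conn30","doc":{"driver":{"name":"nodejs","version":"3.5.9"},"platform":"Node.js v12.18.3"}}}
'''

# Log event ids as they appear in the quoted log.
CONNECTION_ACCEPTED = 22943
CLIENT_METADATA = 51800
DROP_DATABASE = 20337

# Database names used as ransom markers in the quoted incident.
RANSOM_DB_RE = re.compile(r"READ_?ME|RECOVER", re.IGNORECASE)


def parse_log(text):
    """Parse structured MongoDB log lines; non-JSON lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_external(remote):
    """True if the 'host:port' remote is neither loopback nor a private range."""
    host = remote.rpartition(":")[0].strip("[]")
    addr = ipaddress.ip_address(host)
    return not (addr.is_loopback or addr.is_private)


def triage(events):
    """Correlate connections with the commands issued on them and flag findings."""
    conns = {}   # ctx (e.g. "conn31") -> remote, driver, external flag, timestamp
    drops = []   # (ctx, database name, timestamp)
    for ev in events:
        attr = ev.get("attr", {})
        ts = ev.get("t", {}).get("$date")
        eid = ev.get("id")
        if eid == CONNECTION_ACCEPTED:
            # The accepting listener logs sessionId N; later events use ctx "connN".
            ctx = "conn%d" % attr["sessionId"]
            conns[ctx] = {"remote": attr["remote"], "driver": None,
                          "external": is_external(attr["remote"]), "t": ts}
        elif eid == CLIENT_METADATA:
            conn = conns.setdefault(ev["ctx"], {
                "remote": attr.get("remote"), "driver": None,
                "external": is_external(attr["remote"]) if attr.get("remote") else False,
                "t": ts})
            conn["driver"] = attr.get("doc", {}).get("driver", {}).get("name")
        elif eid == DROP_DATABASE:
            drops.append((ev["ctx"], attr.get("db", ""), ts))

    findings = {"external_connections": [], "destructive_commands": [], "ransom_markers": []}
    for ctx, c in conns.items():
        if c["external"]:
            findings["external_connections"].append(dict(ctx=ctx, **c))
    for ctx, db, ts in drops:
        c = conns.get(ctx, {})
        rec = {"ctx": ctx, "db": db, "t": ts, "remote": c.get("remote"),
               "driver": c.get("driver"), "external": c.get("external", False)}
        findings["destructive_commands"].append(rec)
        if RANSOM_DB_RE.search(db):
            findings["ransom_markers"].append(rec)
    return findings


if __name__ == "__main__":
    # Pass a log file path (e.g. saved from `docker logs <mongo-container>`), or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for kind, recs in triage(parse_log(text)).items():
        print("%s: %d" % (kind, len(recs)))
        for r in recs:
            print("  ", r)
```

Run against the container's own log (`docker logs <mongo-container> > mongo.log`) rather than the sample; any `external_connections` entry means the listener was reachable from outside the private/loopback ranges, whatever the host firewall rules say. The companion check worth doing is `docker ps`: a port column reading `0.0.0.0:27017->27017/tcp` means Docker published the port on every host interface through its own iptables rules, which are evaluated independently of the host's firewall front end, whereas `127.0.0.1:27017->27017/tcp` or no mapping at all keeps the port reachable only from the host and the container network.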