TCP 28017
Synopsis
- MongoDB historically used TCP 28017 for its built-in HTTP status/REST interface (the web console typically at http://host:28017/, with DB traffic on 27017).
- This interface existed in early MongoDB releases (enabled via flags like --httpinterface/--rest), was deprecated after 2.6, and removed by 3.6+.
- Real-world examples include MongoDB Community/Enterprise Server, Percona Server for MongoDB, and packaged deployments such as Bitnami MongoDB images that exposed the status page on 28017 when enabled.
- In practice, many internet-exposed MongoDB instances on 28017 were indexed by Shodan and abused in ransom/extortion campaigns, where attackers enumerated databases and sometimes wiped data after demanding payment.
- Modern best practice is to disable this interface or restrict it via firewall; newer MongoDB versions no longer provide it.