Re: posgresql.log

On 05/21/2018 04:40 PM, Bartosz Dmytrak wrote:
>
> Hi Gurus,
>
> Looking into my postgresql.log on one of my test servers I found scary entry:
>
> --2018-05-19 05:28:21-- http://207.148.79.161/post0514/post
>
> Connecting to 207.148.79.161:80... connected.
>
> HTTP request sent, awaiting response... 200 OK
>
> Length: 1606648 (1.5M) [application/octet-stream]
>
> Saving to: ‘/var/lib/postgresql/10/main/postgresq1’
>
> 0K .......... .......... .......... .......... ..........  3% 71.0K 21s
>
>     50K .......... .......... .......... .......... ..........  6% 106K 17s
>
>    100K .......... .......... .......... .......... ..........  9% 213K 13s
>
>    150K .......... .......... .......... .......... .......... 12% 213K 11s
>
[snip]
> 1500K .......... .......... .......... .......... .......... 98% 11.8M 0s
>
>   1550K .......... ........ 100% 12.5M=2.6s
>
> 2018-05-19 05:28:25 (598 KB/s) - ‘/var/lib/postgresql/10/main/postgresq1’
> saved [1606648/1606648]
>
> Downloaded file is not posgresql but postgresq1(one).
>
> It was pure pg instalation without any contrib modules addons etc,
> istalled on ubuntu box by apt manager using repos:
>
> http://apt.postgresql.org/pub/repos/apt xenial-pgdg/main
>
> http://apt.postgresql.org/pub/repos/apt xenial-pgdg
>
> I have never seen such entry on other my other servers…
>
> Could you be so kind and explain me what is it? I am afraid my postgres
> has been hacekd.
>

This looks like what happens when the adobe flash player package downloads
the closed-source binary installer.  Thus, I wouldn't be surprised if the
repository package isn't downloading the installation binaries from
http://207.148.79.161/post0514/post.

--
Angular momentum makes the world go 'round.