From: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | email2anup14(at)gmail(dot)com, PostgreSQL mailing lists <pgsql-bugs(at)lists(dot)postgresql(dot)org> |
Subject: | Re: BUG #16692: Postgres process using 100 percent CPU |
Date: | 2020-10-31 17:01:20 |
Message-ID: | CAMkU=1xHh5gaAkSeOeWygMKTKAVaN6qWV-njk3X8XHAS-555nA@mail.gmail.com |
Lists: | pgsql-bugs |
On Fri, Oct 30, 2020 at 10:32 AM Magnus Hagander <magnus(at)hagander(dot)net>
wrote:
> On Fri, Oct 30, 2020 at 3:29 PM PG Bug reporting form
> <noreply(at)postgresql(dot)org> wrote:
> >
> > 37811 postgres 20 0 2442744 2.3g 4 S 399.7 14.8 148:23.87
> > n2cP0Mv4
> >
>
> That is not a PostgreSQL process.
>
> It looks very much like malware running on your system, that happens
> to be running under the "postgres" user account.
>

To expand on that, the malware was likely to have been installed and
started through a compromised superuser account for his database. It is a
common attack to look for PostgreSQL superuser accounts with weak
passwords, then use lo_export or COPY ... TO PROGRAM to drop cryptocurrency
mining programs. They often have names that look like that, too.

Reinstalling but without fixing the security practices just means the bad
guys come back again.

Cheers,

Jeff
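
A defender-side check for the pattern described in the message above, as an added example that is not part of the original e-mail: it scans a PostgreSQL server log for repeated password failures and for statements that use COPY ... PROGRAM or lo_export. It assumes `log_statement = 'all'` and the default `log_line_prefix` (`'%m [%p] '`); the log lines, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the reporter's system).
SAMPLE_LOG = """\
2020-10-30 09:14:01.120 UTC [4101] FATAL:  password authentication failed for user "postgres"
2020-10-30 09:14:01.480 UTC [4102] FATAL:  password authentication failed for user "postgres"
2020-10-30 09:14:01.910 UTC [4103] FATAL:  password authentication failed for user "postgres"
2020-10-30 09:14:07.330 UTC [4110] LOG:  statement: copy (select 1) to program 'CONSTRUCTED-PLACEHOLDER'
2020-10-30 09:14:09.771 UTC [4110] LOG:  statement: SELECT lo_export(16401, '/tmp/CONSTRUCTED-PLACEHOLDER')
2020-10-30 09:15:00.000 UTC [4120] LOG:  statement: COPY orders TO STDOUT
"""

ENTRY = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \S+) \[(?P<pid>\d+)\] (?P<sev>[A-Z]+):  (?P<msg>.*)$')
AUTH_FAIL = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
RULES = {  # the two statement types named in the message above
    "copy_program": re.compile(r'\bCOPY\b.*\b(?:TO|FROM)\s+PROGRAM\b', re.I | re.S),
    "lo_export": re.compile(r'\blo_export\s*\(', re.I),
}

def parse_entries(text):
    """Split the log into entries, joining continuation lines of multi-line statements."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:  # no prefix: belongs to the previous entry
            entries[-1]["msg"] += "\n" + line.strip()
    return entries

def scan(text, auth_fail_threshold=3):
    """Return statement hits as (rule, timestamp, pid), then (auth_failures, user, count)."""
    findings, failures = [], Counter()
    for e in parse_entries(text):
        m = AUTH_FAIL.search(e["msg"])
        if e["sev"] == "FATAL" and m:
            failures[m["user"]] += 1
        if e["msg"].startswith("statement:"):
            for name, rx in RULES.items():
                if rx.search(e["msg"]):
                    findings.append((name, e["ts"], e["pid"]))
    for user, n in failures.items():
        if n >= auth_fail_threshold:
            findings.append(("auth_failures", user, n))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit on either statement rule from a session that does not normally run server-side programs or large-object exports is worth reviewing together with the authentication failures that precede it.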