Re: PostgreSQL 12 service failing in Ubuntu 20.04 after a few hours

From: Antonis Christodoulou <christan305(at)hotmail(dot)com>
To: Ahmet Demir <dbademir(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Rob Sargent <robjsargent(at)gmail(dot)com>, pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: PostgreSQL 12 service failing in Ubuntu 20.04 after a few hours
Date: 2023-01-02 06:53:32
Message-ID: VI1P193MB0510A77728EBC92F0E26D11AE1F79@VI1P193MB0510.EURP193.PROD.OUTLOOK.COM
Lists: pgsql-general

And for the record, Ahmet, here’s a weird cron job:

christan(at)vultr:~$ sudo crontab -l -u postgres
13 * * * * /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh > /dev/null 2>&1 &

Had no idea somebody can add something like this externally...

> On 2 Jan 2023, at 8:34 AM, Antonis Christodoulou <christan305(at)hotmail(dot)com> wrote:
>
> Hmm wow, never thought this could be the case. Yes I am using postgres/postgres for my db, and I am indeed allowing full remote access in my pg_hba.conf (I would definitely change this, just wanted to start testing it…)
>
> # Remote database connections
> host all postgres 0.0.0.0/0 md5
>
>> On 2 Jan 2023, at 8:29 AM, Ahmet Demir <dbademir(at)gmail(dot)com> wrote:
>>
>> And I can suggest checking cron jobs both on root and postgres, killing those processes and changing root postgres passwords.
>>
>> Ahmet
>>
>> On Mon, 2 Jan 2023 at 09:19, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Antonis Christodoulou <christan305(at)hotmail(dot)com> <VI1P193MB051005C8BE974502A0D4A315E1F79(at)VI1P193MB0510(dot)EURP193(dot)PROD(dot)OUTLOOK(dot)COM> writes:
>> > This is a machine in the cloud, I can’t disconnect it.
>>
>> In that case, you need to be taking nonzero security precautions.
>>
>> > And yes the ps looks like this precisely when I do a fresh restart. I kill all postgres processes and restart:
>> > Then this is the output of my ps:
>>
>> That looks fine ... but this doesn't:
>>
>> >>> postgres 3342383 1 0 2022 ? 00:00:00 FzXlkULu
>> >>> postgres 3344758 1 99 2022 ? 3-14:39:11 OElid7Dp
>> >>> postgres 3419125 1 18 13:57 ? 01:17:03 tracepath
>>
>> Somebody is hacking into your system and commandeering it to run
>> something resource-intensive, possibly a bitcoin miner. Whatever
>> it is, it's trying to obscure its process name which is hardly
>> a sign of good intentions.
>>
>> I'd counsel taking a hard look at your pg_hba.conf to be sure
>> it's not allowing non-credentialed logins from anywhere. And
>> for pete's sake don't use a guessable password.
>>
>> regards, tom lane
>>
>>
>
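
The pg_hba.conf review suggested in the thread, as an added example that is not part of any message here: a small Python audit that flags network rules open to any address, `trust` authentication, and `md5`/`password` methods. The sample file is constructed (its second line is the rule quoted above), the finding wording is this example's own, and it assumes unquoted fields and the default superuser name `postgres`.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _network(addr):
    """Return an ip_network for addr, or None for hostnames/keywords."""
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None

def host_rules(text):
    """Yield (lineno, user, address, method) for each network (host*) rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # assumption: no quoted fields
        if len(f) < 5 or f[0] not in HOST_TYPES:
            continue  # blank line, comment, or Unix-socket "local" rule
        addr, rest = f[3], f[4:]
        # Older "address netmask" form: fold the mask into the address.
        if len(rest) >= 2 and _network(rest[0]) is not None:
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        yield lineno, f[2], addr, rest[0]

def audit_hba(text, superuser="postgres"):
    """Return a list of (lineno, finding) for risky remote-access rules."""
    findings = []
    for lineno, user, addr, method in host_rules(text):
        net = _network(addr)
        world = addr == "all" or (net is not None and net.prefixlen == 0)
        if method == "trust":
            findings.append((lineno, "trust: no password required"))
        if world:
            findings.append((lineno, "accepts connections from any address"))
            if user == "all" or superuser in user.split(","):
                findings.append((lineno, "superuser reachable from any address"))
        if method in ("md5", "password"):
            findings.append((lineno, f"{method}: prefer scram-sha-256"))
    return findings

# Constructed sample; line 2 is the rule quoted in the thread.
SAMPLE = """\
local   all   postgres                            peer
host    all   postgres   0.0.0.0/0                md5
host    app   app_rw     10.0.0.0 255.255.255.0   scram-sha-256
host    all   all        0.0.0.0 0.0.0.0          trust
"""

if __name__ == "__main__":
    print(*audit_hba(SAMPLE), sep="\n")
```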
