Re: PGSQL 10, many Random named DB

From: Rob Sargent <robjsargent(at)gmail(dot)com>
To: pgsql-general(at)lists(dot)postgresql(dot)org
Subject: Re: PGSQL 10, many Random named DB
Date: 2018-01-24 17:40:57
Message-ID: 18ce79d1-0a17-cf28-db0c-989c971075fe@gmail.com
Lists: pgsql-general

On 01/24/2018 10:22 AM, Merlin Moncure wrote:
> On Wed, Jan 24, 2018 at 4:52 AM, Durumdara <durumdara(at)gmail(dot)com> wrote:
>> Hello!
>>
>> Somewhere the system administrator (who doesn't know PG really) installed
>> a PGSQL server (10.x) with a database.
>> He couldn't manage the server well.
>>
>> Yesterday my colleague saw 21 databases in this server with random names.
>> He checked it with the built-in PGAdmin IV.
>> Today we checked it again, and we saw 33 databases.
>>
>> The first name is "ahucli" for example - like an aztec king... :-).
>>
>> The server OS is Windows, the PGSQL is 10.x.
>>
>> What can cause this strange thing?
>>
>> 1.) PGAdmin IV bug?
>> 2.) Their server is hacked/cracked from outside?
>> 3.) A wrong configured tool, or an automation?
>> 4.) "Alien invasion", etc.
>>
>> Did you see the same thing anywhere?
>>
>> Thank you for any advice in this theme!
> You could be looking at a very serious situation. Random data stored
> without your knowledge can be symptom of a hack or simple bug.
> Figuring out which is which is a very urgent consideration. You may
> want to consider:
>
> *) poke around created database and try to determine if the created
> databases point to something you created or more suspicious things.
> this is URGENT
> *) review firewall and network configuration
> *) review pg_hba.conf
> *) generally check logs everywhere, be advised hackers are often smart
> and cover tracks
> *) log all connections. adjust logging to also capture client ip and
> pid if not already
> *) log all queries (also with adjustments above). this is expensive,
> so be prepared to turn off when problem is found
>
> merlin
>
Step one for me would be to unplug the ethernet cable.  If it is in some
inaccessible place, shut it down, make it accessible, then go with
Merlin's list.
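The review and logging steps from Merlin's list, written out as an added example that is not part of the thread. It assumes a superuser session in psql on a stock PostgreSQL 10 server; the SELECTs only read catalogs, and the ALTER SYSTEM statements change logging settings only.

```sql
-- Added example (not from the thread): triage queries and logging settings for an
-- unexpected-database situation on PostgreSQL 10, run as a superuser in psql.
-- Assumes a stock PG 10 install; nothing below touches the unknown databases' data.

-- 1. Inventory: which databases exist, who owns them, and whether anyone besides
--    the owner may connect (datacl). Unknown owners or roles are the first clue.
SELECT d.datname,
       pg_get_userbyid(d.datdba) AS owner,
       d.datacl,
       pg_size_pretty(pg_database_size(d.datname)) AS size
FROM   pg_database d
WHERE  d.datistemplate = false
ORDER  BY d.datname;

-- 2. Roles: anything with LOGIN, SUPERUSER or CREATEDB that you did not create.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolcanlogin, rolvaliduntil
FROM   pg_roles
WHERE  rolcanlogin OR rolsuper OR rolcreatedb
ORDER  BY rolname;

-- 3. Who is connected right now, from where, and what they are running.
SELECT pid, usename, datname, client_addr, backend_start, state, query
FROM   pg_stat_activity
WHERE  backend_type = 'client backend';

-- 4. Review pg_hba.conf without leaving psql (this view is new in PG 10).
--    A line like  host all all 0.0.0.0/0 trust  is the classic wide-open entry.
SELECT line_number, type, database, user_name, address, netmask, auth_method, error
FROM   pg_hba_file_rules
ORDER  BY line_number;

-- 5. Log every connection with client IP (%h) and PID (%p) in the line prefix,
--    then log every statement. ALTER SYSTEM writes postgresql.auto.conf and
--    pg_reload_conf() applies it without a restart. log_statement = 'all' is
--    expensive: set it back to 'ddl' or 'none' once the source is known.
ALTER SYSTEM SET log_connections = on;
ALTER SYSTEM SET log_disconnections = on;
ALTER SYSTEM SET log_line_prefix = '%m [%p] %u@%d %h ';
ALTER SYSTEM SET log_statement = 'all';
SELECT pg_reload_conf();
```

On Windows the resulting log lines go to the files under the data directory's log (or pg_log) subdirectory, so copy those off the host before any cleanup.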
