Re: Compromised postgresql instances

> On Jun 8, 2018, at 1:47 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com> writes:
>> On 06/08/2018 04:34 PM, Steve Atkins wrote:
>>> I've noticed a steady trickle of reports of postgresql servers being compromised via being left available to the internet with insecure or default configuration, or brute-forced credentials. The symptoms are randomly named binaries being uploaded to the data directory and executed with the permissions of the postgresql user, apparently via an extension or an untrusted PL.
>>>
>>> Is anyone tracking or investigating this?
>
>> Please cite actual instances of such reports. Vague queries like this
>> help nobody.
>
> I imagine Steve is reacting to this report from today:
> https://www.postgresql.org/message-id/CANozSKLGgWDpzfua2L=OGFN=Dg3Po98UjqJJ18gBVFR1-yK5+A@mail.gmail.com
>
> I recall something similar being reported a few weeks ago,

https://www.postgresql.org/message-id/020901d3f14c%24512a46d0%24f37ed470%24%40gmail.com

> but am
> too lazy to trawl the archives right now.

Yes, plus I recall a couple of discussions on IRC with similar behaviour, and
a few more details about how the binaries were being uploaded.

>
>> Furthermore, security concerns are best addressed to the security
>> mailing list.
>
> Unless there's some evidence that these attacks are getting in through
> a heretofore unknown PG security vulnerability, rather than user
> misconfiguration (such as weak/no password), I'm not sure what the
> security list would have to offer. Right now it seems like Steve's move
> to try to gather more evidence is quite the right thing to do.

Yeah. It's not a security issue with postgresql itself, I don't believe, so not
really something that has to go to the security alias. It's more of an ops
issue, but I thought I'd ask here to see if anyone was already looking at it,
and to raise a flag if they weren't.

Cheers,
Steve