Re: posgresql.log

From: Steve Crawford <scrawford(at)pinpointresearch(dot)com>
To: bdmytrak(at)gmail(dot)com
Cc: PG-General Mailing List <pgsql-general(at)postgresql(dot)org>
Subject: Re: posgresql.log
Date: 2018-05-21 22:21:56
Message-ID: CAEfWYyyzrLk0qh-2J3RELpc5TJf48K5sKeZftd80JcdVHS56ow@mail.gmail.com
Lists: pgsql-general

On Mon, May 21, 2018 at 2:40 PM Bartosz Dmytrak <bdmytrak(at)gmail(dot)com> wrote:

> Hi Gurus,
>
> Looking into my postgresql.log on one of my test servers I found a scary
> entry:
>
> --2018-05-19 05:28:21-- http://207.148.79.161/post0514/post
>
> Connecting to 207.148.79.161:80... connected.
>
> HTTP request sent, awaiting response... 200 OK
>
> Length: 1606648 (1.5M) [application/octet-stream]
>
> Saving to: ‘/var/lib/postgresql/10/main/postgresq1’
>
> 2018-05-19 05:28:25 (598 KB/s) - ‘/var/lib/postgresql/10/main/postgresq1’
> saved [1606648/1606648]
>
> The downloaded file is not postgresql but postgresq1 (one).
>
> It was a pure pg installation without any contrib modules, addons etc.,
> installed on an Ubuntu box by the apt manager using repos:
>
> http://apt.postgresql.org/pub/repos/apt xenial-pgdg/main
>
> http://apt.postgresql.org/pub/repos/apt xenial-pgdg
>
> I have never seen such an entry on any of my other servers…
>
> Could you be so kind as to explain to me what it is? I am afraid my postgres
> has been hacked.
>
> Best Regards
>
> Bartosz Dmytrak
>

If this is a test server and you can take it offline for forensics, I would
do so, especially if it could provide a path to other internal or critical
resources. If you can image it for safekeeping and forensics, even better.

That appears to be output from wget, but the intrusion, if any, could be
through any number of vectors (web, ssh, local attack, etc.) not directly
related to PostgreSQL. Check your other logs, starting with a search for
anything related to that IP address.

Verify the usual. Patches up to date, ports appropriately firewalled off,
no default passwords, etc.

The IP comes back to vultr.com, which is a cloud company (i.e. could be anyone),
but if it is an attack perhaps contact their abuse department.

Unless you are positive the server was not attacked, don't trust it unless
you can be absolutely certain it is clean. Best bet is to back up any
critical data (and check it for trustworthiness), wipe and rebuild.

Only you (well, OK, maybe them, now) know what data was on this server, but
depending on its importance, internal policies, legal requirements and
agreements with third parties you may have notification requirements and
could need to engage forensics experts.

Good luck,
Steve
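One way to sweep a set of PostgreSQL logs for entries like the one in this thread, as an added example that is not from the thread or from PostgreSQL itself: it flags wget banner lines (which the server never writes on its own), files saved into the cluster's data directory, and digit-for-letter lookalike names such as postgresq1. The log excerpt, the data directory path and the TEST-NET address are constructed.

```python
import os
import re
from typing import Dict, List

# Constructed log excerpt modelled on the thread (TEST-NET address substituted):
# wget output interleaved with normal server lines, and a download written into
# the data directory under the lookalike name "postgresq1".
SAMPLE_LOG = """\
2018-05-19 05:27:58 UTC [1234-1] LOG:  checkpoint starting: time
--2018-05-19 05:28:21--  http://203.0.113.7/post0514/post
Connecting to 203.0.113.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1606648 (1.5M) [application/octet-stream]
Saving to: '/var/lib/postgresql/10/main/postgresq1'
2018-05-19 05:28:25 (598 KB/s) - '/var/lib/postgresql/10/main/postgresq1' saved [1606648/1606648]
2018-05-19 05:30:02 UTC [1234-2] LOG:  checkpoint complete
"""

DEFAULT_DATA_DIR = "/var/lib/postgresql"  # assumed; pass your own path to scan_log()
LEGIT_NAMES = {"postgres", "postgresql", "postmaster", "pg_ctl"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "7": "t"})
WGET_URL = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)")
SAVING = re.compile(r"Saving to: [‘'\"]([^’'\"]+)[’'\"]")


def lookalike_of(name: str) -> str:
    """Return the legitimate name this file name imitates, or '' if none."""
    normalized = name.lower().translate(HOMOGLYPHS)
    return normalized if normalized in LEGIT_NAMES and name.lower() != normalized else ""


def scan_log(text: str, data_dir: str = DEFAULT_DATA_DIR) -> List[Dict[str, str]]:
    """Flag downloader output and suspicious file writes found in a PostgreSQL log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        url = WGET_URL.match(line)
        if url:  # wget's banner line: the server itself never logs this
            findings.append({"line": str(line_no), "kind": "outbound_download", "detail": url.group(1)})
        saving = SAVING.search(line)
        if not saving:
            continue
        path = saving.group(1)
        if path.startswith(data_dir):  # foreign file landing in the cluster directory
            findings.append({"line": str(line_no), "kind": "write_into_data_dir", "detail": path})
        legit = lookalike_of(os.path.basename(path))
        if legit:  # e.g. postgresq1 (digit one) posing as postgresql
            findings.append({"line": str(line_no), "kind": "lookalike_filename",
                             "detail": f"{os.path.basename(path)} imitates {legit}"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
```

Run it over the real postgresql.log (and any other logs on the host) and follow each flagged URL or IP into the rest of your logs, as Steve suggests.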
