From: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
---|---|
To: | Edmundo Robles <edmundo(at)sw-argos(dot)com> |
Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
Subject: | Re: I have a suspicious query |
Date: | 2025-07-11 22:59:57 |
Message-ID: | CAHyXU0w0dYku-QrfugeMQ2pjeWXucC46zSDxg0UUbOj_JUCaEQ@mail.gmail.com |
Lists: | pgsql-general |
On Fri, Jul 11, 2025 at 11:13 AM Edmundo Robles <edmundo(at)sw-argos(dot)com>
wrote:
> Hi
>
> I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
> While monitoring active queries, I came across the following:
>
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
> _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
> _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
>
> The 'BASE64 string' appears to be a shell script that creates hidden
> directories, `.xdiag` and `.xperf`, in `/tmp`.
>
> Could you please help me locate and clean these? I apologize if this is
> not the appropriate contact for this issue.
>
This looks like a hack. Something or someone has the ability to run
arbitrary SQL. Shut the server down and start taking steps to secure. Is
this server behind a firewall?
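
An added triage example, not part of the original thread: `COPY ... FROM PROGRAM` can only be run by a superuser or a member of the `pg_execute_server_program` role, so these two queries show which sessions are issuing it and which roles are able to. It assumes a psql session as a superuser on the affected server, since other users' query text is hidden from unprivileged roles.

```sql
-- 1. Sessions currently running COPY ... FROM PROGRAM:
--    which role, which database, from which address, since when.
--    pg_stat_activity.query is truncated to track_activity_query_size,
--    but the FROM PROGRAM keyword sits before the long payload string.
SELECT pid,
       usename,
       datname,
       client_addr,
       application_name,
       backend_start,
       query_start,
       state
FROM pg_stat_activity
WHERE query ~* 'from\s+program'
  AND pid <> pg_backend_pid()          -- skip this audit session itself
ORDER BY backend_start;

-- 2. Roles that are allowed to run COPY ... FROM PROGRAM:
--    every superuser, plus every direct or indirect member of
--    pg_execute_server_program (membership is followed recursively).
WITH RECURSIVE members AS (
    SELECT m.member
    FROM pg_auth_members m
    JOIN pg_roles g ON g.oid = m.roleid
    WHERE g.rolname = 'pg_execute_server_program'
  UNION
    SELECT m.member
    FROM pg_auth_members m
    JOIN members ON m.roleid = members.member
)
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       CASE WHEN r.rolsuper THEN 'superuser'
            ELSE 'member of pg_execute_server_program'
       END AS reason
FROM pg_roles r
WHERE r.rolsuper
   OR r.oid IN (SELECT member FROM members)
ORDER BY r.rolsuper DESC, r.rolname;
```

The role reported by the first query should appear in the second; its credentials and the network path from the listed `client_addr` are the first things to rotate and close.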