Re: Unknown temp directories and library files

From: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
Cc: Priancka Chatz <pc9926(at)gmail(dot)com>, pgsql-admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: Unknown temp directories and library files
Date: 2024-10-11 20:50:39
Message-ID: CAMkU=1wEy1KW=1B7p0rS9rnmjHiG25eS+xD_hNZ22aW0gP5OQg@mail.gmail.com
Lists: pgsql-admin

On Fri, Oct 11, 2024 at 4:16 PM Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
wrote:

> On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
> > On Fri, Oct 11, 2024 at 3:09 PM Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> wrote:
> > > On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> > > > I am observing a new/unknown behavior on some of my instances. My postgres Data
> > > > directory path is /home/postgres/pgdata/pgroot/data. And I see a temp directory
> > > > present inside /home/postgres/pgdata which has 100s of directory underneath it
> > > > and inside each directory some library files related to Psycopg2. Not sure what
> > > > these files are and why it is getting created. I am attaching screenshots for reference.
> > > > Can anyone shed some light or direct me to any links to troubleshoot this?
> > >
> > > I'd say somebody broke into your database and is abusing it for his purposes.
> > >
> > > If that proves true, rescue what you can of the data and start with a new
> > > installation, preferably with better security.
>
> I have no conclusive proof for abuse, but a library has no business in "pgsql_tmp".
> That looks very much like somebody guessed your superuser password and is hijacking
> the operating system account.
>

But he didn't say they were in pgsql_tmp, just that they were in some temp
directory apparently 3 or 4 levels higher in the directory tree than where
I would expect pgsql_tmp to be. To me this looks like some cruft left over
from some sysadmin running the python package manager, perhaps while logged
in as the wrong user. (Although I suppose that running a package manager as
the wrong user is also something a hacker might try to do...)

Cheers,

Jeff
