Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1szM48-005cyr-LE
	for pgsql-admin@arkaria.postgresql.org; Fri, 11 Oct 2024 20:16:48 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1szM46-00AhAM-Cu
	for pgsql-admin@arkaria.postgresql.org; Fri, 11 Oct 2024 20:16:46 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1szM45-00Ah8M-Vb
	for pgsql-admin@lists.postgresql.org; Fri, 11 Oct 2024 20:16:46 +0000
Received: from mail-lf1-x12c.google.com ([2a00:1450:4864:20::12c])
	by makus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1szM43-000Pns-1g
	for pgsql-admin@postgresql.org; Fri, 11 Oct 2024 20:16:44 +0000
Received: by mail-lf1-x12c.google.com with SMTP id
 2adb3069b0e04-5398e3f43f3so2737443e87.2
        for <pgsql-admin@postgresql.org>;
 Fri, 11 Oct 2024 13:16:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=cybertec.at; s=cybertec.at; t=1728677800; x=1729282600;
 darn=postgresql.org;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject
         :date:message-id:reply-to;
        bh=s5Fh2gWVBcrZwFaK8xbkYhxVxn7xteEV22JQNk/qOvw=;
        b=YVoH+K0V6sLiBSvenMzXVL+samQJWzKJRsMySLJavouXshsS/M2p/35c5dl8ebWEQy
         pbUxWSi6psen34bKMZslts6hz7dUt4bW9kQqTAeY4m2M3mZma9sFmM/nceEY0SL4wy8A
         gxgzxVTYOilwPS2mGp5RHyRpQyeaGD+Ufo8TQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1728677800; x=1729282600;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=s5Fh2gWVBcrZwFaK8xbkYhxVxn7xteEV22JQNk/qOvw=;
        b=uRDjPgjqi20An3M0TcTdOArDfxlAvkGuyIcBd1EyDy8m31Oza3wEqzKVundki40jLD
         NdzCsygOyXNh2myjBOnIvEyWiq7YWwPg8yfWt7DylMDDIPfFy4lYwtWDcacOujeVxYwT
         cMrK9pfJkYcmXiM6szjaWWBeUW0TqiJ2QQYA/E7bZrIx2ki0B/5f+ZViHdFTghJaDIve
         Hj6UtRWYlImT6jR4I5y9v2+0cP9vGr2RDfwQ8qbrFbZm1qGvrZcAk6+4XzfMQh0q5CKm
         qGfIAlqYV9w3ztF7sC3hfAuB1IOUnKz43PNNmK+skSRfiCf9QT+SNkPeNKcUZs5rwaB4
         YtOg==
X-Gm-Message-State: AOJu0Yy1JySwEZMr5I069gvSAsupA+iPFutVqaCh2GrIfjCxFm6gbRbB
	HgU0qWY8rxkNThHYXV8YNy6gKbij2A6lwwMmXjNRKQ/+2Vj2Ohunsfy44Uy1DqM=
X-Google-Smtp-Source: 
 AGHT+IFN3G5PFYIfU3i5EHPAVC6+kLwLRlVGG+JEVddCQ33GXSxCvTyjII8qwoIlBSGk0wESNT6wMg==
X-Received: by 2002:a05:6512:3b0a:b0:536:562d:dd11 with SMTP id
 2adb3069b0e04-539da3b520emr1928640e87.11.1728677800308;
        Fri, 11 Oct 2024 13:16:40 -0700 (PDT)
Received: from dynamic-pd01.res.v6.highway.a1.net
 ([2001:871:260:536:206a:2b5b:d652:a7f2])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-430ccf51770sm83356285e9.22.2024.10.11.13.16.39
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 11 Oct 2024 13:16:39 -0700 (PDT)
Message-ID: <1eb200f88003972f2723967ddc95b70b3e61f5de.camel@cybertec.at>
Subject: Re: Unknown temp directories and library files
From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Priancka Chatz <pc9926@gmail.com>
Cc: pgsql-admin <pgsql-admin@postgresql.org>
Date: Fri, 11 Oct 2024 22:16:39 +0200
In-Reply-To: 
 <CANnOdgYuaUxnx2XwDek3ZQYK0OiO_XniVNhKB-Ezfz6TRANGtQ@mail.gmail.com>
References: 
	<CANnOdgb=p9mLcg=5BMJ76yEZ+RYR7WHgS1VJRf8EY5VvOcf3ng@mail.gmail.com>
	 <6b344a9d0ae654ca0bda0381a2f7f96df76ae3b2.camel@cybertec.at>
	 <CANnOdgYuaUxnx2XwDek3ZQYK0OiO_XniVNhKB-Ezfz6TRANGtQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.52.4 (3.52.4-1.fc40) 
MIME-Version: 1.0
List-Id: <pgsql-admin.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-admin@lists.postgresql.org>
List-Owner: <mailto:pgsql-admin-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-admin>
Archived-At: 
 <https://www.postgresql.org/message-id/1eb200f88003972f2723967ddc95b70b3e61f5de.camel%40cybertec.at>
Precedence: bulk

On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
> On Fri, Oct 11, 2024 at 3:09=E2=80=AFPM Laurenz Albe <laurenz.albe@cybert=
ec.at> wrote:
> > On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> > > I am observing a new/unknown behavior on some of my instances. My pos=
tgres Data
> > > directory path is /home/postgres/pgdata/pgroot/data. And I see a temp=
 directory
> > > present inside /home/postgres/pgdata which has 100s of directory unde=
rneath it
> > > and inside each directory some library files related to Psycopg2. Not=
 sure what
> > > these files are and why it is getting created. I am attaching screens=
hots for reference.
> > > Can anyone shed some light or direct me to any links to troubleshoot =
this?
> >=20
> > I'd say somebody broke into your database and is abusing it for his pur=
poses.
> >=20
> > If that proves true, rescue what you can of the data and start with a n=
ew
> > installation, preferably with better security.

I have no conclusive proof for abuse, but a library has no business in "pgs=
ql_tmp".
That looks very much like somebody guessed your superuser password and is h=
ijacking
the operating system account.

Is that by any event a database accessible on the internet?  Did you have a=
 really
secure password?

Yours,
Laurenz Albe