Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1szFOn-0052x2-CW
	for pgsql-admin@arkaria.postgresql.org; Fri, 11 Oct 2024 13:09:41 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-admin-owner+archive@lists.postgresql.org>)
	id 1szFOl-0040GI-GH
	for pgsql-admin@arkaria.postgresql.org; Fri, 11 Oct 2024 13:09:39 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1szFOl-0040GA-3c
	for pgsql-admin@lists.postgresql.org; Fri, 11 Oct 2024 13:09:39 +0000
Received: from mail-ej1-x62f.google.com ([2a00:1450:4864:20::62f])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <laurenz.albe@cybertec.at>)
	id 1szFOi-000WFE-9O
	for pgsql-admin@postgresql.org; Fri, 11 Oct 2024 13:09:38 +0000
Received: by mail-ej1-x62f.google.com with SMTP id
 a640c23a62f3a-a994ecf79e7so325130666b.0
        for <pgsql-admin@postgresql.org>;
 Fri, 11 Oct 2024 06:09:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=cybertec.at; s=cybertec.at; t=1728652176; x=1729256976;
 darn=postgresql.org;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:from:to:cc:subject:date
         :message-id:reply-to;
        bh=FFtKOvcl54NDbYltWV/QAcTBf9wLwa2hSTCJsIXU0bI=;
        b=MuimSuRu7pGN0J0vOy0sWBKMg3ICKiiROhp6OaSSFJm5jZjYmaFRVuF0G736sQs6Ff
         JI0ocGzZ4kQt5KUtVsZiiwzs0x6ElU3SJOv8qZ7OcJp6LFQZERFxO+URrM0u8/3P+d3o
         UgeuTQdoG/pq5Z1r0+D8f6yu22gixZVCcS9ME=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1728652176; x=1729256976;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:to:from:subject:message-id:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=FFtKOvcl54NDbYltWV/QAcTBf9wLwa2hSTCJsIXU0bI=;
        b=c2BFLrQ9J8VWzKua1pNa1e8oFi40QUY9tG8egx9yqZMj15oRRwonWJIW79dIcxDByj
         nwTqG6HeLk/s2tMvlQWQgp1Q7qmNiMk18FWM2ikL2u2VJ+dDD/1caGRU2sD/ghJIlztJ
         65isCXdv+hr15uIjq/b9nmHnpIe9tCSgscuIAMghTaIOCl/qycbp8vvpo7uW4pXts41A
         SS9LkwY/WTb+/4OJh3D0i+JWMV3sZ1gXXR9zFkkZuqm5tZDIcBCm/WXCZrfIBavLISVW
         1RcRg9MaAYQE3/PHMIU0WCRJyM0OpeAgVnQkG3n36QIRsH+ebEaAseupf0ATy23w7/XI
         QprA==
X-Forwarded-Encrypted: i=1;
 AJvYcCVMCd5cN9bbhup+zr3rRsGjIKN3dPQE1w5NYaKZYXEOqSfzyuiKwg7euNsn9GzwP9jI1jjb5xDQccf/lg==@postgresql.org
X-Gm-Message-State: AOJu0YwzrxH0YMkb4/YUA/xS9zH5TCI5ZUwuOIFWbKFGRp+7sp7TZRcZ
	WepqOFY0QF71zAX3xyR3S5eNMlJbY0aMoOpjyq0wifRDTU7gXhpn69cMhpfDEkGj/w47ysdzm7S
	3
X-Google-Smtp-Source: 
 AGHT+IFIvhdAF7KVa5BwSrkW9b/PRMuAejlSGsgOi4IiEGqCZJEuS5VyUpKkl010qaD1ybUm1Bcqhg==
X-Received: by 2002:a17:907:e655:b0:a99:76a9:a9b3 with SMTP id
 a640c23a62f3a-a99b9454926mr216938366b.14.1728652175523;
        Fri, 11 Oct 2024 06:09:35 -0700 (PDT)
Received: from dynamic-pd01.res.v6.highway.a1.net
 ([2001:871:5e:cee2:5de8:9778:e8b6:6357])
        by smtp.gmail.com with ESMTPSA id
 a640c23a62f3a-a99a7f26036sm211087266b.62.2024.10.11.06.09.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 11 Oct 2024 06:09:35 -0700 (PDT)
Message-ID: <6b344a9d0ae654ca0bda0381a2f7f96df76ae3b2.camel@cybertec.at>
Subject: Re: Unknown temp directories and library files
From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Priancka Chatz <pc9926@gmail.com>, pgsql-admin
 <pgsql-admin@postgresql.org>
Date: Fri, 11 Oct 2024 15:09:34 +0200
In-Reply-To: 
 <CANnOdgb=p9mLcg=5BMJ76yEZ+RYR7WHgS1VJRf8EY5VvOcf3ng@mail.gmail.com>
References: 
	<CANnOdgb=p9mLcg=5BMJ76yEZ+RYR7WHgS1VJRf8EY5VvOcf3ng@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.52.4 (3.52.4-1.fc40) 
MIME-Version: 1.0
List-Id: <pgsql-admin.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-admin@lists.postgresql.org>
List-Owner: <mailto:pgsql-admin-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-admin>
Archived-At: 
 <https://www.postgresql.org/message-id/6b344a9d0ae654ca0bda0381a2f7f96df76ae3b2.camel%40cybertec.at>
Precedence: bulk

On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> I am observing a new/unknown behavior on some of my instances. My postgre=
s Data
> directory path is /home/postgres/pgdata/pgroot/data. And I see a temp dir=
ectory
> present inside /home/postgres/pgdata which has 100s of directory undernea=
th it
> and inside each directory some library files related to Psycopg2. Not sur=
e what
> these files are and why it is getting created. I am attaching screenshots=
 for reference.
> Can anyone shed some light or direct me to any links to troubleshoot this=
?

I'd say somebody broke into your database and is abusing it for his purpose=
s.

If that proves true, rescue what you can of the data and start with a new
installation, preferably with better security.

Yours,
Laurenz Albe