MIME-Version: 1.0
References: 
 <CANnOdgb=p9mLcg=5BMJ76yEZ+RYR7WHgS1VJRf8EY5VvOcf3ng@mail.gmail.com>
 <6b344a9d0ae654ca0bda0381a2f7f96df76ae3b2.camel@cybertec.at>
 <CANnOdgYuaUxnx2XwDek3ZQYK0OiO_XniVNhKB-Ezfz6TRANGtQ@mail.gmail.com>
 <1eb200f88003972f2723967ddc95b70b3e61f5de.camel@cybertec.at>
 <CAMkU=1wEy1KW=1B7p0rS9rnmjHiG25eS+xD_hNZ22aW0gP5OQg@mail.gmail.com>
In-Reply-To: 
 <CAMkU=1wEy1KW=1B7p0rS9rnmjHiG25eS+xD_hNZ22aW0gP5OQg@mail.gmail.com>
From: Imran Khan <imran.k.23@gmail.com>
Date: Sat, 12 Oct 2024 00:01:43 +0300
Message-ID: 
 <CAC4eXDjhFjdeb+Aa5bh9aBLevMcOd=AHFni7sxjBGE2ZZLGAyg@mail.gmail.com>
Subject: Re: Unknown temp directories and library files
To: Jeff Janes <jeff.janes@gmail.com>
Cc: Laurenz Albe <laurenz.albe@cybertec.at>,
 Priancka Chatz <pc9926@gmail.com>,
	pgsql-admin <pgsql-admin@postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000201db9062439cc0b"
Archived-At: 
 <https://www.postgresql.org/message-id/CAC4eXDjhFjdeb%2BAa5bh9aBLevMcOd%3DAHFni7sxjBGE2ZZLGAyg%40mail.gmail.com>
Precedence: bulk

--000000000000201db9062439cc0b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

In that case involving OS admin make sense.

On Fri, Oct 11, 2024, 11:51=E2=80=AFPM Jeff Janes <jeff.janes@gmail.com> wr=
ote:

>
>
> On Fri, Oct 11, 2024 at 4:16=E2=80=AFPM Laurenz Albe <laurenz.albe@cybert=
ec.at>
> wrote:
>
>> On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
>> > On Fri, Oct 11, 2024 at 3:09=E2=80=AFPM Laurenz Albe <laurenz.albe@cyb=
ertec.at>
>> wrote:
>> > > On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
>> > > > I am observing a new/unknown behavior on some of my instances. My
>> postgres Data
>> > > > directory path is /home/postgres/pgdata/pgroot/data. And I see a
>> temp directory
>> > > > present inside /home/postgres/pgdata which has 100s of directory
>> underneath it
>> > > > and inside each directory some library files related to Psycopg2.
>> Not sure what
>> > > > these files are and why it is getting created. I am attaching
>> screenshots for reference.
>> > > > Can anyone shed some light or direct me to any links to
>> troubleshoot this?
>> > >
>> > > I'd say somebody broke into your database and is abusing it for his
>> purposes.
>> > >
>> > > If that proves true, rescue what you can of the data and start with =
a
>> new
>> > > installation, preferably with better security.
>>
>> I have no conclusive proof for abuse, but a library has no business in
>> "pgsql_tmp".
>> That looks very much like somebody guessed your superuser password and i=
s
>> hijacking
>> the operating system account.
>>
>
> But he didn't say they were in pgsql_tmp, just that they were in some tem=
p
> directory apparently 3 or 4 levels higher in the directory tree than wher=
e
> I would expect pgsql_tmp to be. To me this looks like some cruft left ove=
r
> from some sysadmin running the python package manager, perhaps while logg=
ed
> in as the wrong user. (Although I suppose that running a package manager =
as
> the wrong user is also something a hacker might try to do...)
>
> Cheers,
>
> Jeff
>

--000000000000201db9062439cc0b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">In that=C2=A0case involving OS admin make sense.</div><br=
><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, O=
ct 11, 2024, 11:51=E2=80=AFPM Jeff Janes &lt;<a href=3D"mailto:jeff.janes@g=
mail.com">jeff.janes@gmail.com</a>&gt; wrote:<br></div><blockquote class=3D=
"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding=
-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gm=
ail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Oct 11, 2024 at 4:=
16=E2=80=AFPM Laurenz Albe &lt;<a href=3D"mailto:laurenz.albe@cybertec.at" =
target=3D"_blank" rel=3D"noreferrer">laurenz.albe@cybertec.at</a>&gt; wrote=
:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.=
8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Fri, 2024-1=
0-11 at 15:47 +0200, Priancka Chatz wrote:<br>
&gt; On Fri, Oct 11, 2024 at 3:09=E2=80=AFPM Laurenz Albe &lt;<a href=3D"ma=
ilto:laurenz.albe@cybertec.at" target=3D"_blank" rel=3D"noreferrer">laurenz=
.albe@cybertec.at</a>&gt; wrote:<br>
&gt; &gt; On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:<br>
&gt; &gt; &gt; I am observing a new/unknown behavior on some of my instance=
s. My postgres Data<br>
&gt; &gt; &gt; directory path is /home/postgres/pgdata/pgroot/data. And I s=
ee a temp directory<br>
&gt; &gt; &gt; present inside /home/postgres/pgdata which has 100s of direc=
tory underneath it<br>
&gt; &gt; &gt; and inside each directory some library files related to Psyc=
opg2. Not sure what<br>
&gt; &gt; &gt; these files are and why it is getting created. I am attachin=
g screenshots for reference.<br>
&gt; &gt; &gt; Can anyone shed some light or direct me to any links to trou=
bleshoot this?<br>
&gt; &gt; <br>
&gt; &gt; I&#39;d say somebody broke into your database and is abusing it f=
or his purposes.<br>
&gt; &gt; <br>
&gt; &gt; If that proves true, rescue what you can of the data and start wi=
th a new<br>
&gt; &gt; installation, preferably with better security.<br>
<br>
I have no conclusive proof for abuse, but a library has no business in &quo=
t;pgsql_tmp&quot;.<br>
That looks very much like somebody guessed your superuser password and is h=
ijacking<br>
the operating system account.<br></blockquote><div><br></div><div>But he di=
dn&#39;t say they were in pgsql_tmp, just that they were in some temp direc=
tory apparently 3 or 4 levels higher in the directory tree than where I wou=
ld expect pgsql_tmp to be. To me this looks like some cruft left over from =
some sysadmin running the python package manager, perhaps while logged in a=
s the wrong user. (Although I suppose that running a package manager as the=
 wrong user is also something a hacker might try to do...)</div><div><br></=
div><div>Cheers,</div><div><br></div><div>Jeff</div></div></div>
</blockquote></div>

--000000000000201db9062439cc0b--