public inbox for [email protected]  
From: Imran Khan <[email protected]>
To: Jeff Janes <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: Priancka Chatz <[email protected]>
Cc: pgsql-admin <[email protected]>
Subject: Re: Unknown temp directories and library files
Date: Sat, 12 Oct 2024 00:00:30 +0300
Message-ID: <CAC4eXDjmTmdiDVgUyUcx3GRf2NPZPGwBYmEq=MicKuR6nS7kNw@mail.gmail.com>
In-Reply-To: <CAMkU=1wEy1KW=1B7p0rS9rnmjHiG25eS+xD_hNZ22aW0gP5OQg@mail.gmail.com>
References: <CANnOdgb=p9mLcg=5BMJ76yEZ+RYR7WHgS1VJRf8EY5VvOcf3ng@mail.gmail.com>
	<[email protected]>
	<CANnOdgYuaUxnx2XwDek3ZQYK0OiO_XniVNhKB-Ezfz6TRANGtQ@mail.gmail.com>
	<[email protected]>
	<CAMkU=1wEy1KW=1B7p0rS9rnmjHiG25eS+xD_hNZ22aW0gP5OQg@mail.gmail.com>

My apologies for the misunderstanding.

On Fri, Oct 11, 2024, 11:51 PM Jeff Janes <[email protected]> wrote:

>
> On Fri, Oct 11, 2024 at 4:16 PM Laurenz Albe <[email protected]> wrote:
>
>> On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
>> > On Fri, Oct 11, 2024 at 3:09 PM Laurenz Albe <[email protected]> wrote:
>> > > On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
>> > > > I am observing a new/unknown behavior on some of my instances. My postgres Data
>> > > > directory path is /home/postgres/pgdata/pgroot/data. And I see a temp directory
>> > > > present inside /home/postgres/pgdata which has 100s of directories underneath it
>> > > > and inside each directory some library files related to Psycopg2. Not sure what
>> > > > these files are and why they are getting created. I am attaching screenshots for reference.
>> > > > Can anyone shed some light or direct me to any links to troubleshoot this?
>> > >
>> > > I'd say somebody broke into your database and is abusing it for his purposes.
>> > >
>> > > If that proves true, rescue what you can of the data and start with a new
>> > > installation, preferably with better security.
>>
>> I have no conclusive proof for abuse, but a library has no business in "pgsql_tmp".
>> That looks very much like somebody guessed your superuser password and is hijacking
>> the operating system account.
>>
>
> But he didn't say they were in pgsql_tmp, just that they were in some temp
> directory apparently 3 or 4 levels higher in the directory tree than where
> I would expect pgsql_tmp to be. To me this looks like some cruft left over
> from some sysadmin running the python package manager, perhaps while logged
> in as the wrong user. (Although I suppose that running a package manager as
> the wrong user is also something a hacker might try to do...)
>
> Cheers,
>
> Jeff
>
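
Added example, not part of any message in this thread: a read-only triage sketch that separates the two readings above, a library inside "pgsql_tmp" versus one in some other temp directory, and records owner and modification time for the wrong-user question. The sample tree's directory and file names are constructed, and using the ELF magic bytes to mean "is a library" is an assumption.

```python
import os
import stat
import tempfile
ELF_MAGIC = b"\x7fELF"  # first four bytes of any ELF object, shared libraries included

def is_elf(path):
    """True if the file starts with the ELF magic; unreadable files count as not ELF."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False

def triage(root, expected_uid):
    """List each ELF file under root with the facts the thread is arguing about."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            if not stat.S_ISREG(st.st_mode) or not is_elf(path):
                continue
            findings.append({
                "path": rel,
                "in_pgsql_tmp": "pgsql_tmp" in rel.split(os.sep),
                "foreign_owner": st.st_uid != expected_uid,
                "mtime": int(st.st_mtime),
            })
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Constructed sample tree; every directory and file name here is made up."""
    root = tempfile.mkdtemp()
    samples = {
        "temp/pkg-0001/psycopg2/_psycopg.so": ELF_MAGIC + b"\x02\x01\x01",
        "pgroot/data/base/pgsql_tmp/pgsql_tmp4242.0": b"sort spill data",
        "pgroot/data/base/pgsql_tmp/helper.so": ELF_MAGIC + b"\x02\x01\x01",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for finding in triage(build_sample_tree(), os.getuid()):
        print(finding)
```

Pointed at a real tree, `expected_uid` would be the uid of the account that runs the PostgreSQL server; modification times that cluster tightly are consistent with a single install run.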

