MIME-Version: 1.0
References: 
 <CANnOdgb=p9mLcg=5BMJ76yEZ+RYR7WHgS1VJRf8EY5VvOcf3ng@mail.gmail.com>
 <6b344a9d0ae654ca0bda0381a2f7f96df76ae3b2.camel@cybertec.at>
 <CANnOdgYuaUxnx2XwDek3ZQYK0OiO_XniVNhKB-Ezfz6TRANGtQ@mail.gmail.com>
 <1eb200f88003972f2723967ddc95b70b3e61f5de.camel@cybertec.at>
In-Reply-To: <1eb200f88003972f2723967ddc95b70b3e61f5de.camel@cybertec.at>
From: Jeff Janes <jeff.janes@gmail.com>
Date: Fri, 11 Oct 2024 16:50:39 -0400
Message-ID: 
 <CAMkU=1wEy1KW=1B7p0rS9rnmjHiG25eS+xD_hNZ22aW0gP5OQg@mail.gmail.com>
Subject: Re: Unknown temp directories and library files
To: Laurenz Albe <laurenz.albe@cybertec.at>
Cc: Priancka Chatz <pc9926@gmail.com>,
 pgsql-admin <pgsql-admin@postgresql.org>
Content-Type: multipart/alternative; boundary="0000000000007d144f062439a4d3"
Archived-At: 
 <https://www.postgresql.org/message-id/CAMkU%3D1wEy1KW%3D1B7p0rS9rnmjHiG25eS%2BxD_hNZ22aW0gP5OQg%40mail.gmail.com>
Precedence: bulk

--0000000000007d144f062439a4d3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Fri, Oct 11, 2024 at 4:16=E2=80=AFPM Laurenz Albe <laurenz.albe@cybertec=
.at>
wrote:

> On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
> > On Fri, Oct 11, 2024 at 3:09=E2=80=AFPM Laurenz Albe <laurenz.albe@cybe=
rtec.at>
> wrote:
> > > On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> > > > I am observing a new/unknown behavior on some of my instances. My
> postgres Data
> > > > directory path is /home/postgres/pgdata/pgroot/data. And I see a
> temp directory
> > > > present inside /home/postgres/pgdata which has 100s of directory
> underneath it
> > > > and inside each directory some library files related to Psycopg2.
> Not sure what
> > > > these files are and why it is getting created. I am attaching
> screenshots for reference.
> > > > Can anyone shed some light or direct me to any links to troubleshoo=
t
> this?
> > >
> > > I'd say somebody broke into your database and is abusing it for his
> purposes.
> > >
> > > If that proves true, rescue what you can of the data and start with a
> new
> > > installation, preferably with better security.
>
> I have no conclusive proof for abuse, but a library has no business in
> "pgsql_tmp".
> That looks very much like somebody guessed your superuser password and is
> hijacking
> the operating system account.
>

But he didn't say they were in pgsql_tmp, just that they were in some temp
directory apparently 3 or 4 levels higher in the directory tree than where
I would expect pgsql_tmp to be. To me this looks like some cruft left over
from some sysadmin running the python package manager, perhaps while logged
in as the wrong user. (Although I suppose that running a package manager as
the wrong user is also something a hacker might try to do...)

Cheers,

Jeff

--0000000000007d144f062439a4d3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Fri, Oct 11, 2024 at 4:16=E2=80=AF=
PM Laurenz Albe &lt;<a href=3D"mailto:laurenz.albe@cybertec.at">laurenz.alb=
e@cybertec.at</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddi=
ng-left:1ex">On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:<br>
&gt; On Fri, Oct 11, 2024 at 3:09=E2=80=AFPM Laurenz Albe &lt;<a href=3D"ma=
ilto:laurenz.albe@cybertec.at" target=3D"_blank">laurenz.albe@cybertec.at</=
a>&gt; wrote:<br>
&gt; &gt; On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:<br>
&gt; &gt; &gt; I am observing a new/unknown behavior on some of my instance=
s. My postgres Data<br>
&gt; &gt; &gt; directory path is /home/postgres/pgdata/pgroot/data. And I s=
ee a temp directory<br>
&gt; &gt; &gt; present inside /home/postgres/pgdata which has 100s of direc=
tory underneath it<br>
&gt; &gt; &gt; and inside each directory some library files related to Psyc=
opg2. Not sure what<br>
&gt; &gt; &gt; these files are and why it is getting created. I am attachin=
g screenshots for reference.<br>
&gt; &gt; &gt; Can anyone shed some light or direct me to any links to trou=
bleshoot this?<br>
&gt; &gt; <br>
&gt; &gt; I&#39;d say somebody broke into your database and is abusing it f=
or his purposes.<br>
&gt; &gt; <br>
&gt; &gt; If that proves true, rescue what you can of the data and start wi=
th a new<br>
&gt; &gt; installation, preferably with better security.<br>
<br>
I have no conclusive proof for abuse, but a library has no business in &quo=
t;pgsql_tmp&quot;.<br>
That looks very much like somebody guessed your superuser password and is h=
ijacking<br>
the operating system account.<br></blockquote><div><br></div><div>But he di=
dn&#39;t say they were in pgsql_tmp, just that they were in some temp direc=
tory apparently 3 or 4 levels higher in the directory tree than where I wou=
ld expect pgsql_tmp to be. To me this looks like some cruft left over from =
some sysadmin running the python package manager, perhaps while logged in a=
s the wrong user. (Although I suppose that running a package manager as the=
 wrong user is also something a hacker might try to do...)</div><div><br></=
div><div>Cheers,</div><div><br></div><div>Jeff</div></div></div>

--0000000000007d144f062439a4d3--