MIME-Version: 1.0
References: 
 <CANnOdgb=p9mLcg=5BMJ76yEZ+RYR7WHgS1VJRf8EY5VvOcf3ng@mail.gmail.com>
 <6b344a9d0ae654ca0bda0381a2f7f96df76ae3b2.camel@cybertec.at>
 <CANnOdgYuaUxnx2XwDek3ZQYK0OiO_XniVNhKB-Ezfz6TRANGtQ@mail.gmail.com>
 <1eb200f88003972f2723967ddc95b70b3e61f5de.camel@cybertec.at>
 <CAMkU=1wEy1KW=1B7p0rS9rnmjHiG25eS+xD_hNZ22aW0gP5OQg@mail.gmail.com>
 <CAC4eXDjhFjdeb+Aa5bh9aBLevMcOd=AHFni7sxjBGE2ZZLGAyg@mail.gmail.com>
In-Reply-To: 
 <CAC4eXDjhFjdeb+Aa5bh9aBLevMcOd=AHFni7sxjBGE2ZZLGAyg@mail.gmail.com>
From: Priancka Chatz <pc9926@gmail.com>
Date: Sat, 12 Oct 2024 12:05:57 +0200
Message-ID: 
 <CANnOdgYMJiRjQU1-Jaqo3vp4LY7O3rmxMLq=e5M=GzdryCDNOg@mail.gmail.com>
Subject: Re: Unknown temp directories and library files
To: Imran Khan <imran.k.23@gmail.com>
Cc: Jeff Janes <jeff.janes@gmail.com>,
 Laurenz Albe <laurenz.albe@cybertec.at>,
	pgsql-admin <pgsql-admin@postgresql.org>
Content-Type: multipart/alternative; boundary="000000000000a3e29c062444c0dc"
Archived-At: 
 <https://www.postgresql.org/message-id/CANnOdgYMJiRjQU1-Jaqo3vp4LY7O3rmxMLq%3De5M%3DGzdryCDNOg%40mail.gmail.com>
Precedence: bulk

--000000000000a3e29c062444c0dc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

It is not pgsql_tmp but a directory two level before the postgres data
directory. I tried deleting the files but they reappear in about 10 mins or
so, so it is not a sysadmin leftover.  I am suspecting it is something that
probably is assisting with some tools maybe: there is Patroni ,pgqd, wal-g
running and some of these require python. However, I am still not sure why
they exist and what is creating it.

Regards,
Priyanka

On Fri, Oct 11, 2024 at 11:01=E2=80=AFPM Imran Khan <imran.k.23@gmail.com> =
wrote:

> In that case involving OS admin make sense.
>
> On Fri, Oct 11, 2024, 11:51=E2=80=AFPM Jeff Janes <jeff.janes@gmail.com> =
wrote:
>
>>
>>
>> On Fri, Oct 11, 2024 at 4:16=E2=80=AFPM Laurenz Albe <laurenz.albe@cyber=
tec.at>
>> wrote:
>>
>>> On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
>>> > On Fri, Oct 11, 2024 at 3:09=E2=80=AFPM Laurenz Albe <laurenz.albe@cy=
bertec.at>
>>> wrote:
>>> > > On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
>>> > > > I am observing a new/unknown behavior on some of my instances. My
>>> postgres Data
>>> > > > directory path is /home/postgres/pgdata/pgroot/data. And I see a
>>> temp directory
>>> > > > present inside /home/postgres/pgdata which has 100s of directory
>>> underneath it
>>> > > > and inside each directory some library files related to Psycopg2.
>>> Not sure what
>>> > > > these files are and why it is getting created. I am attaching
>>> screenshots for reference.
>>> > > > Can anyone shed some light or direct me to any links to
>>> troubleshoot this?
>>> > >
>>> > > I'd say somebody broke into your database and is abusing it for his
>>> purposes.
>>> > >
>>> > > If that proves true, rescue what you can of the data and start with
>>> a new
>>> > > installation, preferably with better security.
>>>
>>> I have no conclusive proof for abuse, but a library has no business in
>>> "pgsql_tmp".
>>> That looks very much like somebody guessed your superuser password and
>>> is hijacking
>>> the operating system account.
>>>
>>
>> But he didn't say they were in pgsql_tmp, just that they were in some
>> temp directory apparently 3 or 4 levels higher in the directory tree tha=
n
>> where I would expect pgsql_tmp to be. To me this looks like some cruft l=
eft
>> over from some sysadmin running the python package manager, perhaps whil=
e
>> logged in as the wrong user. (Although I suppose that running a package
>> manager as the wrong user is also something a hacker might try to do...)
>>
>> Cheers,
>>
>> Jeff
>>
>

--000000000000a3e29c062444c0dc
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">It is not pgsql_tmp but a directory two level before the p=
ostgres data directory. I tried deleting the files but they reappear in abo=
ut 10 mins or so, so it is not a sysadmin leftover.=C2=A0 I am suspecting i=
t is something that probably is assisting with some tools maybe: there is P=
atroni ,pgqd, wal-g running and some of these require python. However, I am=
 still not sure why they exist and what is creating it.=C2=A0<div><br></div=
><div>Regards,</div><div>Priyanka</div></div><br><div class=3D"gmail_quote"=
><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Oct 11, 2024 at 11:01=E2=80=
=AFPM Imran Khan &lt;<a href=3D"mailto:imran.k.23@gmail.com">imran.k.23@gma=
il.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"m=
argin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left=
:1ex"><div dir=3D"auto">In that=C2=A0case involving OS admin make sense.</d=
iv><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On =
Fri, Oct 11, 2024, 11:51=E2=80=AFPM Jeff Janes &lt;<a href=3D"mailto:jeff.j=
anes@gmail.com" target=3D"_blank">jeff.janes@gmail.com</a>&gt; wrote:<br></=
div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bor=
der-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div=
 dir=3D"ltr"><br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" clas=
s=3D"gmail_attr">On Fri, Oct 11, 2024 at 4:16=E2=80=AFPM Laurenz Albe &lt;<=
a href=3D"mailto:laurenz.albe@cybertec.at" rel=3D"noreferrer" target=3D"_bl=
ank">laurenz.albe@cybertec.at</a>&gt; wrote:<br></div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20=
4,204,204);padding-left:1ex">On Fri, 2024-10-11 at 15:47 +0200, Priancka Ch=
atz wrote:<br>
&gt; On Fri, Oct 11, 2024 at 3:09=E2=80=AFPM Laurenz Albe &lt;<a href=3D"ma=
ilto:laurenz.albe@cybertec.at" rel=3D"noreferrer" target=3D"_blank">laurenz=
.albe@cybertec.at</a>&gt; wrote:<br>
&gt; &gt; On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:<br>
&gt; &gt; &gt; I am observing a new/unknown behavior on some of my instance=
s. My postgres Data<br>
&gt; &gt; &gt; directory path is /home/postgres/pgdata/pgroot/data. And I s=
ee a temp directory<br>
&gt; &gt; &gt; present inside /home/postgres/pgdata which has 100s of direc=
tory underneath it<br>
&gt; &gt; &gt; and inside each directory some library files related to Psyc=
opg2. Not sure what<br>
&gt; &gt; &gt; these files are and why it is getting created. I am attachin=
g screenshots for reference.<br>
&gt; &gt; &gt; Can anyone shed some light or direct me to any links to trou=
bleshoot this?<br>
&gt; &gt; <br>
&gt; &gt; I&#39;d say somebody broke into your database and is abusing it f=
or his purposes.<br>
&gt; &gt; <br>
&gt; &gt; If that proves true, rescue what you can of the data and start wi=
th a new<br>
&gt; &gt; installation, preferably with better security.<br>
<br>
I have no conclusive proof for abuse, but a library has no business in &quo=
t;pgsql_tmp&quot;.<br>
That looks very much like somebody guessed your superuser password and is h=
ijacking<br>
the operating system account.<br></blockquote><div><br></div><div>But he di=
dn&#39;t say they were in pgsql_tmp, just that they were in some temp direc=
tory apparently 3 or 4 levels higher in the directory tree than where I wou=
ld expect pgsql_tmp to be. To me this looks like some cruft left over from =
some sysadmin running the python package manager, perhaps while logged in a=
s the wrong user. (Although I suppose that running a package manager as the=
 wrong user is also something a hacker might try to do...)</div><div><br></=
div><div>Cheers,</div><div><br></div><div>Jeff</div></div></div>
</blockquote></div>
</blockquote></div>

--000000000000a3e29c062444c0dc--