public inbox for [email protected]
Unknown temp directories and library files
10+ messages / 5 participants
* Unknown temp directories and library files @ 2024-10-10 10:22 Priancka Chatz <[email protected]>
From: Priancka Chatz @ 2024-10-10 10:22 UTC
To: pgsql-admin

Hi admins,

I am observing a new/unknown behavior on some of my instances. My postgres Data directory path is /home/postgres/pgdata/pgroot/data. And I see a temp directory present inside /home/postgres/pgdata which has 100s of directory underneath it and inside each directory some library files related to Psycopg2. Not sure what these files are and why it is getting created. I am attaching screenshots for reference.
Can anyone shed some light or direct me to any links to troubleshoot this?

Regards,
Priyanka

Attachments:
[image/png] Screenshot 2024-10-10 at 12.20.00.png (519.8K)
[image/png] Screenshot 2024-10-10 at 12.20.21.png (1.5M)

* Re: Unknown temp directories and library files @ 2024-10-11 13:09 Laurenz Albe <[email protected]>
From: Laurenz Albe @ 2024-10-11 13:09 UTC
To: Priancka Chatz <[email protected]>; pgsql-admin

On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> I am observing a new/unknown behavior on some of my instances. My postgres Data
> directory path is /home/postgres/pgdata/pgroot/data. And I see a temp directory
> present inside /home/postgres/pgdata which has 100s of directory underneath it
> and inside each directory some library files related to Psycopg2. Not sure what
> these files are and why it is getting created. I am attaching screenshots for reference.
> Can anyone shed some light or direct me to any links to troubleshoot this?

I'd say somebody broke into your database and is abusing it for his purposes.

If that proves true, rescue what you can of the data and start with a new
installation, preferably with better security.

Yours,
Laurenz Albe

* Re: Unknown temp directories and library files @ 2024-10-11 13:47 Priancka Chatz <[email protected]>
From: Priancka Chatz @ 2024-10-11 13:47 UTC
To: Laurenz Albe <[email protected]>; +Cc: pgsql-admin

Hi Laurenz,

What kind of security was breached here or you think needs to be tightened up? And how to prove this is a security issue or not?

Pretty worried,
Priyanka

* Re: Unknown temp directories and library files @ 2024-10-11 20:16 Laurenz Albe <[email protected]>
From: Laurenz Albe @ 2024-10-11 20:16 UTC
To: Priancka Chatz <[email protected]>; +Cc: pgsql-admin

I have no conclusive proof for abuse, but a library has no business in "pgsql_tmp".
That looks very much like somebody guessed your superuser password and is hijacking
the operating system account.

Is that by any event a database accessible on the internet?
Did you have a really secure password?

Yours,
Laurenz Albe

* Re: Unknown temp directories and library files @ 2024-10-11 20:21 Imran Khan <[email protected]>
From: Imran Khan @ 2024-10-11 20:21 UTC
To: Priancka Chatz <[email protected]>; +Cc: pgsql-admin

Hi,

Try to first restrict the access of localhost and assign a password for postgres which is known to you.
Then ask Linux team or server team to share logs of logins and history of root.
Finally, restart the instance to clear pgsql_tmp dir.

Thanks,
Imran

* Re: Unknown temp directories and library files @ 2024-10-11 20:50 Jeff Janes <[email protected]>
From: Jeff Janes @ 2024-10-11 20:50 UTC
To: Laurenz Albe <[email protected]>; +Cc: Priancka Chatz <[email protected]>; pgsql-admin

On Fri, Oct 11, 2024 at 4:16 PM Laurenz Albe <[email protected]> wrote:
> I have no conclusive proof for abuse, but a library has no business in "pgsql_tmp".
> That looks very much like somebody guessed your superuser password and is hijacking
> the operating system account.

But he didn't say they were in pgsql_tmp, just that they were in some temp directory apparently 3 or 4 levels higher in the directory tree than where I would expect pgsql_tmp to be. To me this looks like some cruft left over from some sysadmin running the python package manager, perhaps while logged in as the wrong user. (Although I suppose that running a package manager as the wrong user is also something a hacker might try to do...)

Cheers,

Jeff

* Re: Unknown temp directories and library files @ 2024-10-11 21:00 Imran Khan <[email protected]>
From: Imran Khan @ 2024-10-11 21:00 UTC
To: Jeff Janes <[email protected]>; +Cc: Laurenz Albe <[email protected]>; Priancka Chatz <[email protected]>; pgsql-admin

My apology for misunderstanding..

* Re: Unknown temp directories and library files @ 2024-10-11 21:01 Imran Khan <[email protected]>
From: Imran Khan @ 2024-10-11 21:01 UTC
To: Jeff Janes <[email protected]>; +Cc: Laurenz Albe <[email protected]>; Priancka Chatz <[email protected]>; pgsql-admin

In that case involving OS admin makes sense.

* Re: Unknown temp directories and library files @ 2024-10-12 10:05 Priancka Chatz <[email protected]>
From: Priancka Chatz @ 2024-10-12 10:05 UTC
To: Imran Khan <[email protected]>; +Cc: Jeff Janes <[email protected]>; Laurenz Albe <[email protected]>; pgsql-admin

It is not pgsql_tmp but a directory two levels before the postgres data directory.
I tried deleting the files but they reappear in about 10 mins or so, so it is not a sysadmin leftover.
I am suspecting it is something that probably is assisting with some tools maybe: there is Patroni, pgqd, wal-g running and some of these require python.
However, I am still not sure why they exist and what is creating it.

Regards,
Priyanka
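
One way to answer the open question in the message above (what keeps recreating the directories), shown as an added example that is not part of the thread: put an auditd watch on the directory and summarize which executable, UID and login context made each change. The watch key `pgdata_tmp`, the `<temp-dir>` placeholder and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed watch (run as root; <temp-dir> is a placeholder, the thread does not name it):
#   auditctl -w /home/postgres/pgdata/<temp-dir> -p wa -k pgdata_tmp
UNSET_AUID = "4294967295"  # auid value auditd records when no login session is attached

# Constructed, abbreviated auditd SYSCALL records (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1728727200.101:9001): arch=c000003e syscall=83 success=yes exit=0 ppid=812 pid=4410 auid=4294967295 uid=26 comm="python3" exe="/usr/bin/python3.9" key="pgdata_tmp"
type=SYSCALL msg=audit(1728727200.140:9002): arch=c000003e syscall=257 success=yes exit=5 ppid=812 pid=4410 auid=4294967295 uid=26 comm="python3" exe="/usr/bin/python3.9" key="pgdata_tmp"
type=SYSCALL msg=audit(1728727500.020:9050): arch=c000003e syscall=263 success=yes exit=0 ppid=30112 pid=30190 auid=1001 uid=26 comm="rm" exe="/usr/bin/rm" key="pgdata_tmp"
type=SYSCALL msg=audit(1728727800.090:9100): arch=c000003e syscall=83 success=yes exit=0 ppid=812 pid=4987 auid=4294967295 uid=26 comm="python3" exe="/usr/bin/python3.9" key="pgdata_tmp"
type=SYSCALL msg=audit(1728727801.500:9101): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=640 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key="other_rule"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
STAMP = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")  # epoch seconds of the event


def summarize(log_text, key):
    """Group SYSCALL records tagged with `key` by executable, UID and login context."""
    groups = defaultdict(lambda: {"events": 0, "pids": set(), "times": []})
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        stamp = STAMP.search(line)
        if rec.get("key") != key or stamp is None:
            continue
        g = groups[(rec.get("exe", "?"), rec.get("uid", "?"), rec.get("auid", "?"))]
        g["events"] += 1
        g["pids"].add(rec.get("pid"))
        g["times"].append(int(stamp.group(1)))
    report = []
    for (exe, uid, auid), g in groups.items():
        times = sorted(g["times"])
        report.append({
            "exe": exe,
            "uid": uid,
            "login_session": auid != UNSET_AUID,  # False: not started from a login
            "events": g["events"],
            "pids": len(g["pids"]),               # distinct processes seen
            "span_seconds": times[-1] - times[0],
        })
    return sorted(report, key=lambda r: -r["events"])


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, "pgdata_tmp"):
        print(row)
```

A writer with an unset `auid` was not started from a login session, which helps separate a service recreating the files from an administrator working in a shell; the `exe` and `ppid` fields of the matching records then point at the program to inspect.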

* Re: Unknown temp directories and library files @ 2024-10-15 16:03 vignesh kumar <[email protected]>
From: vignesh kumar @ 2024-10-15 16:03 UTC
To: Priancka Chatz <[email protected]>; Imran Khan <[email protected]>; +Cc: Jeff Janes <[email protected]>; Laurenz Albe <[email protected]>; pgsql-admin

Any local connection that serves server operation should be routed to a socket connection instead of localhost. That's the first layer of security. Change the default port to something else. If your application demands the default port, add a load balancer to listen on the default port.