From: Priancka Chatz
To: Laurenz Albe
Cc: pgsql-admin
Date: Fri, 11 Oct 2024 15:47:10 +0200
Subject: Re: Unknown temp directories and library files
In-Reply-To: <6b344a9d0ae654ca0bda0381a2f7f96df76ae3b2.camel@cybertec.at>

Hi Laurenz,

What kind of security was breached here, or what do you think needs to be tightened up? And how do I prove whether this is a security issue or not?

Pretty worried,
Priyanka

On Fri, Oct 11, 2024 at 3:09 PM Laurenz Albe wrote:
> On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> > I am observing a new/unknown behavior on some of my instances. My postgres data
> > directory path is /home/postgres/pgdata/pgroot/data. And I see a temp directory
> > present inside /home/postgres/pgdata which has hundreds of directories underneath it,
> > and inside each directory some library files related to Psycopg2. Not sure what
> > these files are and why they are getting created. I am attaching screenshots for reference.
> > Can anyone shed some light or direct me to any links to troubleshoot this?
>
> I'd say somebody broke into your database and is abusing it for his purposes.
>
> If that proves true, rescue what you can of the data and start with a new
> installation, preferably with better security.
>
> Yours,
> Laurenz Albe