From: vignesh kumar <[email protected]>
To: Priancka Chatz <[email protected]>
To: Imran Khan <[email protected]>
Cc: Jeff Janes <[email protected]>
Cc: Laurenz Albe <[email protected]>
Cc: pgsql-admin <[email protected]>
Subject: Re: Unknown temp directories and library files
Date: Tue, 15 Oct 2024 16:03:47 +0000
Message-ID: <MN0PR20MB49123389E5DFF5A2F907997D87452@MN0PR20MB4912.namprd20.prod.outlook.com>
In-Reply-To: <CANnOdgYMJiRjQU1-Jaqo3vp4LY7O3rmxMLq=e5M=GzdryCDNOg@mail.gmail.com>
References: <CANnOdgb=p9mLcg=5BMJ76yEZ+RYR7WHgS1VJRf8EY5VvOcf3ng@mail.gmail.com>
<[email protected]>
<CANnOdgYuaUxnx2XwDek3ZQYK0OiO_XniVNhKB-Ezfz6TRANGtQ@mail.gmail.com>
<[email protected]>
<CAMkU=1wEy1KW=1B7p0rS9rnmjHiG25eS+xD_hNZ22aW0gP5OQg@mail.gmail.com>
<CAC4eXDjhFjdeb+Aa5bh9aBLevMcOd=AHFni7sxjBGE2ZZLGAyg@mail.gmail.com>
<CANnOdgYMJiRjQU1-Jaqo3vp4LY7O3rmxMLq=e5M=GzdryCDNOg@mail.gmail.com>
Any local connection that serves server operation should be routed to a socket connection instead of localhost. That's the first layer of security. Change the default port to something else. If your application demands the default port, add a load balancer to listen on the default port.
________________________________
From: Priancka Chatz <[email protected]>
Sent: Saturday, October 12, 2024 3:35:57 PM
To: Imran Khan <[email protected]>
Cc: Jeff Janes <[email protected]>; Laurenz Albe <[email protected]>; pgsql-admin <[email protected]>
Subject: Re: Unknown temp directories and library files
It is not pgsql_tmp but a directory two levels before the postgres data directory. I tried deleting the files but they reappear in about 10 mins or so, so it is not a sysadmin leftover. I am suspecting it is something that probably is assisting with some tools maybe: there is Patroni, pgqd, wal-g running and some of these require python. However, I am still not sure why they exist and what is creating it.
Regards,
Priyanka
On Fri, Oct 11, 2024 at 11:01 PM Imran Khan <[email protected]> wrote:
In that case, involving the OS admin makes sense.
On Fri, Oct 11, 2024, 11:51 PM Jeff Janes <[email protected]> wrote:
On Fri, Oct 11, 2024 at 4:16 PM Laurenz Albe <[email protected]> wrote:
On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
> On Fri, Oct 11, 2024 at 3:09 PM Laurenz Albe <[email protected]> wrote:
> > On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> > > I am observing a new/unknown behavior on some of my instances. My postgres Data
> > > directory path is /home/postgres/pgdata/pgroot/data. And I see a temp directory
> > > present inside /home/postgres/pgdata which has 100s of directories underneath it
> > > and inside each directory some library files related to Psycopg2. Not sure what
> > > these files are and why it is getting created. I am attaching screenshots for reference.
> > > Can anyone shed some light or direct me to any links to troubleshoot this?
> >
> > I'd say somebody broke into your database and is abusing it for his purposes.
> >
> > If that proves true, rescue what you can of the data and start with a new
> > installation, preferably with better security.
I have no conclusive proof for abuse, but a library has no business in "pgsql_tmp".
That looks very much like somebody guessed your superuser password and is hijacking
the operating system account.
But he didn't say they were in pgsql_tmp, just that they were in some temp directory apparently 3 or 4 levels higher in the directory tree than where I would expect pgsql_tmp to be. To me this looks like some cruft left over from some sysadmin running the python package manager, perhaps while logged in as the wrong user. (Although I suppose that running a package manager as the wrong user is also something a hacker might try to do...)
Cheers,
Jeff