Date: Wed, 2 Apr 2025 08:31:42 -0700
Subject: Re: Any industry best practise to overcome this specific malware "pg_mem"
To: Bharani SV-forum, Greg Sabino Mullane, Ron Johnson, pgsql-general@postgresql.org
From: Adrian Klaver

On 4/2/25 08:18, Bharani SV-forum wrote:
> Hello MVPs
> Good Morning
> Any industry best practice to overcome this specific malware "pg_mem".
>
> url =
> https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/

From above:

"The first stage is a simple brute force attack. We observe several login attempts to the PostgreSQL database being refused until the brute force attack successfully guesses the honeypot's username and password (which were intentionally set to be easy to guess).

After the threat actor successfully guessed the user and password, the attack sequence commenced. The following set of SQL commands were executed: ..."

The first command is creating a role with SUPERUSER privileges, which depends on the hacked role being a SUPERUSER itself. So the solution is basic practices:

1) Don't expose the database any more than necessary. In other words, keep access to the instance as restricted as possible, e.g. behind a firewall.

2) Don't use easy passwords, or use one or more of the auth methods shown here:
https://www.postgresql.org/docs/current/client-authentication.html

3) Try to avoid using SUPERUSER roles as login roles.

Keeping up to date is good practice, but in and of itself it will not prevent the attack shown.

>
> We are up to date with the respective postgres server major version 13
> and minor patch as .20
> i.e. 13.20
> Also working on the steps for db migration from ver 13.X to ver 14.X
> We are also up to date with respective AWS based EC2 server based OS patches

-- 
Adrian Klaver
adrian.klaver@aklaver.com
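An added example, not from this thread or from the PostgreSQL project, that turns points 1 and 2 above into a check over pg_hba.conf rules: it flags methods that perform no real authentication (trust, password), the legacy md5 method, hostnossl lines, and any rule whose ADDRESS field admits every client. It assumes CIDR-form addresses (the older two-field "IP NETMASK" form is not handled) and runs over a constructed sample file.

```python
import ipaddress
WEAK_METHODS = {"trust", "password"}  # no authentication, or cleartext password on the wire
LEGACY_METHODS = {"md5"}              # superseded by scram-sha-256

def parse_hba_line(line):
    """Return (type, database, user, address, method), or None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if fields[0] == "local" and len(fields) >= 4:
        return ("local", fields[1], fields[2], None, fields[3])
    if fields[0].startswith("host") and len(fields) >= 5:  # host, hostssl, hostnossl, ...
        return (fields[0], fields[1], fields[2], fields[3], fields[4])
    return None

def is_wide_open(addr):
    """True when the ADDRESS field matches every client (checklist point 1)."""
    if addr == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except (ValueError, TypeError):
        return False  # None (local rules), hostnames, samehost, samenet

def audit_hba(text):
    """Return (line_no, reason) for each rule that violates the checklist."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_hba_line(line)
        if parsed:
            typ, db, user, addr, method = parsed
            if method in WEAK_METHODS:
                findings.append((no, f"method '{method}' performs no real authentication"))
            elif method in LEGACY_METHODS:
                findings.append((no, f"method '{method}' is legacy; use scram-sha-256"))
            if typ == "hostnossl":
                findings.append((no, "hostnossl forces unencrypted connections"))
            if is_wide_open(addr) and method not in ("cert", "reject"):
                findings.append((no, f"{user}@{db} reachable from any address ({addr})"))
    return findings

SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD   (constructed sample, not from the thread)
local   all       postgres                   peer
host    all       all       0.0.0.0/0        md5           # open to the world, legacy hash
host    all       all       127.0.0.1/32     trust         # no authentication at all
hostssl appdb     app_rw    10.0.0.0/8       scram-sha-256
hostnossl all     all       192.168.1.0/24   scram-sha-256 # cleartext transport
"""
```

Running `audit_hba(SAMPLE_HBA)` reports two findings on the md5 line, one on the trust line and one on the hostnossl line, while the hostssl/scram-sha-256 rule restricted to 10.0.0.0/8 passes.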