public inbox for [email protected]  
From: Adrian Klaver <[email protected]>
To: Edmundo Robles <[email protected]>
To: [email protected]
Subject: Re: I have a suspicious query
Date: Fri, 11 Jul 2025 10:23:15 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAOXzpYDdNrTNE3rj4nvVfvyN=QHdAX6+P7HHR0akkEafxZ6_fw@mail.gmail.com>
References: <CAOXzpYDdNrTNE3rj4nvVfvyN=QHdAX6+P7HHR0akkEafxZ6_fw@mail.gmail.com>



On 7/11/25 10:12 AM, Edmundo Robles wrote:
> Hi
> 
> I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
> While monitoring active queries, I came across the following:
> 
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE 
> _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY 
> _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
> 
> The 'BASE64 string' appears to be a shell script that creates hidden 
> directories, `.xdiag` and `.xperf`, in `/tmp`.
> 
> Could you please help me locate and clean these? I apologize if this is 
> not the appropriate contact for this issue.

Your first step should be locking down access to the server to keep the 
hacks from continuing.

You already seem to know what directories are involved. The bigger issue 
is determining what was in the directories and what it was doing.

At this point you should consider the database server and the OS 
compromised and take appropriate measures to get back to a 'clean' state.

> 
> Thanks,
> Edmundo

-- 
Adrian Klaver
[email protected]
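The query Edmundo saw only works for a superuser or a member of the built-in pg_execute_server_program role: COPY ... FROM PROGRAM hands the string to the shell as the operating-system user the server runs as (normally postgres), which is how a database login became a foothold in /tmp. The SQL below is an added example for the triage Adrian describes, not code from the thread or from the PostgreSQL project. It assumes you run it as a superuser on PostgreSQL 13 (pg_stat_activity only shows other sessions' query text to superusers or pg_read_all_stats members) and uses app_user as a placeholder role name.

```sql
-- Added example (not from the thread): find who could run COPY FROM PROGRAM,
-- whether it is still running, and close the door. Run as a superuser.

-- 1. Roles able to execute COPY ... FROM PROGRAM: superusers and members of
--    pg_execute_server_program. Every login role listed here is a suspect.
SELECT r.rolname, r.rolsuper, r.rolcanlogin
FROM pg_roles AS r
WHERE r.rolsuper
   OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
ORDER BY r.rolname;

-- 2. Sessions currently issuing the pattern from the report. The hex-named
--    scratch table (_145e2890...) is a 33-character identifier, so match on
--    that as well as on FROM PROGRAM. Exclude our own backend, otherwise this
--    monitoring query matches itself.
SELECT pid, usename, client_addr, backend_start, query_start, state,
       left(query, 200) AS query_head
FROM pg_stat_activity
WHERE pid <> pg_backend_pid()
  AND (query ILIKE '%FROM PROGRAM%'
       OR query ~ '_[0-9a-f]{32}');

-- 3. Kill those sessions. This only stops the SQL side; anything the shell
--    script already started in /tmp keeps running and is an OS-level cleanup.
SELECT pg_terminate_backend(pid)
FROM pg_stat_activity
WHERE pid <> pg_backend_pid()
  AND (query ILIKE '%FROM PROGRAM%'
       OR query ~ '_[0-9a-f]{32}');

-- 4. Remove the capability from the suspected login role (app_user is an
--    assumed name) and rotate its password. Superusers cannot be revoked
--    from pg_execute_server_program; drop the superuser bit instead.
REVOKE pg_execute_server_program FROM app_user;
ALTER ROLE app_user NOSUPERUSER;
ALTER ROLE app_user PASSWORD 'replace-with-a-new-random-password';

-- 5. Leftover scratch tables: the script drops and recreates its own table,
--    but a variant or an interrupted run can leave one behind.
SELECT n.nspname, c.relname
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND c.relname ~ '^_[0-9a-f]{32}$';
```

Step 4 is containment, not remediation: if the attacker already has superuser or OS access as postgres, they can grant the role back, so pair it with the pg_hba.conf lockdown Adrian recommends and treat the host as compromised rather than relying on the revoke alone.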