From: Merlin Moncure <[email protected]>
To: Edmundo Robles <[email protected]>
Cc: [email protected]
Subject: Re: I have a suspicious query
Date: Fri, 11 Jul 2025 16:59:57 -0600
Message-ID: <CAHyXU0w0dYku-QrfugeMQ2pjeWXucC46zSDxg0UUbOj_JUCaEQ@mail.gmail.com> (raw)
In-Reply-To: <CAOXzpYDdNrTNE3rj4nvVfvyN=QHdAX6+P7HHR0akkEafxZ6_fw@mail.gmail.com>
References: <CAOXzpYDdNrTNE3rj4nvVfvyN=QHdAX6+P7HHR0akkEafxZ6_fw@mail.gmail.com>
On Fri, Jul 11, 2025 at 11:13 AM Edmundo Robles <[email protected]> wrote:
> Hi
>
> I have PostgreSQL 13.16 (Debian 13.16-0+deb11u1).
> While monitoring active queries, I came across the following:
>
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
> _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
> _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
>
> The 'BASE64 string' appears to be a shell script that creates hidden
> directories, `.xdiag` and `.xperf`, in `/tmp`.
>
> Could you please help me locate and clean these? I apologize if this is
> not the appropriate contact for this issue.
>
This looks like a hack. Something or someone has the ability to run
arbitrary SQL. Shut the server down and start taking steps to secure it. Is
this server behind a firewall?
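The statement Edmundo quotes has a recognisable shape: a staging table with a hashed name is dropped and recreated with a single `cmd_output text` column, then `COPY ... FROM PROGRAM` runs a shell command on the database host and captures its stdout into that table. `COPY FROM PROGRAM` needs superuser or membership in `pg_execute_server_program`, so an application role should never be issuing it. The scanner below is an added example, not code from this thread or from the PostgreSQL project: it walks `log_statement = 'all'` style log lines and flags those three indicators. The log lines are constructed samples; the table name and the `'BASE64 string'` placeholder are the ones quoted in the report, the log prefix format, session ids and role names are assumptions.

```python
import re
from dataclasses import dataclass

# COPY ... FROM PROGRAM runs a shell command on the database host. It needs superuser
# or membership in pg_execute_server_program, so an application role should never use it.
COPY_FROM_PROGRAM = re.compile(
    r"\bCOPY\s+\S+\s*(?:\([^)]*\)\s*)?FROM\s+PROGRAM\b", re.IGNORECASE)
# The staging table in the report is an underscore followed by 32 hex digits.
HASHED_STAGING_TABLE = re.compile(
    r"\b(?:DROP|CREATE)\s+TABLE\s+(?:IF\s+EXISTS\s+)?(_[0-9a-f]{32})\b", re.IGNORECASE)
# A lone text column named cmd_output is the capture table for the command's stdout.
CMD_OUTPUT_COLUMN = re.compile(r"\(\s*cmd_output\s+text\s*\)", re.IGNORECASE)

# Assumed log line shape: "<prefix> LOG:  statement: <sql>" (log_statement = 'all').
STATEMENT_MARKER = "LOG:  statement: "


@dataclass
class Finding:
    line_no: int
    reasons: list
    statement: str


def classify_statement(statement: str) -> list:
    """Return the indicators matched by one logged statement (empty list if benign)."""
    reasons = []
    if COPY_FROM_PROGRAM.search(statement):
        reasons.append("COPY FROM PROGRAM: shell command execution on the server host")
    match = HASHED_STAGING_TABLE.search(statement)
    if match:
        reasons.append(f"hash-named staging table {match.group(1)}")
    if CMD_OUTPUT_COLUMN.search(statement):
        reasons.append("cmd_output capture table")
    return reasons


def scan_log(lines) -> list:
    """Scan PostgreSQL log lines and return one Finding per suspicious statement."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        marker = line.find(STATEMENT_MARKER)
        if marker < 0:
            continue  # not a logged statement (checkpoint, connection, ...)
        statement = line[marker + len(STATEMENT_MARKER):].strip()
        reasons = classify_statement(statement)
        if reasons:
            findings.append(Finding(line_no, reasons, statement))
    return findings


# Constructed sample log: three ordinary lines and the statement from the report.
SAMPLE_LOG = [
    "2025-07-11 11:02:13.551 UTC [4312] app@shop LOG:  statement: "
    "SELECT id, total FROM orders WHERE customer_id = 42",
    "2025-07-11 11:02:14.020 UTC [4312] app@shop LOG:  statement: "
    "COPY orders FROM STDIN CSV HEADER",
    "2025-07-11 11:02:14.133 UTC [4401] LOG:  checkpoint starting: time",
    "2025-07-11 11:02:15.709 UTC [4312] app@shop LOG:  statement: "
    "DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; "
    "CREATE TABLE _145e289026a0a2a62de07e49c06d9965(cmd_output text); "
    "COPY _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding.line_no}: {'; '.join(finding.reasons)}")
        print(f"  {finding.statement}")
```

The first indicator alone is enough to alert on: a plain `COPY ... FROM STDIN` or `COPY ... TO STDOUT` never matches, while any `FROM PROGRAM` from a non-administrative session is a finding regardless of the table name. The other two indicators only add confidence that the statement follows the pattern in the report. On the server side, the same exposure can be checked by listing which roles are superuser or members of `pg_execute_server_program`; if the application's login role is among them, the compromise needs only a SQL injection point, not a database credential leak.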