From: Merlin Moncure
Date: Fri, 11 Jul 2025 16:59:57 -0600
Subject: Re: I have a suspicious query
To: Edmundo Robles
Cc: pgsql-general@lists.postgresql.org

On Fri, Jul 11, 2025 at 11:13 AM Edmundo Robles wrote:
> Hi
>
> I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
> While monitoring active queries, I came across the following:
>
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
> _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
> _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
>
> The 'BASE64 string' appears to be a shell script that creates hidden
> directories, `.xdiag` and `.xperf`, in `/tmp`.
>
> Could you please help me locate and clean these? I apologize if this is
> not the appropriate contact for this issue.

This looks like a hack. Something or someone has the ability to run arbitrary SQL. Shut the server down and start taking steps to secure it. Is this server behind a firewall?
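The query in the thread uses `COPY ... FROM PROGRAM`, which makes the PostgreSQL server process run a shell command on the database host, so the first triage step is usually to find every such statement in the server log and see what was actually executed. The following scanner is an added example, not code from the thread or from the PostgreSQL project: it walks constructed log lines (the ones below are made up to resemble the reported statement; the base64 payload is a harmless stand-in, and the `echo ... | base64 -d | sh` shape is an assumed wrapper, not what the poster saw), flags `COPY ... FROM/TO PROGRAM` and a few other server-side file primitives, and base64-decodes any blob embedded in the command so the payload can be read. It assumes `log_statement = 'all'` (or equivalent statement logging) and a `log_line_prefix` of `'%m [%p] %u@%d '`; both are assumptions about the log format, not settings taken from the post.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# COPY <table> [(cols)] FROM|TO PROGRAM '<shell command>'.  The command is a
# single-quoted SQL literal in which '' is an escaped quote.
_COPY_PROGRAM = re.compile(
    r"\bCOPY\b[^;]*?\b(?:FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
# Other server-side file/OS primitives worth flagging in the same pass.
_OTHER_PRIMITIVES = re.compile(
    r"\b(pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export)\s*\(",
    re.IGNORECASE,
)
# Candidate base64 blobs: long runs of the base64 alphabet, optional padding.
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed log_line_prefix = '%m [%p] %u@%d ' (an assumption, not the poster's config).
_PREFIX = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
)


@dataclass
class Hit:
    timestamp: str
    pid: str
    user: str          # role the session ran as: who could reach COPY PROGRAM?
    db: str
    primitive: str     # "COPY PROGRAM" or the flagged function name
    command: str       # shell command handed to PROGRAM, if any
    decoded: list[str] = field(default_factory=list)   # decoded base64 payloads


def decode_b64_blobs(text: str) -> list[str]:
    """Return every base64 blob in text that decodes to printable text."""
    found = []
    for m in _B64_BLOB.finditer(text):
        blob = m.group(0).rstrip("=")
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw and all(32 <= b < 127 or b in b"\n\t" for b in raw):
            found.append(raw.decode("ascii"))
    return found


def scan_log(lines) -> list[Hit]:
    """Flag statements that make the server touch the filesystem or run a program."""
    hits = []
    for line in lines:
        pm = _PREFIX.match(line)
        ts, pid, user, db = (
            (pm["ts"], pm["pid"], pm["user"], pm["db"]) if pm else ("?", "?", "?", "?")
        )
        for m in _COPY_PROGRAM.finditer(line):
            cmd = m.group(1).replace("''", "'")
            hits.append(Hit(ts, pid, user, db, "COPY PROGRAM", cmd, decode_b64_blobs(cmd)))
        for m in _OTHER_PRIMITIVES.finditer(line):
            hits.append(Hit(ts, pid, user, db, m.group(1), ""))
    return hits


# Constructed sample log, shaped like the reported statement.  The payload is a
# harmless stand-in for the script the poster described (it only mkdirs).
_PAYLOAD = b"mkdir -p /tmp/.xdiag /tmp/.xperf\n"
_B64 = base64.b64encode(_PAYLOAD).decode()
SAMPLE_LOG = [
    "2025-07-11 10:12:01.001 UTC [4711] app@appdb LOG:  statement: "
    "SELECT id, name FROM customers WHERE id = 42",
    "2025-07-11 10:12:03.114 UTC [4712] postgres@appdb LOG:  statement: "
    "DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; "
    "CREATE TABLE _145e289026a0a2a62de07e49c06d9965(cmd_output text); "
    "COPY _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM "
    f"'echo {_B64} | base64 -d | sh'",
    "2025-07-11 10:12:05.200 UTC [4712] postgres@appdb LOG:  statement: "
    "SELECT pg_read_file('/etc/passwd')",
    # COPY to a plain file path is not PROGRAM and is not flagged here.
    "2025-07-11 10:12:07.300 UTC [4711] app@appdb LOG:  statement: "
    "COPY customers TO '/tmp/out.csv'",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.timestamp} pid={h.pid} {h.user}@{h.db} {h.primitive}: {h.command}")
        for payload in h.decoded:
            print("    decoded payload:", payload.rstrip())
```

The `user` field of each hit is the lead to follow up on: on PostgreSQL 11 and later (so on the 13.16 in the thread) `COPY ... FROM PROGRAM` is only available to superusers and members of the `pg_execute_server_program` role, so whichever role issued the flagged statement either is a superuser or has been granted that role, and the application's own login should be in neither set. The hidden directories the poster mentions live in `/tmp` on the database host, not inside the database, so cleanup is an OS-level job on a machine that should be treated as compromised, which is what the reply's advice to shut it down comes to.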