From: Ron Johnson
Date: Sat, 12 Jul 2025 10:23:04 -0400
Subject: Re: I have a suspicious query
To: pgsql-general, edmundo@sw-argos.com

On Fri, Jul 11, 2025 at 2:44 PM Greg Sabino Mullane wrote:

> Looks like someone testing out the fake Postgres CVE 2019-9193
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-9193
>
> See for example:
>
> https://packetstorm.news/files/id/166540
>
> But certainly the first step is finding out who or what is running this.

Next is looking at your pg_hba.conf file.

-- 
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> lobster!
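The pg_hba.conf review suggested in the reply above, as an added example (not code from the thread or from the PostgreSQL project): it parses the rules and flags network entries that use `trust` or `password` authentication or that match any client address. The sample file is constructed, and the parser assumes unquoted fields and no include directives.

```python
import ipaddress

WEAK_METHODS = {"trust", "password"}   # no secret at all / cleartext password

# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       0.0.0.0/0       trust
hostssl app       app_rw    10.0.0.0 255.255.255.0 scram-sha-256
host    all       postgres  all             md5
"""

def parse_hba(text):
    """Return (lineno, conn_type, database, user, address, method) rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 4:
            continue
        if f[0] == "local":                  # local rules have no address column
            rules.append((lineno, f[0], f[1], f[2], None, f[3]))
            continue
        addr, rest = f[3], f[4:]
        try:                                 # "address netmask" two-column form
            ipaddress.ip_address(rest[0])
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        except (ValueError, IndexError):
            pass
        if rest:
            rules.append((lineno, f[0], f[1], f[2], addr, rest[0]))
    return rules

def is_wide_open(addr):
    """True when the address column matches every client."""
    if addr == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:                       # hostname, samehost, samenet
        return False

def audit(text):
    findings = []
    for lineno, conn, _db, _user, addr, method in parse_hba(text):
        if conn != "local" and method in WEAK_METHODS:
            findings.append((lineno, f"{method} auth over the network"))
        if conn != "local" and is_wide_open(addr):
            findings.append((lineno, "rule matches any client address"))
    return findings
```

On a running server the same rules can be read from the `pg_hba_file_rules` view, which also reports lines the server failed to parse.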