Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uaHJA-0036kw-Hx for pgsql-general@arkaria.postgresql.org; Fri, 11 Jul 2025 17:13:12 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uaHJ8-006Uol-70 for pgsql-general@arkaria.postgresql.org; Fri, 11 Jul 2025 17:13:10 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uaHJ7-006Uod-OT for pgsql-general@lists.postgresql.org; Fri, 11 Jul 2025 17:13:10 +0000 Received: from mail-ej1-x62d.google.com ([2a00:1450:4864:20::62d]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1uaHJ5-006nQA-2D for pgsql-general@lists.postgresql.org; Fri, 11 Jul 2025 17:13:08 +0000 Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-ae0bde4d5c9so463833466b.3 for ; Fri, 11 Jul 2025 10:13:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sw-argos-com.20230601.gappssmtp.com; s=20230601; t=1752253985; x=1752858785; darn=lists.postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=qe9JtZilK+NcTMjIfIr8xo9qllVZPhcFSPVNyvs5DbE=; b=C6dIODntU0VAGnChVwXAT8N6nZVU1WQwFqOO3VeMJxMNBqpC6t+GlEbK3+I4b8SGkd wwooJSwtXouqKFS1K/yuW8Nie3OL3I8kswrDDIbffODwnDyNdDlakhOl9eYbHerGf1cm JAWAQWrXqu+LKAFASV6slQCjMemqhNnTCoSChUEjgnzHEy9YQMzaNPgxNd7tGCkdj4Sq HGEESvQazakpV3V8z/1vFMTgP/dlnnBnjoNjUvW7HbggdMEFnbP0xXOrFnvG6G6TJ+RN zRf7BS95hnXI92mp3eHkRKgst7y5E22zISQboSmT11wSSI0u9T/Tm8KQqQFORPPcxnfT dxpA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752253985; x=1752858785; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=qe9JtZilK+NcTMjIfIr8xo9qllVZPhcFSPVNyvs5DbE=; b=o+q7f9MV9YmdkbxlN8zZ9AZ43bzbmL+1WfS0KG0T/4THgbV6DBG+CVu2m7N2xCePNw xHngM9ISVVBO8UIOJbleq9LLtwOrEYEA+y3yGLZwuj54jRGJDf+I35BQiPyWTBtnuQ7P QYUjnpJ8sgXAzQ9P/LseDVay2cNeZz7FTx6hcQa4g7du4EHR/ET8AXeojS13G24IAGOE cv5GZDVbM3wDPTRbbxUmZEihbAPE3FpZc1iRlz/2wzUn+gyyL0hP4LzZGlp+NJHgMA8H x2WevUS7RYnf8C81UGx+PkW05LDwlxbE1vtIJ6eyHLj9i1g8CSLfn0Mkwiuxo+ynIxBQ N70g== X-Gm-Message-State: AOJu0YwnAjrMNtAZm+5ux3IoMF38kD0Mv7SYbLLn/z8KpvIhuLZFcJ7I se1cMhPzK+sMLnadyTeauMqDlaOp+RGlSnQU41qiixhWhe+1sdqKnaO1La3qjfNBMhQqRZbJ1+/ VCJzWz5uxy7M8GyUSsaQilBfpLL7cX8N9JFaRqBpC4QELegmMDhiRUrg= X-Gm-Gg: ASbGnctKaOocw2DIbm0f9o2Y/hca7HMPXQzlVsTpDTIO325/jkcf6p6TeOFO/4rpRx7 k/fByF2JQRc8xcbt8q1+2rDxQjJixnHSSEqqrrak5ow9ryXJSzjzCKimqym5zQpBrZxH8m5k12L p+BVI9Ym2A25fzessjbJpkuK+xvRrcQUF4fpTInIGg1PHeGl57vCHj3lIoMW7adHXbHBvy5FL44 WkPRcVFkoXotxi/b4Ohx7q5iq0ofzNVZho3PzsBIMeWsEskxw4= X-Google-Smtp-Source: AGHT+IEdXKq96ZiyPPAPYgmRg2vAMtt6RN9caA6r+YzB6x7K4oOa/psznzN+d4UaPx8oBe341iGjtUm1QIUGnKwRg9A= X-Received: by 2002:a17:907:e98a:b0:ae3:cac0:f497 with SMTP id a640c23a62f3a-ae6fbfaa655mr404099266b.39.1752253984453; Fri, 11 Jul 2025 10:13:04 -0700 (PDT) MIME-Version: 1.0 From: Edmundo Robles Date: Fri, 11 Jul 2025 11:12:38 -0600 X-Gm-Features: Ac12FXwRnW6hBcq85N_mI-Kz3jnRMS5ckQcW__ry2ilR0CKj0SB3tHZpVw6Q1ys Message-ID: Subject: I have a suspicious query To: pgsql-general@lists.postgresql.org Content-Type: multipart/alternative; boundary="0000000000004cd0630639aa6c08" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000004cd0630639aa6c08 Content-Type: text/plain; charset="UTF-8" Hi i have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1) While monitoring active queries, I came across the following: `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'` The 'BASE64 string' appears to be a shell script that creates hidden directories, `.xdiag` and `.xperf`, in `/tmp`. Could you please help me locate and clean these? I apologize if this is not the appropriate contact for this issue. Thanks, Edmundo -- --0000000000004cd0630639aa6c08 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi=C2=A0

i have=C2=A0 (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
While monitoring active queries, I came across the following:
`DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREAT= E TABLE _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY _145e28902= 6a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
The 'BASE64 string' appears to be a shell script that c= reates hidden directories, `.xdiag` and `.xperf`, in `/tmp`.

=
Could you please help me locate and clean these? I apologize if = this is not the appropriate contact for this issue.

Thanks,
Edmundo

--

=
--0000000000004cd0630639aa6c08--