public inbox for [email protected]  
From: Matthias Apitz <[email protected]>
To: Edmundo Robles <[email protected]>
Cc: [email protected]
Subject: Re: I have a suspicious query
Date: Sat, 12 Jul 2025 15:23:28 +0200
Message-ID: <aHJh0AhPQZQTfXYG@c720-1400094>
In-Reply-To: <CAOXzpYDdNrTNE3rj4nvVfvyN=QHdAX6+P7HHR0akkEafxZ6_fw@mail.gmail.com>
References: <CAOXzpYDdNrTNE3rj4nvVfvyN=QHdAX6+P7HHR0akkEafxZ6_fw@mail.gmail.com>

On Friday, July 11, 2025 at 11:12:38 a.m. -0600, Edmundo Robles wrote:

> Hi
> 
> I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
> While monitoring active queries, I came across the following:
> 
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
> _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
> _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
> 
> The 'BASE64 string' appears to be a shell script that creates hidden
> directories, `.xdiag` and `.xperf`, in `/tmp`.

The COPY ... FROM PROGRAM is restricted to superusers or roles with
the pg_execute_server_program permission, which is not granted to
users by default. The PROGRAM is executed on UNIX type systems as
the user 'postgres' (don't know about servers on Windows) and is
extremely dangerous because theoretically the full cluster could
be exported or purged by PROGRAM.

	matthias

-- 
Matthias Apitz, ✉ [email protected], http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

An die deutsche Bundesregierung: Nein, meine Söhne geb' ich nicht für Ihren Krieg!
Al Gobierno alemán: ¡No, no doy mis hijos para su guerra!
To the German Government: No, I will not give my sons for your war!
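
An audit for the privilege boundary described in the message above, as an added example that is not part of the original email or of the PostgreSQL project: run as a superuser, it lists which roles can use COPY ... FROM PROGRAM, which sessions are doing so now, and which leftover tables resemble the one in the reported query. The name pattern (underscore plus 32 hex digits with a `cmd_output` column) is an assumption generalized from the single table name quoted in the thread.

```sql
-- 1. Roles able to run COPY ... FROM/TO PROGRAM: superusers and direct or
--    indirect members of pg_execute_server_program. pg_has_role() also
--    returns true for superusers, so rolsuper is shown as its own column.
SELECT r.rolname,
       r.rolcanlogin,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_run_program
FROM pg_roles r
WHERE r.rolname <> 'pg_execute_server_program'
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolcanlogin DESC, r.rolname;

-- 2. Sessions whose current or most recent statement is a COPY with PROGRAM.
--    usename and client_addr identify the account and source to review.
SELECT a.pid,
       a.usename,
       a.client_addr,
       a.backend_start,
       a.query_start,
       a.state,
       left(a.query, 200) AS query_head
FROM pg_stat_activity a
WHERE a.pid <> pg_backend_pid()
  AND a.query ~* '\mcopy\M.*\m(from|to)\s+program\M';

-- 3. Leftover staging tables shaped like the one in the report.
--    Assumption: other instances follow the same naming scheme.
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       pg_get_userbyid(c.relowner) AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
WHERE c.relkind = 'r'
  AND a.attname = 'cmd_output'
  AND NOT a.attisdropped
  AND c.relname ~ '^_[0-9a-f]{32}$'
ORDER BY n.nspname, c.relname;
```

Any login role in the first result that an application or remote client uses is the account to investigate first, since the statement in the report could only have been issued by one of them.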
