Date: Sat, 12 Jul 2025 15:23:28 +0200
From: Matthias Apitz
To: Edmundo Robles
Cc: pgsql-general@lists.postgresql.org
Subject: Re: I have a suspicious query

On Friday, July 11, 2025 at 11:12:38 a.m. -0600, Edmundo Robles wrote:

> Hi
>
> I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
> While monitoring active queries, I came across the following:
>
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
> _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
> _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
>
> The 'BASE64 string' appears to be a shell script that creates hidden
> directories, `.xdiag` and `.xperf`, in `/tmp`.

The COPY ... FROM PROGRAM is restricted to superusers or roles with the
pg_execute_server_program permission, which is not granted to users by
default. The PROGRAM is executed on UNIX type systems as the user
'postgres' (don't know about servers on Windows) and is extremely
dangerous because theoretically the full cluster could be exported or
purged by PROGRAM.

	matthias

-- 
Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

To the German Government: No, I will not give my sons for your war!
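
The following audit queries are an added example and are not part of the message above or of anyone's posted code. They check the three things the thread turns on: which roles are able to run COPY ... FROM PROGRAM, which sessions are running it now, and which tables look like the single-column `cmd_output` table from the reported query. They assume PostgreSQL 11 or later (where `pg_execute_server_program` exists) and a superuser session, and the third query has to be run in each database.

```sql
-- 1. Roles able to run COPY ... FROM/TO PROGRAM: superusers plus direct or
--    inherited members of pg_execute_server_program.
--    pg_has_role() also reports true for superusers, so rolsuper is shown
--    separately to tell the two cases apart.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS program_member
FROM pg_roles AS r
WHERE r.rolname <> 'pg_execute_server_program'
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolsuper DESC, r.rolname;

-- 2. Sessions whose current or most recent statement contains
--    COPY ... FROM PROGRAM or COPY ... TO PROGRAM, with the login role and
--    client address needed to trace the connection.
SELECT a.pid,
       a.datname,
       a.usename,
       a.client_addr,
       a.application_name,
       a.backend_start,
       a.query_start,
       a.state,
       left(a.query, 200) AS query_head
FROM pg_stat_activity AS a
WHERE a.query ~* 'copy\s.*\s(from|to)\s+program'
  AND a.pid <> pg_backend_pid();

-- 3. Ordinary tables in the current database whose only column is named
--    cmd_output, the shape of the table created in the reported statement.
SELECT c.oid::regclass               AS table_name,
       pg_get_userbyid(c.relowner)   AS owner
FROM pg_class AS c
JOIN pg_attribute AS a
  ON a.attrelid = c.oid
 AND a.attnum > 0
 AND NOT a.attisdropped
WHERE c.relkind = 'r'
GROUP BY c.oid, c.relowner
HAVING count(*) = 1
   AND bool_and(a.attname = 'cmd_output');
```

Any login role in the first result that is not expected to hold superuser or `pg_execute_server_program` rights, and the owner reported by the third query, are the accounts to review first.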