Re: [HACKERS] Hacker found bug in Postgres ? - Mailing list pgsql-hackers

From Cary O'Brien
Subject Re: [HACKERS] Hacker found bug in Postgres ?
Date
Msg-id 199904281304.JAA16421@saltmine.radix.net
List pgsql-hackers
Matthias Schmitt wrote...

> Hello,
> 
> this night we discovered here a strange behaviour on our servers. Somebody
> managed to get access to the UNIX shell using the 'postgres' db
> administrator account. He logged in some machines with a single try! The
> password was not part of any dictionary. He tried some other accounts,
> without success. Under the user postgres he installed an 'eggdrop' program
> on the machine, implementing an IRC server.

Yikes.  Scary.

The first thing that comes to my mind is a buffer overrun
in the FE/BE protocol.

The second thing that comes to mind is sniffed passwords.

Lots of questions come up:

1) Is your postmaster listening on a TCP/IP socket? I.e., do you have -i as an argument to postmaster when it is running?

2) Have you had any postmaster crashes?  Has anyone out there had any unexpected postmaster crashes?  I'd expect if someone has an exploit for such a bug that it would not always work due to differences in compilation, probably resulting in a postmaster crash.

3) Do you do admin work over the net, i.e. from a client machine on another machine?  Would the password go over the wire then?  I'm not really sure.

4) Do you have a separate account for postmaster, or does it run as 'daemon' (I think this is the default for the pgsql distributed by RedHat).  If so the compromise may have come from a different service.

5) How secure is your LAN?

For now, I'd suggest that people turn off TCP/IP connections unless they
really need it (remove -i).  Beyond that they may want to filter port
5432/tcp at a nearby router/firewall.  But it is not 100% clear this is
what happened.

Interestinger and interestinger....

-- cary
Cary O'Brien
cobrien@radix.net
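The two checks Cary asks for in questions 1 and 4, and the "remove -i / filter 5432/tcp" advice at the end, as an added example script that is not part of the original message or of the PostgreSQL project. It inspects a postmaster command line for the -i flag and a listening-socket table for port 5432 bound on a non-loopback address, then prints a suggested filter rule. The sample ps and ss output embedded below is constructed, and the iptables syntax and the admin host 10.0.0.5 in the suggested rule are assumptions for a modern Linux host (the 1999 thread would have used ipchains or a router ACL). On PostgreSQL releases newer than the one discussed, listening is controlled by listen_addresses in postgresql.conf rather than -i, so the socket check is the one that still matters.

```shell
#!/bin/sh
# Replace the constructed samples with live output:
#   ps -eo args | grep '[p]ostmaster'     (or: ps -ef)
#   ss -ltn                               (or: netstat -ltn)
SAMPLE_PS='/usr/local/pgsql/bin/postmaster -i -D /usr/local/pgsql/data
/usr/local/pgsql/bin/postgres localhost app idle'

SAMPLE_SOCKETS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*'

# Returns 0 if the postmaster command line carries -i as its own argument,
# i.e. TCP/IP connections are enabled (question 1 in the thread).
postmaster_tcp_enabled() {
    printf '%s\n' "$1" | grep -Eq 'postmaster.* -i( |$)'
}

# Prints every non-loopback address with a LISTEN socket on TCP port 5432;
# returns 0 if at least one was found, 1 otherwise.  Understands both
# "0.0.0.0:5432" and bracketed IPv6 forms such as "[::]:5432".
exposed_pg_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, parts, ":"); port = parts[n];
        addr = substr($4, 1, length($4) - length(port) - 1);
        if (port == "5432" && addr != "127.0.0.1" && addr != "::1" && addr != "[::1]")
            print addr
    }' | grep .
}

# Combines both checks.  Returns 1 (and prints a suggested filter) when
# 5432/tcp is reachable from off-host, 0 when it is not.
assess() {
    ps_out=$1
    sock_out=$2
    if postmaster_tcp_enabled "$ps_out"; then
        echo "postmaster was started with -i: TCP/IP connections are enabled"
    else
        echo "postmaster was not started with -i: TCP/IP connections are disabled"
    fi
    if addrs=$(exposed_pg_listeners "$sock_out"); then
        echo "port 5432/tcp is listening on non-loopback address(es): $addrs"
        echo "if remote access is not needed, restart postmaster without -i;"
        echo "otherwise restrict it (assumed iptables syntax, 10.0.0.5 = your admin host):"
        echo "  iptables -A INPUT -p tcp --dport 5432 -s 10.0.0.5 -j ACCEPT"
        echo "  iptables -A INPUT -p tcp --dport 5432 -j DROP"
        return 1
    fi
    echo "port 5432/tcp is not reachable from off-host"
    return 0
}

# Run against the constructed samples; exits 1 because 5432 is bound to 0.0.0.0.
assess "$SAMPLE_PS" "$SAMPLE_SOCKETS"
```

Run it as root on the database host, replacing the two sample variables with real output. A 0.0.0.0 or [::] listener is the case the thread worries about: with -i set and the port open at the border, anyone on the network can speak the FE/BE protocol to the postmaster, and on releases of that era the password travels in the clear, so sniffing on the LAN (question 5) is as plausible as a protocol bug.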

