Home > mailing lists

Re: I have a suspicious query - Mailing list pgsql-general

From	Merlin Moncure
Subject	Re: I have a suspicious query
Date	July 12 01:59:57
Msg-id	CAHyXU0w0dYku-QrfugeMQ2pjeWXucC46zSDxg0UUbOj_JUCaEQ@mail.gmail.com Whole thread Raw
In response to	I have a suspicious query (Edmundo Robles <edmundo@sw-argos.com>)
List	pgsql-general

Tree view

On Fri, Jul 11, 2025 at 11:13 AM Edmundo Robles <edmundo@sw-argos.com> wrote:

Hi

i have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
While monitoring active queries, I came across the following:

`DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`

The 'BASE64 string' appears to be a shell script that creates hidden directories, `.xdiag` and `.xperf`, in `/tmp`.

Could you please help me locate and clean these? I apologize if this is not the appropriate contact for this issue.

this looks like a hack. something or someone has ability to run arbitrary sql. shut the server down and start taking steps to secure. is this server behind a firewall?

pgsql-general by date:

From: Merlin Moncure
Date: 12 July, 01:57:11
Subject: Re: Aggregate versions of hashing functions (md5, sha1, etc...)

Re: I have a suspicious query - Mailing list pgsql-general

Previous