Re: PGSQL 10, many Random named DB - Mailing list pgsql-general

From Merlin Moncure
Subject Re: PGSQL 10, many Random named DB
Msg-id CAHyXU0zO4VV92CUiZq1B2YW7eQY68DQ-ZW5iwL+qS2rXp436wg@mail.gmail.com
In response to Re: PGSQL 10, many Random named DB  (Durumdara <durumdara@gmail.com>)
List pgsql-general
On Thu, Jan 25, 2018 at 3:38 AM, Durumdara <durumdara@gmail.com> wrote:
> Dear Members!
>
> Thank you for the suggestions.
> Yes, the sysadmin allowed incoming connections from net.
> We will check your list when we are there.

Don't bother.  We have a confirmed attack, time to take immediate remediation.

1. Disconnect machine from network _immediately_ and move to DMZ
2. Create new server and dump/restore data to the new machine
3. Determine if the hacker was able to compromise the rest of your
network. Warning signs:
  *) installed extensions you didn't install: dblink, plsh, plperl, etc.
  *) strange errors in the database log
  *) strange errors in syslog (is this linux/unix?)
4. Poor network security (hands free ps access to other boxes, etc)

Put short, you have to assume your network is compromised and only
change that assumption when disproven.  These days, if the hacker has
shell access you pretty much have to reinstall the box from the ground
up.  Root escalation is a thing (there are probably meltdown related
escalations out there) and once the hacker has root it's game over.
In fact, in some cases you have to throw out the hardware too.

merlin
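The extension and language checks from step 3 above, as an added worked example that is not part of Merlin's message or of any PostgreSQL project code. It assumes you run it with psql as a superuser, once per database (`\c dbname`) for the per-database queries, and that the `expected` allowlist (here just `plpgsql`, a constructed placeholder) is replaced with the extensions your own deployment is supposed to have. The catalog tables used (`pg_extension`, `pg_language`, `pg_database`, `pg_roles`, `pg_namespace`) are standard in PostgreSQL 10.

```sql
-- 1. Extensions present in the current database that are NOT on your
--    own allowlist. The allowlist is a constructed placeholder; edit it.
WITH expected(extname) AS (
    VALUES ('plpgsql')
)
SELECT e.extname,
       e.extversion,
       r.rolname  AS owner,
       n.nspname  AS schema
FROM pg_extension e
JOIN pg_roles     r ON r.oid = e.extowner
JOIN pg_namespace n ON n.oid = e.extnamespace
WHERE e.extname NOT IN (SELECT extname FROM expected)
ORDER BY e.extname;

-- 2. Untrusted procedural languages installed in the current database
--    (plsh, plperlu, plpythonu, ...). An untrusted PL lets a function run
--    arbitrary code as the OS user postgres runs as, so any row here that
--    you did not create yourself is a strong warning sign.
SELECT l.lanname,
       r.rolname AS owner,
       l.lanpltrusted
FROM pg_language l
JOIN pg_roles    r ON r.oid = l.lanowner
WHERE l.lanispl
  AND NOT l.lanpltrusted
ORDER BY l.lanname;

-- 3. Cluster-wide: every non-template database with its owner and size,
--    so the randomly named databases from the thread subject stand out
--    next to the ones you expect. Run once, from any database.
SELECT d.datname,
       r.rolname                         AS owner,
       pg_database_size(d.datname)       AS bytes
FROM pg_database d
JOIN pg_roles    r ON r.oid = d.datdba
WHERE NOT d.datistemplate
ORDER BY d.datname;
```

Run queries 1 and 2 in each database listed by query 3, not only in the one you normally use: an extension or untrusted language installed in a database you never connect to is easy to miss. Treat the output as evidence to preserve, and collect it before the dump/restore in step 2 so the new server is built from a known-clean list.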

