On Wed, Jan 24, 2018 at 4:52 AM, Durumdara <durumdara@gmail.com> wrote:
> Hello!
>
> Somewhere the system administrator (who doesn't really know PG) installed
> a PGSQL server (10.x) with a database.
> He couldn't manage the server well.
>
> Yesterday my colleague saw 21 databases in this server with random names.
> He checked it with the built-in PGAdmin IV.
> Today we checked it again, and we saw 33 databases.
>
> The first name is "ahucli" for example - like an Aztec king... :-).
>
> The server OS is Windows, the PGSQL is 10.x.
>
> What can cause this strange thing?
>
> 1.) PGAdmin IV bug?
> 2.) Their server is hacked/cracked from outside?
> 3.) A wrongly configured tool, or an automation?
> 4.) "Alien invasion", etc.
>
> Did you see the same thing anywhere?
>
> Thank you for any advice in this theme!

You could be looking at a very serious situation. Random data stored
without your knowledge can be a symptom of a hack or a simple bug.
Figuring out which is which is a very urgent consideration. You may
want to consider:

*) Poke around the created databases and try to determine if they
point to something you created or to more suspicious things.
This is URGENT.
*) Review firewall and network configuration.
*) Review pg_hba.conf.
*) Generally check logs everywhere; be advised hackers are often smart
and cover tracks.
*) Log all connections. Adjust logging to also capture client IP and
pid if not already.
*) Log all queries (also with adjustments above). This is expensive,
so be prepared to turn off when problem is found.

merlin
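
The logging steps in the reply above pay off once the log can be searched for who created the databases. The following is an added example, not part of the original message: it assumes `log_line_prefix = '%m [%p] %r %u@%d '` with `log_connections = on` and `log_statement = 'all'` (or `'ddl'`), and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log_line_prefix = '%m [%p] %r %u@%d ' (timestamp, pid, client
# host(port), role@database); adjust LINE to match your own prefix.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<host>\S+?)(?:\((?P<port>\d+)\))? "
    r"(?P<user>\S+)@(?P<db>\S+) LOG:\s+(?P<msg>.*)$"
)
CREATE_DB = re.compile(r'statement:\s*CREATE\s+DATABASE\s+"?(?P<name>[^\s";]+)', re.I)

# Constructed sample lines (documentation-range IPs); only the database
# name "ahucli" comes from the thread.
SAMPLE_LOG = """\
2018-01-24 03:10:01.120 UTC [4312] 203.0.113.7(51234) [unknown]@[unknown] LOG:  connection received: host=203.0.113.7 port=51234
2018-01-24 03:10:01.180 UTC [4312] 203.0.113.7(51234) postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2018-01-24 03:10:02.004 UTC [4312] 203.0.113.7(51234) postgres@postgres LOG:  statement: CREATE DATABASE ahucli;
2018-01-24 03:10:05.310 UTC [4312] 203.0.113.7(51234) postgres@postgres LOG:  statement: CREATE DATABASE "bxqwte";
2018-01-24 09:00:13.000 UTC [5120] 192.0.2.10(40100) app@appdb LOG:  statement: SELECT 1;
2018-01-24 09:02:44.500 UTC [5120] 192.0.2.10(40100) app@appdb LOG:  statement: create database reports;
"""

def find_database_creations(log_text):
    """Return one dict per logged CREATE DATABASE, with who ran it and from where."""
    events = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # continuation lines, or lines written with another prefix
        created = CREATE_DB.search(line["msg"])
        if created:
            events.append({"ts": line["ts"], "pid": int(line["pid"]),
                           "client": line["host"], "user": line["user"],
                           "database": created["name"]})
    return events

def creations_by_client(events):
    """Group created database names by (client address, role)."""
    grouped = defaultdict(list)
    for e in events:
        grouped[(e["client"], e["user"])].append(e["database"])
    return dict(grouped)

if __name__ == "__main__":
    found = creations_by_client(find_database_creations(SAMPLE_LOG))
    for (client, user), names in found.items():
        print(f"{client} as {user}: {len(names)} created: {', '.join(names)}")
```

A client address or role that appears here but matches no known tool or automation is the one to compare against pg_hba.conf and the firewall rules.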