Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL - Mailing list pgsql-bugs

From Pavel Borisov
Subject Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
Date
Msg-id CALT9ZEFN+jAbaLs12p-np8VXVMYswV7uU03xHjPXAZugaa1ehQ@mail.gmail.com
In response to Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL  (Magnus Hagander <magnus@hagander.net>)
Responses Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL  (Jeffrey Walton <noloader@gmail.com>)
List pgsql-bugs
On Tue, 10 Jan 2023 at 18:07, Magnus Hagander <magnus@hagander.net> wrote:
>
>
>
> On Tue, Jan 10, 2023 at 4:00 PM Pavel Borisov <pashkin.elfe@gmail.com> wrote:
>>
>> On Tue, 10 Jan 2023 at 17:54, Jeffrey Walton <noloader@gmail.com> wrote:
>> >
>> > On Tue, Jan 10, 2023 at 9:46 AM Magnus Hagander <magnus@hagander.net> wrote:
>> > >
>> > > On Tue, Jan 10, 2023, 15:42 Jeffrey Walton <noloader@gmail.com> wrote:
>> > >>
>> > >> https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/
>> > >
>> > > I think the most impressive part in that article is that they found and linked to the postgresql 7 documentation...
>> >
>> > It looks like the article used an older version of the docs because
>> > the link is broken for the newer version. When following the link to
>> > the latest version of the docs, it results in a "Page not found".
>
>
> The page simply doesn't exist, because the information is spread out across multiple places. There is indeed a bug in that a link is generated to /current/ even if that page does not exist. But the information that's on there is also wildly out of date. This page was removed from the documentation in 2001, over 20 years ago. Linking to such obsolete pages in an article from 2023 doesn't exactly inspire confidence.
>
>
>
>> I wonder what was the vulnerability in Postgres that enabled "hackers"
>> to run malware? I've read the article and the linked ones and found no
>> causative link between Postgres and malware inside. Sorry, it seems
>> like baseless warnings, not a description of vulnerability. Maybe I
>> haven't got something?
>
>
> There is no vulnerability in postgres. They are exploiting incorrectly *configured* postgres instances that allow unauthenticated users to log in as superuser, which by definition means the system is configured to allow arbitrary users to upload and run arbitrary code -- which they did. Similar to leaving the ssh port open to the world for a user with a default name and no password.
>
Oh, I see then. They edited pg_hba.conf (in the link
https://www.bigbinary.com/blog/how-my-server-got-infected-with-a-crypto-mining-malware-and-how-I-fixed-it
from the article by OP) but stopped short of describing how exactly.
That's the clue. Thanks!

Regards,
Pavel
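
A defender-side check for the misconfiguration discussed in this thread, added here as an example (it is not part of the original messages and not PostgreSQL project code): it scans pg_hba.conf text for network rules that use the `trust` method from anything other than loopback. The sample file is constructed, and the parser assumes plain whitespace-separated fields with no quoted values or include directives.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample pg_hba.conf, not taken from any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                    METHOD
local   all       postgres                             peer
host    all       all       127.0.0.1/32               trust
host    all       all       0.0.0.0/0                  trust
host    all       all       ::/0                       trust
host    app       app_rw    10.0.0.0 255.255.255.0     scram-sha-256
hostssl all       all       all                        trust
host    all       all       192.168.1.0 255.255.255.0  trust
"""

def parse_rule(line):
    """Return (type, database, user, address, method), or None for non-network lines."""
    fields = line.split("#", 1)[0].split()  # assumption: no quoted fields containing '#'
    if not fields or fields[0] not in HOST_TYPES or len(fields) < 5:
        return None
    conn, db, user, addr = fields[:4]
    rest = fields[4:]
    try:
        ipaddress.ip_address(rest[0])  # old "IP-address IP-mask" form uses two fields
    except ValueError:
        return conn, db, user, addr, rest[0]
    if len(rest) < 2:
        return None  # mask present but no method: malformed line
    return conn, db, user, f"{addr}/{rest[0]}", rest[1]

def is_loopback_only(addr):
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False  # "all", "samenet", hostnames: treat as reachable from elsewhere
    return net.is_loopback

def audit(text):
    """List (line number, rule) for every non-loopback rule that skips authentication."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule and rule[4] == "trust" and not is_loopback_only(rule[3]):
            findings.append((lineno, rule))
    return findings

if __name__ == "__main__":
    for lineno, (conn, db, user, addr, _) in audit(SAMPLE_HBA):
        print(f"line {lineno}: {conn} db={db} user={user} from {addr} uses trust")
```

A finding whose database and user fields are both `all` is the case described in the thread: any client that can reach the port may connect as any role, superuser included.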


