Hello,
this night we discovered here a strange behaviour on our servers. Somebody
managed to get access to the UNIX shell using the 'postgres' db
administrator account. He logged in some machines with a single try ! The
password was not part of any dictionary. He tried some other accounts,
without success. Under the user postgres he installed an 'eggdrop' program
on the machine, implementing an IRC server.
If you want to look on your servers, look for an ".elm/..." directory in
the postgres home directory. You may discover too some processes named
"./..." or "../ -m" running under the postgres user.
Is there any chanche, that the postgres database contains a bug giving
shell access ? Is there any chance to trace what happens on the postgres
port ?
Matthias Schmitt
------------------------------------------------------------------
Matthias Schmitt
magic moving pixel s.a. Phone: +352 54 75 75 - 0
Technoport Schlassgoart Fax : +352 54 75 75 - 54
66, rue de Luxembourg URL : http://www.mmp.lu
L-4221 Esch-sur-Alzette Email: info@mmp.lu
