Thread: Re: Unknown temp directories and library files
On Thu, 2024-10-10 at 12:22 +0200, Priancka Chatz wrote:
> I am observing a new/unknown behavior on some of my instances. My postgres Data
> directory path is /home/postgres/pgdata/pgroot/data. And I see a temp directory
> present inside /home/postgres/pgdata which has 100s of directory underneath it
> and inside each directory some library files related to Psycopg2. Not sure what
> these files are and why it is getting created. I am attaching screenshots for reference.
> Can anyone shed some light or direct me to any links to troubleshoot this?

I'd say somebody broke into your database and is abusing it for his purposes.

If that proves true, rescue what you can of the data and start with a new
installation, preferably with better security.

Yours,
Laurenz Albe
Hi Laurenz,
What kind of security was breached here, or what do you think needs to be tightened up? And how to prove whether this is a security issue or not?
Pretty worried,
Priyanka
On Fri, 2024-10-11 at 15:47 +0200, Priancka Chatz wrote:
> On Fri, Oct 11, 2024 at 3:09 PM Laurenz Albe <laurenz.albe@cybertec.at> wrote:
> > I'd say somebody broke into your database and is abusing it for his purposes.
> >
> > If that proves true, rescue what you can of the data and start with a new
> > installation, preferably with better security.

I have no conclusive proof for abuse, but a library has no business in "pgsql_tmp".
That looks very much like somebody guessed your superuser password and is hijacking
the operating system account.

Is that by any event a database accessible on the internet?
Did you have a really secure password?

Yours,
Laurenz Albe
On Fri, Oct 11, 2024 at 4:16 PM Laurenz Albe <laurenz.albe@cybertec.at> wrote:
> I have no conclusive proof for abuse, but a library has no business in "pgsql_tmp".
> That looks very much like somebody guessed your superuser password and is hijacking
> the operating system account.
But he didn't say they were in pgsql_tmp, just that they were in some temp directory apparently 3 or 4 levels higher in the directory tree than where I would expect pgsql_tmp to be. To me this looks like some cruft left over from some sysadmin running the python package manager, perhaps while logged in as the wrong user. (Although I suppose that running a package manager as the wrong user is also something a hacker might try to do...)
Cheers,
Jeff
My apology for the misunderstanding.
On Fri, Oct 11, 2024, 11:51 PM Jeff Janes <jeff.janes@gmail.com> wrote:
In that case, involving the OS admin makes sense.
It is not pgsql_tmp but a directory two levels before the postgres data directory. I tried deleting the files but they reappear in about 10 mins or so, so it is not a sysadmin leftover. I am suspecting it is something that is probably assisting some tools, maybe: there are Patroni, pgqd and wal-g running, and some of these require Python. However, I am still not sure why they exist and what is creating them.
Regards,
Priyanka
On Fri, Oct 11, 2024 at 11:01 PM Imran Khan <imran.k.23@gmail.com> wrote:
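Directories that come back every ten minutes are being recreated by something on the host, and before choosing between Laurenz's reading (an intruder) and Jeff's (tooling cruft) a defender wants to know whether the hundreds of directories are copies of one artifact or differ from each other, and which account owns them. The script below is an added example, not code from the thread or from Patroni, pgqd or wal-g; it assumes a Linux host with GNU coreutils (sha256sum, stat -c) and takes the parent temp directory as its argument, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added triage helper (not from the thread): fingerprint every subdirectory by
# the content of its files so that hundreds of directories collapse into a few
# distinct groups, each reported with owner and newest mtime. Identical copies
# on a schedule point at one process unpacking the same bundle repeatedly;
# differing contents deserve a closer look. Assumes GNU coreutils and find.

# sha256 over the sorted "relative-path sha256" lines of one directory.
dir_fingerprint() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
      done ) | sha256sum | cut -d' ' -f1
}

# One line per subdirectory: "<fingerprint> <owner> <mtime-epoch> <path>".
inventory() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        printf '%s %s %s %s\n' "$(dir_fingerprint "$d")" \
            "$(stat -c %U "$d")" "$(stat -c %Y "$d")" "$d"
    done
}

# How many distinct content groups the subdirectories fall into.
distinct_groups() {
    inventory "$1" | cut -d' ' -f1 | LC_ALL=C sort -u | wc -l | tr -d ' '
}

# Summary: group size, fingerprint, owner and newest mtime per group.
summarize() {
    inventory "$1" | LC_ALL=C sort -k1,1 -k3,3n |
    awk '{ n[$1]++; own[$1]=$2; last[$1]=$3 }
         END { for (k in n) printf "%d dirs  %s  owner=%s  newest=%s\n", n[k], k, own[k], last[k] }'
}

# Constructed sample tree standing in for /home/postgres/pgdata/<temp dir>:
# two identical unpacks of a fake psycopg2 and one directory that differs.
build_sample() {
    for n in 1 2 3; do
        mkdir -p "$1/_run$n/psycopg2"
        printf 'fake shared object\n' > "$1/_run$n/psycopg2/_psycopg.so"
    done
    printf 'something else\n' > "$1/_run3/extra.so"
}
```

Run `summarize /home/postgres/pgdata/<temp dir>` on the real host; the owner and newest mtime per group are what to line up against the ten-minute cadence and that account's process list.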
Any local connection that serves server operation should be routed to a socket connection instead of localhost; that's the first layer of security. Change the default port to something else; if your application demands the default port, add a load balancer to listen on the default port.
From: Priancka Chatz <pc9926@gmail.com>
Sent: Saturday, October 12, 2024 3:35:57 PM
To: Imran Khan <imran.k.23@gmail.com>
Cc: Jeff Janes <jeff.janes@gmail.com>; Laurenz Albe <laurenz.albe@cybertec.at>; pgsql-admin <pgsql-admin@postgresql.org>
Subject: Re: Unknown temp directories and library files
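The socket-instead-of-localhost advice above, written out as the pg_hba.conf shape it implies (the weak file beside the corrected one) with a small awk check that flags loopback TCP entries a socket entry could replace; this is an added example, not Imran's or PostgreSQL's own code, and the users, databases and the `10.0.0.0/8` application network in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): local maintenance clients on the Unix
# socket with peer/scram auth and no TCP entry for 127.0.0.1 or ::1, plus a
# check that lists loopback TCP rows. Assumes POSIX awk; pass a pg_hba.conf
# path to the check functions.

# Constructed "before": local tools reach the server over TCP with a password.
weak_hba() {
cat <<'EOF'
# TYPE  DATABASE  USER      ADDRESS         METHOD
host    all       all       127.0.0.1/32    md5
host    all       all       ::1/128         md5
EOF
}

# Constructed "after": the same clients on the socket, remote access limited
# to the application network with scram-sha-256.
hardened_hba() {
cat <<'EOF'
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       postgres                  peer
local   all       all                       scram-sha-256
host    all       app       10.0.0.0/8      scram-sha-256
EOF
}

# Print host/hostssl rows whose ADDRESS is a loopback address.
loopback_tcp_entries() {
    awk '$1 !~ /^#/ && ($1 == "host" || $1 == "hostssl") &&
         ($4 ~ /^127\.0\.0\.1/ || $4 ~ /^::1/)' "$1"
}

# Number of such rows; 0 means local clients must use the socket.
count_loopback_tcp() {
    loopback_tcp_entries "$1" | wc -l | tr -d ' '
}
```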