Thread: I have a suspicious query
Hi

I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
While monitoring active queries, I came across the following:
`DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
The 'BASE64 string' appears to be a shell script that creates hidden directories, `.xdiag` and `.xperf`, in `/tmp`.
Could you please help me locate and clean these? I apologize if this is not the appropriate contact for this issue.
Thanks,
Edmundo
On 7/11/25 10:12 AM, Edmundo Robles wrote:
> Hi
>
> I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
> While monitoring active queries, I came across the following:
>
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
> _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
> _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
>
> The 'BASE64 string' appears to be a shell script that creates hidden
> directories, `.xdiag` and `.xperf`, in `/tmp`.
>
> Could you please help me locate and clean these? I apologize if this is
> not the appropriate contact for this issue.

Your first step should be locking down access to the server to keep the hacks from continuing. You already seem to know what directories are involved. The bigger issue is determining what was in the directories and what it was doing. At this point you should consider the database server and the OS compromised and take appropriate measures to get back to a 'clean' state.

> Thanks,
> Edmundo

--
Adrian Klaver
adrian.klaver@aklaver.com
Looks like someone testing out the fake Postgres CVE-2019-9193.
See for example:
But certainly the first step is finding out who or what is running this.
Cheers,
Greg
On Fri, Jul 11, 2025 at 11:13 AM Edmundo Robles <edmundo@sw-argos.com> wrote:
> Hi
>
> I have (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
> While monitoring active queries, I came across the following:
>
> `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
>
> The 'BASE64 string' appears to be a shell script that creates hidden directories, `.xdiag` and `.xperf`, in `/tmp`.
>
> Could you please help me locate and clean these? I apologize if this is not the appropriate contact for this issue.
This looks like a hack. Something or someone has the ability to run arbitrary SQL. Shut the server down and start taking steps to secure it. Is this server behind a firewall?
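Both replies come back to the same question: who or what is issuing these statements. An added example, not from any participant in the thread, that answers it from the server log: it scans statement log lines for `COPY ... FROM PROGRAM` and reports the role, database and target table, flagging targets that look like the throwaway `_<32 hex digits>` table Edmundo saw. It assumes `log_statement = 'all'` and `log_line_prefix = '%t [%p] %u@%d '`, and the log lines are constructed.

```python
import re
from dataclasses import dataclass

# Statement shape from the thread: a scratch table named "_" + 32 hex digits
# receives the output of COPY ... FROM PROGRAM (optional column list allowed).
COPY_FROM_PROGRAM = re.compile(
    r"\bCOPY\s+(?P<table>[^\s(]+)\s*(?:\([^)]*\)\s*)?FROM\s+PROGRAM\b",
    re.IGNORECASE,
)
SCRATCH_TABLE = re.compile(r"^_[0-9a-f]{32}$", re.IGNORECASE)

# Assumed server config (not stated in the thread): log_statement = 'all' and
# log_line_prefix = '%t [%p] %u@%d ', giving lines like the sample below.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) LOG:\s+statement: (?P<sql>.*)$"
)

@dataclass
class Finding:
    user: str
    db: str
    table: str
    scratch_table: bool  # True when the target looks like the thread's throwaway table

def scan(lines):
    """Return one Finding per COPY ... FROM PROGRAM statement in the log lines."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a statement line, or a different prefix format
        for c in COPY_FROM_PROGRAM.finditer(m.group("sql")):
            table = c.group("table")
            findings.append(Finding(m.group("user"), m.group("db"), table,
                                    bool(SCRATCH_TABLE.match(table))))
    return findings

# Constructed sample log: only two of the four statements use FROM PROGRAM.
SAMPLE_LOG = [
    "2025-07-11 10:05:31 UTC [4242] postgres@app LOG:  statement: "
    "DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; "
    "CREATE TABLE _145e289026a0a2a62de07e49c06d9965(cmd_output text); "
    "COPY _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'",
    "2025-07-11 10:06:02 UTC [4243] app@app LOG:  statement: "
    "COPY orders FROM '/var/lib/postgresql/import/orders.csv' CSV",
    "2025-07-11 10:06:40 UTC [4243] app@app LOG:  statement: select count(*) from orders",
    "2025-07-11 10:07:15 UTC [4250] report@app LOG:  statement: "
    "copy t_out (cmd_output) from program 'hostname'",
]
```

Any hit is worth a look, since only superusers and members of `pg_execute_server_program` can run `COPY ... FROM PROGRAM` at all; the role it names is the credential that was used.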