Re: [HACKERS] Hacker found bug in Postgres ?
From | Cary O'Brien |
---|---|
Subject | Re: [HACKERS] Hacker found bug in Postgres ? |
Date | |
Msg-id | 199904281304.JAA16421@saltmine.radix.net |
List | pgsql-hackers |
Matthias Schmitt wrote...

> Hello,
>
> this night we discovered here a strange behaviour on our servers. Somebody
> managed to get access to the UNIX shell using the 'postgres' db
> administrator account. He logged in some machines with a single try ! The
> password was not part of any dictionary. He tried some other accounts,
> without success. Under the user postgres he installed an 'eggdrop' program
> on the machine, implementing an IRC server.

Yikes. Scary.

The first thing that comes to my mind is a buffer overrun in the FE/BE protocol. The second thing that comes to mind is sniffed passwords.

Lots of questions come up:

1) Is your postmaster listening on a TCP/IP socket? I.E. do you have -i as an argument to postmaster when it is running?

2) Have you had any postmaster crashes? Has anyone out there had any unexpected postmaster crashes? I'd expect if someone has an exploit for such a bug that it would not always work due to differences in compilation, probably resulting in a postmaster crash.

3) Do you do admin work over the net, i.e. from a client machine on another machine? Would the password go over the wire then? I'm not really sure.

4) Do you have a separate account for postmaster, or does it run as 'daemon' (I think this is the default for the pgsql distributed by RedHat)? If so the compromise may have come from a different service.

5) How secure is your LAN?

For now, I'd suggest that people turn off TCP/IP connections unless they really need it (remove -i). Beyond that they may want to filter port 5432/tcp at a nearby router/firewall. But it is not 100% clear this is what happened.

Interestinger and interestinger....

-- cary
Cary O'Brien cobrien@radix.net
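A small audit helper for the two exposure questions raised above (is the postmaster started with -i, and which pg_hba.conf entries admit TCP clients with no password or from any address). This is an added example, not code from the thread or from the PostgreSQL project; it assumes the postmaster command line is available as a string (for instance from `ps`) and that pg_hba.conf uses the 6.x layout `host DB IP MASK AUTHTYPE`. The sample pg_hba.conf content at the bottom is constructed for illustration.

```sh
#!/bin/sh
# Added audit helper (not from the original thread). Assumptions: the postmaster
# command line is passed in as one string (e.g. the output of `ps -ef | grep '[p]ostmaster'`),
# and pg_hba.conf uses the 6.x layout "host DB IP MASK AUTHTYPE".

# Returns 0 if the postmaster command line enables TCP/IP listening (-i), else 1.
postmaster_tcp_enabled() {
    cmdline="$1"
    for arg in $cmdline; do
        case "$arg" in
            -i) return 0 ;;
        esac
    done
    return 1
}

# Prints every pg_hba.conf 'host' line that either uses auth type 'trust'
# (no password) or a 0.0.0.0 mask (any address). Returns 0 if any were found.
risky_hba_lines() {
    hba_file="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;      # skip blanks and comments
        esac
        set -- $line                  # split the record into fields
        [ "$1" = "host" ] || continue # only TCP/IP entries matter here
        mask="$4"; auth="$5"
        if [ "$auth" = "trust" ] || [ "$mask" = "0.0.0.0" ]; then
            echo "$line"
            found=0
        fi
    done < "$hba_file"
    return $found
}

# Demo on constructed input (a real run would feed `ps` output and the live file).
sample_hba=$(mktemp)
cat > "$sample_hba" <<'EOF'
# constructed sample pg_hba.conf
local all trust
host  all 127.0.0.1 255.255.255.255 password
host  all 0.0.0.0   0.0.0.0         trust
EOF
if postmaster_tcp_enabled "postmaster -i -D /usr/local/pgsql/data"; then
    echo "postmaster accepts TCP/IP connections (-i is set); checking pg_hba.conf:"
    risky_hba_lines "$sample_hba" || echo "no risky host entries"
fi
rm -f "$sample_hba"
```

If the first check fires and the second prints nothing, the instance still accepts TCP clients, but only under the password rules listed in pg_hba.conf; if either reports a `trust` or 0.0.0.0 entry, remove it or drop -i before worrying about the router filter.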