Re: Compromised postgresql instances
From | Steve Atkins
Subject | Re: Compromised postgresql instances
Date |
Msg-id | 4DE9811E-5DFF-4123-9451-633795F60E0D@blighty.com
In reply to | Re: Compromised postgresql instances (Tom Lane <tgl@sss.pgh.pa.us>)
Responses | Re: Compromised postgresql instances
List | pgsql-hackers
> On Jun 8, 2018, at 1:47 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Andrew Dunstan <andrew.dunstan@2ndquadrant.com> writes:
>> On 06/08/2018 04:34 PM, Steve Atkins wrote:
>>> I've noticed a steady trickle of reports of postgresql servers being compromised via being left available to the internet with insecure or default configuration, or brute-forced credentials. The symptoms are randomly named binaries being uploaded to the data directory and executed with the permissions of the postgresql user, apparently via an extension or an untrusted PL.
>>>
>>> Is anyone tracking or investigating this?
>
>> Please cite actual instances of such reports. Vague queries like this
>> help nobody.
>
> I imagine Steve is reacting to this report from today:
> https://www.postgresql.org/message-id/CANozSKLGgWDpzfua2L=OGFN=Dg3Po98UjqJJ18gBVFR1-yK5+A@mail.gmail.com
>
> I recall something similar being reported a few weeks ago,

https://www.postgresql.org/message-id/020901d3f14c%24512a46d0%24f37ed470%24%40gmail.com

> but am
> too lazy to trawl the archives right now.

Yes, plus I recall a couple of discussions on IRC with similar behaviour, and a few more details about how the binaries were being uploaded.

>
>> Furthermore, security concerns are best addressed to the security
>> mailing list.
>
> Unless there's some evidence that these attacks are getting in through
> a heretofore unknown PG security vulnerability, rather than user
> misconfiguration (such as weak/no password), I'm not sure what the
> security list would have to offer. Right now it seems like Steve's move
> to try to gather more evidence is quite the right thing to do.

Yeah. It's not a security issue with postgresql itself, I don't believe, so not really something that has to go to the security alias. It's more of an ops issue, but I thought I'd ask here to see if anyone was already looking at it, and to raise a flag if they weren't.

Cheers,
Steve
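The conditions the thread describes (a server reachable from the internet, weak or missing passwords, an untrusted PL or extension available to run code as the postgres OS user, and stray binaries dropped into the data directory) can all be checked from a psql session. The queries below are an added example for this page, not code from the thread or from the PostgreSQL project; they assume PostgreSQL 10 or later (for the pg_hba_file_rules view) and a superuser session (pg_authid and pg_ls_dir are superuser-only by default). Run them in each database of a suspect cluster, since procedural languages and extensions are per-database.

```sql
-- Added audit queries (not from the thread). Assumes PostgreSQL 10+ and a
-- superuser session. Each query covers one of the conditions the thread
-- describes; an empty result set for queries 2, 3 and 4 is the good outcome.

-- 1. Is the server listening beyond localhost at all?
SELECT name, setting
FROM pg_settings
WHERE name IN ('listen_addresses', 'port');

-- 2. pg_hba.conf rules that accept connections from any address, or that
--    skip authentication ('trust') or send passwords in cleartext ('password').
SELECT line_number, type, database, user_name, address, netmask, auth_method
FROM pg_hba_file_rules
WHERE auth_method IN ('trust', 'password')
   OR address IN ('all', '0.0.0.0', '::')
ORDER BY line_number;

-- 3. Login roles that are superusers, or that have no password set at all
--    (rolpassword is NULL). A superuser login with a weak password is the
--    "brute-forced credentials" case from the report.
SELECT rolname, rolsuper, rolpassword IS NULL AS no_password
FROM pg_authid
WHERE rolcanlogin
  AND (rolsuper OR rolpassword IS NULL)
ORDER BY rolname;

-- 4. Untrusted procedural languages installed in this database. Functions
--    written in these run with the OS privileges of the postgres user, which
--    is the "untrusted PL" route the thread mentions. Only superusers can
--    create such functions, so this matters most together with query 3.
SELECT lanname, lanpltrusted
FROM pg_language
WHERE lanispl AND NOT lanpltrusted;

-- 5. Installed extensions, to compare against what you expect on this host.
SELECT extname, extversion
FROM pg_extension
ORDER BY extname;

-- 6. Plain files at the top level of the data directory, newest first. A stock
--    cluster has a small, known set here (PG_VERSION, postgresql.conf,
--    pg_hba.conf, postmaster.opts, postmaster.pid, ...). A randomly named,
--    recently modified file is the symptom the report describes.
SELECT f.name, s.size, s.modification
FROM pg_ls_dir('.') AS f(name)
CROSS JOIN LATERAL pg_stat_file(f.name) AS s
WHERE NOT s.isdir
ORDER BY s.modification DESC;
```

Query 6 only sees the top level of the data directory; if you suspect a compromise, compare the whole tree against a known-good cluster from the filesystem side as well, since a query run through a possibly compromised server is not a trustworthy forensic source on its own.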