Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
| От | Pavel Borisov |
|---|---|
| Тема | Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL |
| Дата | |
| Msg-id | CALT9ZEFN+jAbaLs12p-np8VXVMYswV7uU03xHjPXAZugaa1ehQ@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL (Magnus Hagander <magnus@hagander.net>) |
| Ответы |
Re: [OT] Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL
|
| Список | pgsql-bugs |
On Tue, 10 Jan 2023 at 18:07, Magnus Hagander <magnus@hagander.net> wrote: > > > > On Tue, Jan 10, 2023 at 4:00 PM Pavel Borisov <pashkin.elfe@gmail.com> wrote: >> >> On Tue, 10 Jan 2023 at 17:54, Jeffrey Walton <noloader@gmail.com> wrote: >> > >> > On Tue, Jan 10, 2023 at 9:46 AM Magnus Hagander <magnus@hagander.net> wrote: >> > > >> > > On Tue, Jan 10, 2023, 15:42 Jeffrey Walton <noloader@gmail.com> wrote: >> > >> >> > >> https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/ >> > > >> > > I think the most impressive part in that article is that they found and linked to the postgresql 7 documentation... >> > >> > It looks like the article used an older version of the docs because >> > the link is broken for the newer version. When following the link to >> > the latest version of the docs, its results in a "Page not found". > > > The page simply doesn't exist, because the information is sperad out across multiple places. There is indeed a bug in thata link is generated to /current/ even if that page does not exist. But the information that's on there is also wildlyout of date. This page was removed from the documentation in 2001, over 20 years ago. Linking to such obsolete pagesin an article from 2023 doesn't exactly inspire confidence. > > > >> I wonder what was the vulnerability in Postgres that enabled "hackers" >> to run malware? I've read the article and the linked ones and found no >> causative link between Postgres and malware inside. Sorry, it seems >> like baseless warnings, not a description of vulnerability. Maybe I >> haven't got something? > > > There is no vulnerability in postgres. They are exploiting incorrectly *configured* postgres instances that allow unauthenticatedusers to log in as superuser, which by definition means the system is configured to allow arbitrary usersto upload and run arbitrary code -- which they did. Similar to leaving the ssh port open to the world for a user witha default name and no password. > Oh, I see then. They edited pg_hba.conf (in the link https://www.bigbinary.com/blog/how-my-server-got-infected-with-a-crypto-mining-malware-and-how-I-fixed-it from the article by OP) but stopped short not describing how exactly. That's the clue. Thanks! Regards, Pavel
В списке pgsql-bugs по дате отправления: