Thread

  1. I have a suspicious query

    Edmundo Robles <edmundo@sw-argos.com> — 2025-07-11T17:12:38Z

    Hi
    
    i have  (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
    While monitoring active queries, I came across the following:
    
    `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
    _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
    _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
    
    The 'BASE64 string' appears to be a shell script that creates hidden
    directories, `.xdiag` and `.xperf`, in `/tmp`.
    
    Could you please help me locate and clean these? I apologize if this is not
    the appropriate contact for this issue.
    
    Thanks,
    Edmundo
    
    --
    
  2. Re: I have a suspicious query

    Adrian Klaver <adrian.klaver@aklaver.com> — 2025-07-11T17:23:15Z

    
    On 7/11/25 10:12 AM, Edmundo Robles wrote:
    > Hi
    > 
    > i have  (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
    > While monitoring active queries, I came across the following:
    > 
    > `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE 
    > _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY 
    > _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
    > 
    > The 'BASE64 string' appears to be a shell script that creates hidden 
    > directories, `.xdiag` and `.xperf`, in `/tmp`.
    > 
    > Could you please help me locate and clean these? I apologize if this is 
    > not the appropriate contact for this issue.
    
    Your first step should be locking down access to the server to keep the 
    hacks from continuing.
    
    You already seem to know what directories are involved. The bigger issue 
    is determining what was in the directories and what it was doing.
    
    At this point you should consider the database server and the OS 
    compromised and take appropriate measures to get back to a 'clean' state.
    
    > 
    > Thanks,
    > Edmundo
    > 
    > -- 
    > 
    > 
    
    -- 
    Adrian Klaver
    adrian.klaver@aklaver.com
    
    
    
    
  3. Re: I have a suspicious query

    Greg Sabino Mullane <htamfids@gmail.com> — 2025-07-11T18:43:36Z

    Looks like someone testing out the fake Postgres CVE 2019-9193
    
    https://nvd.nist.gov/vuln/detail/CVE-2019-9193
    
    See for example:
    
    https://packetstorm.news/files/id/166540
    
    But certainly the first step is finding out who or what is running this.
    
    Cheers,
    Greg
    
  4. Re: I have a suspicious query

    Merlin Moncure <mmoncure@gmail.com> — 2025-07-11T22:59:57Z

    On Fri, Jul 11, 2025 at 11:13 AM Edmundo Robles <edmundo@sw-argos.com>
    wrote:
    
    > Hi
    >
    > i have  (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
    > While monitoring active queries, I came across the following:
    >
    > `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
    > _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
    > _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
    >
    > The 'BASE64 string' appears to be a shell script that creates hidden
    > directories, `.xdiag` and `.xperf`, in `/tmp`.
    >
    > Could you please help me locate and clean these? I apologize if this is
    > not the appropriate contact for this issue.
    >
    
    
    this looks like a hack. something or someone has ability to run
    arbitrary sql.  shut the server down and start taking steps to secure.  is
    this server behind a firewall?
    
  5. Re: I have a suspicious query

    Matthias Apitz <guru@unixarea.de> — 2025-07-12T13:23:28Z

    El día viernes, julio 11, 2025 a las 11:12:38a. m. -0600, Edmundo Robles escribió:
    
    > Hi
    > 
    > i have  (PostgreSQL) 13.16 (Debian 13.16-0+deb11u1)
    > While monitoring active queries, I came across the following:
    > 
    > `DROP TABLE IF EXISTS _145e289026a0a2a62de07e49c06d9965; CREATE TABLE
    > _145e289026a0a2a62de07e49c06d9965(cmd_output text); COPY
    > _145e289026a0a2a62de07e49c06d9965 FROM PROGRAM 'BASE64 string'`
    > 
    > The 'BASE64 string' appears to be a shell script that creates hidden
    > directories, `.xdiag` and `.xperf`, in `/tmp`.
    
    The COPY ... FROM PROGRAM is estricted to superusers or roles with
    the pg_execute_server_program permission, which is not granted to
    users by default. The PROGRAM is executed on UNIX type systems as
    the user 'postgres' (don't know about servers on Windows) and is
    extremely dangerous because theoretically the full cluster could
    be exported or purged by PRGOGRAM.
    
    	matthias
    
    -- 
    Matthias Apitz, ✉ guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
    Public GnuPG key: http://www.unixarea.de/key.pub
    
    An die deutsche Bundesregierung: Nein, meine Söhne geb' ich nicht für Ihren Krieg!
    Al Gobierno alemán: ¡No, no doy mis hijos para su guerra!
    To the German Government: No, I will not give my sons for your war!
    
    
    
    
  6. Re: I have a suspicious query

    Ron <ronljohnsonjr@gmail.com> — 2025-07-12T14:23:04Z

    On Fri, Jul 11, 2025 at 2:44 PM Greg Sabino Mullane <htamfids@gmail.com>
    wrote:
    
    > Looks like someone testing out the fake Postgres CVE 2019-9193
    >
    > https://nvd.nist.gov/vuln/detail/CVE-2019-9193
    >
    > See for example:
    >
    > https://packetstorm.news/files/id/166540
    >
    > But certainly the first step is finding out who or what is running this.
    >
    
    Next is looking at your pg_hba.conf file.
    
    -- 
    Death to <Redacted>, and butter sauce.
    Don't boil me, I'm still alive.
    <Redacted> lobster!