And for the record, Ahmet, here’s a weird cron job:

christan@vultr:~$ sudo crontab -l -u postgres
13 * * * * /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh > /dev/null 2>&1 &

Had no idea somebody can add something like this externally...

> On 2 Jan 2023, at 8:34 AM, Antonis Christodoulou <christan...@hotmail.com> wrote:
>
> Hmm wow, never thought this could be the case. Yes I am using
> postgres/postgres for my db, and I am indeed allowing full remote access in
> my pg_hba.conf (I would definitely change this, just wanted to start testing
> it…)
>
> # Remote database connections
> host all postgres 0.0.0.0/0 md5
>
>> On 2 Jan 2023, at 8:29 AM, Ahmet Demir <dbade...@gmail.com> wrote:
>>
>> And I can suggest checking cron jobs both on root and postgres, killing
>> those processes and changing root postgres passwords.
>>
>> Ahmet
>>
>> On Mon, 2 Jan 2023 at 09:19, Tom Lane <t...@sss.pgh.pa.us> wrote:
>> Antonis Christodoulou <christan...@hotmail.com> writes:
>> > This is a machine in the cloud, I can’t disconnect it.
>>
>> In that case, you need to be taking nonzero security precautions.
>>
>> > And yes the ps looks like this precisely when I do a fresh restart. I kill
>> > all postgres processes and restart:
>> > Then this is the output of my ps:
>>
>> That looks fine ... but this doesn't:
>>
>> >>> postgres 3342383 1 0 2022 ? 00:00:00 FzXlkULu
>> >>> postgres 3344758 1 99 2022 ? 3-14:39:11 OElid7Dp
>> >>> postgres 3419125 1 18 13:57 ? 01:17:03 tracepath
>>
>> Somebody is hacking into your system and commandeering it to run
>> something resource-intensive, possibly a bitcoin miner. Whatever
>> it is, it's trying to obscure its process name which is hardly
>> a sign of good intentions.
>>
>> I'd counsel taking a hard look at your pg_hba.conf to be sure
>> it's not allowing non-credentialed logins from anywhere. And
>> for pete's sake don't use a guessable password.
>>
>> regards, tom lane
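
Added example, not part of the original thread and not written by any of its participants: a small audit of pg_hba.conf along the lines of the "hard look" suggested above, flagging rules that match any client address and either use a weak auth method or cover the superuser. The sample file is constructed around the rule quoted in the thread; the superuser name postgres and the function names are assumptions.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
WEAK_METHODS = {"trust": "no credentials required", "password": "cleartext password",
                "md5": "legacy md5 hashing, prefer scram-sha-256"}
SUPERUSERS = {"postgres"}  # assumption: default superuser name, as in the thread

# Constructed sample; only the "Remote database connections" rule is from the thread.
SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    all       all       127.0.0.1/32     scram-sha-256
# Remote database connections
host    all       postgres  0.0.0.0/0        md5
host    all       all       0.0.0.0 0.0.0.0  trust
hostssl appdb     app       ::/0             scram-sha-256
"""

def is_any_address(addr):
    """True when the ADDRESS column matches every client."""
    try:
        return addr == "all" or ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost, samenet

def audit_pg_hba(text):
    """Return (line_no, rule, reasons) for risky rules reachable from any address."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # simplification: ignores quoted fields
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue  # blank line, comment, local-socket rule or include directive
        users, addr, method = set(fields[2].split(",")), fields[3], fields[4]
        try:  # ADDRESS may also be written as separate IP and netmask columns
            ipaddress.ip_address(fields[4])
            addr, method = f"{addr}/{fields[4]}", fields[5]
        except (ValueError, IndexError):
            pass
        if not is_any_address(addr):
            continue
        reasons = [WEAK_METHODS[method]] if method in WEAK_METHODS else []
        if "all" in users or users & SUPERUSERS:
            reasons.append("rule covers the superuser from any address")
        if reasons:
            findings.append((no, " ".join(fields), reasons))
    return findings

if __name__ == "__main__":
    for no, rule, reasons in audit_pg_hba(SAMPLE):
        print(f"line {no}: {rule} -> {'; '.join(reasons)}")
```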