> On Jun 8, 2018, at 1:47 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > > Andrew Dunstan <andrew.duns...@2ndquadrant.com> writes: >> On 06/08/2018 04:34 PM, Steve Atkins wrote: >>> I've noticed a steady trickle of reports of postgresql servers being >>> compromised via being left available to the internet with insecure or >>> default configuration, or brute-forced credentials. The symptoms are >>> randomly named binaries being uploaded to the data directory and executed >>> with the permissions of the postgresql user, apparently via an extension or >>> an untrusted PL. >>> >>> Is anyone tracking or investigating this? > >> Please cite actual instances of such reports. Vague queries like this >> help nobody. > > I imagine Steve is reacting to this report from today: > https://www.postgresql.org/message-id/CANozSKLGgWDpzfua2L=OGFN=dg3po98ujqjj18gbvfr1-yk...@mail.gmail.com > > I recall something similar being reported a few weeks ago,
https://www.postgresql.org/message-id/020901d3f14c%24512a46d0%24f37ed470%24%40gmail.com > but am > too lazy to trawl the archives right now. Yes, plus I recall a couple of discussions on IRC with similar behaviour, and a few more details about how the binaries were being uploaded. > >> Furthermore, security concerns are best addressed to the security >> mailing list. > > Unless there's some evidence that these attacks are getting in through > a heretofore unknown PG security vulnerability, rather than user > misconfiguration (such as weak/no password), I'm not sure what the > security list would have to offer. Right now it seems like Steve's move > to try to gather more evidence is quite the right thing to do. Yeah. It's not a security issue with postgresql itself, I don't believe, so not really something that has to go to the security alias. It's more of an ops issue, but I thought I'd ask here to see if anyone was already looking at it, and to raise a flag if they weren't. Cheers, Steve
