Re: posgresql.log

[Ron <ronljohnsonjr@xxxxxxxxx>]

On 05/21/2018 04:40 PM, Bartosz Dmytrak wrote:

Hi Gurus,

Looking into my postgresql.log on one of my test servers I found scary entry:

 

--2018-05-19 05:28:21--  http://207.148.79.161/post0514/post

Connecting to 207.148.79.161:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1606648 (1.5M) [application/octet-stream]

Saving to: ‘/var/lib/postgresql/10/main/postgresq1’

 

     0K .......... .......... .......... .......... ..........  3% 71.0K 21s

    50K .......... .......... .......... .......... ..........  6%  106K 17s

   100K .......... .......... .......... .......... ..........  9%  213K 13s

   150K .......... .......... .......... .......... .......... 12%  213K 11s

[snip]

  1500K .......... .......... .......... .......... .......... 98% 11.8M 0s

  1550K .......... ........                                   100% 12.5M=2.6s

 

2018-05-19 05:28:25 (598 KB/s) - ‘/var/lib/postgresql/10/main/postgresq1’ saved [1606648/1606648]

 

Downloaded file is not posgresql but postgresq1(one).

 

It was pure pg instalation without any contrib modules addons etc, istalled on ubuntu box by apt manager using repos:

http://apt.postgresql.org/pub/repos/apt xenial-pgdg/main

http://apt.postgresql.org/pub/repos/apt xenial-pgdg

 

I have never seen such entry on other my other servers…

Could you be so kind and explain me what is it? I am afraid my postgres has been hacekd.

This looks like what happens when the adobe flash player package downloads the closed-source binary installer.  Thus, I wouldn't be surprised if the repository package isn't downloading the installation binaries from http://207.148.79.161/post0514/post.

--
Angular momentum makes the world go 'round.