
Re: Performance problem postgresql 9.5


 



> On Jun 8, 2018, at 1:09 PM, Alvaro Herrera <alvherre@xxxxxxxxxxxxxxx> wrote:
> 
> On 2018-Jun-08, Miguel Angel Sanchez Sandoval wrote:
> 
>> Hi guys, migrate from 8.4 to 9.5, all OK except that 2-3 days pass and the
>> database experiences slowness, I execute the linux top command and it shows
>> me a postgres user process executing a strange command (2yhdgrfrt63788)
>> that I consume a lot of CPU, I see the queries active and encounter select
>> fun ('./ 2yhdgrfrt63788') , this did not happen in version 8.4, any help
>> would appreciate it.
> 
> Hmm, has your database been compromised?  You may have an intruder there --
> beware.

Definitely.

The machine is compromised and doing Bad Things.

Image it if possible; save the compromise payload you know about if not.

Treat it as compromised and unsafe to attach to a network until you completely wipe and reinstall it.

It's probably a compromise via postgresql open to the network with insecure settings. I've seen several of those reported recently, and this one is saving its payload to the postgresql data directory - somewhere no other user or app will have access to, but which a compromised postgresql can easily write to.

Check the pg_hba.conf and packet filter / firewall settings and see what the issue may be. Do the same checks on all your other postgresql servers, test and production. If there's a configuration mistake that let one server be compromised it may well be there on others too.

Unless you are positive the server was not attacked, don't trust it unless you can be absolutely certain it is clean. Best bet is to back up any critical data (and check it for trustworthiness), wipe and rebuild.

Cheers,
  Steve
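
The pg_hba.conf check suggested in the message above, as an added example that is not part of the original e-mail: a small Python audit that flags `host` rules using `trust` authentication or matching every client address. The sample file contents and the function names are constructed for illustration.

```python
import ipaddress

HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

# Constructed sample file, not taken from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       postgres               peer
host    all       all   127.0.0.1/32     md5
host    all       all   0.0.0.0/0        trust
host    all       all   ::/0             md5
host    appdb     app   10.0.5.0/24      md5
host    all       all   0.0.0.0 0.0.0.0  md5
"""

def _client_range(addr, rest):
    """Return (network, fields after the address); network is None for names/keywords."""
    try:
        if "/" in addr:                                   # CIDR form
            return ipaddress.ip_network(addr, strict=False), rest
        ipaddress.ip_address(addr)                        # raises for hostnames/keywords
        prefix = bin(int(ipaddress.ip_address(rest[0]))).count("1")  # separate netmask
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), rest[1:]
    except ValueError:
        return None, rest

def audit_hba(text):
    """Return [(line_number, issue)] for TCP rules that leave the server exposed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue  # blank line, comment, or 'local' (Unix socket) rule
        net, rest = _client_range(fields[3], fields[4:])
        if not rest:
            continue  # malformed rule: no auth method field
        method = rest[0]
        shown = net if net is not None else fields[3]
        if method == "trust":
            scope = "loopback" if net is not None and net.is_loopback else "remote"
            findings.append((lineno, f"trust (no password) for {scope} clients {shown}"))
        wide_open = fields[3] == "all" or (net is not None and net.prefixlen == 0)
        if wide_open and method != "reject":
            findings.append((lineno, f"matches every client address ({shown})"))
    return findings

if __name__ == "__main__":
    for lineno, issue in audit_hba(SAMPLE_HBA):
        print(f"pg_hba.conf line {lineno}: {issue}")
```

A clean result here only covers pg_hba.conf; `listen_addresses` and the packet filter still decide whether the port is reachable at all.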





