DEV Community

Discussion on: Investigation into Postgres malware (hack?)

Thomas Werner

Interesting article and nice investigation work! I just checked the CVE you linked to, and it mentions that the exploit only works by connecting as postgres superuser.

Could you figure out how that exploit was executed in your case? Was it a weak postgres password, or maybe a default installation password? What did you do to tighten your server security?

sanchitsharma

No Thomas, we couldn't figure out how the exploit was executed, since we had a strong password in place even though the default postgres port was open. We set up firewall rules as well as added an entry to the pg_hba file to allow only trusted machines access.

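The pg_hba.conf tightening the reply mentions, as an added example that is not code from the post or its author: a small Python audit that flags host rules which either skip real authentication or match any client address, run over a constructed sample file (the sample rules are assumed; check it against the server's actual pg_hba.conf).

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the post): two rules that
# expose the server to any client, next to a rule restricted to one subnet.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS            METHOD
local   all       postgres                     peer
host    all       all       0.0.0.0/0          md5
host    all       all       ::/0               trust
host    appdb     appuser   10.0.1.0/24        scram-sha-256
"""

# Methods that perform no real authentication over the network.
WEAK_METHODS = {"trust", "password"}


def address_is_any(address):
    """True when the ADDRESS column matches every client (all, /0 prefix)."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost, samenet: scoped, not "any"


def audit_pg_hba(text):
    """Return [(line_number, reason)] for host rules that should not be
    reachable on an open PostgreSQL port."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local":
            continue  # comments, blanks and Unix-socket rules have no ADDRESS
        if len(fields) < 5:
            findings.append((lineno, "malformed rule"))
            continue
        address, method = fields[3], fields[4]
        # "IP-address IP-mask" form: fold the separate netmask into a CIDR.
        if len(fields) > 5 and "/" not in address and ("." in method or ":" in method):
            address, method = f"{address}/{method}", fields[5]
        if method in WEAK_METHODS:
            findings.append((lineno, f"weak auth method '{method}'"))
        if address_is_any(address):
            findings.append((lineno, f"matches any client address ({address})"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {lineno}: {reason}")
```

Pair the audit with the firewall rule: even a correct pg_hba.conf still receives and answers connection attempts, so the port should not be reachable from untrusted networks at all.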
Luis Omar

I know this is an old post, but in case you guys still wanted to know how the exploit was executed, I'm going to leave this: unit42.paloaltonetworks.com/pgmine....

And thank you again, the post and the comment turned out to be extremely helpful.

Cheers

komorebi • Edited

I had the same issue as well in three different isolated servers!

Thanks for the write-up. I spent a couple of hours trying to figure it out but am still scratching my head as to where the malware is coming from.

Our PostgreSQL is running in a Docker environment with a strong password. On top of that, I am only using it for development.

dev-to-uploads.s3.amazonaws.com/i/...

Do you have any suggestions on strengthening the security?