Interesting article and nice investigation work! I just checked the CVE you linked to, and it mentions that the exploit only works by connecting as postgres superuser.
Could you figure out how that exploit was executed in your case? Was it a weak postgres password, or maybe a default installation password? What did you do to tighten your server security?
No Thomas, we couldn't figure out how the exploit was executed, since we had a strong password in place even though the default postgres port was open. We set up firewall rules and added entries to the pg_hba file to allow only trusted machines access.
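As an added example (not code from the original post or its authors), here is a small Python audit of pg_hba.conf-style rules that flags the patterns this thread is about: password-less `trust`, rules that accept any source address, and a superuser role reachable from anywhere, which matters because the exploit discussed above needs a superuser connection. The two rule sets are constructed for illustration; the parsing of `local` rows (no ADDRESS column) and the `address netmask` form follows the documented pg_hba.conf layout. Remember that pg_hba.conf is matched first-match, so a trailing `reject` does not undo an earlier open rule; the audit therefore judges each rule on its own.

```python
"""Audit pg_hba.conf rules for entries that expose PostgreSQL too widely.

Added example, not from the original post. Columns follow pg_hba.conf:
TYPE DATABASE USER [ADDRESS] METHOD. Sample configs below are constructed.
"""
import ipaddress
from typing import List, Tuple

# Constructed "before": trust locally, password auth from the whole internet.
WEAK_HBA = """
# TYPE  DATABASE  USER  ADDRESS    METHOD
local   all       all              trust
host    all       all   0.0.0.0/0  md5
host    all       all   ::/0       md5
"""

# Constructed "after": peer auth for the superuser, one app role from one subnet
# over TLS with SCRAM, everything else explicitly rejected.
HARDENED_HBA = """
# TYPE   DATABASE  USER      ADDRESS      METHOD
local    all       postgres               peer
hostssl  appdb     app_user  10.0.1.0/24  scram-sha-256
host     all       all       0.0.0.0/0    reject
"""

# 'all' in the USER column also matches superusers, so treat it as exposed.
SUPERUSER_ROLES = {"postgres", "all"}

Rule = Tuple[str, str, str, str, str]  # (type, database, user, address, method)


def parse_hba(text: str) -> List[Rule]:
    """Parse rules, skipping comments; address is '' for 'local' rows."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            if len(f) >= 4:
                rules.append((f[0], f[1], f[2], "", f[3]))
            continue
        if len(f) < 5:
            continue
        addr, method = f[3], f[4]
        # "address netmask method" form: fold the netmask into the address.
        if "/" not in addr and addr not in ("all", "samehost", "samenet") and len(f) >= 6:
            addr, method = f"{addr}/{f[4]}", f[5]
        rules.append((f[0], f[1], f[2], addr, method))
    return rules


def _world_reachable(addr: str) -> bool:
    """True for 'all' and for a zero-length prefix (0.0.0.0/0, ::/0)."""
    if addr == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost, samenet: not an any-address wildcard


def audit_hba(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, one per risky property of a rule."""
    findings: List[Tuple[str, str]] = []
    for conn_type, db, user, addr, method in parse_hba(text):
        rule = " ".join(x for x in (conn_type, db, user, addr, method) if x)
        if method == "trust":
            findings.append(("high", f"'trust' skips authentication entirely: {rule}"))
        if method == "password":
            findings.append(("high", f"'password' sends the password in cleartext: {rule}"))
        if method == "md5":
            findings.append(("low", f"md5 is deprecated, prefer scram-sha-256: {rule}"))
        if conn_type != "local" and method != "reject" and _world_reachable(addr):
            sev = "critical" if user in SUPERUSER_ROLES else "high"
            findings.append((sev, f"accepts connections from any address for user '{user}': {rule}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        print(f"== {label}: {len(audit_hba(cfg))} finding(s)")
        for sev, msg in audit_hba(cfg):
            print(f"  [{sev}] {msg}")
```

Run it against your own file with `audit_hba(open("/etc/postgresql/.../pg_hba.conf").read())`; the path depends on your distribution. The pg_hba restriction only helps if the listener is also not reachable from the internet, so pair it with `listen_addresses` and the host firewall rather than relying on either alone.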
I know this is an old post, but in case you guys still wanted to know how the exploit was executed I'm going to leave this unit42.paloaltonetworks.com/pgmine....
And thank you again, the post and the comment turned out to be extremely helpful.
Cheers
I had the same issue as well in three different isolated servers!
Thanks for the write-up. I spent a couple of hours trying to figure it out, but I'm still scratching my head as to where the malware is coming from.
Our PostgreSQL is running in a Docker environment with a strong password. On top of that, I am only using it for development.
dev-to-uploads.s3.amazonaws.com/i/...
Do you have any suggestion on strengthening the security?
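One thing worth checking for a Docker-hosted PostgreSQL, offered as an added example rather than anything from the original post: a container started with `-p 5432:5432` is published on every interface (`0.0.0.0` and `::`), and because Docker manages its own iptables rules, a host-level firewall such as ufw does not necessarily block those published ports. The script below parses the PORTS column as `docker ps` prints it and flags database ports that are reachable beyond loopback; the sample `docker ps` lines are constructed, and the port list to watch is an assumption you can extend.

```python
"""Flag Docker-published ports that bind a database to every interface.

Added example, not from the original post. Input is the PORTS column of
`docker ps --format '{{.Names}}\t{{.Ports}}'`; the sample below is constructed.
"""
from typing import Dict, List, Sequence

# Constructed sample output: one container published on all interfaces,
# one bound to loopback only, one exposed but not published.
SAMPLE_PS = (
    "pg-dev\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\n"
    "pg-local\t127.0.0.1:5432->5432/tcp\n"
    "redis-dev\t6379/tcp\n"
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WATCH_PORTS: Sequence[int] = (5432,)  # assumption: extend with other DB ports


def parse_ports(ports_field: str) -> List[Dict[str, str]]:
    """Split 'HOST:HPORT->CPORT/PROTO, ...' into mappings; skip unpublished ports."""
    mappings = []
    for item in ports_field.split(","):
        item = item.strip()
        if "->" not in item:
            continue  # e.g. '6379/tcp': exposed inside the docker network only
        published, target = item.split("->", 1)
        host, _, hport = published.rpartition(":")  # handles ':::5432' (host '::')
        cport, _, proto = target.partition("/")
        mappings.append({"host": host, "host_port": hport,
                         "container_port": cport, "proto": proto})
    return mappings


def audit_ps_output(text: str, watch_ports: Sequence[int] = WATCH_PORTS) -> List[str]:
    """Return one finding per watched port that is published beyond loopback."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for m in parse_ports(ports):
            if m["host"] in LOOPBACK:
                continue
            if int(m["host_port"]) in watch_ports or int(m["container_port"]) in watch_ports:
                findings.append(
                    f"{name}: {m['host']}:{m['host_port']}->{m['container_port']}/{m['proto']} "
                    f"is reachable from every interface; publish as "
                    f"-p 127.0.0.1:{m['host_port']}:{m['container_port']} or drop -p entirely"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_ps_output(SAMPLE_PS):
        print(finding)
```

For a development database that only other containers need, the safest mapping is none at all: put the app and the database on the same user-defined Docker network and connect by service name, so nothing is published on the host. If a local client on the host needs it, `-p 127.0.0.1:5432:5432` keeps it off the network interfaces. This complements, rather than replaces, a restrictive pg_hba.conf and a non-superuser application role.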