7

I have postgres 10.4 set up on a Linux machine, and sometimes there will randomly be rules at the top of pg_hba.conf that only allows an MD5 connection by a user "pgdbadm". I'm not sure if the database got hacked but after changing the password and checking that a pgdbadm doesn't exist, I still see the new rules from time to time. Is it possible that the database is compromised?

The three rules, if I recall correctly are as follows:

local all all 0.0.0.0/0 reject
host all postgres 0.0.0.0/0 reject
host all pgdbadm 0.0.0.0/0 md5

Any explanation as to what is going on would be appreciated, as well as potential solutions.

EDIT: I have discovered that when setting up pg_hba.conf I used a rule where all connections didn't require a password. This probably allowed a bot to log in and create unwanted databases/other things, so I will do a clean install of Ubuntu and backup the databases.

asked Aug 19, 2018 at 5:49
2
  • 2
    I’d back the database up & reinstall the OS from scratch. If the machine has been compromised there could be a root kit (or similar) Commented Aug 19, 2018 at 6:20
  • I described how I replicated the hack with no shell access - remotely through pgAdmin 4 here: stackoverflow.com/questions/52197486/… Commented Oct 12, 2018 at 10:56

2 Answers

6

As you seem to have surmised, "pgdbadm" is an account created by hackers. It is the known account created by a recent crypto-mining attacker who exploits unsecured postgresql superuser accounts. Changing the pg_hba.conf is also part of his MO.

answered Aug 29, 2018 at 12:30
2
  • Just encountered this issue recently. I believe it can only happen if the hacker has access to my EC2 host, which means my SSH key is compromised? Commented Mar 17, 2019 at 2:37
  • 1
    @c2 If they have access to a PostgreSQL superuser account, they can use that to get access to the files of the EC2 host account which is running the PostgreSQL server. They don't need to have compromised your ssh key to do this. Of course if you left your private key lying around, they could have nabbed it. But usually an EC2 host will only have the public key, not the private one. Commented Mar 17, 2019 at 12:10
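The question's EDIT names the weak setting (a rule that required no password) and this answer names the injected rules. The following audit script is an added example, not code from the question or the answers: it parses a pg_hba.conf and flags a network-reachable `trust` rule, a rule rejecting the `postgres` superuser, and rules for roles outside a site allow-list. The allow-list and the sample file are constructed here to resemble the post.

```python
import ipaddress
EXPECTED_ROLES = {"all", "postgres", "app"}  # constructed allow-list; adjust to your deployment

# Constructed sample resembling the question: the wide-open 'trust' rule, then the three injected rules.
SAMPLE = """\
host    all   all       127.0.0.1/32       md5
host    all   all       0.0.0.0/0          trust
local   all   all       0.0.0.0/0          reject
host    all   postgres  0.0.0.0/0          reject
host    all   pgdbadm   0.0.0.0/0          md5
"""

def parse_pg_hba(text):
    """Parse pg_hba.conf into rule dicts; tolerates 'IP netmask' addresses and key=value options."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 4:
            continue
        ctype, db, user, rest, addr = f[0], f[1], f[2], f[3:], None
        if ctype != "local":
            addr = rest.pop(0)
            if "/" not in addr and rest and (rest[0][0].isdigit() or ":" in rest[0]):
                addr += "/" + rest.pop(0)  # separate-netmask form (auth method names never look like this)
        elif "/" in rest[0]:
            rest.pop(0)  # stray address on a local line, as in the rules quoted in the question
        method = next((x for x in rest if "=" not in x), None)  # first field that is not an option
        if method:
            rules.append({"line": lineno, "type": ctype, "db": db, "user": user, "addr": addr, "method": method})
    return rules

def reachable_from_network(addr):
    # True when an address field can match clients other than the local host.
    try:
        return not ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:  # 'all', 'samenet', hostnames: treat as reachable; only 'samehost' is not
        return addr != "samehost"

def audit(rules, expected_roles=EXPECTED_ROLES):
    # Returns (line, message) findings for the weak setting and the injected rules discussed here.
    findings = []
    for r in rules:
        users = {u.lstrip("+") for u in r["user"].split(",")}
        if r["method"] == "trust" and r["type"] != "local" and reachable_from_network(r["addr"]):
            findings.append((r["line"], "network-reachable trust rule: no password required"))
        if r["method"] == "reject" and "postgres" in users:
            findings.append((r["line"], "rule rejects the postgres superuser"))
        if users - expected_roles:
            findings.append((r["line"], f"rule for unexpected role(s): {sorted(users - expected_roles)}"))
    return findings
```

To run it against a live server, read the file reported by `SHOW hba_file;` (on a Debian/Ubuntu package install typically /etc/postgresql/10/main/pg_hba.conf) and pass its contents to `audit(parse_pg_hba(...))`; scheduling that check is one way to catch the rules the asker saw reappearing.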
2

In a standard Postgres installation, no rules are added to pg_hba.conf by any program whatsoever. All editing of this file is done manually.

You either have some person doing this or someone has added a program - either with benevolent or malicious intent - to do this for them.

You should solve this

  1. in your organisation by determining who is doing this; and
  2. by changing passwords and removing/revoking any SSH keys
answered Aug 19, 2018 at 5:59
5
  • I was going to ask, before anything, what the pgdbadm user is...there's nothing on google about it Commented Aug 19, 2018 at 6:34
  • @ethanc: pgdbadm is not a "standard" Postgres (or Linux if I'm not mistaken) user. Someone in your organization must have added that user Commented Aug 19, 2018 at 7:30
  • @a_horse_with_no_name As I'm writing this I'm backing up my databases, but yeah, I'm the only one who uses the server so it must have been a bot. Commented Aug 19, 2018 at 7:41
  • I just came across the same symptoms, with the same pgdbadm user etc., not sure if it's simply a matter of bots Commented Aug 26, 2018 at 7:33
  • Do either of you have any Postgres admin tools of any sort installed? Commented Aug 26, 2018 at 10:23
