And for the record, Ahmet, here’s a weird cron job:
christan@vultr:~$ sudo crontab -l -u postgres
13 * * * * /var/lib/postgresql/.systemd-private-x8C8W8llVk0Rzccy9N0ggCOI2VBAc.sh > /dev/null 2>&1 &
Had no idea somebody can add something like this externally...
Hmm wow, never thought this could be the case. Yes I am using postgres/postgres for my db, and I am indeed allowing full remote access in my pg_hba.conf (I would definitely change this, just wanted to start testing it…)
# Remote database connections
host all postgres 0.0.0.0/0 md5
And I can suggest checking cron jobs both on root and postgres, killing those processes and changing root postgres passwords.
Ahmet
Antonis Christodoulou <christan305@hotmail.com> <VI1P193MB051005C8BE974502A0D4A315E1F79@VI1P193MB0510.EURP193.PROD.OUTLOOK.COM> writes:
> This is a machine in the cloud, I can’t disconnect it.
In that case, you need to be taking nonzero security precautions.
> And yes the ps looks like this precisely when I do a fresh restart. I kill all postgres processes and restart:
> Then this is the output of me ps:
That looks fine ... but this doesn't:
>>> postgres 3342383 1 0 2022 ? 00:00:00 FzXlkULu
>>> postgres 3344758 1 99 2022 ? 3-14:39:11 OElid7Dp
>>> postgres 3419125 1 18 13:57 ? 01:17:03 tracepath
Somebody is hacking into your system and commandeering it to run
something resource-intensive, possibly a bitcoin miner. Whatever
it is, it's trying to obscure its process name which is hardly
a sign of good intentions.
I'd counsel taking a hard look at your pg_hba.conf to be sure
it's not allowing non-credentialed logins from anywhere. And
for pete's sake don't use a guessable password.
regards, tom lane