A database machine I was handling got infected by a malware, potentially a crypto miner, via a feature in Postgres. This feature, due to our recent...
Hey!
Have you looked at the base64 encoded payload at all?
The long string that is being echoed is piped into base64 -d, which decodes the base64, and the result is piped into bash for execution. The decoded payload that is piped into bash is the following script:
To correctly assess your situation and the impact this might have had on your systems and users you should definitely take a look to see what effects on your server and data this script might have had.
A very nice tool for this kind of forensic work is GCHQ's CyberChef. It has lots of functions for encoding and decoding different formats.
For anyone else interested, here is the malicious script after base64 decode and some tidying up:
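The comments above describe the first triage step: pull the base64 stage out of the one-liner and read it instead of letting bash run it. The following is an added example (not code from the post or from any commenter) that does that decoding offline and scans the result for the strings a responder would look at first. The one-liner and the payload it wraps are constructed for the example; the payload is a harmless placeholder that only adds a cron entry, chosen because that is the persistence mechanism other commenters report.

```python
import base64
import re
from typing import Optional

# Constructed sample, NOT the actual payload from the thread: a placeholder
# script wrapped the same way (echo <base64> | base64 -d | bash). Its only
# action is adding a cron entry, which mirrors the persistence described by
# commenters, so the indicator scan has something to find.
SAMPLE_PAYLOAD = (
    "#!/bin/bash\n"
    "(crontab -l 2>/dev/null; "
    "echo '* * * * * /var/lib/postgresql/.systemd-service.sh > /dev/null 2>&1 &') | crontab -\n"
)
SAMPLE_CMDLINE = (
    "echo " + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode() + " | base64 -d | bash"
)

# Shape of the one-liner: echo <base64> | base64 -d | bash  (quotes and -n tolerated)
PIPELINE_RE = re.compile(
    r"echo\s+(?:-n\s+)?['\"]?(?P<b64>[A-Za-z0-9+/=]+)['\"]?"
    r"\s*\|\s*base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"
)

# Substrings worth reading first in a decoded script (persistence, downloads, hiding).
INDICATORS = ("crontab", "curl ", "wget ", "/dev/null", "/tmp/", "/dev/shm",
              "chmod +x", "nohup", "setsid")


def extract_payload(cmdline: str) -> Optional[str]:
    """Decode the base64 stage of an echo|base64 -d|bash one-liner without executing it.

    Returns the decoded script text, or None if the line is not of that shape.
    """
    m = PIPELINE_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group("b64")
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def find_indicators(script: str) -> list:
    """Return the INDICATORS that occur in a decoded script, in table order."""
    return [s for s in INDICATORS if s in script]


if __name__ == "__main__":
    decoded = extract_payload(SAMPLE_CMDLINE)
    print(decoded)
    print("indicators:", find_indicators(decoded or ""))
```

For a real sample, paste the captured command line (from ps output, a shell history file, or the PostgreSQL log) into extract_payload and read the result before doing anything else; the decoded script frequently contains a second stage that is itself base64-encoded, in which case the same function can be applied again.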
Thanks Valts, I have added a bit commented (whatever I could understand) version to post itself. Please comment if I might have done anything wrong there.
Thanks Daniel. Don't know why I missed the piping into the base64 -d command. I had never seen that command, so my brain missed it :D. This has become more interesting. I'm looking into what this script is doing.
Nice! Hope it's nothing too serious.
I'm also using this corona isolation time to analyze a phishing attempt against me that took place a few weeks ago.
Guess I'll be having a series of articles up over the next days :D
Very interesting stuff! Thanks a lot for sharing your experience...
Interesting article and nice investigation work! I just checked the CVE you linked to, and it mentions that the exploit only works by connecting as postgres superuser.
Could you figure out how that exploit was executed in your case? Was it a weak postgres password, or maybe a default installation password? What did you do to tighten your server security?
No Thomas, we couldn't figure out how the exploit was executed, since we had a strong password in place even though the default postgres port was open. We set up firewall rules and added entries to the pg_hba file to allow access only from trusted machines.
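The reply above names the two controls that actually close this off: a firewall in front of port 5432 and a pg_hba.conf that only admits trusted networks with a real authentication method. As an added example (not the author's configuration or code), here is a small audit that reads a pg_hba.conf fragment and flags the rules that leave the server reachable from anywhere or authenticated weakly. The sample file is constructed; the checker assumes the CIDR address form and does not handle the separate-netmask form or include directives.

```python
import ipaddress

# Constructed pg_hba.conf fragment (not the thread author's file). Lines 3 and 4
# are the kind of over-permissive rules that expose the server to the whole
# internet; lines 5 and 6 show the restriction the reply describes.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   0.0.0.0/0      md5
host    all       all   ::/0           trust
host    app       app   10.0.5.0/24    scram-sha-256
hostssl all       all   10.0.5.12/32   scram-sha-256
"""

# Methods that should not face a network: 'trust' skips authentication,
# 'password' sends the password in cleartext.
WEAK_METHODS = {"trust", "password"}


def parse_pg_hba(text):
    """Parse the CIDR form of pg_hba.conf records (assumption: no separate-netmask
    form and no include directives). Returns one dict per rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                          "addr": None, "method": f[3]})
        else:  # host, hostssl, hostnossl, hostgssenc, hostnogssenc
            rules.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                          "addr": f[3], "method": f[4]})
    return rules


def audit_pg_hba(text):
    """Return [{'line': n, 'reasons': [...]}, ...] for rules that need tightening."""
    findings = []
    for r in parse_pg_hba(text):
        reasons = []
        if r["method"] in WEAK_METHODS:
            reasons.append(f"method '{r['method']}' provides no real authentication")
        if r["addr"] is not None:
            try:
                if ipaddress.ip_network(r["addr"], strict=False).prefixlen == 0:
                    reasons.append(f"address {r['addr']} admits every client on the internet")
            except ValueError:
                pass  # 'all', 'samenet', hostnames: outside this check
            if r["method"] == "md5":
                reasons.append("md5 over the network: prefer scram-sha-256")
        if reasons:
            findings.append({"line": r["line"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"line {f['line']}: " + "; ".join(f["reasons"]))
```

The file to feed in is whatever SHOW hba_file; reports in psql. A clean result from this check is only half the story: the listen_addresses setting and the host firewall decide whether port 5432 is reachable at all, and a strong password does not help when a rule says trust.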
I know this is an old post, but in case you guys still wanted to know how the exploit was executed I'm going to leave this unit42.paloaltonetworks.com/pgmine....
And thank you again, the post and the comment turned out to be extremely helpful.
Cheers
I had the same issue as well in three different isolated servers!
Thanks for the write up. I spent a couple of hours trying to figure it out but am still scratching my head as to where the malware is coming from.
Our postgresql is running in a docker environment along with a strong password. On top of it, I am only using it for development.
Do you have any suggestion on strengthening the security?
Thanks for this post. I was hit as well and traced it using the steps above.
Here are the decoded contents of the hidden file pgsql/.systemd-service.sh:
Hi,
Thanks for the info,
I am facing the same malware attack and following up with the articles, trying to patch the leak. Not sure: after you deleted the files and folders, did the malware find its way back again?
I found that we need to delete the cron task as well.
Scheduled cron jobs: for mine, it looks something like this, by user postgre, and runs this command: /var/lib/postgresql/.systemd-service.sh > /dev/null 2>&1 &
I am trying to find out why and how it created itself under my cron task.
And need to seal out all the potential leaks.
If any one of you have more info. or advice, please share, thanks a lot.
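The comment above is the answer to "it came back": deleting the files is not enough while a cron entry re-launches them. As an added example (not the commenter's code), here is a check that parses crontab output and flags entries with the traits of that persistence: a hidden dot-file, a scratch directory, output thrown away and backgrounded, or a schedule that fires constantly. The crontab text is constructed; the only real-looking path in it is the one the commenter posted.

```python
import re

# Constructed `crontab -l -u postgres` output (not a real capture). Line 2 is a
# legitimate maintenance job; lines 3 and 4 are shaped like the entry the
# comment above describes.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/vacuumdb --all --analyze
*/5 * * * * /var/lib/postgresql/.systemd-service.sh > /dev/null 2>&1 &
@reboot /tmp/.x/run.sh
"""

ENTRY_RE = re.compile(r"^(?P<sched>@\w+\s+|(?:\S+\s+){5})(?P<cmd>.+)$")
HIDDEN_PATH_RE = re.compile(r"/\.[^/\s]+")          # a path component starting with '.'
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_crontab(text):
    """Yield (lineno, schedule, command) per job line, skipping comments and VAR=value lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield lineno, m.group("sched").strip(), m.group("cmd").strip()


def suspicious_reasons(schedule, command):
    """Return the persistence traits present in one cron entry (empty list if none)."""
    reasons = []
    if HIDDEN_PATH_RE.search(command):
        reasons.append("runs a hidden (dot-prefixed) file")
    if any(d in command for d in SCRATCH_DIRS):
        reasons.append("runs from a world-writable scratch directory")
    if "/dev/null" in command and command.rstrip().endswith("&"):
        reasons.append("discards all output and backgrounds itself")
    minute = schedule.split()[0]
    if schedule.startswith("@reboot"):
        reasons.append("re-launches on every boot")
    elif minute == "*" or minute.startswith("*/"):
        reasons.append("fires every minute or every few minutes (typical watchdog schedule)")
    return reasons


def audit_crontab(text):
    """List the entries that have at least one suspicious trait."""
    return [{"line": n, "command": cmd, "reasons": r}
            for n, sched, cmd in parse_crontab(text)
            if (r := suspicious_reasons(sched, cmd))]


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {f['command']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run it against crontab -l -u <user> for every account that owns a database process, and also against /etc/crontab and the files under /etc/cron.d, since a job planted there does not show up in a user's crontab. Remove the entry and the script it points to in the same step, and check again after a reboot.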
Excellent investigations. Thank you for sharing it. The same happened to a colleague and I'm trying to remove the malware files. By the way, can you list all files you had to delete?
Thank you, again.
Mauricio
I just want to thank you as this was the clearest path for me to find why postgres was chewing up so many cycles. Not exactly the same (filenames, etc.), but the same pattern.
Thank you!
Hi, thanks a lot for this post. It really helped me understand what's going on on my server.