>>>>> "Tom" == Tom Lane <t...@sss.pgh.pa.us> writes:
> Andrew Dunstan <andrew.duns...@2ndquadrant.com> writes: >> Please cite actual instances of such reports. Vague queries like >> this help nobody. We do also get them on the IRC channel every once in a while, not very frequently but enough to notice (maybe 2-3 so far this year?). Tom> Unless there's some evidence that these attacks are getting in Tom> through a heretofore unknown PG security vulnerability, rather Tom> than user misconfiguration (such as weak/no password), I'm not Tom> sure what the security list would have to offer. Right now it Tom> seems like Steve's move to try to gather more evidence is quite Tom> the right thing to do. Right. All the instances on IRC that I'm personally aware of have followed this pattern: either the user has used "host all all 0.0.0.0/0 trust", or they used "host all all 0.0.0.0/0 md5" where the password for the postgres user has been one where it's plausible that a simple automated dictionary attack could have guessed it (e.g. "654321" in one report). Excuses for doing this have varied (but I'm pretty sure I've heard "we put that in while trying to fix a problem and forgot to take it out" more than once - so it's worth a reminder that one should never, ever, suggest this on any help forum). The reports are similar enough and generic enough that it seems pretty certain that the scanning and subsequent compromise is all automated; some reports have included a (failed) attempt to use local root exploits to escalate from the postgres user to root access. Compromised systems have been reportedly used as DDoS traffic sources and for cryptocurrency mining, but obviously other uses can't be ruled out. I don't know of any reports of data being exfiltrated or modified, but that doesn't mean it doesn't happen. I have (private) logs of the channel going back a while, but I haven't made any attempt to track how often it happens - the above is basically all from memory. -- Andrew (irc:RhodiumToad)
