2

This is a follow-up to this issue. Usually, a few hours after a restart, we would get a weirdly named process like this (htop output). Turns out it was from our Docker PostgreSQL service, and the Postgres logs are just spam of authentication failures for user postgres, around 3 per second:

Connection matched file "/var/lib/postgresql/data/pg_hba.conf" line 170: "host all all all scram-sha-256" 2023-12-10 00:56:21.090 UTC [20986] FATAL: password authentication failed for user "postgres"

I tried some commands from the previous post and this is the output:

❯ sudo ls -l /proc/729597/exe
[sudo] password for vchitanu:
lrwxrwxrwx 1 lxd docker 0 Dec 17 16:25 /proc/729597/exe -> '/memfd: (deleted)'

❯ sudo ls -l /proc/729597/cwd
lrwxrwxrwx 1 lxd docker 0 Dec 18 10:04 /proc/729597/cwd -> /proc/37027/fd

❯ sudo ls -l /proc/729597/root
lrwxrwxrwx 1 lxd docker 0 Dec 18 10:04 /proc/729597/root -> /

ChatGPT said the behavior resembles malware. Is the database container under a brute-force attack?

2
  • Do not post text as images. There is no way of knowing if your docker container is under attack or if you've misconfigured something. Where do the log-ins come from? Commented Dec 18, 2023 at 14:05
  • Docker logs don't show an IP address even after enabling log_connections, log_disconnections and log_hostname in the conf file. I tried to look for a log folder or files inside the container but couldn't find it. But if I do a tcpdump on port 5432 I get traffic from unknown IPs.
    – Iujyrino
    Commented Dec 18, 2023 at 15:27

2 Answers 2

0

3 logins per second for a brute-force attack is strange. The attacker would need to be very patient. It is more likely that the logins come from a misconfigured system. In the comments, you stated that the logins come from an unknown IP. That would mean that you have no way of alerting the system owner of this problem. So, block or monitor and sit it out.

That being said, why would you allow unknown IPs to have access to your database? You should block access from everything outside your organisation. Databases are not meant to be publicly accessible.

0

Is the database container under a brute force attack?

It might be, but more importantly your database container is very likely the source of some unknown attacks. (Whether those current attacks are actually aimed at your own Postgres is mostly not relevant; if the process is running in that container then the container (and likely the database) is already compromised.)

So as the first thing, stop allowing unknown IP addresses into your DB server. But also, pay attention as to whether the connections you're seeing in tcpdump are inbound or outbound, i.e. whether port 5432 is on your side or on the remote side – it's just as likely that the process is now poking at other people's open Postgres servers to travel further.

I'd do a cp /proc/729597/exe /root/bad_exe to get a copy of the running program. This should work even after the /proc/fd & memfd tricks. You can then try doing strings bad_exe to search it for clues.

(Additionally, gcore -o /root/bad_core 729597 might work to get a copy of the program's memory; again running strings on it might reveal something interesting as well.)

Either way, rebuild it from scratch instead of trying to clean it up.
