Why does pg_hba.conf sometimes have random rules added to it? (postgresql)
Problem
I have postgres 10.4 set up on a Linux machine, and sometimes there will randomly be rules at the top of pg_hba.conf that only allow an MD5 connection by a user "pgdbadm". I'm not sure if the database got hacked, but after changing the password and checking that a pgdbadm user doesn't exist, I still see the new rules from time to time. Is it possible that the database is compromised?
The three rules, if I recall correctly, are as follows:

    local all all 0.0.0.0/0 reject
    host all postgres 0.0.0.0/0 reject
    host all pgdbadm 0.0.0.0/0 md5

Any explanation as to what is going on would be appreciated, as well as potential solutions.

EDIT: I have discovered that when setting up pg_hba.conf I used a rule where all connections didn't require a password. This probably allowed a bot to log in and create unwanted databases/other things, so I will do a clean install of Ubuntu and back up the databases.
Solution
As you seem to have surmised, "pgdbadm" is an account created by hackers. It is the known account created by a recent crypto-mining attacker who exploits unsecured postgresql superuser accounts. Changing pg_hba.conf is also part of his MO.
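The two things this thread turns on, a network-reachable `trust` rule that needs no password and rules for a role nobody provisioned, are both visible in pg_hba.conf itself, so they can be audited. The following is an added example, not code from the question or the answer: it parses pg_hba.conf lines (the `local`, `host`, `hostssl` and `hostnossl` forms, with CIDR or address-plus-netmask) and reports those two conditions plus a `reject` aimed at the `postgres` superuser. The `EXPECTED_ROLES` set is an assumption standing in for the roles you actually created.

```python
import ipaddress

# Roles you actually provisioned (assumption); the attacker's 'pgdbadm' is not here.
EXPECTED_ROLES = {"postgres", "app"}

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def parse_pg_hba(text):
    """Yield one dict per rule; address is None for 'local' (Unix-socket) rules."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if len(fields) < (4 if fields and fields[0] == "local" else 5):
            continue
        conn_type, user = fields[0], fields[2]
        if conn_type == "local":
            address, method = None, fields[3]
        else:  # host/hostssl/hostnossl: ADDRESS is a CIDR or address + netmask
            address, method = fields[3], fields[4]
            if "/" not in address and len(fields) > 5 and _is_ip(fields[4]):
                address, method = f"{address}/{fields[4]}", fields[5]
        yield {"line": lineno, "type": conn_type, "user": user,
               "address": address, "method": method}

def _is_loopback(address):
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:   # 'all', 'samenet', hostnames: not loopback-only
        return False

def audit(text, expected_roles=EXPECTED_ROLES):
    """Return [(line_no, reason), ...]; an empty list means nothing suspicious."""
    findings = []
    for r in parse_pg_hba(text):
        roles = r["user"].split(",")
        if r["method"] == "trust" and r["type"] != "local" and not _is_loopback(r["address"]):
            findings.append((r["line"], "passwordless 'trust' rule reachable from the network"))
        for role in roles:
            if role != "all" and role[:1] not in "+@" and role not in expected_roles:
                findings.append((r["line"], f"rule for unprovisioned role {role!r}"))
        if r["method"] == "reject" and "postgres" in roles:
            findings.append((r["line"], "superuser 'postgres' explicitly rejected"))
    return findings

if __name__ == "__main__":   # constructed sample modelled on the thread's rules
    print(audit("host all all 0.0.0.0/0 trust\nhost all pgdbadm 0.0.0.0/0 md5\n"))
```

Running it against a copy of the live file after each restart, and diffing the output, is a cheap way to notice the rules reappearing before the next scheduled job does.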
Context
StackExchange Database Administrators Q#215294, answer score: 6