Re: CPU 100% usage caused by iso-8859-1 postgres process..

On Wed, Dec 13, 2017 at 11:36:11AM +0100, Laurenz Albe wrote:
> Dinesh Chandra 12108 wrote:
> > My CPU utilization is going to 100% in PostgreSQL because of one unknown process /x3303400001 is running from
postgresuser.
 
> >  
> > PID   USER      PR  NI    VIRT    RES    SHR S %CPU %MEM   TIME+   COMMAND
> > 19885 postgres 20   0  192684   3916   1420 S 99.3  0.1   5689:04  x3303400001 
> >  
> > The same file is automatically created in Postgres Cluster also. I am using Postgresql-9.3.
> >  
> > Kindly suggest how can I resolve this issue.
> 
> I don't know, but the same problem has been reported on Stackoverflow:
> https://stackoverflow.com/q/46617329/6464308
> 
> If your queries look similar, then you might indeed be the victim of an attack.
> 
> Figure out where the function and the executable come from.
> 
> In case of doubt, disconnect the server from the network.

Looks suspicious; I would look at (and save) things like these:

ls -l /proc/19885/exe
ls -l /proc/19885/fd
ls -l /proc/19885/cwd

sudo lsof -n -p 19885
sudo netstat -anpe |grep 19885

Stacktrace with gcore/gdb is a good idea.
Save a copy of your log/postgres logfiles and try to figure out where it came
from.  Since an attacker seems to control the postgres process, your data may
have been compromized (leaked or tampered with).

Justin