Re: High CPU usage

Поиск
Список
Период
Сортировка
От Thomas Guyot
Тема Re: High CPU usage
Дата
Msg-id 6f47c3b9-27db-2116-0c45-fcd5a17e3b37@gmail.com
обсуждение исходный текст
Ответ на High CPU usage  (<ertan.kucukoglu@1nar.com.tr>)
Список pgsql-general
Дерево обсуждения 
On 2022-10-20 15:59, ertan.kucukoglu@1nar.com.tr wrote:
> Hello,
>
> I am using PostgreSQL v14.5 on Linux Debian 11.5. I recently observe very
> high CPU usage on my Linux system as below
>
>      PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+
> COMMAND
> 2357756 postgres  20   0 2441032   2,3g      4 S 298,7  67,9   2114:58
> Tspjzj2Z
>
> I could not find any file named Tspjzj2Z on the file system. I could not
> find PID number using below SQL

Hi,

I'm not an expert in PostgreSQL but that looks like a rogue app, if 
you're lucky just a miner running as the prostgres user, likely the 
result of a postgres RCE exploited successfully... The more worring case 
would be a program exfiltrating and/or encrypting the database in a 
ransomware attack.

The executable has most likely been removed to hide traces, or cleaned 
up automatically from ex. /tmp, however if the process is still running 
you should be able to cat the executable, and any other open files, 
directly from /proc/<pid>/ (look for exe and fd/*).

I strongly recommend you check other postgres servers you have, make a 
copy of any process file found (for later investigation), then isolate 
or shutdown these servers and proceed with a proper investigation from a 
livecd or revovery OS.

> There is no replication of any kind. This is a single instance server which
> alows certification login only.

Is is even available from the outside world? Else you should likely 
audit any internal hosts that could have accessed your postgresql 
server. If you have firewall logs looks for unusual connection attempts, 
any evidence of scanning, etc.

Hackers will often spend quite some time once inside to gather as much 
information as possible before doing any real damage, although if this 
is effectively a miner it would be less likely to be that kind of attack 
as they would probably not risk getting discovered with something that 
will at best make them pennies...

If you see the process having any open database files, it's possible 
it's either compressing them to exfiltrate the data or encrypting them, 
or both....

Hope this helps...

--
Thomas

В списке pgsql-general по дате отправления:

Предыдущее
От: Ron
Дата:
Сообщение: Re: pg_restore 12 "permission denied for schema" errors
Следующее
От: Matthias Apitz
Дата:
Сообщение: Re: Mysterious performance degradation in exceptional cases