I am running PostgreSQL 10.10 (Ubuntu 10.10-0ubuntu0.18.04.1) on an AWS EC2 micro instance. Previously, I had allowed remote connections to the postgres db from anywhere. After some days, I am seeing an unknown process run by the postgres user taking 100% of CPU. Running the top command gives similar output.

8092 postgres  20   0  302872 266776      0 S 99.3 26.5   2574:21 WI0oUt

There is no active query that has been running long in the background. I stopped the postgres DB; even then that ghost process is running. I got a probable answer to the problem here. But I need to know which parent process is starting the execution of such ghost child processes. If I run ps with the PID, I get PPID as 1. I need to know what the infected program is that is running those child processes.

I already tried running man and apropos for the process name, and I tried resetting the postgres user password to tackle the compromise, but no effect. Is there any way to find out which infected program is causing this? Or how can I handle this situation without formatting the server?

MLu
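An added example, not part of the question or any answer: the asker sees a process with PPID 1 and wants to know where it came from. Once a process has been reparented to init, ps cannot show the original parent, but /proc still records the executable path (including whether it was deleted after launch), the working directory and the command line. This script reads those directly rather than trusting ps/top output on a host that is already suspect. It assumes a Linux host with /proc mounted; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original question or answer): triage a process
# by reading /proc directly. Assumes Linux with /proc mounted.

# Print what /proc knows about one PID and flag the classic warning signs.
# Returns 1 if the PID is not running.
inspect_pid() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "pid=$pid status=not-running"
        return 1
    fi
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "unreadable")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "unreadable")
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    echo "pid=$pid ppid=$ppid uid=$uid exe=$exe cwd=$cwd cmd=$cmdline"
    # A binary removed after launch shows as "... (deleted)": the file is gone
    # from disk but the running image can still be copied from /proc/PID/exe.
    case "$exe" in
        *"(deleted)"*) echo "  WARNING: executable was deleted while still running" ;;
    esac
    # Executables living in temp or world-writable locations deserve a look.
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "  WARNING: executable runs from a temp directory" ;;
    esac
    return 0
}

# Walk every process owned by a user and inspect the ones reparented to
# init (PPid 1), which is exactly what the asker observed.
orphans_of_user() {
    user="$1"
    uid_wanted=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user"; return 1; }
    for status in /proc/[0-9]*/status; do
        p=${status#/proc/}
        p=${p%/status}
        owner=$(awk '/^Uid:/ {print $2}' "$status" 2>/dev/null) || continue
        parent=$(awk '/^PPid:/ {print $2}' "$status" 2>/dev/null) || continue
        if [ "$owner" = "$uid_wanted" ] && [ "$parent" = "1" ]; then
            inspect_pid "$p"
        fi
    done
    return 0
}

# Usage on the affected host: orphans_of_user postgres
# or, for the single PID from the question:  inspect_pid 8092
```

If the executable path is still on disk, copying it (and the contents of /proc/PID/exe when it shows as deleted) before killing the process preserves the evidence; the crontab of the postgres user and its shell startup files are the usual next places to look for whatever keeps relaunching it.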

1 Answer

It’s very hard to un-compromise a server. Best bet is to:

  • dump your database (using pg_dump),
  • delete the EC2 instance,
  • create new instance,
  • reinstall postgres, and
  • reload the data.

Lesson: Never ever leave database servers open to the world. Use a Security Group to restrict access only to the IPs that actually need access. And ideally use AWS RDS, which can automatically patch your database to mitigate security issues.

MLu
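An added example, not part of the answer above: the answer's lesson is to stop exposing the database to any IP. On the rebuilt instance that is enforced twice, in the Security Group and in pg_hba.conf. The script below audits a pg_hba.conf for rules that admit the whole internet or skip authentication, and writes a locked-down file that only admits named CIDRs over TLS with SCRAM authentication (available from PostgreSQL 10). The sample file is constructed here; the function names are my own, and only the addr/prefix form of the address column is parsed.

```shell
#!/bin/sh
# Added example (not from the original answer). Audits pg_hba.conf for
# world-open or unauthenticated rules and writes a restrictive replacement.

# Report world-open and weak-auth rules. Returns 0 when clean, 1 otherwise.
audit_pg_hba() {
    file="$1"
    findings=0
    # Fields: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]; comments stripped.
    while read -r type db user addr method rest; do
        case "$type" in
            host|hostssl|hostnossl) ;;
            *) continue ;;   # local (unix socket) rules carry no network exposure
        esac
        case "$addr" in
            0.0.0.0/0|::/0|all)
                echo "OPEN-TO-WORLD: $type $db $user $addr $method"
                findings=$((findings + 1)) ;;
        esac
        case "$method" in
            trust)
                echo "NO-AUTH: $type $db $user $addr $method"
                findings=$((findings + 1)) ;;
            password)
                echo "CLEARTEXT-PASSWORD: $type $db $user $addr $method"
                findings=$((findings + 1)) ;;
        esac
    done <<EOF
$(sed -e 's/#.*//' "$file" | grep -v '^[[:space:]]*$')
EOF
    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample resembling a server left open to the world, as in the
# question; written to the given path.
make_sample_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   0.0.0.0/0      md5     # reachable from any IP
host    all       all   ::/0           trust   # no password at all
EOF
}

# Write a restrictive pg_hba.conf admitting only the given CIDRs over TLS
# with SCRAM. Refuses any /0 or "all" address. Usage:
#   write_locked_down_hba /etc/postgresql/10/main/pg_hba.conf 203.0.113.10/32
write_locked_down_hba() {
    out="$1"
    shift
    for cidr in "$@"; do
        case "$cidr" in
            */0|all) echo "refusing world-open address: $cidr" >&2; return 1 ;;
            */*) ;;
            *) echo "expected CIDR notation, got: $cidr" >&2; return 1 ;;
        esac
    done
    {
        echo "# TYPE  DATABASE  USER  ADDRESS        METHOD"
        echo "local   all       all                  peer"
        echo "host    all       all   127.0.0.1/32   scram-sha-256"
        for cidr in "$@"; do
            echo "hostssl all       all   $cidr  scram-sha-256"
        done
    } > "$out"
}
```

Switching to scram-sha-256 means setting password_encryption accordingly and resetting the affected role passwords so they are stored in the new format, then reloading PostgreSQL; the Security Group rule for port 5432 should name the same CIDRs rather than 0.0.0.0/0.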