Why does the postgres user generate over 1000 tracepath processes?
And this uses a lot of CPU resources: up to 40% of my processor core.

My ASP.NET Core 3.1 application and the PostgreSQL v10 server are on the same VPS.
The application uses host 127.0.0.1 to connect to the PostgreSQL server.

And what does this command do?

htop output: [screenshot]

UPD: 21.01.2010

I have detected a massive DDoS attack on my server. Attackers used root and other usernames that I don't have.

I installed fail2ban and after 1-2 hours I saw this:

[screenshot]

And the count of bans is growing...

UPD: 22.01.2020

I have another problem: a phantom process is being created under the postgresql username. It's using all my CPU and RAM...

[screenshot]

broomba

1 Answer

I don't think you are under DDOS. You have been hacked, and maybe are now being used to commit DDOS against other people. They have dropped a shell launcher which lets them connect to postgresql and then call a function which launches any arbitrary shell script they want.

You said "Application using host 127.0.0.1 for connect to PostgreSQL server", but what is the attacker using? Is anyone other than 127.0.0.1 allowed to connect?

"I installed fail2ban and after 1-2 hours I saw this:"

Any server open on port 22 and running fail2ban is going to build a list of banned IPs. You didn't notice it before because you weren't running fail2ban before. It is unlikely this has anything to do with anything else you are seeing. Attacks on 22 are so ubiquitous that logging them is probably not useful.

jjanes
  • I use 127.0.0.1 only in my connection string. I do not know how to check access for the local IP address for other processes and programs (because I am a noob at sysadmining :`) ) – TheRealFaner Jan 22 '20 at 11:01
  • But this situation has given me a lot of experience in configuring server security. I have reinstalled my server OS and now I am configuring security first. Thanks for the reply! – TheRealFaner Jan 22 '20 at 11:05
  • I am facing a similar issue with Hashicorp Consul, but since it's only with Hashicorp Consul, if I kill the process it is not an issue, and it's fine. – Ciasto piekarz Nov 17 '22 at 21:29
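The two checks the answer points at, as an added defender-side script that is not part of the original question or answer: it turns jjanes's question ("is anyone other than 127.0.0.1 allowed to connect?") into an audit of pg_hba.conf rules, flags rules using the unauthenticated "trust" method, and counts how many processes a given user runs under a given command name (here postgres and tracepath). The pg_hba.conf contents and the ps-style process list are constructed samples, not taken from the post.

```shell
#!/bin/sh
# Added example script; the sample inputs below are constructed, not real.

# Constructed pg_hba.conf. The real one's path: psql -Atc 'SHOW hba_file'
SAMPLE_HBA='# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5
host    all       all   0.0.0.0/0       trust
hostssl all       all   203.0.113.0/24  md5'

# Print host/hostssl/hostnossl rules (read from stdin) whose ADDRESS is not
# loopback or "samehost": every such rule lets a remote client reach the
# server, so a guessed password or a "trust" method hands over the database.
remote_hba_rules() {
    awk 'NF > 0 && $1 !~ /^#/ && $1 ~ /^host(ssl|nossl)?$/ &&
         $4 !~ /^(127\.0\.0\.1\/32|::1\/128|samehost)$/'
}

# Print rules (read from stdin) whose METHOD is "trust": no authentication.
trust_hba_rules() {
    awk 'NF > 0 && $1 !~ /^#/ && $NF == "trust"'
}

# Count stdin lines whose first field is user $1 and second field is command
# $2. On a live host feed it:  ps -eo user=,comm= | count_procs postgres tracepath
count_procs() {
    awk -v u="$1" -v c="$2" '$1 == u && $2 == c { n++ } END { print n + 0 }'
}

# Constructed "ps -eo user=,comm=" output.
SAMPLE_PS='root systemd
postgres postgres
postgres tracepath
postgres tracepath
postgres tracepath
www-data dotnet'

echo "Rules reachable from non-loopback addresses:"
printf '%s\n' "$SAMPLE_HBA" | remote_hba_rules
echo "Rules with method trust:"
printf '%s\n' "$SAMPLE_HBA" | trust_hba_rules
printf 'postgres tracepath processes: %s\n' \
    "$(printf '%s\n' "$SAMPLE_PS" | count_procs postgres tracepath)"
```

On a live server, run `remote_hba_rules < "$(psql -Atc 'SHOW hba_file')"` and `ps -eo user=,comm= | count_procs postgres tracepath`; any remote or trust rule you did not intend, or a tracepath count that keeps climbing, is what the answer describes.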