Local Postgres database hacked, how?

6 pointsKkoala2y ago5 comments

I'm running the TimescaleDB image on Docker on a Windows machine. Somehow that postgres database was accessed and all of the data deleted.

There is a readme_to_recover table now, and has a generic extortion mail: "Data is backed up bla bla, pay bitcoin to recover bla bla"

Data I can get back, but I'm concerned about how this could have happened?

For some reason the pg_hba.conf has the line: "host all all all scram-sha-256", which I think means that it can be accessed from anywhere right?

The docker image was running on 5432, and but I had binded that to 5434 on my local machine.

Logs have couple of "FATAL: password authentication failed for user "postgres"" lines, so the password was attempted couple of times. I had a very common password though since it was a local instance, so it was easy to crack. And then after that lines for dropping all the databases. And then "FATAL: terminating connection due to administrator command" and "FATAL: terminating background worker "TimescaleDB Background Worker Scheduler" due to administrator command"

Do I have some virus on my computer? Does the TimescaleDB Docker image have vulnerability that would cause this? Could some rogue website / ad / extension have accessed my Postgres db running locally like that?

5 comments

LinuxBender2y ago

Data I can get back, but I'm concerned about how this could have happened?

Very good that you have backups, it could have been worse. Were any ports from your app or PG itself exposed to the web and are there associated web application access logs enabled that were relayed somewhere off-host? e.g. port 5432 for postgres.

Do I have some virus on my computer?

Yes, that is ransomware. [1]

[1] - https://www.imperva.com/blog/postgresql-database-ransomware-...

mjochim2y ago

If you used docker run -p 5434:5432, this port is accessible from your network, not just your local machine. Couple that with an IPv6 uplink to your ISP (i.e. typically a gobally reachable IP address for your machine) and a disabled firewall in your home router, and that's one possible way how this could have happened. Of course, home router firewalls are not usually disabled. But it's a possibility.

KkoalaOP2y ago

Oh well, looks like this is the answer, there was an allow rule for Docker for all incoming traffic... Don't remember setting that one..., but definitely changed that to a "block" now.

Thanks!

agilob2y ago

What other software do you run in your network? I got affected by this too, nothing of value was lost so I'm going to create DB from 0. Logs point me to home-assistant trying to bruteforce the postgres database. I'm not running windows.

alexfromapex2y ago

Windows is not very secure my dude. No one knows if you have a virus, you should get a scanner and scan the machine.

j / k navigate · click thread line to collapse