by Kkoala on 11/13/23, 10:36 PM with 5 comments
There is a readme_to_recover table now, and it has a generic extortion mail: "Data is backed up bla bla, pay bitcoin to recover bla bla"
Data I can get back, but I'm concerned about how this could have happened?
For some reason the pg_hba.conf has the line: "host all all all scram-sha-256", which I think means that it can be accessed from anywhere, right?
The docker image was running on 5432, but I had bound that to 5434 on my local machine.
Logs have a couple of "FATAL: password authentication failed for user "postgres"" lines, so the password was attempted a couple of times. I had a very common password though since it was a local instance, so it was easy to crack. And then after that lines for dropping all the databases. And then "FATAL: terminating connection due to administrator command" and "FATAL: terminating background worker "TimescaleDB Background Worker Scheduler" due to administrator command"
Do I have some virus on my computer? Does the TimescaleDB Docker image have vulnerability that would cause this? Could some rogue website / ad / extension have accessed my Postgres db running locally like that?
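The log lines quoted in the post (repeated authentication failures, then database drops and backends terminated by administrator command) are a recognisable sequence. The script below is an added example, not code from the post or from TimescaleDB, that walks a PostgreSQL log and reconstructs that sequence: it maps each backend pid to the client host from its "connection received" line, counts failed logins per host and user, and flags a success that follows a run of failures, any destructive statement from that host, and administrator terminations. The sample log is constructed; it assumes the stock postgres image's log_line_prefix of '%m [%p] ' with log_connections and log_statement='ddl' enabled, and uses the documentation-range address 203.0.113.5 and a database named "metrics" as placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the messages quoted in the post.
# Assumes log_line_prefix='%m [%p] ', log_connections=on, log_statement='ddl'.
SAMPLE_LOG = """\
2023-11-13 20:01:02.101 UTC [77] LOG:  connection received: host=203.0.113.5 port=51230
2023-11-13 20:01:02.150 UTC [77] FATAL:  password authentication failed for user "postgres"
2023-11-13 20:01:02.401 UTC [78] LOG:  connection received: host=203.0.113.5 port=51231
2023-11-13 20:01:02.450 UTC [78] FATAL:  password authentication failed for user "postgres"
2023-11-13 20:01:02.701 UTC [79] LOG:  connection received: host=203.0.113.5 port=51232
2023-11-13 20:01:02.750 UTC [79] FATAL:  password authentication failed for user "postgres"
2023-11-13 20:01:03.001 UTC [80] LOG:  connection received: host=203.0.113.5 port=51233
2023-11-13 20:01:03.050 UTC [80] LOG:  connection authorized: user=postgres database=postgres
2023-11-13 20:01:03.300 UTC [80] LOG:  statement: DROP DATABASE metrics;
2023-11-13 20:01:03.400 UTC [80] LOG:  statement: CREATE TABLE readme_to_recover (message text);
2023-11-13 20:01:03.500 UTC [12] FATAL:  terminating connection due to administrator command
2023-11-13 20:01:04.000 UTC [13] FATAL:  terminating background worker "TimescaleDB Background Worker Scheduler" due to administrator command
"""

# One log record: timestamp, backend pid, severity, message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
RECEIVED_RE = re.compile(r'^connection received: host=(?P<host>\S+) port=\d+')
AUTHORIZED_RE = re.compile(r'^connection authorized: user=(?P<user>\S+)')
FAILED_RE = re.compile(r'^password authentication failed for user "(?P<user>[^"]+)"')
STATEMENT_RE = re.compile(r'^statement: (?P<sql>.*)$')
DESTRUCTIVE_RE = re.compile(r'^\s*(DROP\s+(DATABASE|TABLE|SCHEMA)|TRUNCATE)\b', re.IGNORECASE)
TERMINATED_RE = re.compile(
    r'^terminating (connection|background worker .*) due to administrator command'
)


def parse_line(line):
    """Split a log line into its fields, or return None for non-matching lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, failure_threshold=3):
    """Correlate auth failures, later success, destructive DDL and terminations."""
    host_by_pid = {}                 # backend pid -> client host
    failed = defaultdict(int)        # (host, user) -> failed login count
    destructive = []                 # (host, sql) for DROP/TRUNCATE statements
    terminations = 0                 # backends killed "due to administrator command"
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pid, msg = rec['pid'], rec['msg']
        m = RECEIVED_RE.match(msg)
        if m:
            host_by_pid[pid] = m['host']
            continue
        host = host_by_pid.get(pid, 'unknown')
        m = FAILED_RE.match(msg)
        if m:
            failed[(host, m['user'])] += 1
            continue
        m = AUTHORIZED_RE.match(msg)
        if m:
            # A successful login after a run of failures from the same host is
            # the signature of a guessed password.
            n = failed.get((host, m['user']), 0)
            if n >= failure_threshold:
                alerts.append(f'brute force: {m["user"]}@{host} authorized after {n} failed attempts')
            continue
        m = STATEMENT_RE.match(msg)
        if m and DESTRUCTIVE_RE.match(m['sql']):
            destructive.append((host, m['sql']))
            alerts.append(f'destructive statement from {host}: {m["sql"]}')
            continue
        if TERMINATED_RE.match(msg):
            terminations += 1
    if terminations:
        # DROP DATABASE ... FORCE and pg_terminate_backend() both produce this message.
        alerts.append(f'{terminations} backends terminated by administrator command')
    return {'failed_logins': dict(failed), 'destructive': destructive,
            'admin_terminations': terminations, 'alerts': alerts}


if __name__ == '__main__':
    for alert in analyze(SAMPLE_LOG)['alerts']:
        print(alert)
```

Without log_connections the host is not recoverable from the log at all, which is why every finding falls back to "unknown"; turning that setting on (and logging DDL) is cheap and is what makes the post's question "how did this happen?" answerable from the server's own logs.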
by LinuxBender on 11/13/23, 10:41 PM
Very good that you have backups, it could have been worse. Were any ports from your app or PG itself exposed to the web and are there associated web application access logs enabled that were relayed somewhere off-host? e.g. port 5432 for postgres.
Do I have some virus on my computer?
Yes, that is ransomware. [1]
[1] - https://www.imperva.com/blog/postgresql-database-ransomware-...
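The two questions above, whether pg_hba.conf admits any address and whether the Docker port was published to the network, are the two checks that together explain the exposure: "host all all all scram-sha-256" accepts connections from any source address, and a plain `-p 5434:5432` publishes the port on 0.0.0.0, so only the password stood between the internet and the database. The script below is an added example (not code from the post, the postgres image, or TimescaleDB) that parses a pg_hba.conf excerpt, reports rules reachable from any address or using no or weak authentication, and checks a `docker ps` port-mapping string for an all-interfaces bind. The pg_hba.conf sample is constructed around the line quoted in the post; the other rules are assumed to match what the stock image generates.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed pg_hba.conf excerpt; the last rule is the one quoted in the post,
# the others are assumed to be what the stock postgres image writes.
PG_HBA_SAMPLE = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
host    all             all             all                     scram-sha-256
"""


@dataclass
class HbaRule:
    conn_type: str            # local, host, hostssl, hostnossl, ...
    database: str
    user: str
    address: Optional[str]    # None for 'local' rules (Unix socket)
    method: str


def parse_pg_hba(text):
    """Parse pg_hba.conf rules, ignoring comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == 'local' and len(f) >= 4:
            rules.append(HbaRule(f[0], f[1], f[2], None, f[3]))
        elif len(f) >= 5:
            addr, method = f[3], f[4]
            # The netmask may be written as a separate column instead of CIDR.
            if '/' not in addr and len(f) >= 6:
                try:
                    ipaddress.ip_address(f[4])
                    addr, method = f'{addr}/{f[4]}', f[5]
                except ValueError:
                    pass
            rules.append(HbaRule(f[0], f[1], f[2], addr, method))
    return rules


def rule_is_world_reachable(rule):
    """True when the rule's address field matches every possible client."""
    if rule.address is None or rule.address in ('samehost', 'samenet'):
        return False
    if rule.address == 'all':
        return True
    try:
        return ipaddress.ip_network(rule.address, strict=False).prefixlen == 0
    except ValueError:
        return False   # hostname patterns; not judged here


def audit_pg_hba(rules):
    """Return human-readable findings for risky rules."""
    findings = []
    for r in rules:
        where = f'{r.conn_type} {r.database} {r.user} {r.address or "(socket)"}'
        if rule_is_world_reachable(r):
            findings.append(f'{where}: reachable from any address, auth={r.method}')
        if r.conn_type != 'local' and r.method == 'trust':
            findings.append(f'{where}: no authentication required')
        elif r.method in ('password', 'md5'):
            findings.append(f'{where}: {r.method} is weaker than scram-sha-256')
    return findings


def audit_port_mapping(mapping):
    """Check a `docker ps` PORTS entry such as '0.0.0.0:5434->5432/tcp'.

    Returns a finding when the host side is bound to all interfaces, else None.
    """
    host_part, _, container_part = mapping.partition('->')
    host_ip, _, host_port = host_part.rpartition(':')
    host_ip = host_ip.strip('[]')
    if host_ip in ('', '0.0.0.0', '::'):
        container_port = container_part.split('/')[0]
        return (f'port {host_port} is published on all interfaces; '
                f'bind it to loopback with -p 127.0.0.1:{host_port}:{container_port}')
    return None


if __name__ == '__main__':
    for finding in audit_pg_hba(parse_pg_hba(PG_HBA_SAMPLE)):
        print(finding)
    print(audit_port_mapping('0.0.0.0:5434->5432/tcp'))
```

The world-reachable "host all all all" rule is not by itself the problem (the image ships it so that containers on the Docker network can connect); it becomes one the moment the port is published on 0.0.0.0 rather than 127.0.0.1, which is what the second check catches. With a loopback binding, the pg_hba.conf rule never sees a remote client.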
by mjochim on 11/13/23, 11:12 PM
by alexfromapex on 11/14/23, 1:28 AM