{"id":31659,"date":"2024-11-01T09:01:24","date_gmt":"2024-11-01T09:01:24","guid":{"rendered":"http:\/\/atmokpo.com\/w\/?p=31659"},"modified":"2024-11-01T09:01:24","modified_gmt":"2024-11-01T09:01:24","slug":"ubuntu-postgres-account-coin-miner-hacking","status":"publish","type":"post","link":"https:\/\/atmokpo.com\/w\/31659\/","title":{"rendered":"Ubuntu Postgres Account Coin Miner Hacking"},"content":{"rendered":"\n<p>When I accidentally typed the top command on the Ubuntu server, I found a strange process consuming a lot of CPU.<\/p>\n\n\n\n<p>Suspicious file searched by md5: 8f96e8b4e9d26884c776c1b42a70bae5<\/p>\n\n\n\n<p><a href=\"https:\/\/otx.alienvault.com\/indicator\/file\/5e5fd0bc5f1bd663d7ccc2695c2b56bd382df3c7fdac605eb0ce3c0d5df24dc4\">https:\/\/otx.alienvault.com\/indicator\/file\/5e5fd0bc5f1bd663d7ccc2695c2b56bd382df3c7fdac605eb0ce3c0d5df24dc4<\/a><\/p>\n\n\n\n<p><strong>Below is the resolution process<\/strong><\/p>\n\n\n\n<p>This process looks suspicious. Paths and filenames like <code>\/tmp\/.\/.kGX8ucb<\/code> are generally not formats used by normal software. This could be part of malware or hacking. Here are some steps to quickly take action in this situation.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Terminate the suspicious process<\/strong>: You can forcibly terminate the process. Use the command <code>kill -9 3785242<\/code> to kill the process.<\/li>\n\n\n\n<li><strong>Delete the suspicious file<\/strong>: After terminating the process, delete the <code>\/tmp\/.\/.kGX8ucb<\/code> file. 
Execute <code>rm \/tmp\/.\/.kGX8ucb<\/code>.<\/li>\n\n\n\n<li><strong>Check for other suspicious processes<\/strong>: To check if other suspicious processes are running, use a command like <code>ps aux | grep tmp<\/code> to see if there are other processes running in the <code>\/tmp<\/code> directory.<\/li>\n\n\n\n<li><strong>System check<\/strong>: It is advisable to perform additional security checks to confirm whether the system has been infected.\n<ul class=\"wp-block-list\">\n<li>Examine the system using rootkit detection tools like <code>rkhunter<\/code> or <code>chkrootkit<\/code>.<\/li>\n\n\n\n<li>Check system logs (<code>\/var\/log\/auth.log<\/code> or <code>\/var\/log\/syslog<\/code>) for any suspicious activity.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Check network connections<\/strong>: Use the command <code>netstat -tunap<\/code> to check the network connections and verify if there are any strange processes connected to the external network.<\/li>\n\n\n\n<li><strong>Patch and update<\/strong>: Ensure that your system is up to date and apply all possible security patches. Use <code>sudo apt update &amp;&amp; sudo apt upgrade<\/code> to update the packages.<\/li>\n\n\n\n<li><strong>Change passwords<\/strong>: It is also important to change the passwords of all user accounts on the server to prevent possible account hijacking.<\/li>\n<\/ol>\n\n\n\n<p>Depending on the situation, you might consider backing up and reinstalling the system.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">My question:<\/h5>\n\n\n\n<p>Can I lock a specific account? The postgres account<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">ChatGPT&#8217;s response:<\/h6>\n\n\n\n<p>Yes, you can restrict access to specific user accounts such as the <code>postgres<\/code> account by locking it in Ubuntu. Here are some ways to lock the account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Lock the account (set to unusable)<\/h3>\n\n\n\n<p>You can lock the account using the <code>passwd<\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo passwd -l postgres\n<\/code><\/pre>\n\n\n\n<p>This command changes the password of the <code>postgres<\/code> account to a locked state, making it impossible to log in with that account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Change shell to <code>\/bin\/false<\/code> or <code>\/sbin\/nologin<\/code><\/h3>\n\n\n\n<p>If you want to make login completely impossible, you can also change the shell of the account. For example, setting the shell of the <code>postgres<\/code> account to <code>nologin<\/code> will prevent that account from logging in.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo usermod -s \/sbin\/nologin postgres\n<\/code><\/pre>\n\n\n\n<p>Or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo usermod -s \/bin\/false postgres\n<\/code><\/pre>\n\n\n\n<p>This command prevents the <code>postgres<\/code> user from accessing the shell when attempting to log in.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Set account expiration<\/h3>\n\n\n\n<p>You can restrict usage by expiring the account itself.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo usermod -e 1 postgres\n<\/code><\/pre>\n\n\n\n<p>This command makes the <code>postgres<\/code> account expired, making it impossible to log in anymore.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Check processes and services, then take action<\/h3>\n\n\n\n<p>If the <code>postgres<\/code> account has been exploited, it may be related to processes or services running within the system, so it&#8217;s important to check and terminate those processes with the following command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ps aux | grep postgres\n<\/code><\/pre>\n\n\n\n<p>Using this command, you can check the processes running under the <code>postgres<\/code> account and forcibly terminate any suspicious processes.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo kill -9 &lt;PID&gt;\n<\/code><\/pre>\n\n\n\n<p>With the above methods, you can effectively lock the <code>postgres<\/code> account.<\/p>\n\n\n\n<p><strong>How to log out the account immediately<\/strong><\/p>\n\n\n\n<p>Yes, you can immediately log out the <code>postgres<\/code> account and terminate all processes of that account. You can forcibly terminate all sessions running under the <code>postgres<\/code> account using the following command.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Check processes of the <code>postgres<\/code> account<\/h3>\n\n\n\n<p>First, check the processes running under the <code>postgres<\/code> account.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ps -u postgres\n<\/code><\/pre>\n\n\n\n<p>This command will show a list of all processes running under the <code>postgres<\/code> account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Force terminate all processes of the <code>postgres<\/code> account<\/h3>\n\n\n\n<p>The following command will immediately terminate all processes running under the <code>postgres<\/code> account.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo pkill -u postgres\n<\/code><\/pre>\n\n\n\n<p>This command forcibly terminates all processes that the <code>postgres<\/code> account is running. 
This will log out all sessions that are running under that account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Additional checks<\/h3>\n\n\n\n<p>After termination, check the processes again to see if the <code>postgres<\/code> account is still running.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ps -u postgres\n<\/code><\/pre>\n\n\n\n<p>Through this process, you can immediately log out the <code>postgres<\/code> account.<\/p>\n\n\n\n<p><strong>Can I view the login information of the postgres account in Ubuntu?<\/strong><\/p>\n\n\n\n<p>To check the login history of a specific account (e.g., <code>postgres<\/code>) in Ubuntu, you can use some log files and commands. The login history is typically stored in <code>\/var\/log\/wtmp<\/code> and <code>\/var\/log\/auth.log<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Using the <code>last<\/code> command<\/h3>\n\n\n\n<p>You can check the login history of users on the system using the <code>last<\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>last postgres\n<\/code><\/pre>\n\n\n\n<p>This command will show all the records of logins by the <code>postgres<\/code> account. This includes login and logout times, locations from which the logins occurred (e.g., IP addresses).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Check the <code>auth.log<\/code> file<\/h3>\n\n\n\n<p>The <code>\/var\/log\/auth.log<\/code> file records authentication-related events. This includes records of user login attempts, both successful and failed. 
You can filter for login-related information for the <code>postgres<\/code> account using the <code>grep<\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo grep 'postgres' \/var\/log\/auth.log\n<\/code><\/pre>\n\n\n\n<p>Executing this command will allow you to see information about login attempts related to the <code>postgres<\/code> account, whether successful or failed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Using the <code>journalctl<\/code> command<\/h3>\n\n\n\n<p>On systems using <code>systemd<\/code>, you can use the <code>journalctl<\/code> command to check for login events related to the <code>postgres<\/code> account.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo journalctl _COMM=postgres\n<\/code><\/pre>\n\n\n\n<p>This command will display all logs related to the <code>postgres<\/code> service or account. You can identify login attempts or related activities here.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Check the <code>\/var\/log\/wtmp<\/code> file<\/h3>\n\n\n\n<p>The <code>wtmp<\/code> file is a binary file that stores the records of all logins, logouts, and system reboots. The <code>last<\/code> command refers to this file by default. To check the <code>wtmp<\/code> file directly:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>last -f \/var\/log\/wtmp | grep postgres\n<\/code><\/pre>\n\n\n\n<p>This command will display the login\/logout records related to the <code>postgres<\/code> account from the <code>wtmp<\/code> file.<\/p>\n\n\n\n<p>You can use these commands to check the login information for the <code>postgres<\/code> account, which can help identify suspicious login activity.<\/p>\n\n\n\n<p><strong>Strange files keep appearing, but is it possible to analyze them? 
It seems like hacking tools.<\/strong><\/p>\n\n\n\n<p>If suspicious files are being created on your Ubuntu system, you can analyze those files to determine whether they are malware (hacking tools). You can follow several methods to analyze files. Here are some steps you can take.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. <strong>Check basic information about the file<\/strong><\/h3>\n\n\n\n<p>First, you can check the basic properties of the file to determine what type it is, who created it, and when it was created.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls -l \/path\/to\/suspicious_file\n<\/code><\/pre>\n\n\n\n<p>This command displays the file&#8217;s owner, permissions, creation time, and more.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>file \/path\/to\/suspicious_file\n<\/code><\/pre>\n\n\n\n<p>This command checks the file type. For example, you can determine whether it is a binary file or a script file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong>Generate a hash value for the file (integrity check)<\/strong><\/h3>\n\n\n\n<p>You can generate a hash value to verify the file&#8217;s integrity or to search for a similar file on other systems. By creating hash values such as MD5 or SHA256, you can check if that file is present in malware databases.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>md5sum \/path\/to\/suspicious_file\nsha256sum \/path\/to\/suspicious_file\n<\/code><\/pre>\n\n\n\n<p>You can use these hash values to verify the file with online services like VirusTotal.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. <strong>Use online malware scanning tools (such as VirusTotal)<\/strong><\/h3>\n\n\n\n<p>You can also directly upload the files to check for malware. 
Services like <code>VirusTotal<\/code> analyze files using multiple antivirus engines.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Download the suspicious file and upload it to <a href=\"https:\/\/www.virustotal.com\/\">VirusTotal<\/a> via a secure network.<\/li>\n\n\n\n<li>Alternatively, you can enter the hash value of the file into VirusTotal to check if it has been analyzed before.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">4. <strong>Inspect the contents of the file with the <code>strings<\/code> command<\/strong><\/h3>\n\n\n\n<p>Even for binary files, you can use the <code>strings<\/code> command to check for human-readable text information within the file. This can help you find clues of malware.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>strings \/path\/to\/suspicious_file\n<\/code><\/pre>\n\n\n\n<p>This command will display text within the file (e.g., URLs, commands, etc.). You can identify URLs or scripts that might indicate malware.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. <strong>Check file usage with the <code>lsof<\/code> command<\/strong><\/h3>\n\n\n\n<p>You can use the <code>lsof<\/code> command to check which processes are currently using the file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>lsof \/path\/to\/suspicious_file\n<\/code><\/pre>\n\n\n\n<p>This command shows the processes or network connections that have the suspicious file open. If this file is in use by a malicious process, you can terminate that process and isolate the file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. <strong>Check network activity of the file<\/strong><\/h3>\n\n\n\n<p>If the file is running, you can check for network activity. 
Use <code>netstat<\/code> or <code>ss<\/code> to determine if malware is sending data externally.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>netstat -tunap\n<\/code><\/pre>\n\n\n\n<p>This command checks for currently open network connections to look for suspicious connections. You can also confirm if the suspicious file is connecting to an external server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7. <strong>Use malware sandbox analysis tools<\/strong><\/h3>\n\n\n\n<p>If you want to perform more specialized malware analysis, you can use sandbox analysis tools. These tools run the file in a safe environment to track its behavior. An open-source sandbox tool is <strong>Cuckoo Sandbox<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cuckoosandbox.org\/\">Cuckoo Sandbox<\/a> runs suspicious files in a virtual environment to observe the actions the file performs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8. <strong>Use antivirus tools like ClamAV<\/strong><\/h3>\n\n\n\n<p>You can use the open-source antivirus program <strong>ClamAV<\/strong> to scan your system in Ubuntu.<\/p>\n\n\n\n<p>To install and scan with ClamAV:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt update\nsudo apt install clamav\nsudo freshclam  # Update virus database\nsudo clamscan -r \/path\/to\/directory\n<\/code><\/pre>\n\n\n\n<p>This command scans the specified directory or file and detects malware.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9. 
<strong>Remove execution permissions and delete the file<\/strong><\/h3>\n\n\n\n<p>If a file is confirmed to be malware or is suspicious, you can remove its execution permissions, isolate it, or delete it.<\/p>\n\n\n\n<p>To remove execution permissions:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chmod -x \/path\/to\/suspicious_file\n<\/code><\/pre>\n\n\n\n<p>To delete the file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>rm \/path\/to\/suspicious_file\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Summary<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Check the basic information of the file (<code>ls<\/code>, <code>file<\/code>).<\/li>\n\n\n\n<li>Generate a hash value for the file and check it with online tools (VirusTotal).<\/li>\n\n\n\n<li>Use the <code>strings<\/code> command to inspect text contents of the file.<\/li>\n\n\n\n<li>Check if the file is in use with the <code>lsof<\/code> command.<\/li>\n\n\n\n<li>Check network connections (<code>netstat<\/code>, <code>ss<\/code>).<\/li>\n\n\n\n<li>Analyze file behavior using sandbox tools (Cuckoo Sandbox).<\/li>\n\n\n\n<li>Scan the system with antivirus tools like ClamAV.<\/li>\n\n\n\n<li>If confirmed as a malicious file, remove execution permissions and delete it.<\/li>\n<\/ol>\n\n\n\n<p>This procedure allows you to verify whether suspicious files are malware and take appropriate action.<\/p>\n\n\n\n<p><strong>It seems to be Trojan:Linux\/CoinMiner.K, what should I do?<\/strong><\/p>\n\n\n\n<p><code>Trojan:Linux\/CoinMiner.K<\/code> is a Trojan that mines cryptocurrency on Linux systems. This Trojan utilizes the resources of the infected system to mine cryptocurrency, which can degrade system performance and lead to excessive power consumption. To remove it and secure the system, follow the steps below.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
<strong>Terminate suspicious processes<\/strong><\/h3>\n\n\n\n<p>The cryptocurrency mining Trojan may run processes with names like <code>coinminer<\/code>, <code>xmrig<\/code>, <code>minerd<\/code>. Check and terminate all suspicious processes that are running.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ps aux | grep -i 'coinminer\\|xmrig\\|minerd'\n<\/code><\/pre>\n\n\n\n<p>Find the PID of the suspicious process using the command above and terminate it with the command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo kill -9 &lt;PID&gt;\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong>Delete files<\/strong><\/h3>\n\n\n\n<p>This Trojan often creates executable files in the <code>\/tmp<\/code> directory or hidden directories. Check <code>\/tmp<\/code>, <code>\/var\/tmp<\/code>, and hidden files in the user&#8217;s home directory and delete any suspicious files.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo rm -rf \/tmp\/* \/var\/tmp\/*\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">3. <strong>Check user accounts<\/strong><\/h3>\n\n\n\n<p>If the Trojan was installed with root privileges, there is a possibility that a malicious user account has been added to allow access to the system. Use the following command to check for suspicious user accounts and delete them.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo cat \/etc\/passwd\nsudo userdel -r &lt;username&gt;\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">4. <strong>Check scheduled tasks (Crontab)<\/strong><\/h3>\n\n\n\n<p>Trojan tasks are often added to <code>cron<\/code> jobs to ensure they run persistently after infection. 
Check for suspicious tasks registered in <code>cron<\/code> and remove them.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check user-specific <code>crontab<\/code>:\n<pre class=\"wp-block-preformatted\"><code>sudo crontab -l\nsudo crontab -u postgres -l\n<\/code><\/pre><\/li>\n\n\n\n<li>Check system <code>cron<\/code>:\n<pre class=\"wp-block-preformatted\"><code>sudo cat \/etc\/crontab\nsudo ls \/etc\/cron.*\n<\/code><\/pre><\/li>\n<\/ul>\n\n\n\n<p>If there are any suspicious jobs, delete them using the following command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo crontab -e\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">5. <strong>Perform a full system scan with ClamAV<\/strong><\/h3>\n\n\n\n<p>By installing ClamAV, you can scan the entire system and remove malicious files.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt update\nsudo apt install clamav\nsudo freshclam  # Update virus database\nsudo clamscan -r --remove \/  # Full system scan and remove infected files\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">6. <strong>Check and block suspicious network connections<\/strong><\/h3>\n\n\n\n<p>The Trojan may connect to an external server to perform operations. Check network connections using the <code>netstat<\/code> command and block any suspicious IP addresses.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo netstat -tunap\n<\/code><\/pre>\n\n\n\n<p>If any suspicious IP address is found, you can block it using <code>iptables<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo iptables -A OUTPUT -d &lt;suspicious IP address&gt; -j DROP\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">7. 
<strong>Check system logs<\/strong><\/h3>\n\n\n\n<p>To track traces of penetration and activity, check <code>\/var\/log\/auth.log<\/code>, <code>\/var\/log\/syslog<\/code>, etc.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo cat \/var\/log\/auth.log\nsudo cat \/var\/log\/syslog\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">8. <strong>Update packages and security patches<\/strong><\/h3>\n\n\n\n<p>Update all packages to the latest version to block any security vulnerabilities in the system.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt update &amp;&amp; sudo apt upgrade -y\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">9. <strong>Change passwords<\/strong><\/h3>\n\n\n\n<p>Change the passwords of all user accounts to minimize the possibility of external intrusion.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10. <strong>Additional protective measures<\/strong><\/h3>\n\n\n\n<p>For security, set up security groups and consider reinstalling the OS after backup if necessary.<\/p>\n\n\n\n<p>If suspicious activity persists even after these measures, it is advisable to back up and reset the system as infection may still exist.<\/p>\n\n\n\n<p><strong>How to delete the postgres account, the database, and all related data?<\/strong><\/p>\n\n\n\n<p>To completely delete the PostgreSQL account, database, and all related data, perform the steps below in order. This process will delete the PostgreSQL server and all data files, so caution is necessary.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
<strong>Stop the PostgreSQL service<\/strong><\/h3>\n\n\n\n<p>First, stop the PostgreSQL server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo systemctl stop postgresql\n<\/code><\/pre>\n\n\n\n<p>Alternatively, you can use the command below depending on the service name.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo service postgresql stop\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">2. <strong>Delete the <code>postgres<\/code> account<\/strong><\/h3>\n\n\n\n<p>Delete the system user account <code>postgres<\/code> created during PostgreSQL installation. Deleting this account will also delete any files owned by this account.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo userdel -r postgres\n<\/code><\/pre>\n\n\n\n<p>The <code>-r<\/code> option will delete the home directory and files owned by the <code>postgres<\/code> account as well.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. <strong>Delete PostgreSQL data directory and log files<\/strong><\/h3>\n\n\n\n<p>All databases and data for PostgreSQL are typically stored in the <code>\/var\/lib\/postgresql\/<\/code> directory. After deleting PostgreSQL, remove this directory to delete the database files.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo rm -rf \/var\/lib\/postgresql\/\n<\/code><\/pre>\n\n\n\n<p>Moreover, if PostgreSQL log files are in <code>\/var\/log\/postgresql\/<\/code>, you can also delete those log files.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo rm -rf \/var\/log\/postgresql\/\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
<strong>Uninstall PostgreSQL software<\/strong><\/h3>\n\n\n\n<p>Uninstall the PostgreSQL package to remove all related files.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Remove PostgreSQL on Ubuntu\/Debian-based systems<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo apt-get --purge remove postgresql*\n<\/code><\/pre>\n\n\n\n<p>The <code>--purge<\/code> option removes settings files associated with PostgreSQL as well.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Remove PostgreSQL on CentOS\/RHEL-based systems<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo yum remove postgresql*\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">5. <strong>Check and delete remaining configuration files<\/strong><\/h3>\n\n\n\n<p>Configuration or related files of PostgreSQL may still reside in <code>\/etc\/postgresql\/<\/code>. If this directory exists, delete it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo rm -rf \/etc\/postgresql\/\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">6. <strong>Verify PostgreSQL removal from the system<\/strong><\/h3>\n\n\n\n<p>Check if PostgreSQL has been completely removed. 
If the <code>psql<\/code> command does not work, PostgreSQL has been successfully removed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>psql\n<\/code><\/pre>\n\n\n\n<p>If PostgreSQL-related files or processes are still found, please check and delete each directory again.<\/p>\n\n\n\n<p>Following these steps will completely remove all data, user accounts, and database files related to PostgreSQL.<\/p>\n\n\n\n<p>Note<\/p>\n\n\n\n<p><a href=\"https:\/\/si.mpli.st\/dev\/2018-04-15-cryptominer-inside-postgres\">https:\/\/si.mpli.st\/dev\/2018-04-15-cryptominer-inside-postgres<\/a><\/p>\n\n\n\n<p><strong>Ultimately, in my case, I deleted the postgres account and the db, deleted all related files, ran clamscan on the entire computer and removed even the suspicious files found in tmp, changed passwords, and strengthened the firewall.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When I accidentally typed the top command on the Ubuntu server, I found a strange process consuming a lot of CPU. Suspicious file searched by md5: 8f96e8b4e9d26884c776c1b42a70bae5 https:\/\/otx.alienvault.com\/indicator\/file\/5e5fd0bc5f1bd663d7ccc2695c2b56bd382df3c7fdac605eb0ce3c0d5df24dc4 Below is the resolution process This process looks suspicious. Paths and filenames like \/tmp\/.\/.kGX8ucb are generally not formats used by normal software. 
This could be part of &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-31659","post","type-post","status-publish","format-standard","hentry","category-4"]}
Hacking"}]},{"@type":"WebSite","@id":"https:\/\/atmokpo.com\/w\/#website","url":"https:\/\/atmokpo.com\/w\/","name":"\ub77c\uc774\ube0c\uc2a4\ub9c8\ud2b8","description":"","publisher":{"@id":"https:\/\/atmokpo.com\/w\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/atmokpo.com\/w\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ko-KR"},{"@type":"Organization","@id":"https:\/\/atmokpo.com\/w\/#organization","name":"\ub77c\uc774\ube0c\uc2a4\ub9c8\ud2b8","url":"https:\/\/atmokpo.com\/w\/","logo":{"@type":"ImageObject","inLanguage":"ko-KR","@id":"https:\/\/atmokpo.com\/w\/#\/schema\/logo\/image\/","url":"https:\/\/atmokpo.com\/w\/wp-content\/uploads\/2024\/11\/logo.png","contentUrl":"https:\/\/atmokpo.com\/w\/wp-content\/uploads\/2024\/11\/logo.png","width":400,"height":400,"caption":"\ub77c\uc774\ube0c\uc2a4\ub9c8\ud2b8"},"image":{"@id":"https:\/\/atmokpo.com\/w\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/bebubo4"]},{"@type":"Person","@id":"https:\/\/atmokpo.com\/w\/#\/schema\/person\/91b6b3b138fbba0efb4ae64b1abd81d7","name":"root","image":{"@type":"ImageObject","inLanguage":"ko-KR","@id":"https:\/\/atmokpo.com\/w\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/708197b41fc6435a7ce22d951b25d4a47e9e904270cb1f04682d4f025066f80c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/708197b41fc6435a7ce22d951b25d4a47e9e904270cb1f04682d4f025066f80c?s=96&d=mm&r=g","caption":"root"},"sameAs":["http:\/\/atmokpo.com\/w"],"url":"https:\/\/atmokpo.com\/w\/author\/root\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/posts\/31659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/posts"}],"about":[{"h
ref":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/comments?post=31659"}],"version-history":[{"count":1,"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/posts\/31659\/revisions"}],"predecessor-version":[{"id":31660,"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/posts\/31659\/revisions\/31660"}],"wp:attachment":[{"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/media?parent=31659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/categories?post=31659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/atmokpo.com\/w\/wp-json\/wp\/v2\/tags?post=31659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}