Unix Technical Forum

real and effective user ids must match

#11 Jeff Frost, 04-10-2008, 07:38 AM
Re: real and effective user ids must match

On Fri, 15 Sep 2006, Michael Fuhr wrote:

> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>> Can anybody else with a Linux box test the above command?
>>
>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>
>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>> context=user_u:system_r:unconfined_t
>
> That's what I'd expect. David's box appears to be behaving oddly,
> which could be signs of tampering if he has indeed been hacked. If
> that's happened then commands like "ls" and "ps" can't be trusted.
>
> Can anybody think of a way for David to be seeing the behavior he's
> seeing that doesn't involve a tampered-with system?


It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
them to see if there is a problem. Might also be worthwhile to run the ps and
ls from the install CD to see if there are any surprising results.

--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954

---------------------------(end of broadcast)---------------------------
TIP 5: don't forget to increase your free space map settings

#12 Jeff Frost, 04-10-2008, 07:38 AM
Re: real and effective user ids must match

Did you get a copy of chkrootkit and/or rkhunter and run them on this machine?
If so, let us know if it finds a rootkit. If so, that's your problem. I think
you may have to ask on one of the Linux system administration lists.

Which Linux distribution and version did you indicate this is again?

On Sat, 16 Sep 2006, david.lao@sharpasia.com.mo wrote:

>
> Is there any way to correct this problem? Please help.
>
> On Fri, 15 Sep 2006, Michael Fuhr wrote:
>
>> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>>> Can anybody else with a Linux box test the above command?
>>>
>>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>>
>>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>>> context=user_u:system_r:unconfined_t
>>
>> That's what I'd expect. David's box appears to be behaving oddly,
>> which could be signs of tampering if he has indeed been hacked. If
>> that's happened then commands like "ls" and "ps" can't be trusted.
>>
>> Can anybody think of a way for David to be seeing the behavior he's
>> seeing that doesn't involve a tampered-with system?
>
> It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
> them to see if there is a problem. Might also be worthwhile to run the ps and
> ls from the install CD to see if there are any surprising results.
>
>


--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954

#13 david.lao@sharpasia.com.mo, 04-10-2008, 07:38 AM
Re: real and effective user ids must match

Hi,

I am running postgresql 7.2.2-1.

Best,
David

On Fri, Sep 15, 2006 at 09:20:28AM +0800, david.lao@sharpasia.com.mo wrote:
> this is the command output
>
> lrwxrwxrwx 1 root root 4 Apr 3 2003 /bin/sh -> bash
> -rwxr-xr-x 1 root root 9468 Sep 5 2002 /usr/bin/pg_ctl
> -rwxr-xr-x 1 root root 3074760 Sep 5 2002 /usr/bin/postgres
> lrwxrwxrwx 1 root root 8 Oct 29 2005 /usr/bin/postmaster -> postgres


What version of PostgreSQL are you running? If those dates are
correct then I'd guess 7.2.x or earlier.

What about the output of the su command?

--
Michael Fuhr



#14 david.lao@sharpasia.com.mo, 04-10-2008, 07:38 AM
Re: real and effective user ids must match

this is the command output

lrwxrwxrwx 1 root root 4 Apr 3 2003 /bin/sh -> bash
-rwxr-xr-x 1 root root 9468 Sep 5 2002 /usr/bin/pg_ctl
-rwxr-xr-x 1 root root 3074760 Sep 5 2002 /usr/bin/postgres
lrwxrwxrwx 1 root root 8 Oct 29 2005 /usr/bin/postmaster -> postgres

Best,
David

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

On Thu, Sep 14, 2006 at 11:13:43PM +0800, david.lao@sharpasia.com.mo wrote:
> I am starting my postgres with the standard startup script /etc/rc.d/init.d/postgressql


I didn't notice anything wrong with the script you posted. What
happens if you run the "su" command that starts the postmaster
directly from the command line? That is, the "su" on line 151
(you'll have to set the PGDATA environment variable or replace it
with the path to your data directory):

su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start"

What's the output of the following command?

ls -l /bin/sh /usr/bin/pg_ctl /usr/bin/postmaster /usr/bin/postgres

--
Michael Fuhr



#15 david.lao@sharpasia.com.mo, 04-10-2008, 07:38 AM
Re: real and effective user ids must match

Hi,

Thanks, I will try to upgrade to a new version. The output of <su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start"> is
<
postmaster successfully started
/usr/bin/postmaster: real and effective user ids must match
>


The problem started after I restarted the postgres service; nothing has changed in the postmaster since last time.

Best,
David

On Fri, Sep 15, 2006 at 09:49:42AM +0800, david.lao@sharpasia.com.mo wrote:
> I am running postgresql 7.2.2-1.


If you're going to run 7.2 then you should run the latest version,
7.2.8, because earlier versions have serious data-loss bugs. But
since 7.2 is no longer supported, I'd recommend upgrading to a
modern version like 8.1.4 as soon as possible.

As for getting the postmaster running, what's the output of the su
command that I've requested a couple of times? When did this problem
start? What has changed since the last time the postmaster started
successfully?

--
Michael Fuhr



#16 david.lao@sharpasia.com.mo, 04-10-2008, 07:38 AM
Re: real and effective user ids must match

Hi,

su -l postgres -s /bin/sh -c id output:
uid=0(root) gid=26 euid=26(postgres) groups=26

su -l postgres -s /bin/sh -c "/usr/bin/postmaster -D $PGDATA" output
/usr/bin/postmaster: real and effective user ids must match

I am running Redhat 8; it is the same way to start postgres, "/etc/rc.d/init.d/postgresql start".


>When was the last time you successfully started the postmaster the
>same way you're trying now? How long had you been running PostgreSQL
>without any problems? If it used to work then something has changed.


I am running Redhat 8; it is the same way to start postgres, "/etc/rc.d/init.d/postgresql start". I have been running postgres since about 2 years ago. Maybe the hacker did it, because before that I found one unknown user and deleted it, and then I restarted the service and got the error.

David
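
The `id` outputs posted in this thread differ in one field: on the affected box `su` leaves the real uid at 0 while the effective uid is 26, and the postmaster refuses to start in that state. As an added example (not part of the original thread), this POSIX shell sketch parses such lines and flags the mismatch; the function names are hypothetical and the sample lines are the ones quoted in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): flag a real/effective ID mismatch
# in `id` output. id(1) prints euid=/egid= only when the effective ID
# differs from the real one, so an absent field means "same as real".

# field LINE KEY -> numeric value of the KEY=NNN token in LINE ("" if absent)
field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n "s/^$2=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# check_id_line LINE -> prints a verdict.
# Returns 0 if real and effective IDs match, 1 on mismatch, 2 if unparsable.
check_id_line() {
    uid=$(field "$1" uid); euid=$(field "$1" euid)
    gid=$(field "$1" gid); egid=$(field "$1" egid)
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "unparsable"; return 2
    fi
    : "${euid:=$uid}" "${egid:=$gid}"
    if [ "$uid" != "$euid" ] || [ "$gid" != "$egid" ]; then
        echo "MISMATCH uid=$uid euid=$euid gid=$gid egid=$egid"
        return 1
    fi
    echo "ok uid=$uid gid=$gid"
}

# check_live -> same verdict for the current process, built from id's
# POSIX -r (real ID) flag instead of parsing the default output.
check_live() {
    check_id_line "uid=$(id -r -u) gid=$(id -r -g) euid=$(id -u) egid=$(id -g)"
}

# Constructed input: the two `id` outputs quoted in this thread.
while IFS= read -r line; do
    check_id_line "$line"
done <<'EOF'
uid=26(postgres) gid=26(postgres) groups=26(postgres)
uid=0(root) gid=26 euid=26(postgres) groups=26
EOF
```

On a host that may have been tampered with, the verdict is only as trustworthy as the `id` and shell binaries that produce it, so run it with tools from known-good media.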



#17 david.lao@sharpasia.com.mo, 04-10-2008, 07:38 AM
Re: real and effective user ids must match


>Do you have sudo? If so then what does "sudo -u postgres id" show?
>If uid and euid are the same (both postgres) then you might be able
>to start the postmaster with sudo instead of su.


"sudo -u postgres id" shows
uid=0(root) gid=26 euid=26(postgres) groups=26


>What do you mean by "the hacker"? Do you know or suspect that
>you've been hacked? If so then I'd recommend that you reinstall
>your system from trustworthy media, make sure you have current
>security patches, and close any configuration holes that might have
>let an intruder in.


Yes, I have been hacked, because I found a new unknown a/c in my system, and in the log file I get this message:
Sep 3 22:55:00 TWeb su(pam_unix)[24299]: session opened for user root by (uid=0)
Sep 3 22:55:17 TWeb su(pam_unix)[24299]: session closed for user root

David


#18 david.lao@sharpasia.com.mo, 04-10-2008, 07:38 AM
Re: real and effective user ids must match


Is there any way to correct this problem? Please help.

On Fri, 15 Sep 2006, Michael Fuhr wrote:

> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>> Can anybody else with a Linux box test the above command?
>>
>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>
>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>> context=user_u:system_r:unconfined_t
>
> That's what I'd expect. David's box appears to be behaving oddly,
> which could be signs of tampering if he has indeed been hacked. If
> that's happened then commands like "ls" and "ps" can't be trusted.
>
> Can anybody think of a way for David to be seeing the behavior he's
> seeing that doesn't involve a tampered-with system?


It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
them to see if there is a problem. Might also be worthwhile to run the ps and
ls from the install CD to see if there are any surprising results.

--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954



#19 Michael Fuhr, 04-10-2008, 07:38 AM
Re: real and effective user ids must match

On Mon, Sep 18, 2006 at 02:09:34AM +0800, david.lao@sharpasia.com.mo wrote:
> It found SHV4 and SHV5 rootkit; is there any way to easily and quickly move
> the db to a new system? I am using Redhat 8.0


If the new system has the same major release of PostgreSQL as the
infected system then you could copy the $PGDATA directory from the
infected system to the new one. Be careful how you communicate
between the two systems or you could end up infecting the new system.

--
Michael Fuhr
