
I am facing the same issue regularly: it happens 1-3 times a month, mostly on weekends.

To explain, CPU utilization has been exceeding 100% for the last 32 hours.

  • EC2 Instance is t3.medium
  • Postgres version is 10.6
  • OS : Amazon Linux 2

I have tried to gather all the information I could using the commands provided in this reference: https://severalnines.com/blog/why-postgresql-running-slow-tips-tricks-get-source

But I didn't find any inconsistency or leak in my database, although while checking for the process consuming all the CPU resources I found the following command to be the culprit, running for more than 32 hours.

/var/lib/postgresql/10/main/postgresql -u pg_linux_copy -B

This command is currently running as 3 separate processes, which have been running for 32 hours, 16 hours and 16 hours respectively.

Searching about this didn't return even a single result on Google, which is heartbreaking.

If I kill the process, everything turns back to normal.

What is the issue, and what can I do to prevent this from happening again in the future?

  • I'm not familiar with EC2 installations of Postgres, but normally this is where data resides, not binaries. Also, all (or most) tools supplied by Postgres use uppercase -U for the username, and pg_linux_copy looks kind of like a username, so I think this is rather fishy. It is possible that you had/have unauthorized access by a third party that is either using your computing resources for something or stealing your data. It could also be some custom tool by Amazon, so just in case I would contact them about it. Commented Apr 1, 2019 at 12:30
  • Thanks Lukasz, I will try contacting AWS about this to confirm your suspicion. Commented Apr 2, 2019 at 5:00
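An added check, not part of the original question or of any answer in this thread: the process in the question is suspicious for two reasons that can be tested mechanically. Genuine PostgreSQL server binaries live in a bin directory (for example /usr/lib/postgresql/10/bin or /usr/local/pgsql/bin) and are named postgres or postmaster; the data directory (PGDATA, such as /var/lib/postgresql/10/main or /usr/local/pgsql/data) should never contain an executable, and the real server is started with -D <datadir>, not with a lowercase -u <user> switch. The script below flags executables located in a data directory, lookalike names (a digit one in place of the letter l, as reported later in this thread), executables deleted after launch, and the -u pg_linux_copy flags from this thread. The sample process list is constructed for the example; scan_live_host gathers the same shape from /proc on a real host.

```shell
#!/bin/sh
# Added example, not from the original thread: find processes that claim to be
# PostgreSQL but run from the wrong place or under the wrong name.
# Real server binaries live under a bin directory; PGDATA never holds executables;
# the real binary is "postgres" (or "postmaster") and takes -D <datadir>.

# Input on stdin, one process per line: "PID EXE-PATH ARGS..."
# Output: one line per suspicious process, prefixed with the reason.
flag_rogue_postgres() {
  while read -r pid exe args; do
    # 0. Binary removed after launch (readlink /proc/PID/exe reports "(deleted)")
    case "$exe" in
      *"(deleted)")
        echo "DELETED_EXE pid=$pid exe=$exe args=$args"; continue ;;
    esac
    # 1. Executable located inside a data directory
    case "$exe" in
      */pgsql/data/*|*/postgresql/*/main/*|*/pgdata/*|*/pg_data/*)
        echo "DATA_DIR_EXEC pid=$pid exe=$exe args=$args"; continue ;;
    esac
    # 2. Lookalike name: "postgresq1", "postgresql", "postgres1", "postmaster2", ...
    base=${exe##*/}
    case "$base" in
      postgres|postmaster) ;;                      # genuine names
      postgres?|postgresq?|postmaster?)
        echo "LOOKALIKE_NAME pid=$pid exe=$exe args=$args"; continue ;;
    esac
    # 3. Flags the genuine server never takes (it uses -D <datadir>, not -u <user>)
    case " $args " in
      *" -u pg_linux_copy "*)
        echo "UNKNOWN_FLAGS pid=$pid exe=$exe args=$args" ;;
    esac
  done
}

# Constructed sample input modelled on this thread (pids and paths are made up):
SAMPLE_PROCS='1234 /usr/lib/postgresql/10/bin/postgres /usr/lib/postgresql/10/bin/postgres -D /var/lib/postgresql/10/main
1250 /usr/lib/postgresql/10/bin/postgres postgres: checkpointer
2001 /var/lib/postgresql/10/main/postgresql /var/lib/postgresql/10/main/postgresql -u pg_linux_copy -B
2002 /usr/local/pgsql/data/postgresq1 /usr/local/pgsql/data/postgresq1 -u pg_linux_copy -B
3000 /usr/sbin/sshd sshd: /usr/sbin/sshd -D
4000 /opt/postgres_exporter/postgres_exporter /opt/postgres_exporter/postgres_exporter --web.listen-address=:9187'

# Number of suspicious processes in the sample (the two -u pg_linux_copy ones).
count_rogue_in_sample() {
  printf '%s\n' "$SAMPLE_PROCS" | flag_rogue_postgres | wc -l | tr -d ' '
}

# Gather real processes from /proc in the same "PID EXE ARGS" shape and filter them.
# Run as root so that /proc/PID/exe of the postgres user's processes is readable.
scan_live_host() {
  for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    exe=$(readlink "$p/exe" 2>/dev/null | sed 's/ (deleted)$/(deleted)/')
    [ -n "$exe" ] || continue
    printf '%s %s %s\n' "$pid" "$exe" "$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)"
  done | flag_rogue_postgres
}
```

Source the file and call scan_live_host on the instance; anything it prints deserves the treatment the question describes (kill it), followed by checking how it got there, since a process in the data directory implies the database account could write and execute files. Paths containing spaces are not handled by the simple whitespace split.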

1 Answer


I was recently contacted by the AWS EC2 Abuse team regarding my instance being involved in an intrusion attack on some other server.

To my surprise, I found out that, as I had used a very weak password (root) for the default postgres account of my database and also had the Postgres port public, the attacker silently gained access to the instance and used it to try to gain access to another instance.

I am still not sure how he was able to run the ssh command just by gaining access to the master database account.

To summarise, one reason for unusual database spikes on a server could be someone attacking your system.


2 Comments

Thank you for asking this question, as it's currently the ONLY Google result for this problem. Today I experienced this issue under exactly the same circumstances: EC2 instance, port 5432 open to the world (shame on me!), SSH locked down, mysterious processes killing the CPU. No noticeable rise in network traffic. The running process was /usr/local/pgsql/data/postgresq1 -u pg_linux_copy -B (note that the last character is the numeral "1", not an "l"!), and there is also a suspicious /usr/local/pgsql/data/postgres. Will update if I find out more.
I found this mention on a Russian forum as well: translate.google.com/translate?hl=en&sl=ru&u=https://…
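An added audit, not part of the answer or of the comments above: the two settings behind the exposure the answer describes (the Postgres port reachable from anywhere, and password authentication for the default superuser) can both be read straight out of the server's configuration. The script below checks pg_hba.conf for rules that accept connections from any address and postgresql.conf for a listener bound to every interface. The configuration samples are constructed for the example; the file paths in the usage note are the usual Debian and source-install locations and are an assumption about your layout.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the two PostgreSQL settings
# that together produced the compromise described in the answer.

# Reads pg_hba.conf on stdin.  Prints one finding per rule that admits connections
# from any address: CIDR 0.0.0.0/0 or ::/0, the "ADDRESS NETMASK" form, or the
# keyword "all".  Severity depends on the auth method that such a rule allows.
audit_pg_hba() {
  while read -r type db user addr method rest; do
    case "$type" in ''|'#'*|local) continue ;; esac   # comments, blanks, Unix sockets
    case "$method" in
      *.*.*.*) addr="$addr/$method"; method=${rest%% *} ;;  # "ADDRESS NETMASK" form
    esac
    case "$addr" in
      0.0.0.0/0|0.0.0.0/0.0.0.0|::/0|all)
        case "$method" in
          trust)
            echo "CRITICAL $type $db $user $addr: no authentication at all" ;;
          password|md5|scram-sha-256)
            echo "HIGH $type $db $user $addr: password login from anywhere ($method)" ;;
          *)
            echo "REVIEW $type $db $user $addr: method $method open to anywhere" ;;
        esac ;;
    esac
  done
}

# Reads postgresql.conf on stdin.  Flags a server bound to all interfaces;
# commented-out lines (the default "#listen_addresses = 'localhost'") are ignored.
audit_listen_addresses() {
  while read -r line; do
    case "$line" in
      listen_addresses*=*"'*'"*|listen_addresses*=*0.0.0.0*)
        echo "HIGH $line: bound to all interfaces; restrict it or firewall port 5432" ;;
      listen_addresses*=*)
        echo "OK $line" ;;
    esac
  done
}

# Constructed pg_hba.conf sample: the first three rules are the Debian defaults plus a
# loopback entry, the next three are the kind of entry that opens the port to the world.
HBA_SAMPLE='# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   127.0.0.1/32     md5
host    all       all   0.0.0.0/0        md5
host    all       all   ::/0             trust
host    all       all   0.0.0.0 0.0.0.0  md5
hostssl app       app   10.0.0.0/8       scram-sha-256'

# Constructed postgresql.conf sample with the world-facing listener.
PGCONF_SAMPLE="listen_addresses = '*'
#listen_addresses = 'localhost'
port = 5432"

# Findings in the samples: three open pg_hba rules, one all-interfaces listener.
count_hba_findings() {
  printf '%s\n' "$HBA_SAMPLE" | audit_pg_hba | wc -l | tr -d ' '
}
count_listen_findings() {
  printf '%s\n' "$PGCONF_SAMPLE" | audit_listen_addresses | grep -c '^HIGH' || true
}
```

On a real instance, source the file and run `audit_pg_hba < /etc/postgresql/10/main/pg_hba.conf` (or `< /usr/local/pgsql/data/pg_hba.conf`) and `audit_listen_addresses < /etc/postgresql/10/main/postgresql.conf`. The fix for a HIGH or CRITICAL finding is the one the answer implies: replace the 0.0.0.0/0 rule with the VPC or application subnet CIDR and scram-sha-256, set listen_addresses to the instance's private address, keep port 5432 out of the security group's inbound rules for 0.0.0.0/0, and give the postgres role a strong password. A rule limited to a private CIDR is not flagged, which is why the 10.0.0.0/8 line produces no finding.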
