I'm running the TimescaleDB image on Docker on a Windows machine. Somehow that postgres database was accessed and all of the data deleted.<p>There is a readme_to_recover table now, and it has a generic extortion mail: "Data is backed up bla bla, pay bitcoin to recover bla bla"<p>Data I can get back, but I'm concerned about how this could have happened?<p>For some reason the pg_hba.conf has the line: "host all all all scram-sha-256", which I think means that it can be accessed from anywhere, right?<p>The docker image was running on 5432, and I had bound that to 5434 on my local machine.<p>Logs have a couple of "FATAL: password authentication failed for user "postgres"" lines, so the password was attempted a couple of times. I had a very common password though since it was a local instance, so it was easy to crack. And then after that, lines for dropping all the databases. And then "FATAL: terminating connection due to administrator command" and "FATAL: terminating background worker "TimescaleDB Background Worker Scheduler" due to administrator command"<p>Do I have some virus on my computer? Does the TimescaleDB Docker image have a vulnerability that would cause this? Could some rogue website / ad / extension have accessed my Postgres db running locally like that?
<i>Data I can get back, but I'm concerned about how this could have happened?</i><p>Very good that you have backups, it could have been worse. Were any ports from your app or PG itself exposed to the web and are there associated web application access logs enabled that were relayed somewhere off-host? <i>e.g. port 5432 for postgres</i>.<p><i>Do I have some virus on my computer?</i><p>Yes, that is ransomware. [1]<p>[1] - <a href="https://www.imperva.com/blog/postgresql-database-ransomware-analysis/" rel="nofollow noreferrer">https://www.imperva.com/blog/postgresql-database-ransomware-...</a>
If you used docker run -p 5434:5432, this port is accessible from your network, not just your local machine. Couple that with an IPv6 uplink to your ISP (i.e. typically a globally reachable IP address for your machine) and a disabled firewall in your home router, and that's one possible way this could have happened. Of course, home router firewalls are not usually disabled. But it's a possibility.
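The two exposures discussed in this thread (the "host all all all" rule in pg_hba.conf and a -p mapping that listens on every interface rather than loopback) can be checked mechanically. The following is an added example, not code from any poster; it assumes the PORTS column format that `docker ps` prints, and both inputs are constructed samples.

```python
"""Audit a pg_hba.conf and a docker port mapping for the two exposures
discussed in the thread: a 'host ... all' rule that accepts any client
address, and a -p bind on all interfaces instead of 127.0.0.1."""
import ipaddress
import re

# Constructed sample: the rule the poster found, next to a loopback-only rule.
PG_HBA_SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   all            scram-sha-256
"""

# Constructed samples in `docker ps` PORTS format:
# `-p 5434:5432` binds 0.0.0.0 and ::, reachable from the LAN (and the
# internet if routed); `-p 127.0.0.1:5434:5432` is reachable only locally.
PORTS_EXPOSED = "0.0.0.0:5434->5432/tcp, :::5434->5432/tcp"
PORTS_LOCAL = "127.0.0.1:5434->5432/tcp"

def wide_open_hba_rules(conf: str) -> list[str]:
    """Return host-type rules whose ADDRESS field matches every IPv4/IPv6 client."""
    findings = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # host/hostssl/hostnossl rules carry an ADDRESS field; 'local' rules do not.
        if not fields[0].startswith("host") or len(fields) < 5:
            continue
        if fields[3] in ("all", "0.0.0.0/0", "::/0"):
            findings.append(line)
    return findings

def non_loopback_bindings(ports: str) -> list[str]:
    """Return host-side bindings from a `docker ps` PORTS string not on loopback."""
    findings = []
    for mapping in ports.split(","):
        m = re.match(r"\s*(.+):(\d+)->(\d+)/(tcp|udp)", mapping)
        if not m:
            continue
        host_ip = ipaddress.ip_address(m.group(1))  # "0.0.0.0", "::", "127.0.0.1"
        if not host_ip.is_loopback:
            findings.append(mapping.strip())
    return findings

if __name__ == "__main__":
    print("permissive pg_hba rules:", wide_open_hba_rules(PG_HBA_SAMPLE))
    print("non-loopback bindings:", non_loopback_bindings(PORTS_EXPOSED))
```

Run it against a real `docker ps` PORTS value and the container's pg_hba.conf to confirm a TimescaleDB instance is only reachable from the host itself.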