PostgreSQL – Why Does pg_hba.conf Sometimes Have Random Rules Added?

postgresql

I have postgres 10.4 set up on a Linux machine, and sometimes there will randomly be rules at the top of pg_hba.conf that only allow an MD5 connection by a user "pgdbadm". I'm not sure if the database got hacked, but after changing the password and checking that a pgdbadm user doesn't exist, I still see the new rules from time to time. Is it possible that the database is compromised?

The three rules, if I recall correctly, are as follows:

local all all 0.0.0.0/0 reject
host all postgres 0.0.0.0/0 reject
host all pgdbadm 0.0.0.0/0 md5

Any explanation as to what is going on would be appreciated, as well as potential solutions.

EDIT: I have discovered that when setting up pg_hba.conf I used a rule where all connections didn't require a password. This probably allowed a bot to log in and create unwanted databases/other things, so I will do a clean install of Ubuntu and back up the databases.

Best Answer

As you seem to have surmised, "pgdbadm" is an account created by hackers. It is the known account created by a recent crypto-mining attacker who exploits unsecured PostgreSQL superuser accounts. Changing pg_hba.conf is also part of his MO.
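A small pg_hba.conf audit for the two problems discussed in this thread (a wide-open passwordless `trust` rule, and rules for an unexpected role such as pgdbadm), added here as an example and not part of the answer or of PostgreSQL itself. The sample config and the set of expected role names (`KNOWN_ROLES`) are constructed assumptions; the script checks each rule on its own and does not model pg_hba.conf's first-match ordering.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample pg_hba.conf (not from the page): the attacker's postgres/pgdbadm
# rules from the question on top, then the passwordless "trust" rule the asker describes.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS       METHOD
host    all       postgres  0.0.0.0/0     reject
host    all       pgdbadm   0.0.0.0/0     md5
local   all       postgres                peer
host    all       all       127.0.0.1/32  md5
host    all       all       0.0.0.0/0     trust
"""
# Assumption for this example: only these role names are legitimate on the server.
KNOWN_ROLES = {"all", "postgres"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def parse_pg_hba(text: str) -> List[Tuple[int, str, str, str, str, str]]:
    """Return (line_no, type, database, user, address, method) per rule;
    'local' rules have no ADDRESS column, so address is '' for them."""
    rules = []
    for no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split columns
        if fields and fields[0] == "local" and len(fields) >= 4:
            rules.append((no, "local", fields[1], fields[2], "", fields[3]))
        elif fields and fields[0] in HOST_TYPES and len(fields) >= 5:
            rules.append((no, fields[0], fields[1], fields[2], fields[3], fields[4]))
    return rules

def is_wide_open(address: str) -> bool:
    """True unless ADDRESS is a loopback-only CIDR; hostnames and keywords
    such as samenet are treated as remote to stay on the safe side."""
    try:
        return not ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return True

def audit_pg_hba(text: str, known_roles=KNOWN_ROLES) -> List[str]:
    """Flag rules matching the pattern discussed above: a wide-open 'trust'
    rule, rules for an unknown role, and the admin being locked out."""
    findings = []
    for no, typ, _db, user, addr, method in parse_pg_hba(text):
        if method == "trust" and typ != "local" and is_wide_open(addr):
            findings.append(f"line {no}: passwordless (trust) access for '{user}' from {addr}")
        if user not in known_roles:
            findings.append(f"line {no}: rule for unexpected role '{user}'")
        if method == "reject" and user == "postgres":
            findings.append(f"line {no}: 'postgres' locked out by a reject rule")
    return findings
```

Run `audit_pg_hba(open("/etc/postgresql/10/main/pg_hba.conf").read())` against the real file to get the same kind of findings for an actual server.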