Why does pg_hba.conf sometimes have random rules added to it? (postgresql)

As you seem to have surmised, "pgdbadm" is an account created by hackers. It is the known account created by a recent crypto-mining attacker who exploits unsecured PostgreSQL superuser accounts. Changing the pg_hba.conf is also part of his MO.


In a standard Postgres installation, no rules are added to pg_hba.conf by any program whatsoever. All editing of this file is done manually.

You either have some person doing this or someone has added a program - with either benevolent or malicious intent - to do this for them.

You should solve this

  1. in your organisation by determining who is doing this; and
  2. by changing passwords and removing/revoking any SSH keys
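Since nothing in a stock PostgreSQL installation edits pg_hba.conf, any line that appears without a change ticket is evidence by itself. The following is an added example, not code from either answer or from the PostgreSQL project: it parses pg_hba.conf (including the old-style "ADDRESS NETMASK" form), reports rules that are not in a reviewed baseline copy, and flags entries a reviewer would question, namely `trust` authentication and addresses that match every client (`all`, `0.0.0.0/0`, `::/0`). The two config texts are constructed samples; the `pgdbadm` line mirrors the account named in the thread but is otherwise made up.

```python
"""Audit pg_hba.conf: parse rules, diff against a reviewed baseline, and flag
over-permissive entries. Added example; the sample files below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HbaRule:
    conn_type: str      # local, host, hostssl, hostnossl, hostgssenc, hostnogssenc
    database: str
    user: str
    address: str        # CIDR, "IP/MASK", keyword or hostname; "" for local rules
    method: str
    options: str = ""


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_pg_hba(text: str) -> list[HbaRule]:
    """Parse pg_hba.conf text into rules, ignoring comments and blank lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: too few fields for a local rule")
            conn_type, database, user, method = fields[:4]
            address, rest = "", fields[4:]
        else:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: too few fields for a host rule")
            conn_type, database, user, address = fields[:4]
            rest = fields[4:]
            # Old-style "ADDRESS NETMASK METHOD" form: fold the mask into the address.
            if _is_ip(rest[0]):
                address = f"{address}/{rest[0]}"
                rest = rest[1:]
            if not rest:
                raise ValueError(f"line {lineno}: missing authentication method")
            method, rest = rest[0], rest[1:]
        rules.append(HbaRule(conn_type, database, user, address, method, " ".join(rest)))
    return rules


def unexpected_rules(current: list[HbaRule], baseline: list[HbaRule]) -> list[HbaRule]:
    """Rules present in the live file but absent from the reviewed baseline."""
    known = set(baseline)
    return [r for r in current if r not in known]


def _reaches_everywhere(address: str) -> bool:
    """True when the ADDRESS field matches any client on the network."""
    if address == "all":
        return True
    if address in ("", "samehost", "samenet"):
        return False
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False        # hostname or other non-address form


def find_risky_rules(rules: list[HbaRule]) -> list[tuple[HbaRule, list[str]]]:
    """Flag rules a reviewer would question: trust auth, or open to any source."""
    findings = []
    for rule in rules:
        reasons = []
        if rule.method == "trust":
            reasons.append("trust: no password required")
        if _reaches_everywhere(rule.address):
            reasons.append("address matches every client")
        if reasons:
            findings.append((rule, reasons))
    return findings


# Constructed sample: the reviewed copy kept under version control.
BASELINE_CONF = """
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
local   all             all                                     peer
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             ::1/128                 scram-sha-256
host    replication     all             10.0.0.0/8              scram-sha-256
"""

# Constructed sample: the live file with two lines nobody in the team added.
LIVE_CONF = BASELINE_CONF + """
host    all             pgdbadm         0.0.0.0/0               md5
host    all             all             0.0.0.0 0.0.0.0         trust
"""

if __name__ == "__main__":
    baseline, live = parse_pg_hba(BASELINE_CONF), parse_pg_hba(LIVE_CONF)
    for rule in unexpected_rules(live, baseline):
        print("not in baseline:", rule)
    for rule, reasons in find_risky_rules(live):
        print("risky:", rule.user, rule.address, rule.method, "->", "; ".join(reasons))
```

In practice you would read the two texts from the live file and the copy in version control and run this from cron or a config-management check, so that a new line triggers an alert at the next run rather than being discovered weeks later. The baseline diff is the more important of the two checks: an attacker's rule may use an ordinary `md5` or `scram-sha-256` method and a tight address and still be unauthorised. Reviewing `pg_roles` for superusers nobody created is the natural companion step, since the thread's point is that the rogue rule and the rogue account arrive together.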
