Delete sets matching regex. Code Injection

Hi guys,

We have run into a peculiar problem. Due to a bad legacy code, our cluster was exposed to code injection attack. The adversary was able to breach and ended up creating lots of sets in our namespace. We have plugged the hole in the code that caused this but we have reached the set limit and need to truncate the bogus sets that the adversary created.

However, the problem is not as straightforward as that. The sets that got created have weird alphanumeric names containing injection scripts. For ex :


catFeed_kurta" AND 238=6*8 AND “I2fK”="I2fKfeeed_dataa

catFeed_-1)) OR 638=(SELECT 638 FROM PG_SLEEP(15))–feeed_dataa

Some names are not printable. Some are multiline values.

When we try to use the truncate command on these, the command fails with errors like “ERROR: No closing quotation” or syntax errors.

At the moment, we can’t add new sets to the namespace. Need your help to get rid of the bogus sets asap. Hoping to see a quick response. Thanks in advance.

Edit : The set names above are not showing as they actually are.

Sorry to read this. As I am sure you already figured out, you would need to delete all the records in the set and then cold restart each node, one at a time (likely after wiping them out unless if using the Enterprise Edition and using the truncate command). Here is the knowledge base article with details once passed the ‘delete all the records in the set’ step: How to clear up set names when they exceed the limit.

Now to the delete part, here are some ideas, but not sure which ones would work (if you haven’t tried them):

  • Use a different tool to issue the truncate command: asinfo (which may support escaping) or asadm.
  • Use an expression on top of a primary index query (scan) to go after the records in specific sets (without having to specify the whole set name).
  • Backing up and parsing the back up file to get rid of the records in the bad sets and then restoring (Format of the backup file).

Hope this helps. Finally, off record, I believe the next version will significantly increase the limits for the number of sets allowed. I would assume you would still want to get rid of the bogus ones, but thought I’d still mention this in passing.