Postgres Copy From Program Command Execution

Uses PostgreSQL’s COPY FROM PROGRAM feature to execute an external system command and ingest its output into a table. In a honeypot context, this primitive is a high-confidence indicator of remote command execution, where the database is being abused as an execution primitive rather than for data storage. The presence of shell pipelines and decoding stages (for example base64 decoding piped into a shell) is characteristic of automated exploitation, payload staging, and post-compromise execution chains targeting misconfigured or overly privileged PostgreSQL instances.

Observed IPs

Avg Confidence

99%

Protocol

POSTGRES

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
208.97.53.150	100%	27,926	4,227	🇺🇸 US	AS30247	2026-02-24
212.113.98.30	100%	14,038	3,292	🇷🇺 RU	AS206134	2026-03-02
178.250.186.28	99%	11,101	2,009	🇷🇺 RU	AS207957	2026-02-24
157.230.55.143	100%	6,821	2,907	🇺🇸 US	AS14061	2026-03-02
164.90.155.248	100%	6,777	2,810	🇺🇸 US	AS14061	2026-03-02
157.230.250.115	100%	6,686	2,858	🇸🇬 SG	AS14061	2026-03-02
144.217.252.80	100%	6,544	2,785	🇨🇦 CA	AS16276	2026-03-02
143.198.94.28	100%	6,511	2,914	🇸🇬 SG	AS14061	2026-03-02
209.15.110.13	100%	6,489	2,860	🇹🇭 TH	AS135566	2026-03-02
103.81.100.222	100%	6,466	2,755	🇮🇩 ID	AS58475	2026-03-02
77.222.63.226	100%	6,441	2,843	🇷🇺 RU	AS44112	2026-03-02
103.236.108.25	100%	6,419	2,846	🇮🇳 IN	AS132925	2026-03-02
167.172.104.27	100%	6,409	2,801	🇩🇪 DE	AS14061	2026-03-02
62.217.122.251	100%	6,391	2,829	🇬🇷 GR	AS5408	2026-03-02
137.184.65.234	100%	6,335	2,759	🇺🇸 US	AS14061	2026-03-02
91.90.213.175	100%	6,278	2,852	🇷🇺 RU	AS57487	2026-03-02
45.55.174.23	100%	6,272	2,822	🇺🇸 US	AS14061	2026-03-02
128.199.197.130	100%	6,268	2,852	🇸🇬 SG	AS14061	2026-03-02
83.212.174.61	100%	6,262	2,823	🇬🇷 GR	AS5408	2026-03-02
165.227.211.162	100%	6,232	2,825	🇺🇸 US	AS14061	2026-03-02