On Sat, 12 Feb 2011, Lamar Owen wrote:
To: CentOS mailing list centos@centos.org
From: Lamar Owen lowen@pari.edu
Subject: Re: [CentOS] CentOS 64 bit php 5.2 huge problem
On Saturday, February 12, 2011 07:03:59 pm Peter Ivanov wrote:
My mysql.so is about 50K .. is that normal
No; the ones here are three times that size:
[root@localhost ~]# ls -l /usr/lib64/mysql/libmysqlclient*.so.15.0.0
-rwxr-xr-x 1 root root 1517784 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient_r.so.15.0.0
-rwxr-xr-x 1 root root 1510224 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient.so.15.0.0
That doesn't sound too good. Is it possible that an attacker has uploaded replacement libraries with an evil payload - possibly to harvest your database contents?
Maybe running Wireshark on the corrupted system will give you some clues as to whether data is being sent to a remote IP location, whenever a mysql query is executing? There could be *anything* in that payload to retrieve *all* the data from your database.
Kind Regards,
Keith
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
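
A host-side check for the replaced-library concern raised in this message, as an added example that is not part of the original thread: it triages `rpm -V` output so that only non-config files with a changed digest or size, or missing files, are reported. The function names `flag_modified` and `verify_owner` and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): triage `rpm -V` output.
# Each `rpm -V` line is:  <flags> [<marker>] <path>
#   flags : S = size differs, 5 = digest differs, T = mtime differs,
#           or the word "missing" when the file is absent
#   marker: c = config, d = doc, g = ghost, l = license, r = readme

# Read `rpm -V` output on stdin; print "REASON path" for each non-config
# file that is missing or whose digest or size differs from the package.
flag_modified() {
    awk '
    {
        flags = $1; marker = ""; start = 2
        # Skip lines that are not verify records (e.g. dependency notes).
        if (flags != "missing" && flags !~ /^[SM5DLUGTP.?]+$/) next
        # Optional one-letter file-type marker between flags and path.
        if (NF >= 3 && $2 ~ /^[cdglr]$/) { marker = $2; start = 3 }
        path = $start
        for (i = start + 1; i <= NF; i++) path = path " " $i
        # Config and ghost files are expected to change after install.
        if (marker == "c" || marker == "g") next
        if (flags == "missing")  print "MISSING", path
        else if (flags ~ /5/)    print "DIGEST", path
        else if (flags ~ /S/)    print "SIZE", path
    }'
}

# On a live RPM-based host: verify the package that owns a suspect file.
# The comparison uses the local rpm database, so a clean result is only
# as trustworthy as that database.
verify_owner() {
    local pkg
    pkg=$(rpm -qf --queryformat '%{NAME}\n' "$1") || return 1
    rpm -V "$pkg" | flag_modified
}

# Constructed sample of `rpm -V` output (not taken from a real system).
SAMPLE='S.5....T    /usr/lib64/php/modules/mysql.so
S.5....T  c /etc/my.cnf
.......T    /usr/lib64/mysql/libmysqlclient.so.15.0.0
missing     /usr/lib64/php/modules/mysqli.so'

printf '%s\n' "$SAMPLE" | flag_modified
```

A file that is reported as not owned by any package, or that shows a digest mismatch outside a config file, is the one to compare against a copy extracted from a known-good package.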