On Sun, 13 Feb 2011, Keith Roberts wrote:
To: CentOS mailing list centos@centos.org
From: Keith Roberts keith@karsites.net
Subject: Re: [CentOS] CentOS 64 bit php 5.2 huge problem
On Sat, 12 Feb 2011, Lamar Owen wrote:
To: CentOS mailing list centos@centos.org
From: Lamar Owen lowen@pari.edu
Subject: Re: [CentOS] CentOS 64 bit php 5.2 huge problem
On Saturday, February 12, 2011 07:03:59 pm Peter Ivanov wrote:
My mysql.so is about 50K .. is that normal?
No; the ones here are three times that size:

[root@localhost ~]# ls -l /usr/lib64/mysql/libmysqlclient*.so.15.0.0
-rwxr-xr-x 1 root root 1517784 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient_r.so.15.0.0
-rwxr-xr-x 1 root root 1510224 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient.so.15.0.0
That doesn't sound too good. Is it possible that an attacker has uploaded replacement libraries with an evil payload - possibly to harvest your database contents?
Sorry - I thought it was Peter's libraries that are three times the normal size. Hence my reply.
Kind Regards,
Keith
Maybe running Wireshark on the corrupted system will give you some clues as to whether data is being sent to a remote IP location, whenever a mysql query is executing? There could be *anything* in that payload to retrieve *all* the data from your database.