On Sat, 12 Feb 2011, Lamar Owen wrote: > To: CentOS mailing list <centos at centos.org> > From: Lamar Owen <lowen at pari.edu> > Subject: Re: [CentOS] CentOS 64 bit php 5.2 huge problem > > On Saturday, February 12, 2011 07:03:59 pm Peter Ivanov wrote: >> My mysql.so is about 50K .. is that nornal > > No; the ones here are three times that size: > [root at localhost ~]# ls -l > /usr/lib64/mysql/libmysqlclient*.so.15.0.0 -rwxr-xr-x 1 > root root 1517784 Nov 3 19:54 > /usr/lib64/mysql/libmysqlclient_r.so.15.0.0 -rwxr-xr-x 1 > root root 1510224 Nov 3 19:54 > /usr/lib64/mysql/libmysqlclient.so.15.0.0 That doesn't sound too good. Is it possible that an attacker has uploaded replacement libraries with an evil payload - possibly to harvest your database contents? Maybe running Wireshark on the corrupted system will give you some clues as to whether data is being sent to a remote IP location, whenever a mysql query is executing? There could be *anything* in that payload to retrieve *all* the data from your database. Kind Regards, Keith ----------------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------------