[CentOS] CentOS 64 bit php 5.2 huge problem

Sun Feb 13 16:47:14 UTC 2011
Keith Roberts <keith at karsites.net>

On Sun, 13 Feb 2011, Keith Roberts wrote:

> To: CentOS mailing list <centos at centos.org>
> From: Keith Roberts <keith at karsites.net>
> Subject: Re: [CentOS] CentOS 64 bit php 5.2 huge problem
> 
> On Sat, 12 Feb 2011, Lamar Owen wrote:
>
>> To: CentOS mailing list <centos at centos.org>
>> From: Lamar Owen <lowen at pari.edu>
>> Subject: Re: [CentOS] CentOS 64 bit php 5.2 huge problem
>>
>> On Saturday, February 12, 2011 07:03:59 pm Peter Ivanov wrote:
>>> My mysql.so is about 50K .. is that normal?
>>
>> No; the ones here are three times that size:
>> [root at localhost ~]# ls -l /usr/lib64/mysql/libmysqlclient*.so.15.0.0
>> -rwxr-xr-x 1 root root 1517784 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient_r.so.15.0.0
>> -rwxr-xr-x 1 root root 1510224 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient.so.15.0.0
>
> That doesn't sound too good. Is it possible that an attacker
> has uploaded replacement libraries with an evil payload -
> possibly to harvest your database contents?

Sorry - I thought it was Peter's libraries that are three
times the normal size. Hence my reply.

Kind Regards,

Keith

> Maybe running Wireshark on the corrupted system will give
> you some clues as to whether data is being sent to a remote
> IP location, whenever a mysql query is executing? There
> could be *anything* in that payload to retrieve *all*
> the data from your database.
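
An added example, not part of the original thread: a file size alone does not show whether a library was replaced, so a quicker first check than a packet capture is to compare the file against the RPM database. The sketch below triages `rpm -V` output for non-config files whose digest or size changed; it assumes the libraries are RPM-managed, and the sample output is constructed, not taken from the poster's system.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output for shared objects whose on-disk
# content no longer matches the RPM database.
# Live use on the host (path taken from the thread):
#   rpm -Vf /usr/lib64/mysql/libmysqlclient.so.15.0.0 | flag_changed_libs

# Reads `rpm -V` lines on stdin. Prints "<reason> <path>" for every
# non-config file that is missing, or whose digest (5) or size (S) differs.
# Assumption: paths contain no spaces (the path is taken as the last field).
flag_changed_libs() {
    awk '
        $1 == "missing" { print "MISSING", $NF; next }
        {
            flags = $1
            # The attribute marker (c=config, d=doc, g=ghost) is optional.
            attr = (NF >= 3) ? $2 : ""
            if (attr == "c" || attr == "d" || attr == "g") next
            if (flags ~ /5/)  { print "DIGEST", $NF; next }
            if (flags ~ /^S/) { print "SIZE", $NF }
        }'
}

# Constructed sample of `rpm -V` output (not from the thread's system).
sample_verify_output() {
    cat <<'EOF'
S.5....T  c /etc/my.cnf
S.5....T    /usr/lib64/mysql/libmysqlclient.so.15.0.0
.......T    /usr/lib64/mysql/libmysqlclient_r.so.15.0.0
missing     /usr/lib64/mysql/libmysqlclient.so.15
EOF
}

sample_verify_output | flag_changed_libs
```

A clean result is only as trustworthy as the RPM database and `rpm` binary on that host, so on a machine already suspected of compromise, compare against a package fetched from a known-good mirror as well.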