Re: CentOS 64 bit php 5.2 huge problem




On Sat, 12 Feb 2011, Lamar Owen wrote:

> To: CentOS mailing list <centos@xxxxxxxxxx>
> From: Lamar Owen <lowen@xxxxxxxx>
> Subject: Re:  CentOS 64 bit php 5.2 huge problem
> 
> On Saturday, February 12, 2011 07:03:59 pm Peter Ivanov wrote:
>> My mysql.so is about 50K .. is that normal
>
> No; the ones here are three times that size:
> [root@localhost ~]# ls -l /usr/lib64/mysql/libmysqlclient*.so.15.0.0
> -rwxr-xr-x 1 root root 1517784 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient_r.so.15.0.0
> -rwxr-xr-x 1 root root 1510224 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient.so.15.0.0

That doesn't sound too good. Is it possible that an attacker 
has uploaded replacement libraries with an evil payload - 
possibly to harvest your database contents?

Maybe running Wireshark on the corrupted system will give 
you some clues as to whether data is being sent to a remote 
IP location, whenever a mysql query is executing? There 
could be *anything* in that payload to retrieve *all* 
the data from your database.

Kind Regards,

Keith

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
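
Added example, not part of the original message: one way to check the replaced-library concern raised above is to verify package-owned files against the RPM database and flag non-config files whose size or digest changed. The `rpm -V` lines in the sample are constructed, and the function names are hypothetical; on a host that may be compromised the RPM database itself can be altered, so compare against a trusted copy of the package where possible.

```shell
#!/bin/sh
# Added example: read `rpm -V` output on stdin and report package-owned,
# non-config files whose size (S) or digest (5) differs from the RPM database.
# Real use (path taken from the thread):
#   rpm -Vf /usr/lib64/mysql/libmysqlclient.so.15.0.0 | flag_modified_binaries

# Constructed sample of `rpm -V` output (not taken from the thread).
sample_rpm_verify() {
cat <<'EOF'
S.5....T    /usr/lib64/php/modules/mysql.so
.......T  c /etc/my.cnf
S.5....T  c /etc/php.d/mysql.ini
..5....T    /usr/lib64/mysql/libmysqlclient.so.15.0.0
missing     /usr/lib64/mysql/libmysqlclient_r.so.15.0.0
.M......    /usr/bin/mysql
EOF
}

flag_modified_binaries() {
    while read -r flags rest; do
        # Split the optional one-letter file marker (c = config, d = doc, ...)
        # from the path; paths always start with "/".
        case "$rest" in
            [cdglr]" "/*) marker=${rest%% *}; path=${rest#* } ;;
            *)            marker=""; path=$rest ;;
        esac
        # Config files are edited legitimately, so they are not reported.
        if [ "$marker" = "c" ]; then continue; fi
        if [ "$flags" = "missing" ]; then
            echo "MISSING $path"
            continue
        fi
        reason=""
        case "$flags" in S*)   reason="SIZE" ;; esac
        case "$flags" in ??5*) reason="${reason:+$reason+}DIGEST" ;; esac
        if [ -n "$reason" ]; then echo "$reason $path"; fi
    done
}

# Stand-alone demo on the constructed sample.
sample_rpm_verify | flag_modified_binaries
```

A file reported here is only a lead: reinstalling the owning package from a trusted mirror and comparing checksums confirms whether the library was actually replaced.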