On Sun, 13 Feb 2011, Keith Roberts wrote:

> To: CentOS mailing list <centos@xxxxxxxxxx>
> From: Keith Roberts <keith@xxxxxxxxxxxx>
> Subject: Re: CentOS 64 bit php 5.2 huge problem
>
> On Sat, 12 Feb 2011, Lamar Owen wrote:
>
>> To: CentOS mailing list <centos@xxxxxxxxxx>
>> From: Lamar Owen <lowen@xxxxxxxx>
>> Subject: Re: CentOS 64 bit php 5.2 huge problem
>>
>> On Saturday, February 12, 2011 07:03:59 pm Peter Ivanov wrote:
>>> My mysql.so is about 50K .. is that normal
>>
>> No; the ones here are three times that size:
>> [root@localhost ~]# ls -l /usr/lib64/mysql/libmysqlclient*.so.15.0.0
>> -rwxr-xr-x 1 root root 1517784 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient_r.so.15.0.0
>> -rwxr-xr-x 1 root root 1510224 Nov 3 19:54 /usr/lib64/mysql/libmysqlclient.so.15.0.0
>
> That doesn't sound too good. Is it possible that an attacker
> has uploaded replacement libraries with an evil payload -
> possibly to harvest your database contents?

Sorry - I thought it was Peter's libraries that are three times
the normal size. Hence my reply.

Kind Regards,

Keith

> Maybe running Wireshark on the corrupted system will give
> you some clues as to whether data is being sent to a remote
> IP location, whenever a mysql query is executing? There
> could be *anything* in that payload to retrieve *all*
> the data from your database.