mysqld in Linux hacked
Check for crap in /var/lib/mysql like this
ls -al /var/lib/mysql/
total 20888
drwxr-xr-x 24 mysql mysql 4096 Oct 3 18:30 .
drwxr-xr-x 20 root root 4096 Oct 3 04:23 ..
-rw-rw-rw- 1 mysql mysql 11776 Oct 3 17:10 c:\exp.exe
-rw-rw-rw- 1 mysql mysql 48128 Oct 3 17:10 c:\exp1.exe
-rw-rw-rw- 1 mysql mysql 55296 Oct 3 17:10 c:\exp2.exe
-rw-rw-rw- 1 mysql mysql 33812 Oct 3 17:10 c:\tan.exe
-rw-rw-rw- 1 mysql mysql 45056 Oct 3 17:10 c:\tan1.exe
This happened to a client who didn't firewall their port 3306 and had a weak root password.
Tags:
mysqld, linux, hackedcheck, var, lib, mysql, ls, drwxr, xr, oct, rw, exp, exe, tan, didn, firewall, password,