Hello,
I have been using DirectAdmin for many years and right now I have no clue what is going on.
CentOS 7 EOL, DA legacy.
I have one user account with one MariaDB database. There are 2 MariaDB users, let's say: user and user_db.
And randomly a new user appears, like user_uidsniduenjnfndurujdUuYgGyhNj.
This new user has access to the user_db database and the host is set to localhost and %. The server is binding to 127.0.0.1 only, so access from outside is not possible.
I remove the user and it appears in 1-8 hours.
No rootkit found, no suspect processes found for that user.
No other user with this issue.
I started to log all queries and it seems the user is not appearing anymore, so I guess the malware is checking whether the general log is enabled or not.
An OS reinstall is planned soon.
Any other ideas?
I would like to find the problem before the reinstall.
Thank you.