My guess:
An attacker exploited a SQL injection or buffer overflow flaw in Apache+PHP+MySQL (which they have no idea about), installed a Java-based coin miner (gross, I know), and deleted /var/log to cover up their tracks. But it was Col. Kernel that killed MySQL for using up too much memory. Ruby is just there because of some obscure distro dependency nobody uses.
Why is Apache running on root?
Easier to push updates without all the red tape.
In some setups where each vhost runs as its own user, the main Apache process has to run as root.
Kernel did … OoM
Nice one
My money’s on the sysop being guilty of manprocessslaughter or at least gross negligence for not putting enough RAM in the box.
Injection attack submitted through apache, processed by an outdated PHP, forwarded to fat java who’s running a ye olde ass library to do sql input sanitization (it failed lol), and passed onto MySQL via a ruby script, which had a stroke because the request was to write to /var/log because someone was screwing around in sqlmap
Oh and /var/log “accidentally” had 777 perms lmao
The bundler did it.