I'm running Ubuntu with plesk. After noticing some suspicious data i started logging all queries. A few hours later... Looks like someone created a database and attempted to insert a new user into mysql.user table.
Since then I've created new passwords for Plesk and updated Plesk. I noticed in Plesk update notes that they fixed a security issue. Maybe that was how someone got in?
I hope I'm just being paranoid
750 Connect admin@localhost on
750 Query SELECT VERSION()
748 Query select `name`,`version` from Components
750 Query create database `BUG115166_19826690404F97A4DB6CCAB` /*!40101 default charset=utf8 */
750 Query create database `bug115166_19826690404f97a4db6ccab` /*!40101 default charset=utf8 */
750 Query insert into mysql.user (Host, User, Password) values ('%', 'bug115166_29609', password('BUG115166_19826690404F97A4DB6CCAB'))
750 Query FLUSH PRIVILEGES
750 Query GRANT ALL ON `BUG115166_19826690404F97A4DB6CCAB`.* to 'bug115166_29609'
751 Connect bug115166_29609@localhost on
751 Query USE `BUG115166_19826690404F97A4DB6CCAB`
751 Query USE `bug115166_19826690404f97a4db6ccab`
751 Init DB Access denied for user 'bug115166_29609'@'%' to database 'bug115166_19826690404f97a4db6ccab'
750 Query REVOKE ALL ON `BUG115166_19826690404F97A4DB6CCAB`.* FROM 'bug115166_29609'
750 Query DELETE FROM mysql.user WHERE User='bug115166_29609'
750 Query FLUSH PRIVILEGES
750 Query drop database if exists `bug115166_19826690404f97a4db6ccab`
750 Query drop database if exists `bug115166_19826690404f97a4db6ccab`
750 Query drop database if exists `BUG115166_19826690404F97A4DB6CCAB`
750 Query drop database if exists `BUG115166_19826690404F97A4DB6CCAB`
751 Quit
750 Query show databases like 'd21193485464f97a4db6c8a9'
750 Query create database `d21193485464f97a4db6c8a9` /*!40101 default charset=utf8 */
750 Query drop database if exists `d21193485464f97a4db6c8a9`
750 Query drop database if exists `d21193485464f97a4db6c8a9`