I have some hacker connecting to a database. I am trying to find out how he does this. In the mysql general log, I have detected that when I connect normally from the php pages, the log saves this:

111111 Connect user@localhost on
111111 Init DB dbname

But when this hacker connects, it opens his own connection and saves like this:

222222 Connect user@localhost on dbname

All in one step, not Init DB.

Does this give any hint as to the method he is using to connect? I have been searching and I don't find information about this. Any help will be greatly appreciated.

After he connects, he does show databases, show tables, field list, which seem automatic. Then commands space out, as if a human were typing them.

Thanks for any help.