An attacker exploited a SQL injection or buffer overflow flaw in Apache+PHP+MySQL (which they have no idea about), installed a Java based coin miner (gross, I know), and deleted /var/log to cover up their tracks. But it was Col. Kernel that killed MySQL for using up too much memory. Ruby is just there because of some obscure distro dependency nobody uses.
My guess:
spoiler
An attacker exploited a SQL injection or buffer overflow flaw in Apache+PHP+MySQL (which they have no idea about), installed a Java based coin miner (gross, I know), and deleted /var/log to cover up their tracks. But it was Col. Kernel that killed MySQL for using up too much memory. Ruby is just there because of some obscure distro dependency nobody uses.