Can arbitrary code run on a server if someone knows just the MySQL password?

Alister alister.ware at ntlworld.com
Wed Oct 2 10:34:21 EDT 2013


On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:

> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>
>>> Is it possible for someone that knows the MYSQL password of a server
>>> to run arbitrary code on a linux server?
>>
>> Yes, it is possible.
> 
> Is that what might have happened and someone managed to upload the .html
> file in '~/home/nikos/www/' ?
> 
> Can you think of any other way?


There are many other ways (I am not a hacker so I would not know where to 
start).
Against my better judgement I am going to give some advice (more to 
protect your customers than you):

1) Tie down access to your server: nothing should be accessible from the 
internet unless absolutely necessary.
Certainly your database should not be accessible, and this should be 
blocked in multiple ways (protection in depth).

You should close down any unnecessary services.
Shut your firewall to all traffic except http & https (ports 80, 443) 
unless absolutely necessary.
Set your database accounts to only allow login from localhost & any 
explicit IP addresses that must have access.

& please google for further advice on server security & post questions in 
a suitable forum (not here).

As many have said, security is not our area of expertise & this is the 
wrong place to ask.

When correctly secured, knowing your username & password should not be 
enough to allow access to your server.


-- 
I'm not under the alkafluence of inkahol
that some thinkle peep I am.
It's just the drunker I sit here the longer I get.
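The two database-side points in the advice above (accounts that may only log in from localhost or an explicitly listed address, and a server that is not reachable from the internet at all) can be checked mechanically. The following audit script is an added example for this thread, not code from the original post or from MySQL itself. It assumes the account list is the tab-separated output of `mysql --batch -e "SELECT user, host FROM mysql.user"` and that my.cnf is INI-style; the account rows, the two my.cnf fragments and the allow-listed address 10.0.0.5 are constructed sample data. It generalises slightly beyond the post by also emitting the RENAME USER / DROP USER statements that narrow each offending account to localhost, and by treating `skip-networking` as equivalent to a loopback bind address.

```python
"""Audit MySQL account host restrictions and the server's bind address.

Added example: assumes `mysql --batch` output for the account list and an
INI-style my.cnf. All sample data below is constructed, not from the thread.
"""
import configparser

# Hosts that only ever match the server itself.
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})

# Constructed sample of `mysql --batch -e "SELECT user, host FROM mysql.user"`
# output: a header row, then tab-separated rows. Not real data.
SAMPLE_USER_TABLE = """\
user\thost
root\tlocalhost
root\t%
nikos\t%
nikos\t192.168.1.%
backup\t10.0.0.5
webapp\tlocalhost
"""

# Constructed my.cnf fragments: the exposed setting beside the corrected one.
MYCNF_EXPOSED = "[mysqld]\nbind-address = 0.0.0.0\n"
MYCNF_LOCAL = "[mysqld]\nbind-address = 127.0.0.1\n"


def parse_user_table(text):
    """Turn `mysql --batch` output into (user, host) pairs, skipping the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        user, host = line.split("\t", 1)
        rows.append((user, host))
    return rows


def is_wildcard_host(host):
    """MySQL host patterns use '%' and '_' like LIKE; an empty host means '%'."""
    return host == "" or "%" in host or "_" in host


def find_remote_accounts(rows, allowed_hosts=frozenset()):
    """Accounts that can log in from somewhere other than localhost or an
    explicitly allowed address, each tagged 'wildcard' or 'remote'."""
    findings = []
    for user, host in rows:
        if host in LOCAL_HOSTS or host in allowed_hosts:
            continue
        kind = "wildcard" if is_wildcard_host(host) else "remote"
        findings.append((user, host, kind))
    return findings


def sql_quote(s):
    """Quote a MySQL string literal, doubling embedded single quotes."""
    return "'" + s.replace("'", "''") + "'"


def remediation_sql(rows, findings):
    """SQL that narrows each finding to localhost.

    RENAME USER keeps the password and grants and changes only the host part.
    If 'user'@'localhost' already exists (or was created by an earlier rename)
    the extra account is dropped instead, since the rename would fail on the
    duplicate. Fixed remote hosts that were not allow-listed are dropped so
    they have to be re-granted deliberately.
    """
    has_local = {user for user, host in rows if host == "localhost"}
    stmts = []
    for user, host, kind in findings:
        if kind == "wildcard" and user not in has_local:
            stmts.append(f"RENAME USER {sql_quote(user)}@{sql_quote(host)} "
                         f"TO {sql_quote(user)}@'localhost';")
            has_local.add(user)
        else:
            stmts.append(f"DROP USER {sql_quote(user)}@{sql_quote(host)};")
    stmts.append("FLUSH PRIVILEGES;")
    return stmts


def listens_locally_only(mycnf_text):
    """True if [mysqld] binds to a loopback address or disables TCP entirely."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False)
    cp.read_string(mycnf_text)
    if not cp.has_section("mysqld"):
        return False
    if cp.has_option("mysqld", "skip-networking"):
        return True
    value = cp.get("mysqld", "bind-address", fallback=None)
    return value is not None and value.strip() in LOCAL_HOSTS


if __name__ == "__main__":
    rows = parse_user_table(SAMPLE_USER_TABLE)
    findings = find_remote_accounts(rows, allowed_hosts=frozenset({"10.0.0.5"}))
    for user, host, kind in findings:
        print(f"{kind:8s} {user}@{host}")
    print("\n".join(remediation_sql(rows, findings)))
    print("bind-address local only:", listens_locally_only(MYCNF_EXPOSED))
```

Run it against your real `mysql --batch` output and my.cnf, review the generated statements before executing them (a DROP USER on an account an application still uses will take that application down), and remember this only covers the database layer; the firewall rule restricting inbound traffic to ports 80 and 443 still has to be applied separately.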


