Can arbitrary code run in a server if someone's know just the MySQL password?

[Ravi Sahni]

On Wed, Oct 2, 2013 at 8:04 PM, Alister <alister.ware at ntlworld.com> wrote:
> On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
>
>> Στις 2/10/2013 4:25 μμ, ο/η Steven D'Aprano έγραψε:
>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>>
>>>> Is it possible for someone that knows the MYSQL password of a server
>>>> to run arbitrary code on a linux server?
>>>
>>> Yes, it is possible.
>>
>> Is that what might have happened and someone managed to upload the .html
>> file in '~/home/nikos/www/' ?
>>
>> Can you think of any other way?
>
>
> There are many other ways (i am not a hacker so i would not know whre to
> start)
> Against my better judgement I am going to give some advise (more to
> protect your customers than you)
>
> 1) tie down access to your server, nothing should be accessable from the
> internet unless absolutly necessary.
> certainly your database should not be accessible and this should be
> blocked in multiple ways (protection in depth)
>
> you should close down any un-necessary services.
> shut your firewall to all trafffix except http & https (ports 80 ,443)
> unless absolutely necessary.
> set your database accounts to only allow log in from localhost & and any
> explicit IP addresses that must have access
>
> & please google for further advise on server security & post questions in
> a suitable forum (not here)
>
> as many have said, security is not our area of expertise & this is the
> wrong place to ask.
>
> when correctly secured knowing your username & password should not be
> enough to allow access to your server.


Thank you Alister for ansering the needs of needy persons.
I am also needy. Please be kind to me as well:

There is poverty and injustice in the world. Why?? I NEED to know
People suffer and die. How come? I MUST know
And there are morons... Why?? PLEASE TELL

-- 
Ravi