Can arbitrary code run in a server if someone knows just the MySQL password?

Νίκος Ακεξόπουλος nikos.gr33k at gmail.com
Wed Oct 2 13:06:24 EDT 2013


On 2/10/2013 6:13 PM, Ravi Sahni wrote:
> On Wed, Oct 2, 2013 at 8:04 PM, Alister <alister.ware at ntlworld.com> wrote:
>> On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
>>
>>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>>>
>>>>> Is it possible for someone that knows the MYSQL password of a server
>>>>> to run arbitrary code on a linux server?
>>>>
>>>> Yes, it is possible.
>>>
>>> Is that what might have happened and someone managed to upload the .html
>>> file in '~/home/nikos/www/' ?
>>>
>>> Can you think of any other way?
>>
>>
>> There are many other ways (I am not a hacker so I would not know where to
>> start)
>> Against my better judgement I am going to give some advice (more to
>> protect your customers than you)
>>
>> 1) tie down access to your server, nothing should be accessible from the
>> internet unless absolutely necessary.
>> certainly your database should not be accessible and this should be
>> blocked in multiple ways (protection in depth)
>>
>> you should close down any unnecessary services.
>> shut your firewall to all traffic except http & https (ports 80, 443)
>> unless absolutely necessary.
>> set your database accounts to only allow log in from localhost & any
>> explicit IP addresses that must have access
>>
>> & please google for further advice on server security & post questions in
>> a suitable forum (not here)
>>
>> as many have said, security is not our area of expertise & this is the
>> wrong place to ask.
>>
>> when correctly secured knowing your username & password should not be
>> enough to allow access to your server.
>
>
> Thank you Alister for answering the needs of needy persons.
> I am also needy. Please be kind to me as well:
>
> There is poverty and injustice in the world. Why?? I NEED to know
> People suffer and die. How come? I MUST know
> And there are morons... Why?? PLEASE TELL

You are failing trying to mimic me. I have a reason when I ask because I 
did explanation for some matter.
As for morons, yes, there are lots of them in this world, including you 
trying to make fun out of this by impersonating me.

You also fail at acting as a newbie, while you are a regular here.


-- 
What is now proved was at first only imagined! & WebHost
<http://superhost.gr>
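
The account and listener restrictions listed in Alister's quoted advice can be checked mechanically. The following is an added example, not code from the thread or from any poster: the my.cnf text and the account rows are constructed samples, and the function names are hypothetical.

```python
import configparser
import ipaddress

# Constructed sample inputs (not taken from the thread).
SAMPLE_MY_CNF = "[mysqld]\nbind-address = 0.0.0.0\n"
# Rows as returned by: SELECT user, host FROM mysql.user;
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("webapp", "127.0.0.1"),
    ("nikos", "%"),
    ("backup", "192.0.2.10"),
    ("report", "192.0.2.%"),
    ("legacy", ""),
]
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def listener_status(cnf_text):
    """Classify the mysqld TCP listener: no-tcp, loopback, network or unset."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(cnf_text)
    opts = dict(cp["mysqld"]) if cp.has_section("mysqld") else {}
    if "skip-networking" in opts or "skip_networking" in opts:
        return "no-tcp"  # socket-only server, nothing to reach over TCP
    bind = opts.get("bind-address") or opts.get("bind_address")
    if bind is None:
        return "unset"  # falls back to the server default; verify it
    try:
        return "loopback" if ipaddress.ip_address(bind).is_loopback else "network"
    except ValueError:  # '*' or a host name instead of an address
        return "loopback" if bind.lower() == "localhost" else "network"

def non_explicit_accounts(rows):
    """Return accounts whose host is neither local nor one explicit address."""
    flagged = []
    for user, host in rows:
        if host.lower() in LOCAL_HOSTS:
            continue
        # A blank host and the % / _ wildcards match many clients; a netmask
        # (a.b.c.d/m.m.m.m) matches a whole range.
        if host == "" or any(ch in host for ch in "%_/"):
            flagged.append((user, host))
    return flagged

if __name__ == "__main__":
    print("listener:", listener_status(SAMPLE_MY_CNF))
    for user, host in non_explicit_accounts(SAMPLE_ACCOUNTS):
        print(f"review account {user!r}@{host!r}")
```

A "network" or "unset" listener combined with any flagged account means the password alone is enough to log in from a remote machine, which is the situation the quoted advice is meant to rule out.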
