Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.python > #55358
| Path | csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!news.mixmin.net!eweka.nl!hq-usenetpeers.eweka.nl!xlned.com!feeder7.xlned.com!newsfeed.xs4all.nl!newsfeed3.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail |
|---|---|
| Return-Path | <ganeshsahni07@gmail.com> |
| X-Original-To | python-list@python.org |
| Delivered-To | python-list@mail.python.org |
| X-Spam-Status | OK 0.063 |
| X-Spam-Evidence | '*H*': 0.87; '*S*': 0.00; 'charset:iso-8859-7': 0.04; 'subject:password': 0.05; 'explicit': 0.07; 'subject:code': 0.07; 'http': 0.09; 'cc:addr:python-list': 0.11; '4:25': 0.16; 'blocked': 0.16; 'https': 0.16; 'localhost': 0.16; 'ravi': 0.16; 'subject: \n ': 0.16; 'subject:run': 0.16; 'wrote:': 0.18; '(not': 0.18; 'wed,': 0.18; 'server,': 0.19; '>>>': 0.22; 'cc:addr:python.org': 0.22; 'certainly': 0.24; 'necessary.': 0.24; 'server.': 0.24; 'cc:2**0': 0.24; 'cc:no real name:2**0': 0.24; 'post': 0.26; 'header:In-Reply-To:1': 0.27; 'said,': 0.30; 'message-id:@mail.gmail.com': 0.30; 'code': 0.31; "skip:' 10": 0.31; '>>>>': 0.31; "d'aprano": 0.31; 'firewall': 0.31; 'hacker': 0.31; 'steven': 0.31; 'username': 0.31; 'way?': 0.31; 'file': 0.32; 'run': 0.32; 'linux': 0.33; 'addresses': 0.33; 'subject:the': 0.34; 'except': 0.35; 'knows': 0.35; 'possible.': 0.35; 'received:google.com': 0.35; 'google': 0.35; 'there': 0.35; 'accessible': 0.36; 'possible': 0.36; 'subject:?': 0.36; 'should': 0.36; 'wrong': 0.37; 'area': 0.37; 'server': 0.38; 'thank': 0.38; 'pm,': 0.38; 'enough': 0.39; 'how': 0.40; 'subject:Can': 0.60; 'tell': 0.60; 'forum': 0.61; 'world.': 0.61; 'further': 0.61; 'kind': 0.63; 'our': 0.64; 'accounts': 0.64; 'customers': 0.66; 'close': 0.67; 'services.': 0.70; 'internet': 0.71; 'protect': 0.79; 'here)': 0.84; 'poverty': 0.84; 'secured': 0.84; 'subject:know': 0.84; 'tie': 0.84; 'to:addr:ntlworld.com': 0.84; 'absolutely': 0.87; 'suffer': 0.93; '2013': 0.98 |
| DKIM-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=o1EZGeKlALPuRpy4u3lGwQzjeqVpUUOpM7hyl5mMncI=; b=QzGpZDAErTtssG2eoD11Oq8mbxSoLDYbXAo999B59gdpACVTwHAbFrM7yGoazPNpfy uMK2IhCgFAq6RC6hnVL1lHLtkfzdG1QVjN2rmwQkj2ivsAPMelp9Baby6D7Rdhj2TgNR wplsc8QJgKVbZucBeXDbtYq3OCm0zntYfEbznfsYGIv8hEmQcqUf1a5UgmX5MlhsCwvF Y5fOPZ2ZKB//q6UQEOjm9itHlEqexX7cICrFD9V4WL5PrKQYAD+G59b7nEozI+eU7VVe 43PQt8YC5TSi9W5gkrNU+rkvvoiriD3lRqAUJCXkUF/zFUYVJ/fqZY/BYLM80UZ20xCF nnOg== |
| MIME-Version | 1.0 |
| X-Received | by 10.67.24.7 with SMTP id ie7mr3752103pad.112.1380726799655; Wed, 02 Oct 2013 08:13:19 -0700 (PDT) |
| In-Reply-To | <N9W2u.10684$eW3.6172@fx23.am4> |
| References | <l2h31g$q96$1@dont-email.me> <524c1ee6$0$29984$c3e8da3$5496439d@news.astraweb.com> <l2h7qj$gqt$2@dont-email.me> <N9W2u.10684$eW3.6172@fx23.am4> |
| Date | Wed, 2 Oct 2013 20:43:19 +0530 |
| Subject | Re: Can arbitrary code run in a server if someone's know just the MySQL password? |
| From | Ravi Sahni <ganeshsahni07@gmail.com> |
| To | Alister <alister.ware@ntlworld.com> |
| Content-Type | text/plain; charset=ISO-8859-7 |
| Content-Transfer-Encoding | quoted-printable |
| X-Mailman-Approved-At | Wed, 02 Oct 2013 18:13:12 +0200 |
| Cc | python-list@python.org |
| X-BeenThere | python-list@python.org |
| X-Mailman-Version | 2.1.15 |
| Precedence | list |
| List-Id | General discussion list for the Python programming language <python-list.python.org> |
| List-Unsubscribe | <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe> |
| List-Archive | <http://mail.python.org/pipermail/python-list/> |
| List-Post | <mailto:python-list@python.org> |
| List-Help | <mailto:python-list-request@python.org?subject=help> |
| List-Subscribe | <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.640.1380730392.18130.python-list@python.org> (permalink) |
| Lines | 53 |
| NNTP-Posting-Host | 2001:888:2000:d::a6 |
| X-Trace | 1380730392 news.xs4all.nl 15975 [2001:888:2000:d::a6]:46589 |
| X-Complaints-To | abuse@xs4all.nl |
| Xref | csiph.com comp.lang.python:55358 |
Show key headers only | View raw
On Wed, Oct 2, 2013 at 8:04 PM, Alister <alister.ware@ntlworld.com> wrote: > On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote: > >> Στις 2/10/2013 4:25 μμ, ο/η Steven D'Aprano έγραψε: >>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote: >>> >>>> Is it possible for someone that knows the MYSQL password of a server >>>> to run arbitrary code on a linux server? >>> >>> Yes, it is possible. >> >> Is that what might have happened and someone managed to upload the .html >> file in '~/home/nikos/www/' ? >> >> Can you think of any other way? > > > There are many other ways (i am not a hacker so i would not know whre to > start) > Against my better judgement I am going to give some advise (more to > protect your customers than you) > > 1) tie down access to your server, nothing should be accessable from the > internet unless absolutly necessary. > certainly your database should not be accessible and this should be > blocked in multiple ways (protection in depth) > > you should close down any un-necessary services. > shut your firewall to all trafffix except http & https (ports 80 ,443) > unless absolutely necessary. > set your database accounts to only allow log in from localhost & and any > explicit IP addresses that must have access > > & please google for further advise on server security & post questions in > a suitable forum (not here) > > as many have said, security is not our area of expertise & this is the > wrong place to ask. > > when correctly secured knowing your username & password should not be > enough to allow access to your server. Thank you Alister for ansering the needs of needy persons. I am also needy. Please be kind to me as well: There is poverty and injustice in the world. Why?? I NEED to know People suffer and die. How come? I MUST know And there are morons... Why?? PLEASE TELL -- Ravi
Back to comp.lang.python | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 15:20 +0300
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Antoon Pardon <antoon.pardon@rece.vub.ac.be> - 2013-10-02 14:37 +0200
Re: Can arbitrary code run in a server if someone's know just the MySQL password? feedthetroll@gmx.de - 2013-10-02 05:38 -0700
Re: Killing threads with TB (was: Can arbitrary code run in a server if someone's know just the MySQL password?) Tim Chase <python.list@tim.thechases.com> - 2013-10-02 08:21 -0500
Re: Killing threads with TB Terry Reedy <tjreedy@udel.edu> - 2013-10-02 18:34 -0400
Re: Killing threads with TB Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-10-02 23:48 +0100
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-10-02 13:25 +0000
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 16:41 +0300
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ned Batchelder <ned@nedbatchelder.com> - 2013-10-02 09:58 -0400
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 17:46 +0300
Re: Can arbitrary code run in a server if someone's know just the MySQL password? ishish <ishish@domhain.de> - 2013-10-02 15:55 +0100
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ned Batchelder <ned@nedbatchelder.com> - 2013-10-02 11:15 -0400
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Denis McMahon <denismfmcmahon@gmail.com> - 2013-10-02 16:02 +0000
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ethan Furman <ethan@stoneleaf.us> - 2013-10-02 09:59 -0700
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Alister <alister.ware@ntlworld.com> - 2013-10-02 14:34 +0000
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ravi Sahni <ganeshsahni07@gmail.com> - 2013-10-02 20:43 +0530
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος Ακεξόπουλος <nikos.gr33k@gmail.com> - 2013-10-02 20:06 +0300
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-10-02 17:39 +0000
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος Αλεξόπουλος <nikos.gr33k@gmail.com> - 2013-10-02 21:02 +0300
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-10-02 20:02 -0400
Re: Can arbitrary code run in a server if someone's know just the MySQL password? Tony the Tiger <tony@tiger.invalid> - 2013-10-04 15:19 -0500
csiph-web