From: Ravi Sahni
To: Alister
Cc: python-list@python.org
Newsgroups: comp.lang.python
Date: Wed, 2 Oct 2013 20:43:19 +0530
Subject: Re: Can arbitrary code run in a server if someone's know just the MySQL password?
References: <524c1ee6$0$29984$c3e8da3$5496439d@news.astraweb.com>

On Wed, Oct 2, 2013 at 8:04 PM, Alister wrote:
> On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:
>
>> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>>
>>>> Is it possible for someone that knows the MYSQL password of a server
>>>> to run arbitrary code on a linux server?
>>>
>>> Yes, it is possible.
>>
>> Is that what might have happened and someone managed to upload the .html
>> file in '~/home/nikos/www/' ?
>>
>> Can you think of any other way?
>
> There are many other ways (I am not a hacker so I would not know where to
> start).
> Against my better judgement I am going to give some advice (more to
> protect your customers than you).
>
> 1) Tie down access to your server; nothing should be accessible from the
> internet unless absolutely necessary.
> Certainly your database should not be accessible, and this should be
> blocked in multiple ways (protection in depth).
>
> You should close down any unnecessary services.
> Shut your firewall to all traffic except http & https (ports 80, 443)
> unless absolutely necessary.
> Set your database accounts to only allow log in from localhost & any
> explicit IP addresses that must have access.
>
> & please google for further advice on server security & post questions in
> a suitable forum (not here).
>
> As many have said, security is not our area of expertise & this is the
> wrong place to ask.
>
> When correctly secured, knowing your username & password should not be
> enough to allow access to your server.

Thank you Alister for answering the needs of needy persons.
I am also needy. Please be kind to me as well:

There is poverty and injustice in the world. Why?? I NEED to know
People suffer and die. How come? I MUST know
And there are morons... Why?? PLEASE TELL

--
Ravi
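Alister's point about database accounts that "only allow log in from localhost & any explicit IP addresses that must have access", shown as MySQL account definitions with the weak setting beside the corrected one. This is an added example, not code from the thread or from anyone posting in it; the account name `webapp`, the schema name `shopdb`, the password placeholder and the address 192.0.2.10 (a documentation-range address standing in for one trusted host) are all assumptions.

```sql
-- Added example (not from the thread): MySQL account host restrictions.
-- Assumed names: 'webapp' (account), 'shopdb' (schema the application uses),
-- 192.0.2.10 (placeholder for the one remote host that genuinely needs access).

-- Weak: the host part '%' lets any machine that can reach port 3306 log in
-- once it knows the password, so the password alone is the whole defence.
CREATE USER 'webapp'@'%' IDENTIFIED BY 'replace-with-a-real-password';
GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%';

-- Corrected: drop the wildcard account, then recreate it bound to localhost
-- and to the single explicit address that must have access, with privileges
-- limited to the one schema the application actually needs.
DROP USER 'webapp'@'%';

CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'replace-with-a-real-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'webapp'@'localhost';

CREATE USER 'webapp'@'192.0.2.10' IDENTIFIED BY 'replace-with-a-real-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'webapp'@'192.0.2.10';

-- Audit check: list every account whose host part is empty or still contains
-- a '%' wildcard (backslash escapes the literal percent sign in LIKE).
-- After the changes above this query should return no rows.
SELECT user, host
FROM mysql.user
WHERE host = '' OR host LIKE '%\%%';

-- Confirm the surviving accounts carry only the narrowed grants.
SHOW GRANTS FOR 'webapp'@'localhost';
SHOW GRANTS FOR 'webapp'@'192.0.2.10';
```

The account restriction is one of the "multiple ways" Alister asks for, not the only one: if no remote host needs the database at all, setting `bind-address = 127.0.0.1` in the server's `my.cnf` keeps MySQL off the network entirely, and the host firewall that admits only ports 80 and 443 from the internet blocks port 3306 independently of either setting.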