On Wed, 02 Oct 2013 16:41:40 +0300, Νίκος wrote:

> On 2/10/2013 4:25 PM, Steven D'Aprano wrote:
>> On Wed, 02 Oct 2013 15:20:00 +0300, Νίκος wrote:
>>
>>> Is it possible for someone that knows the MYSQL password of a server
>>> to run arbitrary code on a linux server?
>>
>> Yes, it is possible.
>
> Is that what might have happened and someone managed to upload the .html
> file in '~/home/nikos/www/' ?
>
> Can you think of any other way?

There are many other ways (I am not a hacker so I would not know where to
start).

Against my better judgement I am going to give some advice (more to protect
your customers than you).

1) Tie down access to your server; nothing should be accessible from the
internet unless absolutely necessary. Certainly your database should not be
accessible, and this should be blocked in multiple ways (protection in
depth). You should close down any unnecessary services. Shut your firewall
to all traffic except http & https (ports 80, 443) unless absolutely
necessary. Set your database accounts to only allow log in from localhost
and any explicit IP addresses that must have access.

Please google for further advice on server security & post questions in a
suitable forum (not here). As many have said, security is not our area of
expertise & this is the wrong place to ask.

When correctly secured, knowing your username & password should not be
enough to allow access to your server.

--
I'm not under the alkafluence of inkahol that some thinkle peep I am.
It's just the drunker I sit here the longer I get.
--
https://mail.python.org/mailman/listinfo/python-list
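
Added example, not part of the original post: a small audit of the two checks the reply recommends, flagging listeners reachable off-host on ports other than 80/443 and database accounts that accept logins from hosts other than localhost or an explicit allowed IP. The sample `ss -ltnH` output, the account rows, the allowed IP and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed `ss -ltnH` output and `SELECT user, host FROM mysql.user` rows.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 [::1]:631 [::]:*
"""
SAMPLE_ACCOUNTS = [("root", "localhost"), ("app", "127.0.0.1"),
                   ("report", "203.0.113.10"), ("web", "%")]
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_loopback(addr):
    """True only for an address on the loopback interface."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False  # "*" or an unparsable value counts as exposed


def exposed_listeners(ss_output, allowed_ports=(80, 443)):
    """Return (address, port) pairs reachable off-host on unapproved ports."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        if (port.isdigit() and int(port) not in allowed_ports
                and not is_loopback(addr)):
            findings.append((addr, int(port)))
    return findings


def remote_db_accounts(accounts, allowed_ips=()):
    """Return accounts whose host is neither local nor an explicitly allowed IP."""
    return [(u, h) for u, h in accounts
            if h not in LOCAL_HOSTS and h not in allowed_ips]


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"listener exposed beyond ports 80/443: {addr}:{port}")
    for user, host in remote_db_accounts(SAMPLE_ACCOUNTS, {"203.0.113.10"}):
        print(f"database account allows remote login: {user}@{host}")
```

A listener that must stay reachable, such as SSH, is passed in through `allowed_ports` rather than silently ignored, so every exception to the 80/443 rule is written down.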