Re: Shell Shocking

2001-02-13 Thread clay bond



On Tue, 13 Feb 2001, Donald Korth wrote:

> The hosting company has given me a user name and passwd. When I log into my own
> site thro' a telnet session I'm able to view all the databases created in the server,
> that includes DBs not created by me. I also did a "USE DB" command to connect to a
> DB that wasn't mine. Also "Show tables" faithfully listed all the tables in the DB.
> I even was able to run a "SELECT" on a login table to list all the user names
> and passwords listed with the company.
> What do I make of it? An admin lapse or an inherent limitation of MySQL, as the
> support guy makes it out? But the latter is hard to believe.
> Any suggestions on how to make my DB invisible on other Logins?
> Any help will be deeply appreciated.

If your db is anywhere near critical, I would change
to an ISP with a competent DBA, if I were you.

--
 /"\
 \ /ASCII RIBBON CAMPAIGN
  X AGAINST HTML EMAIL
 / \AND POSTINGS



Re: Shell Shocking

2001-02-13 Thread Mikel King

Problem is that most ISPs can't afford a competent DBA...;(

clay bond wrote:

> On Tue, 13 Feb 2001, Donald Korth wrote:
>
> > The hosting company has given me a user name and passwd. When I log into my own
> > site thro' a telnet session I'm able to view all the databases created in the server,
> > that includes DBs not created by me. I also did a "USE DB" command to connect to a
> > DB that wasn't mine. Also "Show tables" faithfully listed all the tables in the DB.
> > I even was able to run a "SELECT" on a login table to list all the user names
> > and passwords listed with the company.
> > What do I make of it? An admin lapse or an inherent limitation of MySQL, as the
> > support guy makes it out? But the latter is hard to believe.
> > Any suggestions on how to make my DB invisible on other Logins?
> > Any help will be deeply appreciated.
>
> If your db is anywhere near critical, I would change
> to an ISP with a competent DBA, if I were you.



-
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/   (the list archive)

To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php




Re: Shell Shocking

2001-02-13 Thread Mikel King

Absolutely, this is nothing short of bad admining. I bet you could scag in their
passwd file and have root access in short order...;( And of course the ISP will blame
mysql if anything happens to them though...lazy bad ISP

cheers,
mikel

Donald Korth wrote:

> Hello
>
> The hosting company has given me a user name and passwd. When I log into my own
> site thro' a telnet session I'm able to view all the databases created in the server,
> that includes DBs not created by me. I also did a "USE DB" command to connect to a
> DB that wasn't mine. Also "Show tables" faithfully listed all the tables in the DB.
> I even was able to run a "SELECT" on a login table to list all the user names
> and passwords listed with the company.
> What do I make of it? An admin lapse or an inherent limitation of MySQL, as the
> support guy makes it out? But the latter is hard to believe.
> Any suggestions on how to make my DB invisible on other Logins?
> Any help will be deeply appreciated.
> Regards
> Donald






Re: Shell Shocking

2001-02-13 Thread Rolf Hopkins

What you have just described means that database permissions have not been
set up correctly and your ISP has left himself wide open for all kinds of
attacks, and I'm not just talking about attacks on the database itself but
also attacks on the whole system, i.e. access to Unix root, DOS, etc.

Read the security section of the manual, it will give you some idea of how
it is done.  I would say your ISP is one of these dotcom companies that are
out for a few quick bucks and don't know what they are really doing.

Cheers

Rolf

- Original Message -
From: "Mikel King" [EMAIL PROTECTED]
To: "clay bond" [EMAIL PROTECTED]
Cc: "mysql@lists.mysql.com" [EMAIL PROTECTED]
Sent: Tuesday, February 13, 2001 21:18
Subject: Re: Shell Shocking


> Problem is that most ISPs can't afford a competent DBA...;(
>
> clay bond wrote:
>
> > On Tue, 13 Feb 2001, Donald Korth wrote:
> >
> > > The hosting company has given me a user name and passwd. When I log
> > > into my own site thro' a telnet session I'm able to view all the databases
> > > created in the server, that includes DBs not created by me. I also did a
> > > "USE DB" command to connect to a DB that wasn't mine. Also "Show tables"
> > > faithfully listed all the tables in the DB. I even was able to run a
> > > "SELECT" on a login table to list all the user names and passwords
> > > listed with the company.
> > > What do I make of it? An admin lapse or an inherent limitation of
> > > MySQL, as the support guy makes it out? But the latter is hard to believe.
> > > Any suggestions on how to make my DB invisible on other Logins?
> > > Any help will be deeply appreciated.
> >
> > If your db is anywhere near critical, I would change
> > to an ISP with a competent DBA, if I were you.
 








Re: Shell Shocking

2001-02-13 Thread Van

Rolf Hopkins wrote:
>
> What you have just described means that database permissions have not been
> set up correctly and your ISP has left himself wide open for all kinds of
> attacks, and I'm not just talking about attacks on the database itself but
> also attacks on the whole system, i.e. access to Unix root, DOS, etc.
>
> Read the security section of the manual, it will give you some idea of how
> it is done. I would say your ISP is one of these dotcom companies that are
> out for a few quick bucks and don't know what they are really doing.
>
> Cheers
>
> > clay bond wrote:
> >
> > > On Tue, 13 Feb 2001, Donald Korth wrote:
> > >
> > > > The hosting company has given me a user name and passwd. When I log
> > > > into my own site thro' a telnet session I'm able to view all the databases
> > > > created in the server, that includes DBs not created by me. I also did a
> > > > "USE DB" command to connect to a DB that wasn't mine. Also "Show tables"
> > > > faithfully listed all the tables in the DB. I even was able to run a
> > > > "SELECT" on a login table to list all the user names and passwords
> > > > listed with the company.
> > > > What do I make of it? An admin lapse or an inherent limitation of
> > > > MySQL as the support guy makes it out? But the latter is hard to believe.
> > > > Any suggestions on how to make my DB invisible on other Logins?
> > > > Any help will be deeply appreciated.
> > >
> > > If your db is anywhere near critical, I would change
> > > to an ISP with a competent DBA, if I were you.
> > >

Go into the mysql db and do the following:
-- Global (user table) row: the account may connect from localhost but holds no
-- privileges on any database
INSERT INTO user (Host, User, Password, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
File_priv, Grant_priv, References_priv, Index_priv, Alter_priv) VALUES
('localhost', 'myuser', PASSWORD('secret'), 'n', 'n', 'n', 'n', 'n', 'n', 'n',
'n', 'n', 'n', 'n', 'n', 'n', 'n');

-- Per-database (db table) row: full rights on mydb and nothing else. 'host' is
-- matched against the client's connecting host, like Host in the user row.
INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv,
Alter_priv) VALUES ('host', 'mydb', 'myuser', 'y', 'y', 'y', 'y', 'y', 'y', 'y',
'y', 'y', 'y');

Then, mysqladmin reload (direct edits to the grant tables are not picked up
until the server reloads them).

Then, tell someone there to do the following:
mysql mysql -e 'select * from user;'
mysql mysql -e 'select * from db;'

And, ensure all permissions for all users are set according to what you've set
up for myuser on mydb, with the exception of their admin account. Tell them to set
the root password, also.

Hope that helps.

Van
-- 
=
Linux rocks!!!   http://www.dedserius.com
=
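As an added illustration (not from the thread, and not Van's code): the same isolation expressed with GRANT statements, which is how you would set it up and audit it on a current MySQL rather than editing the grant tables by hand. The account, schema and password names are placeholders.

```sql
-- Weak setting the thread describes: a hosting account with a global SELECT
-- grant can USE and read every schema on the server, other customers' included.
CREATE USER 'hosting_user'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT ON *.* TO 'hosting_user'@'localhost';   -- *.* is the problem

-- Corrected: no global privileges (the account keeps only USAGE, i.e. the right
-- to connect), full rights on its own schema only. With no global privilege,
-- SHOW DATABASES lists only schemas the account holds some privilege on.
REVOKE SELECT ON *.* FROM 'hosting_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER
    ON app_db.* TO 'hosting_user'@'localhost';
-- GRANT/REVOKE take effect immediately; no mysqladmin reload is needed.

-- Audit, the equivalent of Van's "select * from user": every account that holds
-- any global privilege. Anything besides the administrator's own account here
-- reproduces the situation Donald ran into.
SELECT User, Host
  FROM mysql.user
 WHERE Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
    OR Delete_priv = 'Y' OR File_priv   = 'Y' OR Grant_priv  = 'Y'
    OR Super_priv  = 'Y';

-- Anonymous accounts (empty User) are the other classic hosting misconfiguration.
SELECT User, Host FROM mysql.user WHERE User = '';

-- Per-account view of the effective grants, the equivalent of "select * from db".
SHOW GRANTS FOR 'hosting_user'@'localhost';
```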





Shell Shocking

2001-02-12 Thread Donald Korth

Hello

The hosting company has given me a user name and passwd. When I log into my own site
thro' a telnet session I'm able to view all the databases created in the server, that
includes DBs not created by me. I also did a "USE DB" command to connect to a DB
that wasn't mine. Also "Show tables" faithfully listed all the tables in the DB. I
even was able to run a "SELECT" on a login table to list all the user names
and passwords listed with the company.
What do I make of it? An admin lapse or an inherent limitation of MySQL, as the
support guy makes it out? But the latter is hard to believe.
Any suggestions on how to make my DB invisible on other Logins?
Any help will be deeply appreciated.
Regards
Donald



Re: Shell Shocking

2001-02-12 Thread Colin Faber

Donald,

Poor administration of the server or incorrect privileges assigned to your user 
account.


Donald Korth wrote:

> Hello
>
> The hosting company has given me a user name and passwd. When I log into my own
> site thro' a telnet session I'm able to view all the databases created in the server,
> that includes DBs not created by me. I also did a "USE DB" command to connect to a
> DB that wasn't mine. Also "Show tables" faithfully listed all the tables in the DB.
> I even was able to run a "SELECT" on a login table to list all the user names
> and passwords listed with the company.
> What do I make of it? An admin lapse or an inherent limitation of MySQL, as the
> support guy makes it out? But the latter is hard to believe.
> Any suggestions on how to make my DB invisible on other Logins?
> Any help will be deeply appreciated.
> Regards
> Donald

