Security Basics mailing list archives

RE: System Hacked From MySQL Insecurities


From: "Saint Anthony" <saintpatrick () xasamail com>
Date: Fri, 7 Jan 2005 05:13:28 +0100

It is entirely possible to hack your system via MySQL. MySQL runs with root or system permissions? Can we get a CMD from a well-crafted query?

Not to mention that many people reuse passwords, not that you do.

It's a world of possibilities.

-Anthony Towry
 Student 

-----Original Message-----
From: Kalpin Erlangga Silaen [mailto:kalpin () solonet co id]
Sent: Wednesday, January 05, 2005 7:03 PM
To: security-basics () lists securityfocus com
Subject: System Hacked from MySQL Insecurities

Dear all,

Several days ago, someone hacked my test box using the latest FreeBSD.
He explained that he rooted my box because he knows my root MySQL password.
Is it possible to hack a system via MySQL? Or did he just trick me and try to hide
his way? I am using MySQL 4.0.18 for FreeBSD.
My system details:

OS: FreeBSD 5.1
MySQL version: 4.0.18
Port : 3306

I opened port 3306 from the Internet, so people can use this if they have
access/username to MySQL.

Thank you.


--
---
Kalpin Erlangga Silaen
mailto: kalpin () solonet co id
URL: http://www.warningnews.com
YM: kalpinus
MSN: kalpinus
IRC: mesra.dal.net nick Kalpin
