Discussion:
Can a computer be hacked using MySQL???
ashah
2011-11-28 12:04:17 UTC
Hi,

I am really a new person using MySQL. We are working on a project
using MySQL and Visual Basic and writing code to make GUI in Excel
using Visual Basic and getting data from connecting to MySQL.

We were also sharing the files in which we had written the code. The
file had all the information relating to connecting to MySQL database.
i.e. Password etc.

A few minutes later I saw that my mouse suddenly moved without me moving
it and some websites also got automatically opened.

What could have happened?
1) Could someone have hacked into my computer using MySQL if they know
my password and IP address?

2) Can there be any malicious code written in macro in excel?

3) Can anyone access my desktop and play with it (like remote login)
through MySQL, if they know my password and IP address?

4) Is there a way to know if someone logged into my computer via
MySQL?

I really do not know anything about servers and other stuff.
Any help will be highly appreciated.

Please let me know what could have happened and how can I prevent it
in future.

Thanks,

Aman
www.1-script.com
2011-11-28 18:41:27 UTC
responding to
http://www.1-script.com/forums/mysql/can-a-computer-be-hacked-using-mysql-8961-.htm
Post by ashah
> What could have happened?
> 1) Could someone have hacked into my computer using MySQL if they know
> my password and IP address?
Don't ever post any real user names and passwords on the Net, that's like
a first rule of Net safety.

But even without knowing the passwords it's possible to use MySQL and
execute code on the computer that runs MySQL server. Search for "SQL
injection" - it's a pretty commonly known vulnerability. It's also pretty
easy to stop - properly escape all user input to inoculate possible
executable code they may be sending.

Anyhow, you'd need to stop sharing the passwords (and change all existing
ones!) before the input escaping can work. Otherwise they can still send
queries containing unescaped commands by avoiding your software that does
the escaping.

I'm not much of a Windows person and cannot say exactly what damage can be
done this way but if someone you don't trust is able to run commands on
your computer, all bets are off. You might as well just kill the entire
system and rebuild it from scratch.

Good luck!

-------------------------------------
--
Cheers,
Dmitri
http://www.1-script.com/
Gordon Burditt
2011-11-29 01:50:25 UTC
Post by ashah
> I am really a new person using MySQL. We are working on a project
> using MySQL and Visual Basic and writing code to make GUI in Excel
> using Visual Basic and getting data from connecting to MySQL.
> We were also sharing the files in which we had written the code. The
> file had all the information relating to connecting to MySQL database.
> i.e. Password etc.
Sharing how? Via public web pages? FTP? Email?
Post by ashah
> A few minutes later I saw that my mouse suddenly moved without me moving
> it and some websites also got automatically opened.
Logging in to a MySQL server doesn't move your mouse.
Was that *physically* moving the mouse, or just the mouse pointer moved?

If your mouse is really a touchpad, funny things can happen with
static electricity. Sometimes on my laptop, the touchpad works
funny until I touch something likely to be grounded.
Post by ashah
> What could have happened?
Static electricity? Flies? Cockroaches? Your cat? Someone tripped
over the mouse cord?
Post by ashah
> 1) Could someone have hacked into my computer using MySQL if they know
> my password and IP address?
Yes. But if you have MySQL listening only on a local socket, it's
harder, unless you've also got a web site on that machine and they
broke into that. And then, it's probably easier to just hack the
web site and forget MySQL, if the idea is to get desktop access.
Post by ashah
> 2) Can there be any malicious code written in macro in excel?
Yes.
Post by ashah
> 3) Can anyone access my desktop and play with it (like remote login)
> through MySQL, if they know my password and IP address?
There would need to be some software on your desktop to do that.
Going through MySQL is probably not nearly as easy as going through
a web server. MySQL doesn't have built-in functions like
escape-to-shell-on-server.
Post by ashah
> 4) Is there a way to know if someone logged into my computer via
> MySQL?
Did you have the log active? If they got in through the web server,
there may be problems distinguishing between YOUR queries and the
legitimate ones.
Post by ashah
> I really do not know anything about servers and other stuff.
> Any help will be highly appreciated.
> Please let me know what could have happened and how can I prevent it
> in future.
Don't share passwords. Give each person his own.
Unless there is a good reason for it, have MySQL listen only on the
local socket so it can be accessed only from other programs on the
local server.
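
The two server-side points raised in the reply above (listen only locally, and have the log active) can be checked against a MySQL option file. The Python sketch below is an added example, not part of the thread; the sample configurations are constructed, while `bind-address`, `skip-networking` and `general_log` are real MySQL server options.

```python
import configparser

# Constructed sample (not from the thread): reachable from the network, no query log.
SAMPLE_EXPOSED = """
[mysqld]
bind-address = 0.0.0.0
"""
# Constructed sample: TCP limited to loopback, general query log switched on.
SAMPLE_LOCAL = """
[mysqld]
bind_address = 127.0.0.1
general_log = 1
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def load_mysqld_options(text):
    """Return the [mysqld] options with '-' and '_' treated alike, as MySQL does."""
    # Drop !include / !includedir directives, which configparser cannot parse.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(body)
    items = cp.items("mysqld") if cp.has_section("mysqld") else []
    return {k.replace("-", "_"): v for k, v in items}

def enabled(opts, key):
    """A bare option (no value) counts as on; otherwise read 1/on/true."""
    v = opts.get(key, "0")
    return v is None or v.strip().lower() in ("1", "on", "true")

def audit(text):
    """Return a list of findings about network exposure and query logging."""
    opts = load_mysqld_options(text)
    findings = []
    bind = opts.get("bind_address")
    if not enabled(opts, "skip_networking"):  # TCP listener is active
        if bind is None:
            findings.append("bind-address not set: server default may accept remote TCP connections")
        elif bind.lower() not in LOOPBACK:
            findings.append(f"bind-address = {bind}: MySQL is reachable from other hosts")
    if not enabled(opts, "general_log"):
        findings.append("general_log is off: no record of who connected or what they ran")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("local", SAMPLE_LOCAL)):
        print(name, audit(cfg) or "no findings")
```

The general query log records every connection and statement, so it is usually switched on for an investigation rather than left on permanently.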
