
Forgot password procedure

EricVis

Basic Pleskian
I tested forgot password functionality and what I've seen scared me really bad... Plesk stores admin password in plain text.. again..???!?!?!?!?!?!
/usr/local/psa/bin/admin --show-password
this command in ssh shows current plesk admin password
 
Plesk doesn't store admin password in plain text. However it can retrieve admin password by request of root(!) user, as many-many hosting companies yet depend on it.
 

it stores the password in a way that it can be retrieved back, that is VERY insecure and allows an attacker to get the admin password, why is this password not stored as a hash??
it is almost impossible to detect hijacking of the plesk admin password even after all other components have been cleaned

just FYI plesk admins can go through the reset password procedure instead of displaying the password using a simple command...
didn't Darkleech prove the plesk team wrong already? and you leave another potential hole open?
that's how I see it..
 
If you were watching Plesk 11.0 launch process, you would know '--show-password' wasn't available originally.
So apparently there were reasons to make us change the original decision.

Anyway, you can suggest eliminating '--show-password' at plesk.uservoice.com
 
Eric,

Basically, if the bad guys have root access to your server then they already own it, and it really doesn't matter that they can then get easy access to your Plesk admin password. Even if that wasn't possible they would be able to change it to anything they wanted and would therefore know it.

Or even if all of that was prevented, they could cause a password reminder/reset email to be sent. And if that was just a link (no plaintext password) they could intercept the email, even if it was to an external address, and follow the link.

There's no way to win here. If they have root they have everything.
 
in most cases yes.. but for example Darkleech was trying not to be detected, the only way to detect this infection was to monitor file modifications, then the Apache module modification would trigger a warning

these days attacks are focused on getting access to the server, and plesk admin is next on the most wanted user list after root

so let's say they get to root, they stay quiet but get your plesk admin password - this kind of silent attack can stay undetected for a long time... this is the scenario I'm worrying about
 
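The detection the thread keeps coming back to is file-modification monitoring of things like the Apache modules directory. The following is an added example (not Plesk's code and not from any poster): a minimal baseline-and-compare integrity check that hashes every regular file under a directory and reports additions, removals and content changes; the `demo()` function builds a constructed temporary tree standing in for a modules directory, so the real paths (e.g. the Apache modules directory or /usr/local/psa/bin) are assumptions you substitute yourself.

```python
"""Baseline-and-compare file integrity check (added example, not Plesk code).

Real targets such as the Apache modules directory are assumptions; demo()
builds its own constructed tree in a temporary directory so it runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree is not hashed.
    """
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[str(path.relative_to(root))] = digest
    return result


def diff_snapshots(baseline, current):
    """Report files added, removed, or whose content hash changed since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a module is replaced and one is dropped in after baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp) / "modules"
        mods.mkdir()
        (mods / "mod_ssl.so").write_bytes(b"original module bytes")
        (mods / "mod_rewrite.so").write_bytes(b"rewrite module bytes")
        baseline = snapshot(tmp)  # would be taken on a known-clean install
        # Silent tampering: same file name, different content, plus a new module
        (mods / "mod_ssl.so").write_bytes(b"tampered module bytes")
        (mods / "mod_evil.so").write_bytes(b"new unexpected module")
        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Because a root-level intruder can rewrite the baseline as easily as the files, keep the baseline off-host (or at least compare against a copy the server cannot write to) for the report to mean anything.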