
Plesk MS SQL Insecure

Discussion in 'Plesk for Windows - 8.x and Older' started by MattWHT, Feb 8, 2004.

  1. MattWHT

     
    Is the MS SQL version installed in Plesk insecure? I woke up this morning to find the machine pushing over 7 Mbits per second, and it seems from the logs that a trojan was uploaded via xp_cmdshell.
     
  2. AdamF

     
    Yes, it requires patching up. It is the old vulnerability that the Slammer worm used. You should patch MSDE to SP3 and apply a hotfix. If you are going to reinstall your box, then I would advise that you install the SP3 version of SQL Server first and then install Plesk. I had less hassle that way. BTW, make sure you install it in mixed mode.

    AdamF
     
  3. MattWHT

     
    Isn't that just stupid of Plesk? Why bother including insecure software?

    System administration practices aside, I mean any IP is regularly scanned by bots for such vulnerabilities, so despite the fact that Plesk doesn't mention MS-SQL server anywhere (it's not even in the service list - Plesk SQL server applies to MySQL), just by installing it you open your computer to remote vulnerability (e.g. myself with xp_cmdshell); a good bot will only need a few seconds.
     
  4. AdamF

     
    I agree, especially if you don't even have an MSSQL licence, like us. It is in the services list under mssqlserver. As we didn't have the licence, I didn't expect to have it installed. I tell you what, I learnt about MS BaseLine after this vulnerability.
     
  5. MattWHT

     
    I think it's MSDE (basically MS-SQL with 5 concurrent accesses), which can be distributed as far as I know, but still it seems like gross negligence on the part of Plesk to include an insecure version. Like I said, a clever bot only needs a few seconds. I definitely won't be purchasing Plesk now (probably time to move on...).
     