From: Maurits v. R. <m.v...@ze...> - 2015-12-21 11:54:12

On 21/12/15 at 10:37, Sven-Erik Tiberg wrote:
> Hi
>
> Have a fear that someone hacked into my plone 3.4 server and changed
> f.ex. Admin pwd.
>
> Can be an earlier 3.n version, it’s been running so smooth for years
> that I haven’t upgraded it or had to admin it in any way.
>
> Any tips on how to set the admin pwd again?
>
> Or should I upgrade it. Any tips.

Plone 3.4 does not exist. Latest Plone 3 version is 3.3.6. Latest Plone version is currently 5.0, so Plone 3 is old. And it no longer officially gets security hotfixes. But I still have several Plone 3 sites running.

If you no longer have the admin password, you can create a new Manager account from the command line. If you normally start your zope site with 'bin/zeoclient start' you can add a user with:

    bin/zeoclient adduser newusername newpassword

Note that in Plone 3 you get no indication of whether this has succeeded or not. If a user with this name already exists, Plone silently ignores the request.

With this account you can then log in to the ZMI (Zope Management Interface). You should log in at the Zope root, so one level above the Plone Site. You may need to use ssh port forwarding to get there on the server. Also, if you have followed the instructions from an earlier Plone security hotfix, you may have disallowed any access to the ZMI directly, except through ssh port forwarding.

If your Plone Site is at http://localhost:8080/Plone then you should log in at http://localhost:8080/manage with your new account. Then navigate to acl_users and there, if you wish, you can set the password for the old account.

Of course if someone really has changed the admin password, he may have created other users with Manager rights, so you may want to verify that there are no unexpected users.

-- 
Maurits van Rees: http://maurits.vanrees.org/
Zest Software: http://zestsoftware.nl