PDA

View Full Version : Disabled Forum



Christine
08-09-2005, 11:44 AM
I got an email about a month ago about updating from phpBB2 2.0.15 to 2.0.16, which I did within a day or 2 of getting the email. I updated manually since I have a few mods and scripts that I didn't want to have to reinstall.

So this morning, I wake up to a notice from Westhost stating that my forum has been disabled since I didn't do the upgrade. What's the deal here? I downloaded the update from the phpBB2 site and everything stated that I was running 2.0.16. I submitted a Westhost support ticket this morning, but I haven't heard from anyone and it's been about 4 hours now. The ticket status was set to 'Resolved' but obviously it hasn't been since I'm posting here.

How long am I supposed to wait before I get a reply? How much longer after that will it take them to put my forum back the way it was? It isn't just my forum that's affected by their shutting it down. I have broken images & scripts all over the place.

Westhost has been great up until now, but if my site isn't back to the way it was yesterday, I'm moving to the other hosting company I use. I've had to contact support with the other host twice before, but at least they always contact me within 15-30 minutes, and I've never had an issue take longer than an hour to be resolved.

pandymic
08-09-2005, 01:46 PM
Dear Christine, our site befell the same fate last night and I promptly opened a ticket with the exact details.

I'm in a situation similar to yours. Our forum contains a number of modifications that I simply can't afford to lose with a clean install. At the same time, the modifications are so extensive that the Patch files simply won't work.

I received a response along these lines:


as far as we check, we look at the viewtopic.php, which is one of the most commonly exploited files of phpBB, and check the version information. Yours looks
like this:


* $Id: viewthread.php,v 1.186.2.35 2004/03/13 15:08:23 acydburn Exp $

This shows that last time the version was updated was back on 3/13/04, not the latest, which was last modified a few weeks ago (around July 15th I believe)

As stated in the e-mail, although I had made all of the necessary changes manually and the forum was no longer a security threat, I neglected to update the version headers in my files. When WestHost started sniffing for information about outdated forum software, ours cropped up.

I hope that information helps

Christine
08-09-2005, 01:56 PM
Thanks for the reply. I still haven't got a response from Westhost but it looks like they put my site back up. The lack of communication on their part is a real pisser.

visible soul
08-09-2005, 04:47 PM
This is inexcusable. What happened to the promotional spin that what happens on one VPS doesn't affect the others?


With Virtual Private Server (VPS Hosting), also known as Virtual Dedicated Server (VDS Hosting) technology, a web server is divided into multiple isolated environments. Each environment has its own server software providing independence for that website. Any compromise to a site would only affect that VPS and could not affect any other site on the same server. As with a dedicated server, each VPS has its own independent operating system with it's own web server, mail server and independent software instances. A crashed application (Apache, Sendmail, MySQL etc.) in another client's VPS has no effect on your VPS.

http://www.westhost.com/vps.html

I would call WH support on the phone immediately.

tvscum
08-09-2005, 08:29 PM
They took my site down two days ago, I posted a support ticket immediately and still no reply.

I upgraded to phpBB 2.0.16 and Mod Php 5.0.3 via the control panel weeks ago. After that, I upgraded to a very similar, modified version of phpBB 2.0.16 via FTP (a mod that works better with Mod Php 5.0.3).

That modified version of phpBB can be found at:
http://phpbb-php5mod.sourceforge.net/portal.php

So anyway, my site has been down for two days. No reply from tech support. And, my forum had the most recent version the whole time! It never should have been disabled in the first place! A Westhost tech "wizard" on the phone told me the administrators were too busy today dealing with a server problem to bother with customer complaints, and he didn't have the clearance to re-enable my forum folder.

It seems like Westhost should find a more fool-proof way to verify the version of phpBB before disabling the entire forum. HOW ABOUT A WARNING FIRST THAT THE SPECIFIC SITE IS GOING TO BE DISABLED! This is the first time Westhost has taken more than 15 minutes to respond to a complaint, so I hope this is not going to become the norm.

treblid
08-10-2005, 01:22 AM
From what I have been told in the past when I had my account broken into (through phpBB) at a different host using 'vps technology', and I would imagine applies here, is this:

Your account can be thought of as a prison cell. If no one watches the cell, evenetually someone, given enough time and ingenuity, will probably figure a way out. If a prisoner gets out of their cell, and the the rest of the prison (server) is unwatched, who knows what havoc could be wreaked, affecting other cell's besides your own.

Your account can also be thought of as your home. Would you want someone just walking in and start eating your food, sleeping in your bed, calling around the world on your dime? Keeping software with known vulnerabilities available on your site basically invites these unwanted guests into your home to use your resources.

So yeah, while WestHost may say that each account won't affect the another, would YOU be willing to sit on a server with accounts that are known to be broken into and being used for various things that they should not be? I know I'd rather have admin's reminding everyone to keep software up to date, especially with known security holes, than not hear anything from them and find out later that my account got broken in to because of another account that was cracked and wasn't taken care of by anyone.

torrin
08-10-2005, 08:10 AM
I know I'd rather have admin's reminding everyone to keep software up to date, especially with known security holes, than not hear anything from them and find out later that my account got broken in to because of another account that was cracked and wasn't taken care of by anyone.

Yes, but shouldn't that reminder be an E-mail stating that your forum will be shut down if you don't contact us or something. I think people are complaining about the automated nature of this. An account should not be automatically disabled because of a version # at the top of a file. Especially with a piece of software like phpBB where they tell you that if you have a lot of mods, make the changes manually.

In my opinion, an account should only be shut down after an (human) admin has made repeated attempts to contact the owner or, it's already compromised.

tvscum
08-10-2005, 08:16 AM
Hello? The software is up to date. There is no security hole. My phpBB admin panel says version 2.0.16 and my control panel says version 2.0.16. They shut it down anyway!

How about an email that says "we are going to shut it down if we don't hear back from you in 24 hours"?

By the way, it's been three days now... and no response from tech support.

wildjokerdesign
08-10-2005, 04:11 PM
Yep I got caught in the same situation. Luckily I was able to get it taken care of before other recent events and the board was re-activated quickly. It was a heavily modded board and although WH encourages useing the patch files to update modded forums it is just not always possible as was my case.

Automation is not the way to do this. As mentioned by others the method they used to check was not reliable. For one it could leave an unsecure file on the account. If any method of automation should be used it should check for not a file ID but for the vunrability itself.

It is hard for me to understand why more tech support employees do not have the root access needed to take care of such things. I may be wrong but I think that is why it has to be sent to an admin to be taken care of. It if it is a matter of keeping track of such things why not a log of actions taken by tech support staff that involved root access that then the main admin or admins could reveiw. Perhaps putting limits on the what actions could be taken. In this case it seemed simply that they had to change the premissions on the forum directory. This might also lighten the duties of the admins and system managers so they could focus on matters that affect more people.

I will say that I have learned my lesson and will always make sure I also update the ID information in the future. :)

visible soul
08-10-2005, 04:42 PM
I will say that I have learned my lesson and will always make sure I also update the ID information in the future. :)

It is simply not reasonable for Westhost to disable scripts based on the version number at the top of individual files.

This week I applied all security patches to an Invision Power Board 1.3.1 installation (not on WestHost) and I noticed that the version numbers varied on a file-per-file basis. Some files said 1.3.1 but other files said 1.3, some 1.2, and I even found one that said 1.1. This is not an uncommon practice for developers since in each successive version not every file will have changes. I checked the default IPB 1.3.1 package and this is how the files look when they are unzipped.

This WH policy makes me question the wisdom of using the site manager to install any script. :confused:

Christine
08-10-2005, 05:55 PM
Westhost had my forum back up sometime yesterday afternoon. I think the problem originated from me. When I first submitted a support ticket, I typoed my email address, realized what I had done, went back and resubmitted it with the corrections made. It's possible (probable) that they did reply to the first ticket, but since I made the error, any replies to that first ticket never made it to me. And since the second submission was a duplicate of the first, it was marked as 'Resolved'.

I did get a reply from someone last night who explained the reason for the second ticket being marked as it was. I thought I still had the email but it seems to have disappeared. So thanks to whoever sent that.

I'm glad to know now which file needs to be updated so next time I can update the version number and possibly avoid this in the future. I thought that since my Admin panel showed the updated version that Westhost would also be able to detect the changes.

And I thank God I'm not in the tech-support business... I would hate to deal with someone like me (or worse) when they aren't happy about a situation. My attitude hadn't even escalated to rotten when I made the forum post.

wildjokerdesign
08-11-2005, 09:47 AM
I'm pleased they got you back up and running.

It is true that support can be a very tough job and I feel WH does a pretty good job of it. Our post and complaints also help them to refine that process and improve it. I have seen the way they support change quite a bit over the past 6 or so years I have been with them and belive it is in part due to what they see posted here on the forums. They also get quite a bit out of the surveys that they have from time to time which is why try to always fill them out when they come along. The only problem with that is I often forget about some matters when filling them out. :)

cparra
08-13-2005, 08:36 AM
I was in the same situation with a heavily modified phpBB installation. Been struggling with trying to get it brought up to the latest version, all while the site has been experiencing downtime as a result of recent hardware failure on one of WestHost's servers (See http://forums.westhost.com/showthread.php?t=8405). With all of the downtime, and a strict deadline for getting my installation of phpBB patched, and the fact that they went ahead and disabled the board, I had to move one of my clients to a different hosting provider.

I'm still trying to get the old copy of the forum which is still on WestHost patched correctly. I patched it, and now the forum doesn't work and I am getting all sorts of errors. Well at least WestHost can't shut the board down because it hasn't been patched. It's been patched, and the patch has shut the board down!

wildjokerdesign
08-16-2005, 08:59 AM
You may want to manually install a new board then reapply your mods to it. You could then import the database from the old board into the new one once you get it set up and move the new files to the location of the old board. May be easier in the long run then trying to track where the error is. The whole process may be made easier if the first mod you install is EasyMod. It does seem to work on most mods. After installing each mod you could check for any errors.