Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Disabled Forum

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Location
    Magna, UT
    Posts
    5

    Default Disabled Forum

    I got an email about a month ago about updating from phpBB2 2.0.15 to 2.0.16, which I did within a day or 2 of getting the email. I updated manually since I have a few mods and scripts that I didn't want to have to reinstall.

    So this morning, I wake up to a notice from Westhost stating that my forum has been disabled since I didn't do the upgrade. What's the deal here? I downloaded the update from the phpBB2 site and everything stated that I was running 2.0.16. I submitted a Westhost support ticket this morning, but I haven't heard from anyone and it's been about 4 hours now. The ticket status was set to 'Resolved' but obviously it hasn't been since I'm posting here.

    How long am I supposed to wait before I get a reply? How much longer after that will it take them to put my forum back the way it was? It isn't just my forum that's affected by their shutting it down. I have broken images & scripts all over the place.

    Westhost has been great up until now, but if my site isn't back to the way it was yesterday, I'm moving to the other hosting company I use. I've had to contact support with the other host twice before, but at least they always contact me within 15-30 minutes, and I've never had an issue take longer than an hour to be resolved.
    People really take these 'signatures' seriously? Wow! Imagine that...

  2. #2
    Junior Member
    Join Date
    Aug 2005
    Location
    Burnaby, BC. Canada
    Posts
    7

    Default

    Dear Christine, our site befell the same fate last night and I promptly opened a ticket with the exact details.

    I'm in a situation similar to yours. Our forum contains a number of modifications that I simply can't afford to lose with a clean install. At the same time, the modifications are so extensive that the Patch files simply won't work.

    I received a response along these lines:

    as far as we check, we look at the viewtopic.php, which is one of the most commonly exploited files of phpBB, and check the version information. Yours looks
    like this:

    Code:
    *   $Id: viewthread.php,v 1.186.2.35 2004/03/13 15:08:23 acydburn Exp $
    This shows that last time the version was updated was back on 3/13/04, not the latest, which was last modified a few weeks ago (around July 15th I believe)
    As stated in the e-mail, although I had made all of the necessary changes manually and the forum was no longer a security threat, I neglected to update the version headers in my files. When WestHost started sniffing for information about outdated forum software, ours cropped up.

    I hope that information helps

  3. #3
    Junior Member
    Join Date
    Apr 2004
    Location
    Magna, UT
    Posts
    5

    Default

    Thanks for the reply. I still haven't got a response from Westhost but it looks like they put my site back up. The lack of communication on their part is a real pisser.
    People really take these 'signatures' seriously? Wow! Imagine that...

  4. #4
    Senior Member visible soul's Avatar
    Join Date
    Sep 2003
    Location
    Corpus Christi
    Posts
    111

    Default

    This is inexcusable. What happened to the promotional spin that what happens on one VPS doesn't affect the others?

    With Virtual Private Server (VPS Hosting), also known as Virtual Dedicated Server (VDS Hosting) technology, a web server is divided into multiple isolated environments. Each environment has its own server software providing independence for that website. Any compromise to a site would only affect that VPS and could not affect any other site on the same server. As with a dedicated server, each VPS has its own independent operating system with it's own web server, mail server and independent software instances. A crashed application (Apache, Sendmail, MySQL etc.) in another client's VPS has no effect on your VPS.

    http://www.westhost.com/vps.html
    I would call WH support on the phone immediately.
    "Beware of all enterprises that require new clothes." -Henry David Thoreau

  5. #5
    Junior Member
    Join Date
    Aug 2005
    Posts
    2

    Default same thing here...

    They took my site down two days ago, I posted a support ticket immediately and still no reply.

    I upgraded to phpBB 2.0.16 and Mod Php 5.0.3 via the control panel weeks ago. After that, I upgraded to a very similar, modified version of phpBB 2.0.16 via FTP (a mod that works better with Mod Php 5.0.3).

    That modified version of phpBB can be found at:
    http://phpbb-php5mod.sourceforge.net/portal.php

    So anyway, my site has been down for two days. No reply from tech support. And, my forum had the most recent version the whole time! It never should have been disabled in the first place! A Westhost tech "wizard" on the phone told me the administrators were too busy today dealing with a server problem to bother with customer complaints, and he didn't have the clearance to re-enable my forum folder.

    It seems like Westhost should find a more fool-proof way to verify the version of phpBB before disabling the entire forum. HOW ABOUT A WARNING FIRST THAT THE SPECIFIC SITE IS GOING TO BE DISABLED! This is the first time Westhost has taken more than 15 minutes to respond to a complaint, so I hope this is not going to become the norm.

  6. #6
    Junior Member treblid's Avatar
    Join Date
    Sep 2003
    Posts
    1

    Default

    From what I have been told in the past when I had my account broken into (through phpBB) at a different host using 'vps technology', and I would imagine applies here, is this:

    Your account can be thought of as a prison cell. If no one watches the cell, evenetually someone, given enough time and ingenuity, will probably figure a way out. If a prisoner gets out of their cell, and the the rest of the prison (server) is unwatched, who knows what havoc could be wreaked, affecting other cell's besides your own.

    Your account can also be thought of as your home. Would you want someone just walking in and start eating your food, sleeping in your bed, calling around the world on your dime? Keeping software with known vulnerabilities available on your site basically invites these unwanted guests into your home to use your resources.

    So yeah, while WestHost may say that each account won't affect the another, would YOU be willing to sit on a server with accounts that are known to be broken into and being used for various things that they should not be? I know I'd rather have admin's reminding everyone to keep software up to date, especially with known security holes, than not hear anything from them and find out later that my account got broken in to because of another account that was cracked and wasn't taken care of by anyone.

  7. #7
    Senior Member torrin's Avatar
    Join Date
    May 2003
    Location
    Vista, CA
    Posts
    534

    Question

    Quote Originally Posted by treblid
    I know I'd rather have admin's reminding everyone to keep software up to date, especially with known security holes, than not hear anything from them and find out later that my account got broken in to because of another account that was cracked and wasn't taken care of by anyone.
    Yes, but shouldn't that reminder be an E-mail stating that your forum will be shut down if you don't contact us or something. I think people are complaining about the automated nature of this. An account should not be automatically disabled because of a version # at the top of a file. Especially with a piece of software like phpBB where they tell you that if you have a lot of mods, make the changes manually.

    In my opinion, an account should only be shut down after an (human) admin has made repeated attempts to contact the owner or, it's already compromised.
    Last edited by torrin; 08-10-2005 at 08:17 AM. Reason: clarification

  8. #8
    Junior Member
    Join Date
    Aug 2005
    Posts
    2

    Default

    Hello? The software is up to date. There is no security hole. My phpBB admin panel says version 2.0.16 and my control panel says version 2.0.16. They shut it down anyway!

    How about an email that says "we are going to shut it down if we don't hear back from you in 24 hours"?

    By the way, it's been three days now... and no response from tech support.

  9. #9
    Moderator wildjokerdesign's Avatar
    Join Date
    Jun 2003
    Location
    Kansas City Mo
    Posts
    5,721

    Default

    Yep I got caught in the same situation. Luckily I was able to get it taken care of before other recent events and the board was re-activated quickly. It was a heavily modded board and although WH encourages useing the patch files to update modded forums it is just not always possible as was my case.

    Automation is not the way to do this. As mentioned by others the method they used to check was not reliable. For one it could leave an unsecure file on the account. If any method of automation should be used it should check for not a file ID but for the vunrability itself.

    It is hard for me to understand why more tech support employees do not have the root access needed to take care of such things. I may be wrong but I think that is why it has to be sent to an admin to be taken care of. It if it is a matter of keeping track of such things why not a log of actions taken by tech support staff that involved root access that then the main admin or admins could reveiw. Perhaps putting limits on the what actions could be taken. In this case it seemed simply that they had to change the premissions on the forum directory. This might also lighten the duties of the admins and system managers so they could focus on matters that affect more people.

    I will say that I have learned my lesson and will always make sure I also update the ID information in the future.
    Shawn
    Please remember your charity of choice: http://www.redcross.org

    Handy Links: wildjokerdesign.net | Plain Text Editors: EditPlus | Crimson

  10. #10
    Senior Member visible soul's Avatar
    Join Date
    Sep 2003
    Location
    Corpus Christi
    Posts
    111

    Default

    Quote Originally Posted by wildjokerdesign
    I will say that I have learned my lesson and will always make sure I also update the ID information in the future.
    It is simply not reasonable for Westhost to disable scripts based on the version number at the top of individual files.

    This week I applied all security patches to an Invision Power Board 1.3.1 installation (not on WestHost) and I noticed that the version numbers varied on a file-per-file basis. Some files said 1.3.1 but other files said 1.3, some 1.2, and I even found one that said 1.1. This is not an uncommon practice for developers since in each successive version not every file will have changes. I checked the default IPB 1.3.1 package and this is how the files look when they are unzipped.

    This WH policy makes me question the wisdom of using the site manager to install any script.
    "Beware of all enterprises that require new clothes." -Henry David Thoreau

Similar Threads

  1. Avoiding Spam on your Forum
    By wildjokerdesign in forum General Discussion
    Replies: 5
    Last Post: 05-31-2006, 07:26 AM
  2. osCommerce Forum
    By rispku in forum Comments / Suggestions
    Replies: 7
    Last Post: 03-09-2006, 03:22 PM
  3. phpbb Forum resource utilization
    By sunzon in forum General Discussion
    Replies: 3
    Last Post: 05-13-2005, 03:17 PM
  4. Forum search ineffective...
    By maida in forum General Discussion
    Replies: 1
    Last Post: 01-11-2005, 11:08 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •