Abandon Fail Boat

The web team is in a bit of a situation. You see, we’ve been having numerous problems with the forums recently, including but not limited to:

  • Not being able to log in AT ALL into the Moderator Control Panel or Administration Control Panels intermittently
  • The ‘Edit’ button being broken for over a year
  • ‘Delete posts as spam’ not working intermittently
  • Spam getting worse every day; we recently had someone post sexually explicit and extremely objectionable content to the boards, which we had trouble deleting since the forum software is so horrendously broken
  • And the most recent incident where confidential user data has *somehow* been leaked to spammers.

This leaves us to conclude that there must have been some exploit performed on the board. This is an extremely bad security risk and as of now the forums have been locked down until we replace them.

However, we can no longer use vBulletin. Aside from our trust being lost in its security for a product we PAID for and the fact that it is a proprietary product which, as an open source project, we cannot support, our licence key as well as user name and password for downloading the forums software has gone missing which means that we cannot upgrade the forum software.

Guillaume and I consulted with the council and a majority decision was made (2 FORs, 2 ABSTAINs, 1 NOT PRESENT) to say ‘good riddance’ to vBulletin and move onto phpBB.

phpBB has the tools for us to import the existing database as well as the theme. Guillaume made it clear that he would rather spend time adjusting the theme so that it works on phpBB rather than fixing broken proprietary software.

edit 1: the new forum has been made – no theme as of yet; it will be ready soon-ish

44 thoughts on “Abandon Fail Boat”

  1. Good to know you are working to make the forum as good as possible. I didn’t experience most of the latter problems (except random inability to login) but I wasn’t a really “hardcore” forum user.

  2. I think you guys had bad moderators or even admins, they leaked the forums passwords or something like that, vBulletin is better than any other forum out there. How can you prove your vB forum was hacked though, do you have logs of IPs? This isn’t my business anyway so you better check that out with vB support staff. Always upgrade to the latest version, and also always upgrade your server with security patches.

    1. Neither iXce, wfarr, nor myself are really stupid enough to leak information that is critical to the operation of the web infrastructure.

      We’re pretty sure the exploit happened through vB considering the numerous problems we’ve been having with it – however as mentioned in my follow up blog post we will launch a more detailed inquiry into how all this happened.

      The Web Team initially considered upgrading our vB installation but considering the fact that we can’t get our licence key this was not an option. This whole spam issue was the last straw for us but in reality it was our fault for not acting earlier.

  3. I was dismayed and shocked when I started receiving spam–LOTS of spam–to the unique address I’d provided the forum when I registered. There was NO DOUBT where the spam originated, so I was angry that my personal data had been sold/shared/whatever. I’m glad this blog post was here! At least now I know what really happened. I’m still pissed off about the spam, but it’s now being directed to /dev/null.🙂

  4. @up

    well, now that you mention it, I think my email leaked the same way – I remember starting to get spam after I registered to the forum. I’m glad they will be re-set.

  5. feel sorry for you guys. I already got spammed a couple of times through pms on the forums, and finally got a spam mail directly on the email I gave when I registered, those jerks using my Compiz Forums username which I first found weird…. No big deal I got enough anti-spam tools, but again, I’m sorry for the forums. Not sure you’re better off with phpbb.. VBulletin being imo the best forum software in the field. Maybe you should have a talk with Eva2000 on VBulletin forums, they’re very helpful down there. Anyway, hope to be able to post again as soon as possible on a Compiz forum. Best of luck guys🙂

  6. Forget the BB, how is it that spam contains a script hosted on opencompositing.org which is still owned by Guillaume?

    How is it that when you look at the source code for opencompositing.org, you can see a reference to this site, (commented out)?

  7. not sure either a move to phpBB will solve the issue for good… the forum software might not be the culprit but the way it was managed, just a guess, I don’t put the blame on anyone. phpBB forums get spammed too, and often, don’t forget that. The guys who almost took your VBulletin down might now target your phpBB…just be careful and for Christ’s sake drop the bashing of proprietary software… I tell you go get in touch with the people @ VBulletin, I’ve already seen them help the admins on another forum when shit happened there, it’s just really worth getting in touch with them. They’ll just tell you what to do to get a better protection in the future, and they might be able to tell why and how what happened could happen.

  8. The headers mean nothing. Spoofing of headers has been an issue nearly as long as spam has. The bottom line is that our contact info is out and is being abused. Feel lucky if you used a real email addy. I used an SMS alias that doesn’t provide for spam filtering (I thought I was careful enough about where I used it) and now I’m getting spam SMS messages to my cell phone. I’m glad to see the issue is being addressed so vigorously though.

  9. Ha, glad I’m not the only one who found this site through commented out text on the website found via the spam e-mail. I think every time someone clicks on that ‘drug.php’ it sends out another message, which is why I’ve gotten so many spams in the last 24 hours. The spam messages all lead to this website: http://n-pills.com/static/contacts which ironically has spambot prevention on their contact form but that hasn’t stopped me from filling out lots of complaints (with the original web address), as it looks like the spammer is unrelated to the store but is trying to get referral payments, so I figure if enough people complain the store will stop paying them money for these referrals.

  10. The smtp-server (qmail according to the headers) on 195.114.19.35 is still processing and sending spam from its queue. It seems to be struggling with several hours of backlog. Please clean it up and implement spam-filtering for outbound messages.

  11. The WHOLE problem with the proprietary software story is that WE DON’T HAVE ACCESS TO THE SOFTWARE UPGRADES, BECAUSE THE GUY WHO HAS THEM DID NOT GIVE THE ACCESS TO US. That’s not bashing, that’s just the __actual__ problem. The database access only gives access to the forum database, nothing else. About the rest of the issues; the server is not shut down, and mailqueue is cleared.

  12. and why were you denied access to these upgrades if I may ask ? by accessing these upgrades, do you mean accessing the installed upgrades themselves or not being able to upgrade at all ?

    PS: it’s really a nasty business, all of this is distressing.

  13. Guillaume, would it hurt to just talk with them and see if there is anything at all that can be done? I know how frustrating this is, but the goal is to get back up and running, and in the best time and way that it can be done (keeping security #1 on the list for importance). If you tell them what’s happened, they just might allow you to upgrade, and get back up on your feet here so to speak – from what I hear, they’re good people. It’s possible that you have access to the upgrades, but just don’t_know_how to access them, vs. not having them – if you talk to them, tell them what’s happened (they may already know even) and ask questions, then I’m sure they’d help.

  14. Khali25 : I mean the actual source files updates, which are in a password-restricted area. Well, just no response when we asked. I know the guy is busy with real life, so I’ll indeed try once more today, but there is little hope. Anyway, a phpBB forum is almost ready to be launched, I’m just auditing our security a little bit.

  15. considering you could retrieve the database, I guess we won’t have to register again right, on the phpBB, and we’ll be able to login with same username and password…

  16. The forum is imported. Posts are there, users are there, password hashes are not reusable though, you will have to go through a password reset step (which is pretty straightforward and immediate).

    1. @leigh

      Unfortunately, we’ve all been really busy quite recently and administrating the forum takes a lot of time.

      The header spoofing on the main page is harmless but nevertheless it’s long removed.

  17. there must be a way you can get in touch with Google to have them correct the site title you get through a search with “Compiz Forums”… I suppose you’re aware of the result…

      1. because it’s gone now. Googling “Compiz Forums” until two or three days ago gave “Viagra Generic etc…etc…” with sub-pages with the right Compiz related titles and clicking on this viagra thing actually led to the former compiz forum page.

  18. Hi, as you may already noted I’m new here.
    In first steps it is really nice if someone supports you, so hope to meet friendly and helpful people here. Let me know if I can help you.
    Thanks and good luck everyone!😉

  19. The response level to local and national disasters is awesome but it’s a damn shame that so many citizens take advantage of the sad situations.

    I mean everytime there is an earthquake, a flood, an oil spill – there’s always a group of heartless people who rip off tax payers.

    This is in response to reading that 4 of Oprah Winfreys “angels” got busted ripping off the system. Shame on them!
    http://www.cbsnews.com/blogs/2009/08/19/crimesider/entry5251471.shtml

  20. Taiga Leather is a world leading brand name in the fashion industry. louis vuitton wallets for men A Taiga Leather is not only a sign of taste and fashion; it is also a symbol of social status and recognition. At our website the quality of handbag has reached the highest level of perfection and it comes at a very attractive price. Louis Vuitton Handbags are inspired by louis vuitton mens wallets the highly popular designs of their original counterparts.
