Administrivia: Downtime this weekend (Sunday morning)
vanderaj - June 23rd, 2009 at 04:12 PM

Hi there,

I will be upgrading our server to the latest and greatest PHP 5.2.10, along with a few other behind the scenes tasks such as performing a full backup prior to making the switch to the newer version of PHP.

  • When? Sunday morning from 9.30 am AEST til around noon.
  • What will be affected? Site will be down completely during this time.
  • What will be improved? PHP reliability - over 100 bugs fixed in PHP along with one security fix.
  • What will change? No functionality changes will be made.

    thanks,
    Andrew


    h - June 23rd, 2009 at 05:51 PM

    OMG, I'm getting the jittery withdrawals already for Sunday with no avd online with a cuppa and croissant for brekky.. :lol:
    Cheers Andrew for your tireless work.
    Many thanks


    vanderaj - June 28th, 2009 at 02:00 PM

    What an interesting weekend.

    We took a whack of downtime Saturday night (6 ish to around 2.30 am) due to a suspected attempted break-in. I'm still trying to establish what exactly happened, but I had to restore a few system files (sudo in particular), and look around carefully for issues. Luckily, my paranoia whilst setting up and maintaining the server means that the worst damage seems to be deletion of certain system files rather than anything more serious. This is still very serious, and I will be taking further measures to harden the host.

    There was no downtime Sunday AM as the change has already occurred. I don't foresee any major downtime whilst I make any of the other changes behind the scenes.

    So far I have these issues:

    * I can't log in. That sucks. I'll fix it, and I suspect I might fix the issue that's been plaguing all those folks who get bounced to the index page without logging in as well.
    * Xcache is not currently turned on so performance might be iffy. Xcache works, but I'm not turning it on until all the other issues are sorted.
    * Apache is running deflate compression, rather than PHP running with gzip compression due to garbled response output. This might be a header issue, but for now, I think we'll stay this way.
    * Some configuration files are a little out of whack due to resolving corrupt system files. These will need addressing as I find them.

    What's fixed:

    * We are now on Apache 2.2.10 and PHP 5.2.10, and earlier than expected.
    * Most of the system files have been refreshed from original sources and re-patched.

    Beyond fixing the damage caused by this attack, once I've established what exactly happened, if it becomes obvious who did this (i.e. if it's not just a worm) we will be sending all relevant data to the police. I created a snapshot of the machine at rest before my changes to update the system, and I have all the logs. If you did this, just know that this stuff *IS* my day job, and I do not take it lightly.

    Thanks everyone for your patience.

    thanks,
    Andrew


    barls - June 28th, 2009 at 02:56 PM

    Andrew, barls has been home using my computer and is still logged in. I can't log him out and he can't log in on his computer at home even with my user name. Cheers, Les


    eraser - June 28th, 2009 at 03:47 PM

    I hate it when people try to ruin everyone else's fun. But good work on getting it back up so soon.


    vanderaj - June 28th, 2009 at 05:34 PM

    Good to know - I think the session object is failing for some reason. I'll check that out.

    thanks,
    Andrew


    vanderaj - June 28th, 2009 at 08:34 PM

    Okay, I've worked out why the forum is not letting us log in.

    There seems to be a change between Apache 2.2.3 -> 2.2.11 and PHP 5.2.8 -> 5.2.10 which affects how headers are put out there. Looking at the output, there is something up with the way PHP creates the cookie, and I'm getting blanks.

    I think it's probably because we don't stick to the RFC, which requires only ASCII characters in headers. This has been a problem for our users with usernames with spaces and *'s etc. in them in the past. As things get more strict between the platform and browsers, old software like this requires a bit of updating.

    So here's what I'm in the process of doing to rectify this issue:

  • If you choose not to log in with "remember me" (which is the default) the system will now use the session object to store the login state, rather than a cookie. This is much safer (and faster). It's also the first line of login even if you're logging in with a "remember me" cookie. This will be the fail-safe option as it doesn't rely on your browser working correctly.
  • The remember me cookie will be encrypted, serialized and base64 encoded. This will make it safe to go into a cookie. The encryption is long overdue and should make your credentials a bit safer.
  • I'm centralizing all login and logout code. I'm also removing guest posting code from post.php (a feature we don't have enabled, so you won't notice).
  • I'm moving login code to prepared statements, so you can have any username without restriction. This may not happen tonight but it will be soon as it's been on the cards for a long time.
  • The oldtopics and last visit cookies will be migrated to your user record. There's no residual reason for them to be set as a cookie any more. This will not happen tonight, but I've noticed the problems with the login cookie are also affecting these cookies.

    thanks,
    Andrew
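The prepared-statement login lookup mentioned above, as an added example (not XMB's or vanderaj's code): the username is bound as a parameter, so spaces, quotes and `*` in a username are data rather than SQL, and a classic injection string matches no row. It assumes the `pdo_sqlite` extension is available and uses a constructed in-memory members table; the table and column names are assumptions.

```php
<?php
// Added example, not XMB's code: login lookup via a prepared statement.
// Assumes PHP >= 7.0 with pdo_sqlite; the members table is constructed here.

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema; the real forum's table layout is not on the page.
    $db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    // Constructed accounts; password_hash() stores a salted hash, never the plaintext.
    $ins->execute(['Andrew * Smith', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the member's uid on success, null on failure. Because the username is
// bound rather than concatenated into the query, "' OR 1=1 --" is just a string
// that no account has as its name.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT uid, password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify runs even for a missing row's shape? No: bail out first,
    // but keep the failure path identical for unknown user and wrong password.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['uid'];
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

if (PHP_SAPI === 'cli') {
    $db = open_demo_db();
    check(login($db, 'Andrew * Smith', 'correct horse') === 1, 'username with spaces and * logs in');
    check(login($db, "o'brien", 'battery staple') === 2, 'username with a quote logs in');
    check(login($db, "o'brien", 'wrong') === null, 'wrong password is rejected');
    check(login($db, "' OR 1=1 --", 'anything') === null, 'injection string is just a non-existent name');
    echo "ok\n";
}
```

The same shape applies to the other queries the post lists for centralising: one `prepare()` with placeholders per query, and `execute()` with the user-supplied values, so no username restriction is needed for SQL safety.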


    vanderaj - June 29th, 2009 at 01:11 AM

    I've put in changes that:

    * True session logins (i.e. no remember me) work without setting a cookie now
    * Remember me logins set a new type of cookie that should allow everyone (including IE/Vista) to log in successfully. It may not keep you logged in, but it will as soon as I work out why this software combination is being such a bastard.
    * Logout works properly.

    thanks,
    Andrew


    vanderaj - June 29th, 2009 at 01:52 AM

    Remember Me is fully debugged. I was not setting an expiry time on the cookie. It is now doing so. If you log on again now, you'll be getting a long term cookie.

    I also fixed a bug where the last visit times were not being cleared properly on logout. This is actually a long standing XMB bug too. In the grand scheme of things... it's not a huge issue.

    Over the next few days, I will be adding some code to convert the old cookies over to the new format. This should be transparent to you all.

    thanks,
    Andrew
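A "remember me" cookie built the way the June 28th 08:34 PM post describes (serialized, encrypted, base64-encoded so only ASCII reaches the header) and with the explicit expiry that the post above says was missing, as an added example that is not XMB's or vanderaj's code. It assumes PHP 7.3 or later (AES-GCM via the openssl extension, `random_bytes()`, and the array form of `setcookie()`); the cookie name, lifetime and the fixed key are constructed values, and a real deployment would load the key from server configuration.

```php
<?php
// Added example, not XMB's code: an encrypted, base64-encoded remember-me token
// with its own expiry, plus the matching reader. Assumes PHP >= 7.3.

const REMEMBER_COOKIE = 'xmb_remember';     // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 60 * 60; // assumed lifetime: 30 days

function make_remember_token(string $key, int $uid, string $username, int $now): string
{
    // Serialize the login state as JSON (not PHP serialize(), so reading it back
    // never unserializes attacker-controlled data). The expiry travels inside the
    // ciphertext so the server enforces it regardless of what the browser does.
    $payload = json_encode([
        'uid'  => $uid,
        'user' => $username,   // spaces, '*' and quotes are fine inside the ciphertext
        'exp'  => $now + REMEMBER_TTL,
    ]);
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($payload, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // iv || tag || ciphertext, base64-encoded: only [A-Za-z0-9+/=] reaches Set-Cookie,
    // which satisfies the ASCII-only header rule the post refers to.
    return base64_encode($iv . $tag . $ct);
}

// Returns the decoded login state, or null if the cookie is malformed, tampered
// with (GCM tag check fails), or expired. Null means "treat as logged out" and
// fall back to the session object, which the post describes as the first line of login.
function read_remember_token(string $key, string $token, int $now): ?array
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 12 + 16 + 1) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $payload = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($payload === false) {
        return null;
    }
    $data = json_decode($payload, true);
    if (!is_array($data) || !isset($data['uid'], $data['user'], $data['exp'])) {
        return null;
    }
    if ($data['exp'] <= $now) {
        return null;
    }
    return $data;
}

function set_remember_cookie(string $key, int $uid, string $username): void
{
    $now = time();
    // The explicit 'expires' is the fix the post describes: without it the browser
    // treats the cookie as a session cookie and drops it when the window closes.
    setcookie(REMEMBER_COOKIE, make_remember_token($key, $uid, $username, $now), [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

if (PHP_SAPI === 'cli') {
    $key = str_repeat("\x42", 32);   // constructed 256-bit key for the demo only
    $t0  = 1246200000;               // constructed "now"
    $tok = make_remember_token($key, 7, 'Andrew * Smith', $t0);
    check(ctype_print($tok) && strpos($tok, ' ') === false, 'token is printable ASCII with no spaces');
    $ok = read_remember_token($key, $tok, $t0 + 60);
    check($ok !== null && $ok['uid'] === 7 && $ok['user'] === 'Andrew * Smith', 'round trip');
    check(read_remember_token($key, $tok, $t0 + REMEMBER_TTL + 1) === null, 'expired token rejected');
    $bad = substr_replace($tok, $tok[40] === 'A' ? 'B' : 'A', 40, 1);
    check(read_remember_token($key, $bad, $t0) === null, 'tampered token rejected');
    check(read_remember_token(str_repeat("\x43", 32), $tok, $t0) === null, 'wrong key rejected');
    echo "ok\n";
}
```

On the login path the order the post gives still holds: consult the server-side session first, and only if it carries no login state decode the cookie; a null from `read_remember_token()` is not an error, just an anonymous visitor.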


    Jay_1965vw - June 29th, 2009 at 08:30 AM

    Three cheers Andrew, Thanks!


    trickysimon - June 29th, 2009 at 08:38 AM

    Hip Hip


    barls - June 29th, 2009 at 06:20 PM

    Thanks Andrew, now just to find out what chaos the old man did with my login.


    grumble - June 30th, 2009 at 08:55 PM

    Thank you Andrew, between you and barls I have now logged him out without having to wreak too much mayhem in his name. I can now use the system without too much drama. We appreciate the time that you put into this forum for us. Cheers, Les