Total Views: 894 | Total Replies: 12 | Thread Id: 77381
vanderaj
A.k.a.: Andrew van der Stock
posted on June 23rd, 2009 at 04:12 PM
Administrivia: Downtime this weekend (Sunday morning)
Hi there,
I will be upgrading our server to the latest and greatest PHP 5.2.10, along with a few other behind the scenes tasks such as performing a full backup
prior to making the switch to the newer version of PHP.
When? Sunday morning from 9.30 am AEST til around noon.
What will be affected? Site will be down completely during this time.
What will be improved? PHP reliability - over 100 bugs fixed in PHP along with one security fix.
What will change? No functionality changes will be made.
thanks,
Andrew
h
A.k.a.: Towely BuMpEr KING! ILLegal ALIEN on a roadtrip
posted on June 23rd, 2009 at 05:51 PM
OMG I'm getting the jittery withdrawals already for Sunday with no avd online with a cuppa n croissant for breakky..
cheers andrew for your tireless work
many thanks
vanderaj
A.k.a.: Andrew van der Stock
posted on June 28th, 2009 at 02:00 PM
What an interesting weekend.
We took a whack of downtime Saturday night (6-ish to around 2.30 am) due to a suspected attempted break-in. I'm still trying to establish what
exactly happened, but I had to restore a few system files (sudo in particular), and look around carefully for issues. Luckily, my paranoia whilst
setting up and maintaining the server means that the worst damage seems to be deletion of certain system files rather than anything more serious.
This is still very serious, and I will be taking further measures to harden the host.
There was no downtime Sunday AM as the change has already occurred. I don't foresee any major downtime whilst I make any of the other changes behind
the scenes.
So far I have these issues:
* I can't log in. That sucks. I'll fix it, and I suspect I might fix the issue that's been plaguing all those folks who get bounced to the index
page without logging in as well.
* Xcache is not currently turned on so performance might be iffy. Xcache works, but I'm not turning it on until all the other issues are sorted.
* Apache is running deflate compression, rather than PHP running with gzip compression due to garbled response output. This might be a header issue,
but for now, I think we'll stay this way.
* Some configuration files are a little out of whack due to resolving corrupt system files. These will need addressing as I find them.
What's fixed:
* We are now on Apache 2.2.10 and PHP 5.2.10, and earlier than expected.
* Most of the system files have been refreshed from original sources and re-patched.
Beyond fixing the damage caused by this attack, once I've established what exactly happened, if it becomes obvious who did this (i.e. if it's not
just a worm) we will be sending all relevant data to the police. I created a snapshot of the machine at rest before my changes to update the system,
and I have all the logs. If you did this, just know that this stuff *IS* my day job, and I do not take it lightly.
Thanks everyone for your patience.
thanks,
Andrew
barls
A.k.a.: Mr indestructible
posted on June 28th, 2009 at 02:56 PM
Andrew, barls has been home using my computer and is still logged in. I can't log him out and he can't log in on his computer at home even with my
user name. Cheers, Les
eraser
posted on June 28th, 2009 at 03:47 PM
I hate it when people try to ruin everyone else's fun. But good work on getting it back up so soon.
vanderaj
A.k.a.: Andrew van der Stock
posted on June 28th, 2009 at 05:34 PM
Good to know - I think the session object is failing for some reason. I'll check that out.
thanks,
Andrew
vanderaj
A.k.a.: Andrew van der Stock
posted on June 28th, 2009 at 08:34 PM
Okay, I've worked out why the forum is not letting us log in.
There seems to be a change between Apache 2.2.3 -> 2.2.11 and PHP 5.2.8 -> 5.2.10 which affects how headers are put out there. Looking at the
output, there is something up with the way PHP creates the cookie, and I'm getting blanks.
I think it's probably because we don't stick to the RFC, which requires only ASCII characters in headers. This has been a problem in the past for our
users with usernames with spaces, *'s, etc. in them. As things get more strict between the platform and browsers, old software like this
requires a bit of updating.
So here's what I'm in the process of doing to rectify this issue:
If you choose not to login with "remember me" (which is the default) the system will now use the session object to store the login state,
rather than a cookie. This is much safer (and faster). It's also the first line of login even if you're logging in with a "remember me" cookie.
This will be the fail safe option as it doesn't rely on your browser working correctly.
The remember me cookie will be encrypted, serialized and base64 encoded. This will make it safe to go into a cookie. The encryption is long
overdue and should make your credentials a bit safer.
I'm centralizing all login and logout code. I'm also removing guest posting code from post.php (a feature we don't have enabled, so you
won't notice).
I'm moving login code to prepared statements, so you can have any username without restriction. This may not happen tonight but it will be soon
as it's been on the cards for a long time.
The oldtopics and last visit cookies will be migrated to your user record. There's no residual reason for them to be set as a cookie any more.
This will not happen tonight, but I've noticed the problems with the login cookie are also affecting these cookies.
thanks,
Andrew
vanderaj
A.k.a.: Andrew van der Stock
posted on June 29th, 2009 at 01:11 AM
I've put in changes that:
* True session logins (i.e. no remember me) work without setting a cookie now
* Remember me logins set a new type of cookie that should allow everyone (including IE/Vista) to log in successfully. It may not keep you logged in,
but it will as soon as I work out why this software combination is being such a bastard.
* Logout works properly.
thanks,
Andrew
vanderaj
A.k.a.: Andrew van der Stock
posted on June 29th, 2009 at 01:52 AM
Remember Me is fully debugged. I was not setting an expiry time on the cookie. It is now doing so. If you log on again now, you'll be getting a long
term cookie.
I also fixed a bug where the last visit times were not being cleared properly on logout. This is actually a long standing XMB bug too. In the grand
scheme of things... it's not a huge issue.
Over the next few days, I will be adding some code to convert the old cookies over to the new format. This should be transparent to you all.
thanks,
Andrew
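The remember-me cookie scheme Andrew describes two posts up (serialize, encrypt, base64-encode so the value is pure ASCII and header-safe) together with the explicit expiry he says was missing, as an added PHP example; this is not the forum's own code. It assumes a 32-byte secret key loaded from configuration (generated inline here only for the demo) and a 30-day lifetime, and it uses libsodium's authenticated secretbox, which the posts do not specify.

```php
<?php
declare(strict_types=1);
// Added example, not the forum's code: remember-me cookie = serialized, encrypted, base64-encoded, with expiry.
const REMEMBER_DAYS = 30;   // assumed lifetime; the post only says "long term"

// Returns a header-safe (pure ASCII) cookie value for the given login state.
function remember_me_encode(array $login, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(serialize($login), $nonce, $key);
    // base64 never emits spaces, '*' or non-ASCII bytes, so any username is safe in the header.
    return base64_encode($nonce . $box);
}

// Returns the login state, or null if the cookie is malformed, altered or expired.
function remember_me_decode(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;                      // not base64, or too short to hold nonce + MAC
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;                      // MAC check failed: altered cookie or wrong key
    }
    // Only plain arrays may come back out of a cookie; never let it instantiate objects.
    $login = unserialize($plain, ['allowed_classes' => false]);
    if (!is_array($login) || ($login['expires'] ?? 0) < time()) {
        return null;                      // stale, or not the shape we wrote
    }
    return $login;
}

// --- demo (constructed values) ---
$key   = sodium_crypto_secretbox_keygen();   // demo only: load a fixed key from config in real use
$login = ['uid' => 42, 'name' => 'Kombi Driver *', 'expires' => time() + REMEMBER_DAYS * 86400];
$value = remember_me_encode($login, $key);
// The bug from the follow-up post: without 'expires' this would be a session cookie, not long-term.
setcookie('remember', $value, [
    'expires'  => $login['expires'],
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,   // keeps page script from reading the token
    'samesite' => 'Lax',
]);
echo remember_me_decode($value, $key) === $login ? "round trip ok\n" : "round trip FAILED\n";
echo remember_me_decode($value . 'x', $key) === null ? "altered cookie rejected\n" : "altered cookie ACCEPTED\n";
```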
Jay_1965vw
A.k.a.: Jay
posted on June 29th, 2009 at 08:30 AM
Three cheers, Andrew. Thanks!
Part of Melbourne's Unreal Aircooled VW Community
trickysimon
A.k.a.: Simon Azzopardi
posted on June 29th, 2009 at 08:38 AM
Hip Hip
barls
A.k.a.: Mr indestructible
posted on June 29th, 2009 at 06:20 PM
Thanks Andrew, now just to find out what chaos the old man did with my login.
grumble
posted on June 30th, 2009 at 08:55 PM
Thank you Andrew, between you and barls I have now logged him out without having to wreak too much mayhem in his name. I can now use the system without
too much drama. We appreciate the time that you put into this forum for us. Cheers, Les