[Coco] Gallery and Forums

Gene Heskett gene.heskett at verizon.net
Thu Feb 8 23:33:20 EST 2007


On Thursday 08 February 2007 21:31, Roger Taylor wrote:
>Since I changed my password again, the Gallery is temporarily down
>until I update it to know the new database password.
>
>THE FORUMS... I'm working hard to track down how these attacks are
>being done, how new spammers are joining by bypassing the secure
>signup process, and how to get rid of the trojans that are being
>pushed to web browsers.  Signup requires manual verification by me,
>which obviously doesn't apply to advanced spammers?  That is, until I
>patch the system.  I'm coming across patches on the forum company's
>site but it takes time to do the fixes.
>
>One odd thing is that the company, who owns the most popular forum
>software, has come out with a pay-only version (2.0.0, I think), and
>they have removed downloadable no-support versions, and some of the
>links to certain security patches.  HmmmMMmmm.  What a great way to
>push sales?  Could an employee or ex-employee know so much about the
>system to do almost anything and to convince the public to move to
>the latest costly version?  Probably not the case, but man it sure
>does make you wonder.

At least the seed of doubt has been planted in your thinking Roger.

>The server log is huge and without an IP of the spammer it is
>impossible to find the HTTP requests made to perform these
>attacks.  With the request information I can see about doing my own
>patch.  I've removed the calendar feature since there was a known
>issue there with MySQL injections.  I might also import our database
>into OpenOffice.org for offline reviewing to see if something was
>injected somehow that's causing some of these problems.  I don't see
>how a hosting company can let anybody but ME have accidental access
>to my databases, but we're talking about the Great WWW,
>here.  Anything goes, and usually does.

Is this an IIS server, or a linux boxen you're talking about?

>Members, Please CHANGE YOUR PASSWORD, which is a common thing to do
>anyway.  Do not use dictionary-guessable names.  Bots will try common
>passwords and combinations to enter through your account if they
>can?  Somehow messages are being posted by unregistered spammers, and
>I'm also trying to figure out how that is done so I can defeat it.
>
>If the forums go offline temporarily, it is because I've had enough
>and will shut it down while I'm working.  I want to avoid renaming
>the URLs because we'll lose our Google and other s.e. listing ranks,
>but I may have to reinstall the forums under a new directory.
>
>An upgrade to the commercial version is $149 which I read to believe
>doesn't have these spammer issues, but also includes tech support in
>case it happens.  I want to avoid this upgrade if possible.
>
>I'm sorry that we're having these problems (challenges) but nobody is
>immune to the havoc that spammers are causing on the free web, an
>open domain for criminals and "I can sleep at night no matter who I
>hurt" breed of "people".  I'm bothered by this entire issue, and I
>want everyone to know that I'm trying in the time I have to cure the
>problem.
>
>Tomorrow I will be on the phone with my hosting company.  More soon.

It's real simple Roger, assuming you have a contract, would this not be
considered a breach?

>--
>Roger Taylor

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.


