FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » FUDforum » How To » Stop The Forums Running Themselves (I Have Gremlins)
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Stop The Forums Running Themselves [message #37476] Sun, 27 May 2007 19:40 Go to next message
Dustin Kowalski is currently offline  Dustin Kowalski   Germany
Messages: 62
Registered: August 2006
Location: Leicester
Karma: 0
Member
Hi all:

This is quite serious actually.

My forums control themselves. I'll come online to find threads locked, friends on ignore, and others banned.

This was really serious last week. There are two admins, and the generic 'admin' account. For whatever reason, the other admin and the 'admin' account had been banned, and I didn't do it. Had mine been banned too, we'd have been in serious trouble.

Anyway, I've just discovered that seven more people have been banned incorrectly, and a guy with 13 posts is now an 'unconfirmed user'.

I have no idea what's happening.

It may have been building for a while. For instance, if I send a private message or make a post, it's not unusual for the screen to make the post, but take me to another thread, instead of leaving me in the current one.

Evidently, I have grave concerns about this. It's frustrating anyway having to go through the members list unbanning people and unlocking threads, but I'm particularly concerned about what will happen if the two admins and the generic 'admin' account get banned.

Please help,

Tim
Re: Stop The Forums Running Themselves [message #37482 is a reply to message #37476] Mon, 28 May 2007 22:49 Go to previous messageGo to next message
Ilia is currently offline  Ilia   
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
Check which users have admin priveleges via the admin control panel. It sounds like your have a rogue admin. You should also check the Action Log Viewer

FUDforum Core Developer
Re: Stop The Forums Running Themselves [message #37486 is a reply to message #37476] Tue, 29 May 2007 10:09 Go to previous messageGo to next message
Dustin Kowalski is currently offline  Dustin Kowalski   Germany
Messages: 62
Registered: August 2006
Location: Leicester
Karma: 0
Member
Thanks Ilia. There's no issue regarding having an extra admin: it's just me, the other guy, and the generic 'admin' account.

However, the Action Log revealed who the rogue is ... it's me.

Everything with a star next to it is stuff that my account has done, but that I personally have not.

index.php?t=getfile&id=3264&private=0

The strange thing is that these changes are genuinely happening whilst I'm online ... they're not happening at times when I've logged out, so I can say that it doesn't appear to be that I have left myself logged into someone else's computer.

OK, what would we suggest as the best course of action?

Upgrade or reinstall the forums?

Maybe I should remove my admin permissions? I'm thinking that if I did that, *my account* would no longer be able to ban the others etc. I could always use 'admin' for admin purposes. I'd rather not have to delete my account if we can help it; most of my posts are learning materials, so I would have to redo them, which would be a major frustration seeing as I have more than a thousand of them!

It just seems very, very strange though.

I'm open to suggestions.

Thanks, Tim
Re: Stop The Forums Running Themselves [message #37487 is a reply to message #37476] Tue, 29 May 2007 10:14 Go to previous messageGo to next message
Dustin Kowalski is currently offline  Dustin Kowalski   Germany
Messages: 62
Registered: August 2006
Location: Leicester
Karma: 0
Member
I've just noticed that one of our members posted this a few weeks back:

Quote:

Another thing i've noticed the past week or so Tim is that you're permanently showing as logged in even when you've not been at a computer for days, and you show up as browsing random threads i sincerely doubt you are. Like you were allegedly browsing Hi a few minutes ago and i doubt you were...


So, it looks as though something *is* happening in my absence.

I need time to make a backup of the forums just in case, but after that, I think I'm going to need to remove my admin priveleges.
Re: Stop The Forums Running Themselves [message #37493 is a reply to message #37487] Tue, 29 May 2007 20:17 Go to previous messageGo to next message
Ilia is currently offline  Ilia   Canada
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
I'd recommend changing your password or better yet disable the old admin account and make a new one.

FUDforum Core Developer
Re: Stop The Forums Running Themselves [message #37495 is a reply to message #37476] Tue, 29 May 2007 22:19 Go to previous messageGo to next message
Dustin Kowalski is currently offline  Dustin Kowalski   Germany
Messages: 62
Registered: August 2006
Location: Leicester
Karma: 0
Member
Yep, already changed it. Will remember to log out all the time, and will monitor how things progress. If there's no change, I'll remove the admin priveleges from my account, and create a separate one. Thanks Ilia.
Re: Stop The Forums Running Themselves [message #37628 is a reply to message #37476] Sun, 10 June 2007 12:18 Go to previous messageGo to next message
Dustin Kowalski is currently offline  Dustin Kowalski   United Kingdom
Messages: 62
Registered: August 2006
Location: Leicester
Karma: 0
Member
Well, I've renamed my old account "Tim (Jinxed Account)", changed the password, logged it out, and removed its admin privileges.

Nonetheless, what did I notice a few minutes ago?

index.php?t=getfile&id=3295&private=0

So, I obviously need to delete the account. Just to double check; if I do that, it won't delete the posts will it? I made 1,100 posts on that account, and they're responsible for the bulk of the site's infrastructure. (It's an educational site, so the posts are still relevant for research's sake.)

(I noticed that there's a 'delete' option and a 'delete posts' option. Just need to be sure that choosing to delete the account won't wipe out the posts.)
  • Attachment: jinx.jpg
    (Size: 42.08KB, Downloaded 1308 times)
Re: Stop The Forums Running Themselves [message #37629 is a reply to message #37628] Mon, 11 June 2007 01:58 Go to previous messageGo to next message
Ilia is currently offline  Ilia   
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
You can ban the account. That would prevent future access. If you delete the account all messages in that account will be moved to anonymous user.

FUDforum Core Developer
Re: Stop The Forums Running Themselves [message #37634 is a reply to message #37476] Mon, 11 June 2007 08:30 Go to previous messageGo to next message
Dustin Kowalski is currently offline  Dustin Kowalski   United Kingdom
Messages: 62
Registered: August 2006
Location: Leicester
Karma: 0
Member
I already banned it! It's still online right now, and has been (browsing different topics) every time I've checked!

I think I'll just have to change it to a shorter name and be happy with that ...

Thanks Ilia.
Re: Stop The Forums Running Themselves [message #37636 is a reply to message #37634] Mon, 11 June 2007 12:17 Go to previous messageGo to next message
Underhand is currently offline  Underhand   United Kingdom
Messages: 5
Registered: June 2007
Karma: 0
Junior Member
Dustin Kowalski wrote on Mon, 11 June 2007 09:30

I already banned it! It's still online right now, and has been (browsing different topics) every time I've checked!

I think I'll just have to change it to a shorter name and be happy with that ...

Thanks Ilia.


The ban prevents new logins with that account, but apparently did not prevent access to existing sessions.

I've matched up the times of the strange events to accesses in the apache log file, from the google bot.

After purging old sessions, it was visible that there was one session left with that user ID in the session table despite the ban. Removing that session from the database seems to have done the trick, although it's too early to be 100% sure.

The original problem appears to have been the posting of a URL to a forum page that accidentally contained session tracking information, leading to the google bot spidering as a privileged user, and triggering undesirable actions in the process.

(... the other admin)
Re: Stop The Forums Running Themselves [message #37640 is a reply to message #37476] Mon, 11 June 2007 21:42 Go to previous messageGo to next message
Dustin Kowalski is currently offline  Dustin Kowalski   United Kingdom
Messages: 62
Registered: August 2006
Location: Leicester
Karma: 0
Member
Heh! I'm glad we chatted on the phone Underhand, else I wouldn't have understood a word of that! Razz

Ilia; I have a feeling where the problems come from. When I chat with friends from another forum (IPB not FUD) we sometimes paste links to each other. When I follow the link, I enter those forums with my own account. Nonetheless, when I do the same with FUD, my friend follows the link, and enters as *me*, complete with admin privileges. I've posted links before in public, so that would appear to be where the problem comes from.

Maybe in future versions, it would be a good idea to not include session IDs in addresses, or to have sessions automatically log out after, say, a week.
Re: Stop The Forums Running Themselves [message #37641 is a reply to message #37640] Mon, 11 June 2007 22:11 Go to previous messageGo to next message
Ilia is currently offline  Ilia   
Messages: 13241
Registered: January 2002
Karma: 0
Senior Member
Administrator
Core Developer
That seems highly unusual because one, the URL sessions have additional validation SID and browser signature. You can always disable URL sessions.

FUDforum Core Developer
Re: Stop The Forums Running Themselves [message #37649 is a reply to message #37641] Tue, 12 June 2007 11:07 Go to previous messageGo to next message
Underhand is currently offline  Underhand   United Kingdom
Messages: 5
Registered: June 2007
Karma: 0
Junior Member
I disabled URL sessions yesterday to make sure this can't happen again.

I'm not sure how the link managed to persist as long as it did, but obviously by some means it did. It would be interesting to understand that better.
Re: Stop The Forums Running Themselves [message #37656 is a reply to message #37476] Wed, 13 June 2007 07:04 Go to previous messageGo to next message
Ernesto is currently offline  Ernesto   Sweden
Messages: 413
Registered: August 2005
Karma: 0
Senior Member
I had the problem with URL sessions before and people posting links, which made people become logged in as other users. I just turned off URL sessions and that problem was gone with the wind.

Re: Stop The Forums Running Themselves [message #37657 is a reply to message #37476] Wed, 13 June 2007 09:56 Go to previous message
Dustin Kowalski is currently offline  Dustin Kowalski   United Kingdom
Messages: 62
Registered: August 2006
Location: Leicester
Karma: 0
Member
That's what we've done too, Ernesto.

I always thought that the URLs seemed to be much more long than I was used to in other forums that I frequent, but had no idea that this was something that could be turned off. Everything is perfect now Smile
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Prunning private messages
Next Topic: How to setup FUDForum for international/multilingual target audience?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 19:34:34 GMT 2024

Total time taken to generate the page: 0.02623 seconds