[Coco] Gallery and Forums
Roger Taylor
operator at coco3.com
Thu Feb 8 21:31:56 EST 2007
Since I changed my password again, the Gallery is temporarily down
until I update it to know the new database password.

THE FORUMS... I'm working hard to track down how these attacks are
being done, how new spammers are joining by bypassing the secure
signup process, and how to get rid of the trojans that are being
pushed to web browsers. Signup requires manual verification by me,
which obviously doesn't apply to advanced spammers? That is, until I
patch the system. I'm coming across patches on the forum company's
site but it takes time to do the fixes.

One odd thing is that the company, which owns the most popular forum
software, has come out with a pay-only version (2.0.0, I think), and
they have removed downloadable no-support versions, and some of the
links to certain security patches. HmmmMMmmm. What a great way to
push sales? Could an employee or ex-employee know so much about the
system to do almost anything and to convince the public to move to
the latest costly version? Probably not the case, but man it sure
does make you wonder.

The server log is huge and without an IP of the spammer it is
impossible to find the HTTP requests made to perform these
attacks. With the request information I can see about doing my own
patch. I've removed the calendar feature since there was a known
issue there with MySQL injections. I might also import our database
into OpenOffice.org for offline reviewing to see if something was
injected somehow that's causing some of these problems. I don't see
how a hosting company can let anybody but ME have accidental access
to my databases, but we're talking about the Great WWW,
here. Anything goes, and usually does.

Members, please CHANGE YOUR PASSWORD, which is a common thing to do
anyway. Do not use dictionary-guessable names. Bots will try common
passwords and combinations to enter through your account if they
can? Somehow messages are being posted by unregistered spammers, and
I'm also trying to figure out how that is done so I can defeat it.

If the forums go offline temporarily, it is because I've had enough
and will shut it down while I'm working. I want to avoid renaming
the URLs because we'll lose our Google and other s.e. listing ranks,
but I may have to reinstall the forums under a new directory.

An upgrade to the commercial version is $149 which I read to believe
doesn't have these spammer issues, but also includes tech support in
case it happens. I want to avoid this upgrade if possible.

I'm sorry that we're having these problems (challenges) but nobody is
immune to the havoc that spammers are causing on the free web, an
open domain for criminals and "I can sleep at night no matter who I
hurt" breed of "people". I'm bothered by this entire issue, and I
want everyone to know that I'm trying in the time I have to cure the
problem.

Tomorrow I will be on the phone with my hosting company. More soon.
--
Roger Taylor