Hey guys, Adrian here! Sorry about what’s happened - I’m very happy to accept any help from anyone here who can dedicate the time to babysit a migration of phpBB from its very old version (3.0.8, released sometime around 2010. It’s almost old enough to drink!) to a recent one that has the latest security fixes.
I’ve brought the board back up for now temporarily, with a few firewall rules in place to stop the one specific attack that I was facing – but given that whatever exploit was used is still unknown to me, it’s quite possible/likely that the script kiddies who found it the first time will do so again from a different botnet/IP and I’ll have to take it down again until a permanent solution is found.
Like I mentioned to Thomas, no data is lost and I do take regular backups. It’s just a matter of getting the software through the upgrade lifecycle of over a decade’s worth of phpBB releases.
If you have the requisite skills, please do e-mail me at adrian@apetre.sc and we can immediately get to work together. I can probably bumble through myself eventually, even if I have to write a custom SQL migration, but it’s time I just don’t have at the moment, and probably won’t have until October.
Anyway, here’s hoping the month-long downtime has thrown the original attacker off the scent enough for them to forget about us for now
Yeah, this is exactly correct. You cannot go straight from 3.0.8 to 3.3 in a single jump (don’t be fooled by the small jump in version numbers; 3.0.8 and 3.3 are 15 years apart) - there’s too many schema changes which the developers expected people to upgrade incrementally over the years. So you’d have to upgrade many, many times, reading changelogs of each intermediate release to see if that point release required any breaking changes or schema updates. Especially in the early days of phpBB, even a minor point upgrade could be gnarly, requiring manual database interventions (especially since L19 has a few “mods” from before official mods were a thing, which means they consist of haphazard modifications to templates and code).
And some of these upgrades won’t just be phpBB upgrades but Apache, PHP, and MySQL upgrades as well, since the minimum requirements for each of those have gone up over the years.
The biggest wrinkle is that some of the intermediate upgrades between 3.0.8 and 3.3 are not even being distributed anymore. I think if I can get from 3.0.8 to 3.1.0 (2014) cleanly, then I can use an official upgrade pack from that point forward. But the releases between those two points are not officially distributed anymore and I think predate phpBB’s migration to git, so I’ll have to track them down on archive sites somehow.
So yes, Vassili62’s description is accurate. I will find time to do it eventually but until then help would be appreciated.
(On a bright note, L19 has been back up for 6 or so hours and the instance is still at normal CPU levels, so that’s a good sign )
I’ve put up a proper error page on the L19 domain this time, at least, so people know what’s going on. I’ll try to re-prioritize this to have it done before October, if nobody else with the relevant experience volunteers soon-ish.
Why? As long as L19 has these problems and as long those who have volunteered to make L19 work have no other place for the necessary “project management” this thread should be easy to read, with no distractors from the actually important points.
And then there are moderators … I remember “Kirby”
How about you, @Uberdude … IIRC (yet faintly) you wrote that you coded something for L19? Would that make you also a team member? Or are you a moderator anyway?
I would suggest that “Team L19” finds some safe and quiet place to plan and discuss things, like, either:
a Channel on Discord (or Slack, but IIRC that has to be paid-for, not sure though),
or a Group in something like Signal (or Telegram, but TG is not as secure IMHO)
Of course this presupposes that all of you have an account on either of these services, but that way you could focus on what’s to be done without interruptions, and one of you could off and on update us all here (or, perhaps, on L19 again finally).
IMO another nice thing would be if L19 could send out ONE mail to every member, telling them that L19 isn’t dead but only comatose, and the ICU is working hard on saving it. AND maybe also ask for phpBB experts!
I am a moderator there, mostly deleted spam. Don’t recall doing any coding, I think Kirby had more access and did some technical things. Unfortunately not a phpBB expert.
Yep - I am an admin on L19. I implemented the go diagrams and some other stuff on the site. I doun’t think the other admins do much technical stuff. Anyway, I am not a phpBB expert, but I do have a DB export now. I can’t make any promises, but I can see if I can do some sort of upgrade with the DB export that I have to get things running with some newer forum software.
Is it possible to follow up on the suggestion to redirecting users to a discord site, so that l19x19 users might get organized? I’m a web developer, know nothing specifically about PhP, but its possible I could help migrate the content to a clean running server.
)
what was THAT? I was able to play a few moves (though not share a variation), and I could even trigger a level IV analysis.
Or are you a moderator anyway?