
Forum Compromised


simpilot


  • Administrators

The forum has lost about 36 hours of data due to an exploit that was present in the IPBoard system, it has since been patched. I think the attached Facebook thread involving Max Dyba will give you all the information needed to come to your own conclusion as to "why". The only word I can muster is disappointing. I attach it as a photo as I am sure the page will be edited in the near future.

post-198-0-82918900-1480990141_thumb.png

This post was made shortly after the forum "went down".

post-198-0-32245600-1480990398_thumb.png

I wish the best for these guys but it is embarrassing to all of us when developers act this way.

NOTE: Neither my host nor I have been able to verify if any data was actually downloaded or not. I would suggest a password change both for the forum and the email you have associated with your profile.

Edit on 12-6-2016 @ 6:15pm EST - The view expressed here is not to be construed as the view of any one or anything else but myself. This is an opinion and also simply provides what I believe to be the facts presented to me, everyone can come to their own conclusion and do their own research if they so desire.

  • Like 1
Link to comment

Yeah, that is a bit embarrassing (to them) when one has to do that so they can hurry and ,not (??) launch their forums/website. I just read they are "The Replacement" for phpVMS. Nice. I guess they forgot about VAM and SAMS. I'll use phpVMS until I can't use it any longer or one of the two that I just mentioned becomes a viable option.

I test and use all kinds of software on the net and one that I will not try, is theirs. Not after that stunt.

Link to comment

I am not so sure if they are so stupid. Perhaps they did not know, PHPVMS did exist? From VAM I read they came from another kind of software anyway.

You cannot migrate all data from PHPVMS

From FSVAOS, I get the impression that they are at least another year underway, before it works good enough. But this is my opinion.

But there comes danger from a different corner, for all using PHPVMS 2.9.

My hosting company is going to upgrade my shared hosting server to PHP 7. Another hoster is busy upgrading already and from a third I know that they are planning to upgrade between Jan 1st till April 1st 2017.

Experience wise I can tell you that all serious hosting companies will upgrade between now and 2 years. One sooner than the other.

PHPVMS runs until PHP5.6. PHP5.6 support will stop by the end of this year.

In short if your site is at PHPVMS 2.9 and the hosting company is going to upgrade, you have a problem!

I have tested it already.

Experience wise and thanks to a tip of Parkho and Servetas, have installed PHP 5.5. And tested that on PHP 7. I can tell you it works.

As long as you use the default PHPVMS 5.5. As soon as you roll into adding modules, you get not only the tpl/php trouble, but also that a lot of declarations are unsupported.

Example: Deprecated: Non-static method PopUpNews::PopUpNewsList() should not be called statically.

Most modules can be upgraded right away. But others need more work.

What I also learned is that 3 out of 3 hosting companies I use as a reseller are not installing ioncube, or use a panel that does not support the PHP7 version of ioncube, or demand around 50 euro per month fee.

Experience wise: I am busy for a couple of weeks, and have rebuilt my citylink-va website on another domain, and adding module after module.

Thanks to the help of crazycreatives, I am getting the job done. As my php is limited. I am more into html/css.

My advice in this is, please check your host when they are going to upgrade. And start preparing your site in time.

Moving to a different hosting company could be an option, but like I wrote earlier, they will migrate all in the end.

I have decided to upgrade to PHPVMS 5.5 and not going to VAM. As I still consider PHPVMS a very splendid platform. The others have a fancier website, include a lot for free. But if it all works as expected? I am not sure. I stick around here for a while.

Edited by aarbee
Link to comment

The forum has lost about 36 hours of data due to an exploit that was present in the IPBoard system, it has since been patched. I think the attached Facebook thread between Taylor Broad and Max Dyba will give you all the information needed to come to your own conclusion as to "why". The only word I can muster is disappointing. I attach it as a photo as I am sure the page will be edited in the near future.

post-198-0-82918900-1480990141_thumb.png

This post was made shortly after the forum "went down".

post-198-0-32245600-1480990398_thumb.png

I wish the best for these guys but it is embarrassing to all of us when developers act this way.

NOTE: Neither my host nor I have been able to verify if any data was actually downloaded or not. I would suggest a password change both for the forum and the email you have associated with your profile.

Any real evidence that the VAOS guys did this? In case you were unaware, they got their forum going because it was their belief the phpVMS forum may be down permanently and they wanted to create a new venue for the community. David since you are responsible for managing this forum, if you want to get accusatory, let's discuss why you haven't updated the board and why the latest security patches aren't installed? Do you have a valid license for IPS Board, or is this nulled and that is why you can't update it? :wacko:

Link to comment

Not sure about the forum null part but reading the post, Max came right out and said you can thank me later for that right after the kid said phpVMS forums were down. Not sure how far to read in to it but that all but explained it to me. As for the null forum part, as David has pointed out, please feel free to use their piracy link. If they find it nulled or no license, then there is trouble. But not sure why David would suggest anyone report him if it is not legit. That would be kind of foolish no?

As far as why the board was never upgraded, good question. Bulletin boards must be updated regularly. Hackers are always one step ahead of development.

Link to comment

  • Administrators

I will do my best to address the questions and accusations pointed out by a number of the previous posts.

Do I have proof of who the perpetrator that has caused the issues outlined in my original post? - Server logs, or what is left of them would be a better statement, have been archived and will be reviewed when and if necessary. Here is my opinion and how I got to it. When someone posts that they can be thanked for a situation portrayed within a screenshot contained in the post I personally do not find any other conclusion than that person either did it, or at least has involvement or knowledge of how it occurred. Why else would they want to be thanked for it?

Yes, I am responsible for managing this forum, not only technically but financially. The phpvms and vacentral sites are solely supported by me financially at this point and have been that way for some time. I do not have a problem with this but I do believe it gives me some authority as to how my finances are spent against which parts of phpVMS. Am I the best at being timely with updates and such, admittedly no. There is also no way to update an ipBoard without continuing to purchase license renewals so it comes back to a financial matter, which for an open source project with no income is not sustainable in the long term. So if this makes me, and anyone else that has found themselves in this situation a "dumbass" as stated in the first post then I am guilty of just that. Sometimes the most trusting and giving people have to learn the hardest lessons, that is an unfortunate reality of life today.

There seems to be this theory that I have somehow nulled or obtained a nulled license for the forum. This is untrue in every sense of the statement. The original license was purchased for the domain by Nabeel and has been in place ever since. He renewed a couple of times and I also renewed once when first taking over the forum operation. This license does not expire or become invalid if it is not renewed, you simply lose the support of future updates and the limited support that IPBoard offers. If you truly feel that this forum is operating without or with an improper license please feel free to report it to Invision themselves using their piracy reporting function. HERE IS THE LINK - https://invisionpower.com/legal/piracy - If you are correct I am sure I would be contacted and the board would/will be shut down.

Am I aware that the VAOS forum was started due to the phpVMS forum being down, yes of course I do. What I find troubling is the timing of posts on the VAOS Facebook page related to it. Could it be a coincidence? Sure, but I also can say I have started to connect enough dots for a picture to emerge.

Also, if you have an opinion about this, feel free to post or email me directly. If you find it necessary to threaten family, home, or life, the post will be removed immediately and an email to me with anything of this nature will simply be deleted.

  • Like 2
Link to comment

Right... Max Here.

David, I suggest you check your e-mail as my employer can not allow this to happen to me and he will defend me in any way possible. To explain this the "Thank me Later Taylor" was as thank me later for the explanation of why the forum was down. Now, my employer and my close friends consider this as slander and I am not up for it. The questioning of the legality of the forum was because it was outdated and my curiosity had taken over. You are coming to too many conclusions and making way too many assumptions here that are just not right. This could also set a bad name for VAOS but I don't think so, I have no involvement in it whatsoever except for beta testing. The Max that posts at VAOS you ask? Not me.

I did not EVER expect an event like this to occur involving you or the phpVMS forums. You have set me a bad name for the entire phpVMS community, and I won't stand for it. I'd call it defamation of reputation.

I realise coming out here is completely unprofessional, but I need to get my point across. I also have a lot more to say, but just check your e-mail. In less than 24 hours I've lost valuable clients and money thanks to this.

Best Of Luck,

- Max

Also this comment was quite hurtful...

So disappointed in these people. Absolutely stupid.

Hopefully they won't bother us again!

Glad you got it all back up and running!

Onwards and upwards

Am I aware that the VAOS forum was started due to the phpVMS forum being down, yes of course I do. What I find troubling is the timing of posts on the VAOS Facebook page related to it. Could it be a coincidence? Sure, but I also can say I have started to connect enough dots for a picture to emerge.

I think you should check those dots. I don't think the correct picture is emerging...

RvOBsZ1.png

Edited by ImmersionDesign
Link to comment

Dear everyone

Please stop this childish behavior, at the end of the day the "forum" is back up and working.

To everyone who is calling the VAOS guys hackers, idiots and childish, well you need to look in the mirror... (TAV1702)

There is no solid proof Mr. Dyba or Mr. Broad (VAOS guys) was involved in this "Cyber Attack" so until there is some please stop being children and pointing fingers at each other because all that will happen is this community will divide.

Mr. Dyba also said

If you like you can check my hard drives and logs

and I did, there was no trace of anything

Mr. Dyba also said

I am not involved in VAOS apart from being a beta tester

and

I was not involved in the sql injection hack

Yours sincerely,

Insitus Group Ltd, CN: 10502160

Represented by PSC

M E Walton

Edited by Morgan
Link to comment

So essentially you are saying I am a hacker Mr Morgan? I couldn't hack my way in to a server with every port wide open on it. :D And funny you only pointed me out out of everyone posting in this forum so you sir can kiss my ass! I called it exactly how I saw it according to the post. Right after it was announced that phpVMS forums went down, he came and said you can thank me later. Hmm how bad does that look??? Bad choice of words at the wrong time? probably. maybe if he would have said hey Taylor I got the forums up, you can thank me later, that would have solved the argument before it even started.

I have over 1800 posts here and have been an active member since 2009. 75-80% of the features in phpVMS was suggested to Nabeel by myself and a fist full of others and SEVERAL other generous users over the years adding to it and David himself taking over and recoding and paying for it all. I have been here since the beginning. Where the f*** have you been? So don't even come in here trying to toss some weight around and talk s*** to me pal. Got it?

Respectfully

Oh and P.S., apparently you missed the whole part with me talking to the guys (VAOS) yesterday on Facebook about what mysql and php works and what does not. I never said a damn thing to any one on that Facebook page out of sorts. It was a civil chat for a few replies. No harm no foul. If they have issues with me, they can bring it up. Not some third party dildo.

Edited by TAV1702
Link to comment

So essentially you are saying I am a hacker Mr Morgan? I couldn't hack my way in to a server with every port wide open on it. :D And funny you only pointed me out out of everyone posting in this forum so you sir can kiss my ass!

TAV1702. You're making no sense. Morgan never accused you of anything in his last comment. And he did not target you as a hacker, he just pointed you out. Also, he's not going to be kissing your ass anytime soon unless you shave it, Movember is over...

To everyone who is calling the VAOS guys hackers, idiots and childish, well you need to look in the mirror... (TAV1702)

Let me tell you guys, over all of this slander. The last thing I want to do is bring David to court, I wish we could get along and civilly sort this issue out. I've lost friends, clients and money thanks to all the complete and utter s*** that's been started and I can only... ugh. Let's just say it's made a big dent in my life. I offered to talk this out with David on Facebook but he seemed to ignore my offer.

I am sick and disgusted that this has to go on like this.

One thing I can say is that I have looked up to David for a few years now and now that he, himself puts a big dent in my life by 100% standing by his false accusations makes me dislike him (a lot).

I can personally say all the accusations made against me and Taylor are 100% complete and utter bulls*** and even worse is that David stands by them with no proof to bring to the table.

Whatever is all I can really say, if this gets to a point where I can't handle it anymore I have 5 lawyers lined up to help me out. But I am pretty sure if David Clark is the man he is, he can realise that he's accused an innocent person of hacking his forums and put a dent in his wallet and life. You're being very stubborn at this point and won't admit anything as you are (probably) worried that karma will come back and take its course if you admit that I did nothing wrong. If you do in fact, apologise to me publicly and realise that I have done no such thing... I can make sure no karma slaps you back in the face as I will appreciate it.

- Max

Link to comment

Well no matter what he was saying, I surely do not appreciate being singled out. That is wrong right from the start. Plain and simple. Out of all the posts, I got picked. Nice. All I did was call it exactly how the screen shot showed it. As I said, it was most likely a bad choice of wording at the wrong time. Real simple.

It is a crying shame that I even let my self get to the point that I just did. I do owe all the regular users here a bit of an apology for taking such tones. Never in almost 8 have I ever talked as such on this community. And as far as I am concerned, I probably never will again.

On a side note, I find it kind of funny you have to speak for Morgan and he has to speak for you. ;-)

Take care.

  • Like 1
Link to comment

Pretty much so, nobody does. I can apologise on mine and Morgan's behalf about that.

Yeah it was, but unfortunately, the misunderstanding has caused me a lot of trouble. And I want that to be compensated... really badly.

It is a crying shame that I even let my self get to the point that I just did. I do owe all the regular users here a bit of an apology for taking such tones. never in almost 8 have I ever talked as such in this community. And as far as I am concerned, I probably never will again.

It's no problem at all... This subject is really f*cked up to be honest, and I need things to be made right.

And as you said, real simple... it is indeed! But people being stubborn is getting in the way from making things better of (what I assume) will put their own reputation on the line after already ruining mine. I as a good person will not let their reputation get shat on after all that I've been put through.

Tis' indeed. He is trying to lend me all the help he can as my employer and I appreciate it coming from him a lot.

- Max

Link to comment

Dear Everyone,

1) Mr. Dyba please do not apologise on my behalf.

2) I did not refer to you as hack but I did refer to you as childish, after I read your first post.

Yeah, that is a bit embarrassing (to them) when one has to do that so they can hurry and ,not (??) launch their forums/website. I just read they are "The Replacement" for phpVMS. Nice. I guess they forgot about VAM and SAMS. I'll use phpVMS until I can't use it any longer or one of the two that I just mentioned becomes a viable option.

I test and use all kinds of software on the net and one that I will not try, is theirs. Not after that stunt.

You said this before there was any 100% proof, even now there is no proof anyone did it.

Also Mr."TAV1702" please try and be an adult here and not swear at me in public.

Yours sincerely,

Insitus Group Ltd, CN: 10502160

Represented by PSC

M E Walton

  • Like 1
Link to comment

  • Administrators

I am going to say this just as I have said to Mr Waltons' five layers of representation privately, and I have clearly stated in the original post. The post details my conclusion formed from my interpretation and opinion of your statements, anyone else needs to draw their own conclusions, just as your stated opinions of the forum using an illegal license, me being thick, and all IPBoard users being dumb will lead people to their own conclusions.

You speak of the kind of man I am, I have not censored your posts, deleted posts, banned your profile, or anything else to stop your voice from being heard. This is the kind of man I am, allowing for all to state their opinion and let others form their own opinions. I do draw the line when things become vulgar and at threats to personal being which could be derived from your karma smacking me in the face comments but again, that is my opinion so I have let them stand.

Not everyone will ever agree with everything another does, this is a simple fact of life. There will be no apologies from me for showing factual information and my stating an opinion. I do however want to thank you for two things.

1 - For all the grief I have gotten I have gotten 10 fold support. This helps me realize the world is not all that gloomy of a place.

2 - You have lit a fire in me that has been missing for quite some time, that is to go ahead and finish coding and get the next generation of phpVMS out to the community.

  • Like 6
Link to comment

I think that it is disgusting that someone hacked this forum. A forum that I and many others have relied on and learnt from for which I am truly grateful. Dave I am 100% grateful to you for all you have done for this community and hope that it continues. You have my full support

Link to comment

It's sad to see people whose main purpose is and was profit (that was the main reason why they register here) getting back to the forum to speak against others who have actively supported the community during all these years.

ImmersionDesign is actually the account I used for my hosting company a while back. My VAs account Fiji Virtual has been banned (For unknown reasons... David?).

- Max

Link to comment

Time to hear it from the horse's mouth so to speak,

I am Taylor Broad, the creator of the VAOS project. I have been following the topic on here for a while and I wanted to step in to clear some things on my end.

First off to David Clarke, I apologize if what happened and the actions I took caused the firestorm we are in today.

As to the reason I brought my forums up and running was so the community had a place for good support. I was worried that due to the lack of meaningful activity (VA Announcements don't count), that the forums went down. As stated in my post, I found out from multiple sources that the forums were down. When I checked for myself, I deduced it to a database problem. To me, two scenarios went through my mind:

1. The database was deleted by admins

2. The site was hacked and database was deleted.

The latter was what actually happened, however since phpVMS was an older system with "alternatives" (mine being one of them) coming to or on the market, that this forum would not be coming back.

As for my comments and discussion with Max in the original thread about this being a pirated license, I was ruling that as a possibility since pirated licenses of IPS exist and this was running an older version of the software. For anyone who was wondering about the license fees, base cost for the self hosted version of IPS is $200 with a $25 support and update renewal fee every 6 months. From what David told me on the thread, this was a paid license without expiring and it behaves like that. However, the question I have regarding these boards is if they were updated with the latest security patches to prevent the SQL Injection.

Now regarding my claims about the capabilities of my system. I do have the ability to up-transfer AND down-transfer data to a phpVMS database. VAOS has a new scheduling system that works quite differently from other systems like phpVMS. To ensure legacy compatibility for ACARS clients, I have included the entire core folder which has a few modifications to it to allow for both systems to write to each other. The end result should be that the ACARS client should not be able to tell it is running on VAOS.

That is all for now.

Also David, good luck on creating your new system. I am interested to see what yours can do.

Link to comment

  • Administrators

ImmersionDesign is actually the account I used for my hosting company a while back. My VAs account Fiji Virtual has been banned (For unknown reasons... David?).

- Max

Max, you are correct, as any admin would probably do I banned it within hours of the site being compromised. It is now set as a normal account if you desire to use it. There were also 8 IP addresses associated with the account that were banned from the server but as you are on the forum you must be using a different one so I am leaving those in place.

I am Taylor Broad, the creator of the VAOS project. I have been following the topic on here for a while and I wanted to step in to clear some things on my end.

First off to David Clarke, I apologize if what happened and the actions I took caused the firestorm we are in today.

Taylor, I appreciate your openness in your post. I have never tried to destroy or otherwise hinder another system from becoming available. I have no intentions of starting now, frankly other systems drive us all to make our own projects better so we all win. I can not take complete, actually very little, credit for phpVMS, ultimately we all have Nabeel to thank. The only system that was anything near a true VA System prior to phpVMS that I was aware of was VABase. The rest of us have come after.

I can only wish you and VAOS (and VAMS, and VAFinancials, and, ...) a productive future, we will all learn from each other. Some people like red cars and some like blue cars, this is the same for software/applications and.... if everyone drove the same color car life would be pretty boring.

  • Like 2
Link to comment

I appreciate you un-banning my account David. The reason for 8 different IPs was that I have different staff accessing the account and I often use a VPN.

I wish you luck with the development of the (hopefully) upcoming next generation of phpVMS. And this forum update is quite nice... :)
 

Quote

2 - You have lit a fire in me that has been missing for quite some time, that is to go ahead and finish coding and get the next generation of phpVMS out to the community.

 

I am glad to see that (most) people can see that it was a misunderstanding and we can all move on with our lives.

- Max

Edited by FijiVirtual
Link to comment
