Thank you Morrus!

Quickleaf

Legend
I believe in ENWorld. :)

I've been a subscriber for a while, but if you guys do an indiegogo or boardgame geek, or kickstarter thing, I am in!
 




Storminator

First Post
Let me add my thanks and praise for your efforts Morrus. You've done a great job with all the trials and tribulations you've had to put up with.

I appreciate your efforts.

PS
 

Cergorach

The Laughing One
Thanks Morrus and friends that have been hard at work at updating the website! I'm currently not in any position to support financially, but have time and IT knowledge, so if you need that let me know.

As for the ENworld 'hack', this isn't exactly shocking: according to the old website it was running vBulletin 3.8.5, which means that there were no updates done for almost 2.5 years. Which isn't smart. And while 3.8.6 and 3.8.7 didn't patch any security holes by themselves, 3.8.7 PL1 did address a security hole which was present in the whole 3.8.x series, not to mention PL2 and PL3 for 3.8.7. vBulletin 3.8 is also End of Life since 4 September 2012, so no more security patches since that date. That also means that there's been a known security hole for 2-17 months at ENworld.

Another option could be that the custom code had security holes in it and depending on how the custom code was implemented it could have made the rest of the code compromised as well. If the custom code was also not modular (thus core changes instead of plugins/modules/etc.) it could also explain why the site wasn't updated to the latest security patches.

The 10.000GBP worth of 'lost' code isn't exactly lost I suspect, I suspect that it's not compatible with vBulletin 4.x, which doesn't exactly make it the fault of the hacker. It's part of the life cycle of software, something a lot of folks seem to forget, not just Morrus, but folks that run a lot bigger operations than Enworld (monetary wise). (Custom) software that runs on version x might not work on version x+1 and version x will not be supported to infinity. Which doesn't make the situation any less sucky of course.

I can't for the life of me find out what the life cycle for vBulletin 4.2 is (when it's End of Life), not to mention that vBulletin 5 (Connect) is already running in beta for a few months and is less than perfect (depending on who you talk to). So, if I might give some unsolicited advice, don't spend another 10.000GBP on custom code until you know how long vBulletin 4.2.x is supported with security updates. And if you spend any money on custom code, make sure it's modular enough so you can do security patches during the entire life cycle.
 
