Bug Users complaining of losing all their "gold"
- Thread starter Jester
- Start date
-
- Tags
- activity admincp amount bug bugs choose currencies currency database donate error event forum free inactive inbox install issue logs member members money more nginx notifications open options popup post readme route settings shop support thread transfer update upgrade url user vbcredits vbulletin
- Status
Hi again,
Now that we've upgraded and it's been running for a day, one of the members who keeps losing his gold informed me today that he lost it again. All he did was log out yesterday, and when he logged in today, his gold was zero'd out.
The upgrade did not cure it unfortunately.
Now that we've upgraded and it's been running for a day, one of the members who keeps losing his gold informed me today that he lost it again. All he did was log out yesterday, and when he logged in today, his gold was zero'd out.
The upgrade did not cure it unfortunately.
Darkwaltz4
Former Developer
Does your login still work? I'll take a wide look at your settings. Also, let me know which member(s) this keeps happening to
I put the password back to the one I gave you before.
Users so far:
AntP - has happened 3x
Fiery Esmeralda - has happened 2x
Austin IceBlade - has happened 1x
Thanks Dark
Darkwaltz4
Former Developer
It is kind of late, can I check it in around 12 hours? (you can switch password back then) sorry 
Just happened again for AntP. :/
Darkwaltz4
Former Developer
Alright, lets get to the bottom of it this weekend:
Could you please create and PM me with a temporary FTP and AdminCP account?
For security reasons, we recommend you create a new FTP account only for DBTech support, then disable or delete it after we have both confirmed the issue has been solved and there are no further issues.
The same applies to AdminCP accounts; they should ideally be temporary accounts created for us only. If we have created an account on your site already, you can optionally boost that account to Administrator and then de-admin this account once the issue has been solved.
If you use a .htaccess password protection for your AdminCP directory, it is recommended that you create a new authorised user for DBTech and remove this user once the issue has been solved.
Please test any temporary accounts you create to ensure that the FTP account has access to the forum files, and that the AdminCP account can access the administrative controls for the product we are assisting you with.
Ensuring this is all in order before submitting the information will significantly speed up the process of assisting you. We will alert you via PM if there's any issues with the login information you have provided.
When sending the PM, for your security you should also un-tick the "Save a copy in my Sent Items folder" checkbox. When the access details have been received, we will delete the PM from our inbox. Ensuring you have not kept a copy of the PM reduces the risk of security breaches.
Thank you for helping us debug our products and allowing us to assist you, we appreciate it
Could you please create and PM me with a temporary FTP and AdminCP account?
For security reasons, we recommend you create a new FTP account only for DBTech support, then disable or delete it after we have both confirmed the issue has been solved and there are no further issues.
The same applies to AdminCP accounts; they should ideally be temporary accounts created for us only. If we have created an account on your site already, you can optionally boost that account to Administrator and then de-admin this account once the issue has been solved.
If you use a .htaccess password protection for your AdminCP directory, it is recommended that you create a new authorised user for DBTech and remove this user once the issue has been solved.
Please test any temporary accounts you create to ensure that the FTP account has access to the forum files, and that the AdminCP account can access the administrative controls for the product we are assisting you with.
Ensuring this is all in order before submitting the information will significantly speed up the process of assisting you. We will alert you via PM if there's any issues with the login information you have provided.
When sending the PM, for your security you should also un-tick the "Save a copy in my Sent Items folder" checkbox. When the access details have been received, we will delete the PM from our inbox. Ensuring you have not kept a copy of the PM reduces the risk of security breaches.
Thank you for helping us debug our products and allowing us to assist you, we appreciate it
Alright, lets get to the bottom of it this weekend:
Could you please create and PM me with a temporary FTP and AdminCP account?
For security reasons, we recommend you create a new FTP account only for DBTech support, then disable or delete it after we have both confirmed the issue has been solved and there are no further issues.
The same applies to AdminCP accounts; they should ideally be temporary accounts created for us only. If we have created an account on your site already, you can optionally boost that account to Administrator and then de-admin this account once the issue has been solved.
If you use a .htaccess password protection for your AdminCP directory, it is recommended that you create a new authorised user for DBTech and remove this user once the issue has been solved.
Please test any temporary accounts you create to ensure that the FTP account has access to the forum files, and that the AdminCP account can access the administrative controls for the product we are assisting you with.
Ensuring this is all in order before submitting the information will significantly speed up the process of assisting you. We will alert you via PM if there's any issues with the login information you have provided.
When sending the PM, for your security you should also un-tick the "Save a copy in my Sent Items folder" checkbox. When the access details have been received, we will delete the PM from our inbox. Ensuring you have not kept a copy of the PM reduces the risk of security breaches.
Thank you for helping us debug our products and allowing us to assist you, we appreciate it
Hiya Dark,
I don't run an FTP daemon on my server, never installed it, don't use one. Is there some other way?
Last edited:
Darkwaltz4
Former Developer
Okay, SFTP works fine too
Okay, SFTP works fine too
That would require me giving you "root" access. The authentication is handled by SSH and the protocol is sftp. There is no configurable sftp daemon running. If files need to be uploaded, I would be happy to do so. As far as AdminCP access goes, just let me know when you wish to work on it and I will give you what you need.
There has to be some automatic mechanism somewhere in vbcredits that removes credits. This is not something I ever wish to do, can this mechanism be disabled? I find it hard to believe that I would be the only one affected, I am running vB4.2.0+.
Thanks Dark!!
Darkwaltz4
Former Developer
Lots of people are using the latest vbcredits with the latest vb4.2 and youre the only one reporting this...
There is no single "mechanism" for deducting credits. It is based on your settings, which apparently are fine (I looked them over many weeks ago when you first sent it). I don't have any ideas to try, except to go the debugging route with file system access.
You do NOT have to give me root access. All servers I've ever known (and I've worked with plenty that are SSH/SFTP only) include a regular user for mundane tasks. A system with only a root account would be very insecure.
I cant give you "files to upload" because debugging involves lots of little tiny edits and checking how the output fits expectations due to those edits. It would be a very long and tedious process for both of us to keep passing whole files and waiting for the other guy.
There is no single "mechanism" for deducting credits. It is based on your settings, which apparently are fine (I looked them over many weeks ago when you first sent it). I don't have any ideas to try, except to go the debugging route with file system access.
You do NOT have to give me root access. All servers I've ever known (and I've worked with plenty that are SSH/SFTP only) include a regular user for mundane tasks. A system with only a root account would be very insecure.
I cant give you "files to upload" because debugging involves lots of little tiny edits and checking how the output fits expectations due to those edits. It would be a very long and tedious process for both of us to keep passing whole files and waiting for the other guy.
Understood. Nobody else touches my servers, I've never had need to give a regular user any sort of access.
I'll set up an ftp server temporarily. I'll be back in touch.
Alright, it's now happening on a second server of mine. I do not know if the problem on the original site is still happening because I've had no complaints to report lately.
I've resorted to backing up my user table separately each night so I can look up the complaining members' balances from the day prior. It's a major pain and unfortunately a large, busy site.
Please let me know when you will have time to devote to this. I will need to work out ssh/scp access for you first though.
I just wanted to follow up on the point about not having to give regular user any access - that's not the issue, the issue is that if you install and run your site as root then you better be 100% sure that none of the PHP scripts you run have any form of vulnerability (which, btw, is 100% impossible to guarantee) otherwise a malicious user will have full access to your server and can install any form of malware they so desire without you knowing about it.
The mantra that Linux doesn't get malware is only true because you have to go out of your way to grant root access to scripts - in a normal environment. No app will ever ask for root access, and system apps / libraries are updated via a secure connection to servers maintained by the people who made your distro.
All that is thrown out the window if you run your web server as root. I cannot stress enough how monumentally bad the idea is. If that is the way your server is set up, I would suggest you devote 100% of your attention to resolving that immediately, and if possible coupled with a full OS reinstall from source to ensure any malware that may exist on your server is nuked.
Normal systems run Apache (or whatever other web server) as either apache, nobody or generate an individual account for each site running on the server (we have only 1 site on this server, so only 1 web server user).
My scripts are run as user "nginx".
- Status
Similar threads
- Locked
- Support ticket
Question
Laundry List O' Questions
- Tags
- additional admincp amount awards beta box broken button car cash counter currency database design display documentation eating event facebook fashion feature forms forum forums help html inactive install members mods more navbar new number only open paypal permissions points popup profile question questions sending settings shoutbox specific subscriptions suggestions support tabs tagging text threads track upgrade url vbactivity vbcredits vbshop vbulletin
