PDA

View Full Version : Missing PM - How to ID Root Cause?


silurius
02 Jul 2008, 01:12
I have been looking into a mystery and was hoping I could get some advice here. On a 3.6 forum a little while back, a user complained that her account had been compromised and that a certain private message had disappeared. Knowing this person as I do, I have no doubt that what she says happened did indeed happen, but I also know that vBulletin doesn't log that sort of activity (at least, I remember reading that it doesn't). I realize that there are hacks out there to address this should it happen in the future, but I am motivated to get to the bottom of this particular event, even if it was isolated.

Is it possible to run a grep command on the server, using some string with "private.php" in it, or something along those lines? Am I being too hopeful? I realize there could be an exhaustive amount of data to pour through, but I have reason to be totally OK with that. Whatever it takes, I'm willing, so long as there is potential.

Marco van Herwaarden
02 Jul 2008, 07:54
It would be very helpfull if you knew the pmid. Maybe you do have a backup from just before the PM disappeared to find the correct pmid (look in the backup file or restore to test database).

silurius
02 Jul 2008, 16:14
Oh, yes, I definitely have backups and restoring is not an issue. The big thing for me at this point is identifying the culprit. Maybe it's just a huge stretch of the imagination, but I was thinking that grepping on the server (or something along those lines) might reveal an IP address.

Marco van Herwaarden
03 Jul 2008, 08:37
Once you have the pmid, you could try to find more info in your web server logs, but it is a long shot. I wouldn't know of any other way to find out what happened, could be anything from a confused user (more likely) to a hacker (very unlikely).

silurius
04 Jul 2008, 04:30
Yeah, I hear what you're saying. Turns out even if I understood what to grep for better than I do currently, the server logs probably don't extend far enough back in time anyway (as it turns out).

A related question: The same user from above also reports that the message she originally sent is now appearing as having been sent from "Guest" (with a post count of "n/a "), when she goes to her sent messages. Any idea why this might be? I suppose it could be database corruption (which means no hanky panky, afterall) but at the same time it's isolated -- it has not impacted any other private messages in this forum.

Marco van Herwaarden
04 Jul 2008, 08:56
Has there been any changes to her account lately, any manual updates done using manual SQL or such?