Questions about CB and CBsubs

1 month 3 weeks ago #318382 by titolin
Replied by titolin on topic Questions about CB and CBsubs
Thank you Krileon for your valued responses,

The reason behind my desire to move users from my current CB website to a new installation is that I think one of the extension developers whom I trusted before used the FTP credentials that I gave him to do something wrong, and I think that since that time he injected some files or uploaded bad files to be able to create superusers whenever he wants.

Of course, I will do everything to fix this issue and recover my clean website again, but if I revert to the previous backup I might lose some important user data.

Another reason for moving to another installation is that I need the main website to be accessed using the domain "example1.com" while the community with cbSubs should be a standalone website on the domain "example2.com".

Then I will use a bridge to share users' data between the 2 installations, and at the same time I will feel more comfortable that the payment gateway API credentials that I will use for cbSubs will not get stolen because of the first website if the developer left any bad files to make a connection with the database without my knowledge. Users' data safety is also the main concern.

I was thinking of making the 2 standalone websites on the same installation using the method given here: docs.joomla.org/Multiple_Domains_and_Web_Sites_in_a_single_Joomla!_installation
That would be better for me, but I don't know how user registration will work well without users noticing that the 2 websites are related to each other, especially since each one of them is for a different purpose. I might use some modules for registration and login with different URL redirects on login and logout, but the registration confirmation email messages will use one website title, and that is an issue for me.

- So now I would like to know what things I need to keep in mind when I transfer users from the first website to the new installation.

- Does migrating users need anything more than phpMyAdmin to export and import tables?

- Which tables do I really need to export and import?

- I'm thinking of updating to the latest CB on both sites > then I remove all CB database tables from the new installation > then I export the CB tables from the first website's database > then I import them into the new website's database using phpMyAdmin > then I edit the super user's id number in the CB users table to match the superuser on the new installation to make sure that there is no conflict ... is this procedure correct?

Thank you


1 month 3 weeks ago #318400 by krileon
Replied by krileon on topic Questions about CB and CBsubs

The reason behind my desire to move users from my current CB website to a new installation is that I think one of the extension developers whom I trusted before used the FTP credentials that I gave him to do something wrong, and I think that since that time he injected some files or uploaded bad files to be able to create superusers whenever he wants.

If he modified core files to do that simply install everything over the top of itself again. This includes Joomla and all your extensions. Do you have any proof this developer is even doing that though? Are you sure they're just not using a Joomla super user account to login?

Then I will use a bridge to share users' data between the 2 installations, and at the same time I will feel more comfortable that the payment gateway API credentials that I will use for cbSubs will not get stolen because of the first website if the developer left any bad files to make a connection with the database without my knowledge. Users' data safety is also the main concern.

That would just be a bandaid for a bigger issue. If you feel your site is compromised you should address that first instead of trying to launch and integrate a fresh site with a compromised site.

I was thinking of making the 2 standalone websites on the same installation using the method given here: docs.joomla.org/Multiple_Domains_and_Web_Sites_in_a_single_Joomla!_installation
That would be better for me, but I don't know how user registration will work well without users noticing that the 2 websites are related to each other, especially since each one of them is for a different purpose. I might use some modules for registration and login with different URL redirects on login and logout, but the registration confirmation email messages will use one website title, and that is an issue for me.

I do not recommend doing this.

- I'm thinking of updating to the latest CB on both sites > then I remove all CB database tables from the new installation > then I export the CB tables from the first website's database > then I import them into the new website's database using phpMyAdmin > then I edit the super user's id number in the CB users table to match the superuser on the new installation to make sure that there is no conflict ... is this procedure correct?

If you feel the issue is compromised files and not say a login then just use your existing database. There would be no need to import/export at all.


It just seems like you're trying to bandaid or workaround a bigger problem and that bigger problem is your site is compromised. If your site is indeed compromised you either need to identify how they're getting in and fix that or you need to abandon that site entirely and start over. If you choose to abandon the site then often the database can be salvaged, but you would need to completely start over again file structure wise. Starting over while salvaging the database sounds like the best option since you believe an extension developer used FTP to maliciously modify files, but you can first try reinstalling everything over the top of itself to clear any potential modifications to core code.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
The following user(s) said Thank You: titolin


1 month 3 weeks ago - 1 month 3 weeks ago #318411 by titolin
Replied by titolin on topic Questions about CB and CBsubs

If he modified core files to do that simply install everything over the top of itself again. This includes Joomla and all your extensions.

Yes, I did that and some problems have been solved. Also, I found encrypted coin miner JS code in core files, which was making the website use a lot of CPU and client-side resources. Installing everything over solved the issue. But even so, I don't think that he forgot to upload some shell files or any malicious files to a deep folder within any core system plugin folder.

Do you have any proof this developer is even doing that though?

Recently one developer was solving a conflict between the template and his component, then he encrypted some code in the template files without my permission, and then I discussed it with him and reinstalled the template files again. It was very weird of him to solve some conflicts by encrypting the code he adds to the template overwrites, which is not acceptable for me. You know, right, that encrypted code is something that can't be trusted.
But for creating superusers and making a remote connection with the database I don't have specific proof. That is the reason why I said (I think there is one of the extension developers) and didn't mention the name or his website URL, because it's true: over the years I used many extensions and some developers asked for FTP and I gave it to them based on their reputation, which was a mistake on my part to depend on. But the issues started to pop up after that encrypted code that I found. Maybe the issues were there before, until I woke up and started to focus too much on the performance and the security issues.
To be honest, I can't accuse any developer of anything, so I can't mention the name or his website. Even the chat that I still keep is, for me, no real proof to destroy someone's reputation. But I have some issues and personally I'm sure it was because I shared the FTP login. With whom? It doesn't matter to me now, since I need to start the new website with clean code with as little loss as I can.

Are you sure they're just not using a Joomla superuser account to login?

I'm sure it's not the Joomla superuser account. It's malicious files that give someone access to the database. I reinstalled everything and the website is working normally now, but I still think there are some malicious files somewhere, maybe in plugin folders. If there is an easy way to clean these files it would be great.

If I'm not mistaken, the update process just installs the new core files over the current files, but it doesn't remove the entire folders, which may contain non-core files that are important for some other extensions and plugins to work well, and there might be some other malicious files there as well, which is what I'm worried about. But if it removes the entire directories and builds them again then I'm fine and there is no need for me to be so worried.

That would just be a bandaid for a bigger issue. If you feel your site is compromised you should address that first instead of trying to launch and integrate a fresh site with a compromised site.


Yes, I think it was hacked, but after many procedures it works normally now (of course I'm still worried).

But even if it's in the best condition I still need 2 independent websites that share users between them, where users can log in to both using one account... I'm still trying to figure out how I can make it work!
I just don't want to put the second new website under the same risk as the first one, but I still need them both.
Hint: The first website is an existing brand that provides some services based on subscription too. The second website will be a competitor brand but based on an interactive paid community. I still want users to have access to both websites using one login.
My concern now is, regardless of the security condition of the current website, how to make the 2 websites work together with one login with no feature issues. Maybe some well-known 3rd-party multi-site extensions can solve it. I'm still thinking about how. If there is any recommendation it would be great.

I do not recommend doing this.

Are there any other recommendations if I want to connect 2 websites with one login and same users?

the database can be salvaged, but you would need to completely start over again file structure wise. Starting over while salvaging the database sounds like the best option

Yes, it seems the best option. Saving the database can be done through the import/export feature as far as I know, and since the file structure is very important I think I will do the following:

1- Installing all the "trusted" extensions, plugins, modules, and everything on the new installation.
2- Moving images and important files to the same directory structures as they were.
3- Removing the newer database but after installing everything.
4- Import the backed up database which will provide the menu structures and module settings, users data and content, etc.

Four simple steps to get the website to its original condition without malicious files, and maybe the opinion of each plugin's developer regarding their plugins would be worth getting, as they might have specific instructions.

The steps to achieve the goal of integrating the community across the 2 websites should start from step 5:
5- Cloning the recovered website after making sure it's working perfectly.
6- Installing the cloned copy on the second domain with another database.
7- Installing the multi-sites extension on both of them to share login for 2 different domains and to share users, while content, menu items and templates will be modified to suit each website's purpose and style.

The multi-site extension that I am talking about is here: extensions.joomla.org/extension/multi-sites/. Honestly I have never tried it before, and I hope it will make it easy and that the user registration process will remain different and under each site's domain without issues. Also, I wonder if it will help to separate "cbsubs" plans from one website to another, since the main goal is to give more options to users and act as a competitor with different plans on each website.

If these simple steps are right then please let me know.

Thank you in advance, I really appreciate all your patience.

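The worry raised in the post above, that reinstalling over the top replaces packaged files but leaves any file the package does not contain, can be checked by comparing the live web root with a clean reference tree unpacked from the same Joomla and extension versions. This is an added example, not part of the original thread or of any Joomla/CB tooling; the demo file contents and the name `old_helper.php` are constructed, and the extension list is an assumption.

```python
"""Added example: diff a live Joomla web root against a clean reference tree."""
import hashlib
import os
import tempfile

# Extensions treated as "can run code"; an assumption, match it to the
# handlers actually configured on your server.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".js"}


def sha256_file(path, chunk=65536):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file (and symlink) under root to a fingerprint."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):  # does not follow symlinks
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # A link is recorded by target so a planted one shows up.
                manifest[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = sha256_file(full)
    return manifest


def audit(reference_root, live_root):
    """Classify live files as modified, missing or extra versus the reference."""
    ref, live = build_manifest(reference_root), build_manifest(live_root)
    extra = sorted(set(live) - set(ref))
    return {
        "modified": sorted(p for p in set(ref) & set(live) if ref[p] != live[p]),
        "missing": sorted(set(ref) - set(live)),
        "extra": extra,
        # Extra files that can execute deserve review first; uploads such as
        # images are expected to be extra and are listed only under "extra".
        "extra_scripts": [p for p in extra
                          if os.path.splitext(p)[1].lower() in SCRIPT_EXTS],
    }


def make_demo_trees(base):
    """Write constructed sample trees (not real Joomla files) under base."""
    clean = {
        "index.php": b"<?php // entry point\n",
        "plugins/system/cache/cache.php": b"<?php // plugin\n",
        "media/system/js/core.js": b"// core script\n",
    }
    live = dict(clean)
    live["media/system/js/core.js"] += b"/* appended packed blob */\n"
    live["plugins/system/cache/old_helper.php"] = b"<?php // leftover\n"
    live["images/logo.png"] = b"constructed image bytes"
    roots = {}
    for label, tree in (("reference", clean), ("live", live)):
        roots[label] = os.path.join(base, label)
        for rel, data in tree.items():
            path = os.path.join(roots[label], *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return roots["reference"], roots["live"]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit(*make_demo_trees(tmp))
        for kind, paths in report.items():
            print(f"{kind}: {paths}")
```

Run it against a copy of the site rather than the production web root; files under upload directories such as `images/` will legitimately appear as extra.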

1 month 3 weeks ago #318412 by krileon
Replied by krileon on topic Questions about CB and CBsubs
It doesn't really sound like a developer did this. That'd be a huge risk to their reputation, which would end their financial stream for minimal gain. More than likely your site was compromised a long time ago. That's basically the risk you take falling behind on updates. You either need to maintain your site or you need to completely lock it down and by lock it down I mean with strict server mod_security, limiting what data users can submit, limiting access, etc.. Reinstalling everything likely cleared away the exploit as it was probably modified core files.

I do agree on asking for FTP being pretty strange, but if it's needed by a developer in the future I suggest creating an FTP user account that has very limited access. We most commonly ask for a temporary super user account during install reviews, but it has been years since we needed any sort of access beyond that to debug something.

Additionally since developers did have access to FTP it means they had raw access to configuration.php, which stores your database username and password. So I suggest you change both of those then update your configuration.php if you haven't already.

Are there any other recommendations if I want to connect 2 websites with one login and same users?

Yes, there's 3rd party extensions for multi-site Joomla but CB doesn't officially support any kind of multi-site usage so how well that will work is unknown. We can't really help you much in this regard.

Yes, it seems the best option. Saving the database can be done through the import/export feature as far as I know, and since the file structure is very important I think I will do the following:

Yup, that'll work fine.

The multi-site extension that I am talking about is here: extensions.joomla.org/extension/multi-sites/. Honestly I have never tried it before, and I hope it will make it easy and that the user registration process will remain different and under each site's domain without issues. Also, I wonder if it will help to separate "cbsubs" plans from one website to another, since the main goal is to give more options to users and act as a competitor with different plans on each website.

I don't have any experience with that extension or a multi-site setup so I can't really comment how well that'd work. CB isn't designed for multi-site. Personally seems odd to design 2 sites to compete with one another. Best I can suggest is just give that extension a try and see what happens, but recommend making your clear and secure site first before bothering with the second site.



1 month 3 weeks ago - 1 month 3 weeks ago #318414 by titolin
Replied by titolin on topic Questions about CB and CBsubs

It doesn't really sound like a developer did this.

The encrypted code that he inserted into some parts of the template is a true story. He tried to convince me that this is his product policy, which he never shares on the product page, so it wasn't an acceptable policy for me (if there is such a policy of inserting encrypted code in the open-source world, lol!). But since I don't have direct proof of the relation between what happened to my website and his code, and other developers also had FTP access at that time, I didn't share the name or his website; I didn't even go to JED to leave a bad review.

That'd be a huge risk to their reputation, which would end their financial stream for minimal gain.

Of course, if they understand the meaning of building a reputable stable business.

your site was compromised a long time ago

Maybe, everything is possible.

I do agree on asking for FTP being pretty strange, but if it's needed by a developer in the future I suggest creating an FTP user account that has very limited access. We most commonly ask for a temporary super user account during install reviews, but it has been years since we needed any sort of access beyond that to debug something.


I realized that.

Additionally since developers did have access to FTP it means they had raw access to configuration.php, which stores your database username and password. So I suggest you change both of those then update your configuration.php if you haven't already.


I did, and after changing the database username and password, the website speed on the Google speed test increased by more than 20%. (Is it possible?)

Yes, there's 3rd party extensions for multi-site Joomla but CB doesn't officially support any kind of multi-site usage so how well that will work is unknown. We can't really help you much in this regard.


I will test, and once I make sure it works properly without issues I can go ahead to production. I have seen that the JMS Multi-sites extension has been around since 2008 and the latest update was in 2018. Regardless of the compatibility with CB, are the developers there trusted? Any idea?

Yup, that'll work fine.

Happy to hear that, I will proceed.


I don't have any experience with that extension or a multi-site setup so I can't really comment how well that'd work. CB isn't designed for multi-site.

If I could share users' profiles only, or even users' logins only, then it's more than enough for my needs; no desire to clone activity stream or groups or notifications.

Personally seems odd to design 2 sites to compete with one another.


I can't share the business model with the public, but after I prepare the 2 websites I will then need CB quickstart and CBsubs, then you'll see it live. For now, I can give some explanation about how it works:

Website1 is a standalone business that helps people to get some services (legal and for the public), then clients will pay the price of the services based on subscription and they can decide to renew or cancel or even hold renewal.

Website2 will give people the ability to help each other to get these services, and here is the need for the activity stream and all the features that will make them enjoy their happy time helping each other. They will subscribe to the premium sections of the website, and their ability to message each other privately will be based on subscription, and here is the beauty of this update www.joomlapolis.com/blog/kyle/18876-private-message-create-access
which I was asking about in the first post of this topic when I opened it.


The users on website2 will still see banners asking them to get the services from the company on website1 instead of getting them from individuals who may sell these services or offer them for free, but my business model is not a marketplace and I don't aim to collect a commission on sales that users make between each other, because part of this community's goals is to help people freely while those who are able to pay will cover the cost with a small subscription fee.

Website1 will make it easy for those people who are in a rush and want professional help, and will offer them to log in immediately if they have an account on the community on website2. This is the reason that I want a way to share at least logins.

The words (competitors, competing, and similar words) might not be correct because the 2 websites will complete each other somehow.

Best I can suggest is just give that extension a try and see what happens,


Exactly I will do that.

but recommend making your clear and secure site first before bothering with the second site.


That's what I will do first, making sure the website is secure and there are no malicious files then I will clone the clean copy and then I start on the testing environment.

If I succeed in making them work with one login then the next step will be installing the quickstart and cbSubs. I'm happy that the quickstart can be installed on an existing website. The word quickstart sounds like a new Joomla installation quickstart, which causes confusion.

In case I don't succeed in making them work together with one login, I will go for completely separate websites and start with a new Joomla installation. I might lose the advantage of having the existing users on the second website, so this will be my last option; in addition, I will try to export and import them through the database, which might be possible.


1 month 3 weeks ago #318462 by krileon
Replied by krileon on topic Questions about CB and CBsubs

I will test, and once I make sure it works properly without issues I can go ahead to production. I have seen that the JMS Multi-sites extension has been around since 2008 and the latest update was in 2018. Regardless of the compatibility with CB, are the developers there trusted? Any idea?

I've no experience with multi-site extensions or their developers.

If I could share users' profiles only, or even users' logins only, then it's more than enough for my needs; no desire to clone activity stream or groups or notifications.

You might be able to just push that information to your other site using CB Auto Actions if that's the case.

I can't share the business model with the public, but after I prepare the 2 websites I will then need CB quickstart and CBsubs, then you'll see it live. For now, I can give some explanation about how it works:

Seems like it'd just be easier to put this under 1 roof and use Joomla template/module menu assignment in combination with 2 different Joomla menus to accomplish all this without double the work. You can have 2 totally different sites on a single Joomla install entirely with Joomla menu assignment behavior basically. Example as follows.

Menu 1 = paid services site
Menu 2 = free services site

Have 2 different templates installed or 2 copies of the same template. Assign your paid services template to Menu 1 and the other template to Menu 2. Now set up modules for those templates and also assign the menus. This should give you 2 different looking sites based off what menu item is accessed.

To take this a step further point a domain name to menu 1 and a domain name to menu 2. This gives you 2 different domains under same roof. As long as live_site in configuration.php is kept empty Joomla should handle the domain output fine. There's more work involved in this of course, but that's the basic idea for 2 sites under 1 roof.

