English Amiga Board
Old 13 July 2024, 18:52   #41
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,661
You construct queries properly.
You type-enforce and sanity-check all input - assume everything is potentially hostile.
You don't allow arbitrary, unescaped strings to be used as parameters.
You don't allow multiple statements to be issued in a single string issued to your connector/driver.
You don't leak error information.
Old 13 July 2024, 19:42   #42
AmigaBill
Registered User
 
Join Date: Sep 2016
Location: New York, USA
Posts: 185
Quote:
Originally Posted by lifeschool View Post
SQL injection, LA and L64 sites compromised. The hackers want money to reveal how they did it.
Dan, I am really sorry to hear this news. Freaking jerks. Lemon Amiga is such a great asset to the community and one of my favorite sites. I hope it comes back soon with minimal damage. I know nothing about running a site like that, but if there is anything I can do to help out, let me know. Massive thanks to you and the Lemon team for all the hard work.
Old 13 July 2024, 19:54   #43
Megalomaniac
Registered User
 
Join Date: Sep 2022
Location: Eastbourne
Posts: 1,126
I did indeed mean the games competition, most people post scores on Lemon rather than EAB and so might not have an EAB account, or it might be under a different username. Plus there's a C64 competition which (AFAIK) isn't available anywhere other than Lemon64?
Old 13 July 2024, 20:22   #44
Predseda
Puttymoon inhabitant
 
Join Date: Mar 2007
Location: Tromaville
Age: 46
Posts: 7,600
Quote:
Originally Posted by Seiya View Post
If they have a backup of the forum and site, it could be moved to another server.
I have no idea. The database is not accessible from the standard web admin, so only Kim knows what has survived and what has not.
Old 13 July 2024, 20:55   #45
d4rk3lf
Registered User
 
Join Date: Jul 2015
Location: Novi Sad, Serbia
Posts: 1,720
One of the best sites.
Man... I admit I am stupid and can't comprehend why would anyone attack awesome site about retro computers.

Lemon is like a retro library/museum value to me.
Love reading reviews from scanned magazines, whenever I encounter interesting game that I have not seen before.
Old 13 July 2024, 20:56   #46
lifeschool
Local Moderator
 
Join Date: Oct 2009
Location: Lancashire, UK
Age: 48
Posts: 1,664
Quote:
Originally Posted by Megalomaniac View Post
I did indeed mean the games competition, most people post scores on Lemon rather than EAB and so might not have an EAB account, or it might be under a different username. Plus there's a C64 competition which (AFAIK) isn't available anywhere other than Lemon64?
I didn't think about user names and access. I guess it would take a whole bunch of them to register here to continue. With the LA compo, yes, most post on LA. But I'm hoping to keep it going and move it here instead. The Test Drive 2 round has been surprisingly quiet, and the next round is PD games, so no big deal as far as games. If the top players don't move over, it would be a shame to let others have an advantage. But I don't want to close the compo down completely, as who knows when it will come back.

Quote:
Originally Posted by Predseda View Post
I have no idea. The database is not accessible from the standard web admin, so only Kim knows what has survived and what has not.
He messaged me to say the site is 99% intact. Nothing has been deleted. But there is some bad code somewhere preventing things from working.
Old 14 July 2024, 00:15   #47
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,661
Quote:
Originally Posted by d4rk3lf View Post
One of the best sites.
Man... I admit I am stupid and can't comprehend why would anyone attack awesome site about retro computers.

Lemon is like a retro library/museum value to me.
Love reading reviews from scanned magazines, whenever I encounter interesting game that I have not seen before.
Some people are just complete bellends. But the reality is this is likely just a malicious automated crawler probing for a specific database of known vulnerabilities and then doing a follow-up takedown on any it flags. I don't think the site would have been specifically targeted, unless by someone with a real axe to grind.

Other times it's just bored h4xx0rz going after a low hanging fruit.
Old 14 July 2024, 00:21   #48
Retro1234
Phone Homer
 
Join Date: Jun 2006
Location: 5150
Posts: 5,850
I was making fun the other day about EAB not needing more security because it's just an Amiga site - then some Lamer does this.
Old 14 July 2024, 08:06   #49
CCCP alert
Registered User
 
Join Date: May 2023
Location: essex
Posts: 553
I went back to update a post about a newly completed game and it was just gone!

Whilst you can find games on gb64 site Lemon64 is more about info on games (conversions, magazine review scan links to archive.org, manuals, covers, user reviews and comments etc) than just checking out some screenshots so it is sad somebody thinks they can get rich hacking such a minority set of sites.

It's a problem for all of us.

"No matter how good you are at Poker, there will always be one person better than you." Nolan Bushnell. There is no such thing as a 100% hackproof site for such niche minorities.

Thank you for the update, Lifeschool.
Old 14 July 2024, 08:35   #50
TCD
HOL/FTP busy bee
 
Join Date: Sep 2006
Location: Germany
Age: 46
Posts: 32,177
Quote:
Originally Posted by Retro1234 View Post
I was making fun the other day about EAB not needing more security because it's just an Amiga site - then some Lamer does this.
It's all fun and games until a website is down for weeks, isn't it?
Old 14 July 2024, 10:12   #51
AestheticDebris
Registered User
 
Join Date: May 2023
Location: Norwich
Posts: 468
Quote:
Originally Posted by lifeschool View Post
Can you explain how it is possible to avoid it? For example, is it the uploading of files to the server which is the leak? Or perhaps somehow the custom back end is the issue?
The classic mistake is building up SQL commands via string concatenation rather than using query parameters. If the value being embedded into a string is carefully constructed, you can effectively run any SQL you like when that is done. Parameterized queries prevent that because the value is guaranteed to be passed as a variable in the query.

So a good query might look like

"SELECT * FROM table WHERE name = ?;", input

And the bad version looks something like

"SELECT * FROM table WHERE name = '" + input + "';"

And if the value of input is:

'; DROP TABLE table; SELECT '

The parameterised version will look for a row where name is exactly the above text. The bad version will see multiple commands and run them all, dropping a table in the process.

If I were Kim I'd focus on anything to do with searching. It's almost always the place where people get sloppy and try to construct SQL queries by string concatenation, because they're cumbersome to write correctly when multiple options may or may not be selected etc. Beyond that, anything that allows passing parameters via a URL string is usually suspicious.
Old 14 July 2024, 12:40   #52
Korodny
Zone Friend
 
Join Date: Sep 2001
Location: Germany
Posts: 814
Quote:
Originally Posted by lifeschool View Post
I dont know what an SQL injection is
AestheticDebris was faster than me, but I'll try to give a less technical explanation.

A website's database constantly has to store user generated content. You create an account -> your username, mail etc. need to be stored in the database. You write a posting or create a new thread -> your posting and/or the name of the thread you created need to be stored in the database.

"SQl injection" means an attacker creates some version of this user created content (username, posting...) that is meant to confuse the DB and make it do something it wasn't meant to do.

Fictional (and very simplified) example: I change my Username to...

Code:
Korodny"; DELETE ENTIRE DATABASE; "
The DB command used to update one of the 'username' entries looks like this:

Code:
WRITE "[new_username]" TO TABLE USERNAMES
If the website program tries to store my manipulated username in the DB, the resulting command will look like this...
Code:
WRITE "Korodny"; DELETE ENTIRE DATABASE; "" TO TABLE USERNAMES
...which is three (fictional) DB commands separated by semicolons: 'WRITE "Korodny"', which will simply produce an error from the DB ("write it to what table?"), 'DELETE ENTIRE DATABASE', which is the command the attacker wants to execute, and '"" TO TABLE USERNAMES', which will produce another error.
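The contrast AestheticDebris and Korodny both describe, as an added example that is not from either post: a Python sqlite3 script (with an assumed `users` table and constructed rows) runs the same lookup once with a bound parameter and once by string concatenation, and adds a small statement-count check a maintainer could apply to generated SQL before it ever reaches the driver.

```python
import sqlite3

# Constructed sample data for the demonstration; not the Lemon Amiga schema.
INJECTED = "'; DROP TABLE users; SELECT '"   # the input shape quoted in the post


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("Kim",), ("Karlos",)])
    conn.commit()
    return conn


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def lookup_safe(conn, name):
    """Parameterised: `name` is bound as a value, so it is never parsed as SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?;", (name,)).fetchall()


def build_unsafe(name):
    """Concatenation: the input becomes part of the SQL text itself."""
    return "SELECT name FROM users WHERE name = '" + name + "';"


def lookup_unsafe(conn, name):
    """Runs the concatenated string the way a connector that accepts several
    statements per call would (executescript). A plain execute() refuses the
    extra statements, which is the single-statement safeguard Karlos describes."""
    sql = build_unsafe(name)
    conn.executescript(sql)
    return sql


def statement_count(sql):
    """Review guard for generated SQL: count top-level statements, using
    sqlite3.complete_statement so semicolons inside string literals do not count."""
    count, buf = 0, ""
    for ch in sql:
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            count += 1
            buf = ""
    return count + (1 if buf.strip() else 0)
```

A generated query with a count above one is the concatenation bug made visible; the parameterised form always counts one because the value never enters the SQL text.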
Old 14 July 2024, 12:40   #53
lifeschool
Local Moderator
 
Join Date: Oct 2009
Location: Lancashire, UK
Age: 48
Posts: 1,664
Looks like the domain name side of things now points to this:

"Dear Lemon visitor,

We are deeply saddened to inform you that our beloved retro computing hobby project, which has been a labor of love for over 20 years, has been attacked. Unauthorized individuals have accessed our database.

What Happened:

Our website suffered a security breach, and our database was accessed without permission.
We are currently investigating the breach and working to secure our systems with the help of voluntary cybersecurity experts.

Our Response:

We are doing everything we can to understand how this happened and to prevent it from happening again.
The authorities have been notified, and we are working to strengthen our security measures.

The passwords in phpBB3.3 use an exceptionally strong and secure method of encryption. This means that your password cannot be decrypted. Regardless of this, we recommend that you change your password once the site is up and running.

We are truly sorry for any inconvenience or worry this may cause. This community means the world to us and we are totally committed to fixing this. Thank you for your understanding and patience as we work through this.

With a heavy heart,
The Lemoners Team"


Thanks AestheticDebris and Korodny!
Old 14 July 2024, 12:53   #54
Megalomaniac
Registered User
 
Join Date: Sep 2022
Location: Eastbourne
Posts: 1,126
I doubt that the people who've hacked this will appreciate how valuable it is to so many of us. Really hope it's all back up and running, with steps in place to stop it happening again, as soon as possible. The web address now linking to something directly written by the Lemon team, rather than a generic error message, is itself progress.
Old 14 July 2024, 14:48   #55
AmyMor
Registered User
 
Join Date: Apr 2020
Location: Calvi Risorta
Posts: 176
What kind of shitty people exist in the world?

Without LEMON I am an AMIGHIST divided in half
Old 14 July 2024, 15:08   #56
jbenam
Italian Amiga Zealot
 
Join Date: Jan 2009
Location: Italy
Age: 36
Posts: 1,921
Quote:
Originally Posted by lifeschool View Post
Can you explain how it is possible to avoid it?
Drop anything that uses PHP. I have had the misfortune to work with it (and I still have to, every now and then) and the entire thing is a trainwreck filled with vulnerabilities. Rarely have I seen such a major language releasing critical security fixes so often.

It’s fundamentally broken - it was a language written that let any kind of bad dev habit run free and as such it fostered a community of devs that kept using these bad habits and kept regurgitating the same things over and over.

The result is that literally anything written in PHP has at least one security hole somewhere. Never trust PHP.

“But but PHP8!!!1”, yes, yes. They finally tried fixing stuff. Too late, the dev community (at least the part that isn’t too scared or too closed to learn new things) moved on to better, faster and more secure things.

The TIOBE index for 2024 shows that PHP is a functionally dead language - no one uses it anymore for new projects, and if they do, they should be changed immediately for another more competent company.

“But half of the internetzzz runs on PHP!’!1!1!”, yes, and half of the world still runs on coal. You can’t switch overnight to a new technology, it requires time and planning, even if you really really want to switch to cleaner and more modern forms of energy. Everyone knows that solar is going to be cheaper and better in the long run, sticking with coal is just stupid. The same thing with PHP.


tl;dr: just look at NodeBB and enjoy your blazing fast, cheaper, more secure and easier to manage forum. I also advise switching to MongoDB - no more SQL injections if you don't use SQL.
Old 14 July 2024, 15:11   #57
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,661
Node? Secure? LMFAO.
Old 14 July 2024, 15:12   #58
jbenam
Italian Amiga Zealot
 
Join Date: Jan 2009
Location: Italy
Age: 36
Posts: 1,921
Quote:
Originally Posted by Karlos View Post
Node? Secure? LMFAO.
Still better than PHP

Clearly Rust would be the better choice if you want maximum security, but you have to draw the line somewhere.

Node is kinda like driving a hybrid car. Still better than that old 90s clunky petrol car you were driving before, still not as good as that fancy electric car everyone wants.

You have to start somewhere.
Old 14 July 2024, 15:26   #59
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,661
Speaking as a senior architect for a major online retailer, I'm going to just come out with it. Node and JS in general are absolutely as bad as PHP from a security and major language flaws perspective. Both allow inexperienced developers to perpetuate bad practices. Furthermore, I've never seen anything as woeful as NPM from a supply chain vulnerability perspective and the whole JS ecosystem is maintained by a community of developers that literally never finish anything before abandoning it and moving on. Including the author of Node itself.

The key difference between the two ecosystems is that the issues in PHP tend to get dealt with.
Old 14 July 2024, 15:30   #60
AestheticDebris
Registered User
 
Join Date: May 2023
Location: Norwich
Posts: 468
Quote:
Originally Posted by lifeschool View Post
Thanks AestheticDebris and Korodny!
Well, I don't think I've actually done anything, though obviously if the lads over at Lemon need any help I'd be glad to. Really sad how people spend their time destroying things like this for fun rather than doing constructive things.