13 July 2024, 18:52 | #41
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,843

You construct queries properly.
You type enforce and sanity check all input - assume everything is potentially hostile. You don't allow arbitrary, unescaped strings to be used as parameters. You don't allow multiple statements to be issued in a single string issued to your connector/driver. You don't leak error information.
13 July 2024, 19:42 | #42
Registered User
Join Date: Sep 2016
Location: New York, USA
Posts: 192

Dan I am really sorry to hear this news. Freaking jerks. Lemon Amiga is such a great asset to the community and one of my favorite sites. I hope it comes back soon with minimal damage. I know nothing about running a site like that, but if there is anything I can do to help out let me know. Massive thanks to you and the Lemon team for all the hard work.
13 July 2024, 19:54 | #43
Registered User
Join Date: Sep 2022
Location: Eastbourne
Posts: 1,184

I did indeed mean the games competition, most people post scores on Lemon rather than EAB and so might not have an EAB account, or it might be under a different username. Plus there's a C64 competition which (AFAIK) isn't available anywhere other than Lemon64?
13 July 2024, 20:22 | #44
Puttymoon inhabitant
13 July 2024, 20:55 | #45
Registered User
Join Date: Jul 2015
Location: Novi Sad, Serbia
Posts: 1,730

One of the best sites.
Man... I admit I am stupid and can't comprehend why anyone would attack an awesome site about retro computers. Lemon is like a retro library/museum value to me. Love reading reviews from scanned magazines, whenever I encounter an interesting game that I have not seen before.
13 July 2024, 20:56 | #46
Local Moderator
Join Date: Oct 2009
Location: Lancashire, UK
Age: 48
Posts: 1,724

Quote:
He messaged me to say the site is 99% intact. Nothing has been deleted. But there is some bad code somewhere preventing things from working.
14 July 2024, 00:15 | #47
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,843

Quote:
Other times it's just bored h4xx0rz going after a low hanging fruit.
14 July 2024, 00:21 | #48
Phone Homer
Join Date: Jun 2006
Location: 5150
Posts: 5,883

I was making fun the other day about EAB not needing more security because it's just an Amiga site - then some Lamer does this
14 July 2024, 08:06 | #49
Registered User
Join Date: May 2023
Location: essex
Posts: 590

I went back to update a post about a newly completed game and it was just gone!
Whilst you can find games on gb64 site Lemon64 is more about info on games (conversions, magazine review scan links to archive.org, manuals, covers, user reviews and comments etc) than just checking out some screenshots so it is sad somebody thinks they can get rich hacking such a minority set of sites. It's a problem for all of us. "No matter how good you are at Poker, there will always be one person better than you." Nolan Bushnell. There is no such thing as a 100% hackproof site for such niche minorities. Thank you for the update Lifeschool.
14 July 2024, 08:35 | #50
HOL/FTP busy bee
Join Date: Sep 2006
Location: Germany
Age: 46
Posts: 32,446
14 July 2024, 10:12 | #51
Registered User
Join Date: May 2023
Location: Norwich
Posts: 516

Quote:
So a good query might look like
"SELECT * FROM table WHERE name = ?;", input
And the bad version looks something like
"SELECT * FROM table WHERE name = '" + input + "';"
And if the value of input is:
'; DROP TABLE table; SELECT '
The parameterised version will look for a row where name is exactly the above text. The bad version will see multiple commands and run them all, dropping a table in the process.
If I were Kim I'd focus on anything to do with searching. It's almost always the place where people get sloppy and try to construct SQL queries by string concatenation, because they're cumbersome to write correctly when multiple options may or may not be selected etc. Beyond that, anything that allows passing parameters via a URL string is usually suspicious.
14 July 2024, 12:40 | #52
Zone Friend
Join Date: Sep 2001
Location: Germany
Posts: 814

AestheticDebris was faster than me, but I'll try to give a less technical explanation.
A website's database constantly has to store user generated content. You create an account -> your username, mail etc. need to be stored in the database. You write a posting or create a new thread -> your posting and/or the name of the thread you created need to be stored in the database. "SQL injection" means an attacker creates some version of this user created content (username, posting...) that is meant to confuse the DB and make it do something it wasn't meant to do. Fictional (and very simplified) example: I change my Username to...
Code:
Korodny"; DELETE ENTIRE DATABASE; "
Code:
WRITE "[new_username]" TO TABLE USERNAMES
Code:
WRITE "Korodny"; DELETE ENTIRE DATABASE; "" TO TABLE USERNAMES
14 July 2024, 12:40 | #53
Local Moderator
Join Date: Oct 2009
Location: Lancashire, UK
Age: 48
Posts: 1,724

Looks like the domain name side of things now points to this:
"Dear Lemon visitor, We are deeply saddened to inform you that our beloved retro computing hobby project, which has been a labor of love for over 20 years, has been attacked. Unauthorized individuals have accessed our database.
What Happened: Our website suffered a security breach, and our database was accessed without permission. We are currently investigating the breach and working to secure our systems with the help of voluntary cybersecurity experts.
Our Response: We are doing everything we can to understand how this happened and to prevent it from happening again. The authorities have been notified, and we are working to strengthen our security measures. The passwords in phpBB3.3 use an exceptionally strong and secure method of encryption. This means that your password cannot be decrypted. Regardless of this, we recommend that you change your password once the site is up and running.
We are truly sorry for any inconvenience or worry this may cause. This community means the world to us and we are totally committed to fixing this. Thank you for your understanding and patience as we work through this.
With a heavy heart, The Lemoners Team"
Thanks AestheticDebris and Korodny!
14 July 2024, 12:53 | #54
Registered User
Join Date: Sep 2022
Location: Eastbourne
Posts: 1,184

I doubt that the people who've hacked this will appreciate how valuable it is to so many of us. Really hope it's all back up and running, with steps in place to stop it happening again, as soon as possible. The web address now linking to something directly written by the Lemon team, rather than a generic error message, is itself progress.
14 July 2024, 14:48 | #55
Registered User
Join Date: Apr 2020
Location: Calvi Risorta
Posts: 177

What kind of shitty people exist in the world?
Without LEMON I am an AMIGHIST divided in half
14 July 2024, 15:08 | #56
Italian Amiga Zealot
Join Date: Jan 2009
Location: Italy
Age: 36
Posts: 1,926

Drop anything that uses PHP. I have had the misfortune to work with it (and I still have to, every now and then) and the entire thing is a trainwreck filled with vulnerabilities. Rarely have I seen such a major language releasing critical security fixes so often.
It’s fundamentally broken - it was a language written that let any kind of bad dev habit run free and as such it fostered a community of devs that kept using these bad habits and kept regurgitating the same things over and over. The result is that literally anything written in PHP has at least one security hole somewhere. Never trust PHP. “But but PHP8!!!1”, yes, yes. They finally tried fixing stuff. Too late, the dev community (at least the part that isn’t too scared or too closed to learn new things) moved on to better, faster and more secure things. The TIOBE index for 2024 shows that PHP is a functionally dead language - no one uses it anymore for new projects and if they do they should be changed immediately for another more competent company. “But half of the internetzzz runs on PHP!’!1!1!”, yes, and half of the world still runs on coal. You can’t switch overnight to a new technology, it requires time and planning, even if you really really want to switch to cleaner and more modern forms of energy. Everyone knows that solar is going to be cheaper and better in the long run, sticking with coal is just stupid. The same thing with PHP. tl;dr: just look at NodeBB and enjoy your blazing fast, cheaper, more secure and easier to manage forum. I also advise switching to MongoDB - no more SQL injections, if you don’t use SQL
14 July 2024, 15:11 | #57
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,843

Node? Secure? LMFAO.
14 July 2024, 15:12 | #58
Italian Amiga Zealot
Join Date: Jan 2009
Location: Italy
Age: 36
Posts: 1,926

Still better than PHP
Clearly Rust would be the better choice if you want maximum security, but you have to draw the line somewhere. Node is kinda like driving a hybrid car. Still better than that old 90s clunky petrol car you were driving before, still not as good as that fancy electric car everyone wants. You have to start somewhere.
14 July 2024, 15:26 | #59
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,843

Speaking as a senior architect for a major online retailer, I'm going to just come out with it. Node and JS in general are absolutely as bad as PHP from a security and major language flaws perspective. Both allow inexperienced developers to perpetuate bad practices. Furthermore, I've never seen anything as woeful as NPM from a supply chain vulnerability perspective and the whole JS ecosystem is maintained by a community of developers that literally never finish anything before abandoning it and moving on. Including the author of Node itself.
The key difference between the two ecosystems is that the issues in PHP tend to get dealt with.
14 July 2024, 15:30 | #60
Registered User
Join Date: May 2023
Location: Norwich
Posts: 516

Well I don't think I've actually done anything, though obviously if the lads over at Lemon need any help I'd be glad to. Really sad how people spend their time destroying things like this for fun rather than doing constructive things.