English Amiga Board


Old 15 July 2024, 23:33   #81
jaycee1980
Registered User
 
Join Date: Jan 2021
Location: Norwich
Posts: 16
Quote:
Originally Posted by jbenam
Great stuff, I retired a PHP4 application after 20 years just some months ago and it was never attacked. The code? It was utter trash. Did a vulnerability scan on it some years ago before rewriting it and it literally had dozens of 9+ vulnerabilities. On every part. Oh, and it had a phpmyadmin version from 1999 installed next to it.
PHP4 was indeed an era of much crap full of vulnerabilities. 5 helped and things have gotten pretty much tighter with 7.

A lot of it is deployment as well as the code though. PHP setups that echo errors out to the end user are just asking to be exploited. I always configure PHP so that it logs errors to a logfile, and if necessary the HTTP side responds with 500.

Stuff like phpmyadmin, webmin, cpanel etc. left exposed is also bad news. Either limit it by IP, put it behind a VPN, or don't run it at all. I quickly got rid of phpmyadmin from anything I worked on.
jaycee1980 is offline  
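The deployment point in the post above (log errors to a file, never echo them, answer with a 500) as an added example written for this thread, not code from the post; it assumes a bootstrap file included before the application and a log path outside the web root.

```php
<?php
// Bootstrap included before any application code (added example; paths assumed).
// Risky defaults on many old shared hosts: display_errors=On, so stack traces,
// file paths and SQL fragments are echoed to whoever triggered the error.
// Hardened: detail goes to a private log, the client only ever sees a 500.
// Set the same four values in php.ini / the php-fpm pool too, so that
// startup and parse errors (which happen before this file runs) are covered.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // outside the web root
error_reporting(E_ALL);

function respond_with_500(): void
{
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "Internal Server Error\n"; // generic: no message, path or query text
}

// Promote warnings/notices to exceptions so nothing half-rendered is sent.
set_error_handler(function (int $severity, string $message, string $file, int $line) {
    if (!(error_reporting() & $severity)) {
        return false; // suppressed with @ or excluded by error_reporting()
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Uncaught exceptions: full detail to the log file, nothing to the user.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine()));
    respond_with_500();
    exit(1);
});

// Fatal errors bypass the exception handler; fix the response on shutdown.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        respond_with_500(); // PHP already wrote the detail to error_log
    }
});
```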
Old 16 July 2024, 13:01   #82
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,696
Quote:
If you’re a so-called dev and don’t even check if what you’re installing is *actually* what you meant to install (be it by sigs, checksum, or by just reading the freaking URL you’re cloning) the problem doesn’t lie in the framework and/or the package manager, it lies between the screen and the chair.
I agree wholeheartedly in principle, but in practice large applications often have hundreds of dependencies and as always in online businesses, driven by MVP and time to market concerns. Stuff gets overlooked all the time. As long as nothing appears to be obviously wrong, stuff gets applied without the level of review you expect. I just don't think it's fair to hold a team of Devs working to a tight deadline responsible for not noticing something insidious when security auditing is probably a job that someone working for a CISO should have.

Plus, a lot of companies simply don't (want to) pay for SAST tools that go a long way to automating these processes too.
Karlos is offline  
Old 16 July 2024, 14:53   #83
lifeschool
Local Moderator
 
Join Date: Oct 2009
Location: Lancashire, UK
Age: 48
Posts: 1,684
I believe Lemon/64 was running at least php 7.

Upgrading to the latest builds of phpbb is a supreme ball ache, and there should be some kind of easy way to batch run installs.
lifeschool is offline  
Old 16 July 2024, 15:26   #84
lifeschool
Local Moderator
 
Join Date: Oct 2009
Location: Lancashire, UK
Age: 48
Posts: 1,684
Good news. Lemons are back in a couple of days!

Look out for progress maybe soonish.
lifeschool is offline  
Old 16 July 2024, 16:40   #85
Seiya
Registered User
 
Join Date: Nov 2014
Location: Italy
Posts: 2,500
Very good news.
Seiya is offline  
Old 16 July 2024, 17:55   #86
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,696
Quote:
Originally Posted by lifeschool
I believe Lemon/64 was running at least php 7.

Upgrading to the latest builds of phpbb is a supreme ball ache, and there should be some kind of easy way to batch run installs.
Do they know what the attack vector was?
Karlos is offline  
Old 16 July 2024, 19:23   #87
Predseda
Puttymoon inhabitant
 
Join Date: Mar 2007
Location: Tromaville
Age: 46
Posts: 7,610
We are back online.
Predseda is online now  
Old 16 July 2024, 19:38   #88
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,696
Quote:
Originally Posted by Predseda
We are back online.
+1

Any fallout?
Karlos is offline  
Old 16 July 2024, 20:07   #89
AlphaAmiga
Registered User
 
Join Date: Nov 2018
Location: Liverpool
Posts: 184
Quote:
Originally Posted by Predseda
We are back online.

Awesome!!!
AlphaAmiga is offline  
Old 16 July 2024, 21:58   #90
gimbal
cheeky scoundrel
 
Join Date: Nov 2004
Location: Spijkenisse/Netherlands
Age: 43
Posts: 7,021
Quote:
Originally Posted by AestheticDebris
The parameterised version will look for a row where name is exactly the above text. The bad version will see multiple commands and run them all, dropping a table in the process.
Not very likely to succeed thankfully. Because

A) referential integrity constraints and
B) if the application database user has the right to drop tables, you must want it to happen.

Data theft is the bigger risk.
gimbal is offline  
Old 16 July 2024, 23:53   #91
Octopus66
Registered User
 
Join Date: Feb 2016
Location: London
Posts: 359
Quote:
Originally Posted by Predseda
We are back online.
Great news!
Octopus66 is offline  
Old 18 July 2024, 01:32   #92
Avanze
Amiga User
 
Join Date: Sep 2003
Location: Pennsylvania
Age: 47
Posts: 567
Yay! Lemon is back!
Avanze is offline  
Old 18 July 2024, 14:03   #93
AestheticDebris
Registered User
 
Join Date: May 2023
Location: Norwich
Posts: 493
Quote:
Originally Posted by gimbal
Not very likely to succeed thankfully. Because

A) referential integrity constraints and
B) if the application database user has the right to drop tables, you must want it to happen.

Data theft is the bigger risk.
Well yes, but that's the simple example. Extending it to do anything such as dump out entire tables is trivial.
AestheticDebris is online now  
Old 18 July 2024, 14:23   #94
prometeo
Registered User
 
Join Date: Aug 2018
Location: Rome / Italy
Age: 53
Posts: 21
Quote:
Originally Posted by Karlos
Whichever technology stack you use, you have to take security seriously or hope that your infrastructure protects you.
Amen.
Cheers,
Giacomo.
prometeo is offline  
Old 20 July 2024, 14:21   #95
swoslover
Registered User
 
Join Date: Jun 2024
Location: Scotland
Posts: 18
Is amiga.org down now too?
swoslover is offline  
Old 20 July 2024, 14:30   #96
TCD
HOL/FTP busy bee
 
Join Date: Sep 2006
Location: Germany
Age: 46
Posts: 32,264
Quote:
Originally Posted by swoslover
Is amiga.org down now too?
Lemon Amiga is back up. Amiga.org forum is down.
TCD is online now  
Old 20 July 2024, 14:31   #97
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,696
Quote:
Originally Posted by swoslover
Is amiga.org down now too?
It goes down so often that it's got its own OnlyFans account these days....
Karlos is offline  
Old 20 July 2024, 14:46   #98
swoslover
Registered User
 
Join Date: Jun 2024
Location: Scotland
Posts: 18
Quote:
Originally Posted by Karlos
It goes down so often that it's got its own OnlyFans account these days....

Good to know that it's usual and this isn't some coordinated attack on Amiga sites!
swoslover is offline  
Old 20 July 2024, 15:02   #99
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,696
I joke, but it is a bit sad. These sites are all run by enthusiasts, even the ones owned by "business". Amiga.org was my go-to place for Amiga news and discussion for years, long before I ever signed up. When Wayne had to move it to vBulletin from XOOPS, there was so much stuff that couldn't be imported, so we ended up writing custom migration tooling and doing it bit by bit. I remember scripting the link replacements, that had to identify every site referencing URL in every post, comment, article, etc. and update them so they'd still link to the same equivalent content etc. We could've left it, but we wanted people to have a consistent experience and not just endless 404s (rewrite rules can only do so much). That was the lariest one, having so many regular expression callbacks. There was so much content to get through, it had to run while the site was up, in a rate limited fashion. I think it took maybe a day to finish working from most recent to oldest.

I'm not blaming anyone for anything, but the long period it was down for prior to the current iteration seems to have been a fatal blow to what was my favourite watering hole in the vast desert of targeted content I can't give a crap about that is the modern web.
Karlos is offline  
Old 20 July 2024, 15:15   #100
Karlos
Alien Bleed
 
Join Date: Aug 2022
Location: UK
Posts: 4,696
Quote:
Originally Posted by gimbal
Not very likely to succeed thankfully. Because

A) referential integrity constraints and
B) if the application database user has the right to drop tables, you must want it to happen.

Data theft is the bigger risk.
Generally, it's not that you want it to happen, it's that you're a regular guy running a site on an out of box solution on a host but you're not a DBA or a sysadmin and maybe you aren't aware you've got a risky configuration. You just don't know what you don't know. You might even have inherited the responsibility from someone else who didn't know what they were doing, or worse did, but didn't care.

It could be some shared hosting solution that got owned through a neighbour's laxity.

Ignorance ultimately isn't an excuse if you are going to run a site but every kind of sh*t happens.
Karlos is offline  
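The parameterised-versus-concatenated lookup that gimbal and AestheticDebris argue over, together with the least-privilege database account Karlos's post points at, as an added example written for this thread and not code from any post; the table, DSN and credentials are assumptions.

```php
<?php
// Added example for this thread, not code from the posts. Assumes a MySQL
// table users(id, name, email) and a PDO connection; values are made up.

// Risky: the caller's string becomes part of the SQL text, so a quote
// character changes the query's structure. An input such as  x' OR '1'='1
// turns "find one user" into "return every user": the whole-table dump
// raised in the thread, which needs no DROP privilege at all.
function find_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed and parsed first; the value is sent separately
// and can only ever be compared against `name`, never interpreted as SQL.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function connect(): PDO
{
    // Assumed DSN and credentials. Two options matter here: real server-side
    // prepares rather than client-side quoting, and exceptions on failure so
    // a bad query reaches the error log instead of a warning in the page.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// The "you must want it to happen" point from gimbal and Karlos: create the
// account above with only what the pages need, once, as an administrator:
//   CREATE USER 'app_user'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app_user'@'localhost';
// No DROP, ALTER, FILE or GRANT OPTION, so even a successful injection is
// confined to data the page itself could already read or change.
```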