The website is back

Timo 2020-08-20 16:46 (Edited)

Sorry for the failure of this website during the day. It's all back and nothing was lost. But I learned something about security (I'm not a professional web developer).

In the next days I will write some more details here.

Update:

A few weeks ago I noticed that there were like 400 new users registered, but all with names of 10 random letters and of course without any activity here. Interestingly their e-mail addresses looked real, but most of them from AOL and Yahoo. Is anyone still using these services?? Obviously these users were created by a bot.

So I added a captcha system to the user registration (https://www.phpcaptcha.org) and the fake user registrations stopped. So that worked. Anyway I don't really understand what was the point of this bot. It sent registration e-mails to all the people, but I don't think they were able to change the text in the e-mails to use it as spam.

And then, about a week later, I found the website broken. It just showed an error message. And it included the password for the database access. This was really bad and my fault, never leave error messages in a public website! I quickly removed the message and wanted to change the password.

Then I found out that the whole database was not available anymore. My first idea was, ok, they created again maybe some millions of users, overloaded the database, saw the error message with the password and got full access to the database. In this case they could have gotten all your e-mail addresses, which would make sense for spammers. Passwords are encrypted though, so at least these would stay safe.

I called my webhosting provider. They said it was a temporary problem and they could fix it and they did.

So, in the end I don't know if the problem came from an attack or just happened. For sure I learned that error messages should be switched off and I will check for more possible security issues. And making backups of the database might be a good idea, too :O

I think that even if you have the password of the database, you cannot access it. Only the website itself can do it and I didn't find any changes in the PHP code. In this case nobody could steal e-mail addresses. I will confirm this soon to see if there was a real risk.

In the end I'm lucky, I really thought for a while that we lost all the content of this website!

Thank you all for being here :)
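
The lesson from the post above (a failed database connection must not print its error, and the credentials in it, to visitors), sketched as an added PHP example. This is not the site's code: the use of PDO, the environment variable names and the DSN are assumptions for illustration.

```php
<?php
// Added illustration, not the site's code. DSN, user and env var names are placeholders.

// 1. Never render errors to visitors; send them to the server log instead.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// 2. Last-resort handler: anything uncaught becomes a generic 500 page.
set_exception_handler(function (Throwable $e): void {
    error_log('Uncaught ' . get_class($e) . ': ' . $e->getMessage());
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
});

// 3. Read credentials from the environment (assumed names), not from the page source.
function db_config(): array
{
    return [
        'dsn'  => getenv('APP_DB_DSN') ?: 'mysql:host=localhost;dbname=example;charset=utf8mb4',
        'user' => getenv('APP_DB_USER') ?: 'example_user',
        'pass' => getenv('APP_DB_PASS') ?: '',
    ];
}

// 4. Catch the connection failure where it happens.
function connect_db(): ?PDO
{
    $cfg = db_config();
    try {
        return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Log the message only: a stack trace can include the constructor
        // arguments, which is how a password ends up on an error page.
        error_log('DB connection failed: ' . $e->getMessage());
        return null;
    }
}

$db = connect_db();
if ($db === null) {
    http_response_code(503);
    header('Content-Type: text/plain; charset=utf-8');
    echo "The site is temporarily unavailable. Please try again later.\n";
    exit;
}
```

On a production host the same `display_errors` and `log_errors` settings belong in `php.ini`, so they also cover errors raised before this script runs.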


moechofe 2020-08-20 19:03

I'm a professional web developer, if you need, I can help.


Timo 2020-08-21 08:41

moechofe, I sent you an e-mail.
More info coming soon!


Timo 2020-08-21 12:06

I updated the post and added the whole story.


was8bit 2020-08-21 12:26

Oh wow!

Thank YOU for all the headache you had to go thru, and for all you do to make lowres and this community a wonderful experience...

And of course a shout out to all who contribute here.... thankfully everything was recovered :D


GAMELEGEND 2020-08-21 13:31 (Edited)

frikin jerk(s) tryin to mess with lowres
one of the greatest websites


G-9 2020-08-23 09:15

u are so right


G-9 2020-08-23 09:16

I was thinking my internet connection was lost :)

