As you may have noticed, I recently wrote the code for the Tremulous Player Manifest, and almost immediately after the first entry, I checked the database and found an entry submitted by a user (who, no wonder, never confirmed his signing) with a name containing an interesting fragment: “"xor”…
For those not familiar with SQL: this database language sends everything as text, with values delimited by quotes. If the programmer is a beginner, the query can be compromised: you can submit almost anything to the database if you just manage to get a quote into your input. Obviously, a few hours after I put the code online, somebody tried to break into the database. (Of course, anybody who is not a complete greenhorn catches this by escaping quotes; in the Trem-Manifest, this is done by replacing quotes with their HTML code, which is, well, &quot;…)
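To make the quote problem concrete, here is an added example (not code from the Manifest) in Python with an in-memory SQLite database: the vulnerable string-built query beside the post's HTML-entity escaping and a parameterized query. The constructed input `Player'xor` carries the same stray quote as the `"xor` fragment above; single quotes are used because SQLite delimits string literals with them.

```python
import sqlite3

# Constructed sample input: a submitted player name carrying a stray quote,
# the same trick as the post's "xor fragment, here against single-quoted literals.
SUBMITTED_NAME = "Player'xor"

def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE players (name TEXT, confirmed INTEGER)")
    return con

def insert_unsafe(con, name):
    # Vulnerable: the submitted text is pasted into the SQL text itself, so the
    # quote inside the name ends the literal early and the rest is parsed as SQL.
    con.execute(f"INSERT INTO players (name, confirmed) VALUES ('{name}', 0)")

def insert_escaped(con, name):
    # The post's mitigation, extended to single quotes as well: replace quotes
    # with their HTML entities before the value reaches the query text.
    escaped = name.replace('"', "&quot;").replace("'", "&#39;")
    con.execute(f"INSERT INTO players (name, confirmed) VALUES ('{escaped}', 0)")
    return escaped

def insert_parameterized(con, name):
    # Preferred: the value travels separately from the SQL text, so no quote in
    # the name can change the statement's structure, and it is stored verbatim.
    con.execute("INSERT INTO players (name, confirmed) VALUES (?, 0)", (name,))

def stored_names(con):
    return [row[0] for row in con.execute("SELECT name FROM players ORDER BY rowid")]

def demo(name=SUBMITTED_NAME):
    """Run all three inserts with the same name and report what happened."""
    con = setup_db()
    try:
        insert_unsafe(con, name)
        unsafe = "executed"
    except sqlite3.Error:
        unsafe = "syntax error"  # the stray quote broke the statement
    insert_escaped(con, name)
    insert_parameterized(con, name)
    return {"unsafe": unsafe, "stored": stored_names(con)}

if __name__ == "__main__":
    print(demo())
```

Note that the escaping approach stores the entity text rather than the name the user typed, while the parameterized query stores it verbatim.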
Also, if you happen to run a server, you may often find strange requests in the logs, something like “cmd.exe”, where somebody tries to pull a fast one to gain control over the server. Those attacks are, by the way, usually automated and performed not by any “criminal servers”, but by computers (or even servers!) taken over by viruses and remotely controlled (though not actively) by people earning their money with spam, fraud, or other criminal activities.
In other words: there are tons of programs out there whose only purpose is to find the one idiot in a million who will actually buy “\/|agra” or a fake Rolex…
Bots scanning forums, blogs, social media and ordinary websites, installed on zombie computers taken over by viruses. This is (part of) the reality of the internet. And sometimes, when writing a pretty small project like the Manifest, it strikes me again, because there are times I tend to forget all that.