So I have a small web app I made. I didn't really advertise much because there's a lot of things I wanna fix in it and I don't have the time. But I did tell a few classmates about it.

Last few days I noticed it had been running slowly. Until one day it just stopped working. I checked the server logs and there was a background worker trying and failing to insert some data into the db on loop because of a bug I didn't notice. The data it was trying to insert was spam so I knew this was an intentional thing. I took the server down and in the process accidentally deleted all the logs. Oops.

So I go and check the database and the user who inserted the spam data used their actual email. I google it, find their GitHub, their twitter, and their fiverr which has their actual name and picture. I search their name in my university system and find them. It's someone I don't know. Someone who heard from a classmate I told about it.

Fixed the bug now, banned the account, removed the spam. I guess you could say they did me a favor catching the bug but they could've just told me about it lol.

The only question left is: should I contact them? Send them a subtle "I know what you did" message on the uni portal?

[-] SnotFlickerman@lemmy.blahaj.zone 35 points 1 month ago

Yeah generally it's in bad form to mess with other people's projects without their permission at university. CS Professor probably won't be impressed.

[-] TWeaK@lemm.ee 5 points 1 month ago

a) The logs were deleted, so there isn't much evidence left. b) We don't even know if this is a university project and not just a side project.

[-] droning_in_my_ears@lemmy.world 10 points 1 month ago

It's not a university project. I'm obviously not gonna report it to anyone.

The logs were deleted but the database entries remain, tied to their username and confirmed email.

[-] Lemjukes@lemm.ee 8 points 1 month ago

Even if the project wasn't for university, it's still yours. And the other student probably broke your school's code of conduct by doing what they did. You should still inform if not the dean of the program, then at least your professor. What's to say this person isn't also going around and fucking with other people's projects?

[-] thesystemisdown@lemmy.world 2 points 1 month ago

How can you determine that someone didn't use their info as subterfuge? It sounds like most people could find that information and use it. You'll need a little more evidence.

Personally, I'd ask them if they want to pen test my next application and see how they respond.

[-] droning_in_my_ears@lemmy.world 1 points 1 month ago

What do you mean? If their email is confirmed, then I assume only they have access to it. Is there something I'm missing?

[-] thesystemisdown@lemmy.world 1 points 1 month ago* (last edited 1 month ago)

Perhaps it's something that I'm missing. What do you mean when you say their email is confirmed?

Usually when this happens, it's a result of someone taking advantage of an application vulnerability, e.g. SQL injection. Sometimes it's more serious, like a script uploaded and a privilege escalation to execute it. The email value written to your database could be anything.

Not to condescend, but this is a good learning experience. If they were able to write to your db, they could likely also read from it, dump the whole thing and harvest the data.

[-] droning_in_my_ears@lemmy.world 1 points 1 month ago

They did not gain access to the db. They just inserted some garbage data that due to a bug in my code caused a background worker to try to insert some invalid data to the db and fail on loop, hogging network resources until eventually the main server couldn't serve anymore.

When I say their email is confirmed, I mean the email they used to sign up is presumably one they have access to because they clicked on the confirmation link with a token sent to their email. The data they inserted is tied to that account with a foreign key.

No SQL injection or anything like that was done. It was them triggering a bug more than anything. But it's still clearly intentional because the data they inserted is spam about forex trading with no spaces (which is what caused the error, long story). My code is open source so presumably they knew that would happen.
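The failure mode described in this comment (a background worker that retries the same rejected insert forever until the whole server starves) is worth seeing side by side with a worker that cannot be pinned that way. The following is an added illustration, not code from the OP's app; the FakeDB store, its length limit and the sample payloads are constructed assumptions standing in for whatever constraint the real spam rows violated.

```python
"""Added example: a background worker that one bad record cannot take down.

Everything here is constructed for illustration: FakeDB, its MAX_LEN limit
and the sample payloads are assumptions, not the thread's real app or bug.
"""
from collections import deque
from dataclasses import dataclass


class InsertError(Exception):
    """Raised by the store when a row violates a constraint."""


@dataclass
class Job:
    record_id: int
    payload: str
    attempts: int = 0


class FakeDB:
    """Constructed stand-in for the real database.

    It rejects any payload longer than MAX_LEN, an assumed constraint that
    plays the role of whatever made the thread's spam rows fail to insert.
    """
    MAX_LEN = 40

    def __init__(self) -> None:
        self.rows: list[str] = []

    def insert(self, payload: str) -> None:
        if len(payload) > self.MAX_LEN:
            raise InsertError(f"payload exceeds {self.MAX_LEN} chars")
        self.rows.append(payload)


def naive_worker(db: FakeDB, jobs: list[Job], budget: int) -> tuple[int, int]:
    """The retry-forever pattern: a failed job stays at the head of the queue,
    so one rejected row blocks every job behind it and burns CPU, connections
    and bandwidth until something dies. `budget` caps the attempts only so
    this demo terminates; the real loop has no such cap.
    Returns (attempts made, jobs still queued)."""
    queue = deque(jobs)
    attempts = 0
    while queue and attempts < budget:
        attempts += 1
        try:
            db.insert(queue[0].payload)
            queue.popleft()
        except InsertError:
            pass  # never gives up, never moves on
    return attempts, len(queue)


def hardened_worker(db: FakeDB, jobs: list[Job], max_attempts: int = 3
                    ) -> tuple[list[str], list[tuple[Job, str]]]:
    """Bounded retries plus a dead-letter list.

    A job that fails `max_attempts` times is parked with its last error
    instead of being requeued, so the queue drains and other jobs still run.
    Returns (rows written, dead-lettered jobs with their last error)."""
    queue = deque(jobs)
    dead: list[tuple[Job, str]] = []
    while queue:
        job = queue.popleft()
        job.attempts += 1
        try:
            db.insert(job.payload)
        except InsertError as exc:
            if job.attempts >= max_attempts:
                dead.append((job, str(exc)))  # park it; alert on this in production
            else:
                queue.append(job)  # retry later, behind the other jobs; add backoff in production
    return db.rows, dead


# Constructed sample jobs: one over-long row (stands in for the spam) then a normal one.
SAMPLE_JOBS = [
    Job(1, "x" * 60),
    Job(2, "hello from a legitimate user"),
]


def demo() -> dict:
    """Run both workers on fresh copies of the sample queue and report the outcome."""
    fresh = lambda: [Job(j.record_id, j.payload) for j in SAMPLE_JOBS]
    naive_attempts, naive_left = naive_worker(FakeDB(), fresh(), budget=100)
    rows, dead = hardened_worker(FakeDB(), fresh())
    return {
        "naive_attempts": naive_attempts,
        "naive_jobs_stuck": naive_left,
        "hardened_rows": rows,
        "hardened_dead": [(j.record_id, j.attempts, err) for j, err in dead],
    }


if __name__ == "__main__":
    print(demo())
```

The naive worker spends its entire budget on the first job and the legitimate row behind it never lands; the hardened one writes the good row, gives up on the bad one after three tries and leaves it where an operator can inspect it. Validating the payload against the database's constraints before enqueueing it is the cheaper first line of defence; the bounded retry is the backstop for the constraint you forgot.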

[-] thesystemisdown@lemmy.world 1 points 1 month ago

Gotcha. Then maybe it is time for them to have a conversation with the friendly network administrator. You might have lost your logs, but university network appliances usually log a lot.

[-] Maiq@lemy.lol 1 points 1 month ago* (last edited 1 month ago)

Might be able to recover the logs with testdisk. The email and other info might be enough. If you do get your logs back, it might impress the CS Prof. Shows willingness to figure shit out when things go wrong.

To me, what they did shows intent to commit a crime if not the crime itself. Possibly legal offences likely won't be taken lightly.

If you're gonna hack shit, it better be your own in a lab, or have consent from the party involved.

this post was submitted on 03 May 2025
107 points (98.2% liked)

[Migrated, see pinned post] Casual Conversation
