Postmortem Site compromised 10-Sep-2019 -

  • We are being DDoS attacked still and 12,000 people are reading about incest. Expect weird errors. Most should go away by refreshing.


hello yes another one of these posts

Someone using my account posted a file called which contained two things:

1. A CSV containing several thousand recently-used IP addresses and the accounts they were used by.
2. A second ZIP file containing 32,277 files, 7 for each of 4,611 accounts.

The file contents looked like a webpage that had been converted to a human-readable post in Markdown format.

My belief is that the memory cache the site uses for storing sessions was compromised. The session IDs stored there were downloaded and used by an automated system to download web pages of specific importance from their logged in view with still-valid session tokens, bypassing both the password and 2FA. I base this mostly off the extremely bizarre shallowness of the release and the release format and not much else. I can't verify it.

If this was the vector, they were able to do this because I had relaxed the server's security a while back when trying to reconfigure it to have multiple front-ends. The interactions between servers required poking more holes than I had done before. Further, I was trying to prepare for a world post-Cloudflare, so my usual set of very tight firewall rules were completely turned off. I believe they had some sort of exploit involving the Redis server that was permitted because the firewall rules were so relaxed.

I do not believe it was a total database compromise nor do I believe it was root access to the devices. I've audited them and I see nothing that'd indicate that access was granted. Further, the information they were privileged to was very specific and not indicative that they had access to the admin panel. It is likely that they could log into my account to post, but they could not bypass the second level of two-factor authentication protecting the admin panel.

In response, I have completely re-installed the site. It's all fresh. If there was any strange configuration issue, it should be resolved.
I have also disabled the Tor exit node and disabled the two domains that bypass Cloudflare.

The Kiwi Farms handles half a billion requests and serves 100TiB of data every month. I do this on less than $2000/mo and I've done it on zero dollars a month in the not too distant past. While it was easy to just stick everything behind Cloudflare and lock it down in the past, the increasing demands of the site's traffic and the rising fears of reliable services becoming unreliable have driven me to make decisions that have reduced the site's overall security at a time where political antagonism against us is only continuing to swell. I am thoroughly stretched to the absolute boundaries of what a single person can do.

You should continue to operate with the expectation the site is compromised and your account can be accessed. I cannot assure you at this time this is not the case.

I'm reaching out to people I know regarding this, as well as alerting XenForo's software developers to see what they think.

Edit for FAQs:

cares. stop speculating. there's ten thousand people with motivation.

Should I reset my password?
sure. i did.

Something is broken
totally fresh install. things will be broken. things are still downloading off the backup server.
Last edited:

Angry Shoes

Untrue & Dishonest Fan
True & Honest Fan
I've never seen a random.txt be so relevant
Screen Shot 2019-09-10 at 11.29.30 AM.png


Made you imagine it
oh no they have my 10 minute email and ip I'm done. RIP guys I have to hide from the furries now.

Edit: guys I'm scared I just checked and my e-mail was identified. I saw this guy walking a dog that was whimpering and walking funny by my house earlier. I'm really worried right now.

Last edited: