Postmortem: Site compromised 10-Sep-2019

stingray

I'm sorry, Steve Irwin
kiwifarms.net
This entire thread is just fifty pages of r.etards gloating about VPNs and asking other people to check if they're on the list. Spoiler alert: it doesn't fucking matter. But this entire debacle has been really amusing, to say the least. This has also made me frighteningly aware of how fucking stupid most kiwis are. inb4 late 👻 come on, Null, give us some speshul badges
 

Maxliam

Professional Niggo
kiwifarms.net
Might not be a bad idea to force 2FA by default.
The site I worked for did that because people click on phishing links at a depressing rate.
> This entire thread is just fifty pages of r.etards gloating about VPNs and asking other people to check if they're on the list. Spoiler alert: it doesn't fucking matter. But this entire debacle has been really amusing, to say the least. This has also made me frighteningly aware of how fucking stupid most kiwis are. inb4 late 👻 come on, Null, give us some speshul badges

Yeah, but am I on the list? Because I can't see from the VPN I'm using.
 

Irrelevant

kiwifarms.net
FWIW I reckon whoever did this just wrote a scraper (as others have said) that went through the 'Online Now' section at the bottom of the forum index (on phone, cbf finding link to actual online now page). I'm guessing Null's access means he can see emails and IPs on certain sections of the site. Also why I believe no back end was compromised, as they wouldn't have had to create such a clusterfuck of files. Definitely not a perfectionist 'hacker'.
I think Null left Redis wide open on one of the non-Cloudflare servers (e.g. kiwifarms.pl). I've had it happen where software firewalls fail to start after a reboot due to kernel updates and then accidentally leave a server wide open. So these kinds of mistakes happen quite often if you're using a regular "bare" VPS without a hardware firewall, and it was only a matter of time before some random port scanner bot found it anyway (though it would have helped for Redis to be password protected, it's common for it not to be if only clients from the private network are supposed to connect).

Then you could just connect with a Redis client, list all keys, and download them. I think all the .txt files are cache fragments but someone would need to look into the Xenforo source to confirm if these are commonly cached page fragments. The emails come from your account settings page where you can edit your own email and perhaps @Null could improve things by censoring them like a*@b*.c*.

The IPs were probably part of the cache keys or something to make sure people were served the correct fragments.

What I don't understand is why it all ended up as Markdown. Perhaps Xenforo caches multiple output formats and he happened to download the MD one.

Personally I would have released only the IPs + emails in a CSV with no further explanation. I think that would have spooked Null more as it would be less obvious how they were stolen.
 

Tasty Tatty

kiwifarms.net
> I find it funny that they want to attack us, when we are the ones cleaning up their fandom by exposing the sexual predators and animal rapists in their community. They should be thanking us.

Right. After the site was back, I searched for it on Twitter and I saw some rando normie talking about someone (whose name I forgot, sorry). She said "I was reading the info about X in this kiwifarm forum, and X is indeed a predator and a pedo". Normies don't know all the crazy shit surrounding KF, they only know there is info here and that's it.
 

Null

Ooperator
kiwifarms.net
> I think Null left Redis wide open on one of the non-Cloudflare servers (e.g. kiwifarms.pl). I've had it happen where software firewalls fail to start after a reboot due to kernel updates and then accidentally leave a server wide open. So these kinds of mistakes happen quite often if you're using a regular "bare" VPS without a hardware firewall, and it was only a matter of time before some random port scanner bot found it anyway (though it would have helped for Redis to be password protected, it's common for it not to be if only clients from the private network are supposed to connect).
>
> Then you could just connect with a Redis client, list all keys, and download them. I think all the .txt files are cache fragments but someone would need to look into the Xenforo source to confirm if these are commonly cached page fragments. The emails come from your account settings page where you can edit your own email and perhaps @Null could improve things by censoring them like a*@b*.c*.
>
> The IPs were probably part of the cache keys or something to make sure people were served the correct fragments.
>
> What I don't understand is why it all ended up as Markdown. Perhaps Xenforo caches multiple output formats and he happened to download the MD one.
>
> Personally I would have released only the IPs + emails in a CSV with no further explanation. I think that would have spooked Null more as it would be less obvious how they were stolen.

The Redis auth key was a 64-character base64 string. I don't actually know how they got in. I've just shut down everything except the site proper and locked it all up again.
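The exposure the two posts above argue about (a Redis instance reachable from outside, with or without a password set) is something a defender can check directly in redis.conf before a port scanner does. This is an added example, not code from the thread or from Redis itself; the two config samples are constructed, and the directives it inspects are Redis' real bind, protected-mode and requirepass.

```python
"""Audit a redis.conf for the exposure pattern discussed in the thread.

Added example, not the forum's or Redis' own code. The config samples are
constructed; the checks follow real Redis directives and need no running server.
"""


def parse_redis_conf(text):
    """Map each directive to its arguments (last occurrence wins, as Redis does)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()] = [p.strip('"') for p in parts[1:]]
    return conf


def is_loopback(addr):
    """True for addresses that only local processes can reach."""
    return addr.startswith("127.") or addr in ("::1", "localhost")


def audit_redis_conf(text):
    """Return findings as strings; an empty list means no issue was found."""
    conf = parse_redis_conf(text)
    findings = []
    # No bind line means Redis listens on every interface; a leading '-' marks
    # an optional address in newer Redis versions and is not part of the address.
    binds = [b.lstrip("-") for b in (conf.get("bind") or ["0.0.0.0"])]
    if not all(is_loopback(b) for b in binds):
        findings.append("bind: listening on a non-loopback interface")
    if (conf.get("protected-mode") or ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    password = (conf.get("requirepass") or [""])[0]
    if not password:
        findings.append("requirepass: not set; anyone who can reach the port can read every key")
    elif len(password) < 32:
        findings.append("requirepass: shorter than 32 characters")
    return findings


# Constructed sample: the misconfiguration the thread suspects.
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"

# Constructed sample: loopback only, protected mode on, 64-character password.
HARDENED_CONF = (
    "bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\n"
    "requirepass k3Jd8sLq0PzXv2NmC5tR7yWb9Ae1HgUo4Df6Gh8Jk0Lz2Xc4Vb6Nm8Qw0Er2Ty4U\n"
)

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```

A correct config still does not help if the host firewall fails to come up after a reboot, which is the scenario the post describes, so the bind and requirepass lines are the layers that hold when the firewall does not.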
 