Postmortem: Site compromised 10-Sep-2019

Maxliam

You all disgust me.
kiwifarms.net
Might not be a bad idea to force 2FA by default.
The site I worked for did that because people click on phishing links at a depressing rate.
This entire thread is just fifty pages of r.etards gloating about VPNs and asking other people to check if they're on the list. Spoiler alert: it doesn't fucking matter. But this entire debacle has been really amusing, to say the least. This has also made me frighteningly aware of how fucking stupid most kiwis are. inb4 late 👻 come on, Null, give us some speshul badges
Yeah but am I on the list because I can't see from the VPN I'm using?

Irrelevant

kiwifarms.net
FWIW I reckon whoever did this just wrote a scraper (as others have said)... That went through the 'Online Now' section at the bottom of the forum index (on phone, cbf finding link to actual online now page). I'm guessing Null's access means he can see emails and IPs on certain sections of the site. Also why I believe no back end was compromised, as they wouldn't have had to create such a clusterfuck of files. Definitely not a perfectionist 'hacker'.
I think Null left Redis wide open on one of the non-Cloudflare servers (e.g. kiwifarms.pl). I've had it happen where software firewalls fail to start after a reboot due to kernel updates and then accidentally leave a server wide open. So these kinds of mistakes happen quite often if you're using a regular "bare" VPS without a hardware firewall, and it was only a matter of time before some random port scanner bot found it anyway (though it would have helped for Redis to be password-protected, it's common for it not to be if only clients from the private network are supposed to connect).

Then you could just connect with a Redis client, list all keys, and download them. I think all the .txt files are cache fragments but someone would need to look into the Xenforo source to confirm if these are commonly cached page fragments. The emails come from your account settings page where you can edit your own email and perhaps @Null could improve things by censoring them like a*@b*.c*.

The IPs were probably part of the cache keys or something to make sure people were served the correct fragments.

What I don't understand is why it all ended up as Markdown. Perhaps Xenforo caches multiple output formats and he happened to download the MD one.

Personally I would have released only the IPs + emails in a CSV with no further explanation. I think that would have spooked Null more as it would be less obvious how they were stolen.

Tasty Tatty

kiwifarms.net
I find it funny that they want to attack us, when we are the ones cleaning up their fandom by exposing the sexual predators and animal rapists in their community. They should be thanking us.
Right. After the site was back, I searched for it on Twitter and I saw some rando normie talking about someone (whose name I forgot, sorry). She said "I was reading the info about X in this kiwifarm forum, and X is indeed a predator and a pedo". Normies don't know all the crazy shit surrounding KF, they only know there is info here and that's it.

Null

Ooperator
kiwifarms.net
> I think Null left Redis wide open on one of the non-Cloudflare servers (e.g. kiwifarms.pl). I've had it happen where software firewalls fail to start after a reboot due to kernel updates and then accidentally leave a server wide open. So these kinds of mistakes happen quite often if you're using a regular "bare" VPS without a hardware firewall, and it was only a matter of time before some random port scanner bot found it anyway (though it would have helped for Redis to be password-protected, it's common for it not to be if only clients from the private network are supposed to connect).
>
> Then you could just connect with a Redis client, list all keys, and download them. I think all the .txt files are cache fragments but someone would need to look into the Xenforo source to confirm if these are commonly cached page fragments. The emails come from your account settings page where you can edit your own email and perhaps @Null could improve things by censoring them like a*@b*.c*.
>
> The IPs were probably part of the cache keys or something to make sure people were served the correct fragments.
>
> What I don't understand is why it all ended up as Markdown. Perhaps Xenforo caches multiple output formats and he happened to download the MD one.
>
> Personally I would have released only the IPs + emails in a CSV with no further explanation. I think that would have spooked Null more as it would be less obvious how they were stolen.
The Redis auth key was 64-length base64. I don't actually know how they got in. I've just shut down everything except the site proper and locked it all up again.
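A configuration audit for the exposure pattern Irrelevant describes (Redis reachable from outside the private network once a software firewall fails to come up) and the detail Null adds (AUTH was set but the box still got read), as an added example that is not from the thread or from Null's setup: it parses a redis.conf and flags the settings that let a stray port scanner reach the keyspace. Both configs are constructed samples and the password is a placeholder; the check treats a long `requirepass` as necessary but not sufficient, since a public `bind` still hands every client an AUTH oracle.

```python
# Added example, not from the thread: audit a redis.conf for the exposure pattern
# described above. Both configs are constructed samples; the password is a placeholder.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
"""  # any host that reaches the port can run KEYS * and dump the cache

HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass REPLACE-WITH-64-CHAR-BASE64-SECRET-xxxxxxxxxxxxxxxxxxxxxxxx
rename-command KEYS ""
"""  # private interface only, AUTH required, KEYS disabled

PUBLIC_BIND = {"0.0.0.0", "::", "*"}

def parse_conf(text):
    """Map each directive to the list of its values (a directive may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit(text):
    """Return the list of findings; an empty list means the config passes these checks."""
    conf = parse_conf(text)
    findings = []
    # With no bind line Redis listens on every interface, so that is the default here.
    addrs = " ".join(conf.get("bind", ["0.0.0.0"])).split()
    if any(a in PUBLIC_BIND for a in addrs):
        findings.append("bind: all interfaces; a firewall that fails to start after a reboot exposes it")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: off, so remote clients are accepted even with no password set")
    password = conf.get("requirepass", [""])[0].strip('"')
    if not password:
        findings.append("requirepass: unset; anyone reaching the port can list and read every key")
    elif len(password) < 32:
        findings.append("requirepass: under 32 characters, cheap to brute-force over AUTH")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "KEYS" not in renamed:
        findings.append("rename-command: KEYS still available; one command enumerates the whole keyspace")
    return findings
```

Run `audit()` over the live redis.conf after every reboot alongside a check that the host firewall actually came up, since the bind finding is the one that turns a missed firewall start into a public cache dump.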

Dwight Schrute

Murder, not mukduk.
kiwifarms.net
> This entire thread is just fifty pages of r.etards gloating about VPNs and asking other people to check if they're on the list. Spoiler alert: it doesn't fucking matter. But this entire debacle has been really amusing, to say the least. This has also made me frighteningly aware of how fucking stupid most kiwis are. inb4 late 👻 come on, Null, give us some speshul badges
No u

Secret Asshole

Expert in things that never, ever happened
Local Moderator
True & Honest Fan
kiwifarms.net
I don't know why people are freaking. This shit was an inevitability. Do you know how many enemies this place has? Do you know how many people hate that we get to say whatever the fuck we want with impunity? Pretty much every person would have given the fuck up with the shit he's had to go through.

Everything has a price. Freedom isn't ever free.

Also I'd like a purple heart icon since I was shot by the doxing of the autistic faggots by other autistic faggot degenerate pedophile troon furry communists of September 11th 2019 Never Forget War