Forum hack - what happened?

An XSS vulnerability in XenForo.


Same happened to linux.org

 
You are only as good as the latest software you're running and the ability to keep up with those. We had a failure in keeping up with XF and that will not happen again. This was the first security event in the 18 years that these forums have been running, and it just goes to show that there is no reason to become complacent.
 
Pheeeewww... back. Here's a screenshot I managed to take during that time.

Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
 

Attachments

  • capture.png (939.9 KB · Views: 101)
Yes, the same. I clicked on the link & there I could enter my email & password :)
I asked Google AI about XenForo; it told me: FreeBSD OS, MariaDB, nginx, PHP & Zend.
 
Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
Yes, I made a screenshot at ... one moment... 18:19:09 MEST (my clock widget is on the picture).
I'll keep that FOREVER! What a bummer!
Maybe the admins should evaluate Zope as backend and use an open source forum SW? Plone is renowned for its over-average security, and at least partly that must come from Zope.
 
Alain De Vos: Yeah, Discord is the place to look if you wanna see social engineering in action. The late Kevin Mitnick did his social engineering over the phone; he just picked his words to get the humans to divulge admin access codes. These days, instead of an analog phone line, Discord is the tool of choice for social engineering to get humans to divulge their email and passwords. Oh, so is LinkedIn and weird-looking job application pages. Point being, social engineering is alive and well as a scamming mechanism. The tools being used (Discord, LinkedIn, hacking exploits) are merely what's available in modern times. Still gotta think critically, and think for yourself.
 
I only got an error message from freebsd.org itself saying the page couldn't be found; because of that I thought the forum was under maintenance or something, until I got a Twitter notification on my phone saying it actually got hacked lol

I dunno if it's just me, but there seems to have been an increase in websites/accounts being hacked ever since all that AI stuff started getting so much hype. This makes me wonder if hackers are using LLMs to improve their techniques or even to assist them with hacking by running some local model, but that might be just me being paranoid because of how much I hate AI.

And as for the social engineering bit, I think that'd fit more for individual accounts getting hacked rather than entire websites.
 
Yeah, I'd also go as far as to say the forum and mailing lists share few users too (I'm on both but am not nearly as active on the lists).
 
I figured that it was a XenForo injection vulnerability. I made a screen capture, then I decided to revisit the site with JavaScript disabled because I suspected that it was a JavaScript overlay. Disabling JavaScript worked for me. I noticed the update in progress message, so I figured that an admin was updating XenForo. I've seen the source code of a lot of forums and the PHP code is often sloppy and insecure. I've been thinking about building my own forum software lately.
 

Attachments

  • Screenshot_2026-03-30_19-15-15.png (107.7 KB · Views: 38)
  • Screenshot_2026-03-30_19-25-01.png (154.2 KB · Views: 39)
  • Screenshot_2026-03-30_19-42-48.png (714.3 KB · Views: 38)
And as for the social engineering bit, I think that'd fit more for individual accounts getting hacked rather than entire websites.
Sometimes, a legitimate web site gets hacked as a way to force people to click on the provided links and complete the process of divulging email and password. That's different from phishing (where malicious URLs present legit-looking pages).
 
This is about the corresponding hack on linux.org from this thread.

"Edit2: more info: https://github.com/methosiea/xenforo-2-xss
So, the attack chain is basically:

  1. Attacker registers an account
  2. New post w/ the xss payload - it goes to the queue
  3. An admin views it, it fires off the xss payload stealing his session
  4. Attacker creates the malicious widget"
I wonder if the XSS hack was combined with other methods to do more damage.

I also wonder why someone would hack a public forum.

/grandpa
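As a defender-side illustration of the attack chain quoted above (a stored XSS payload that fires when an admin views the moderation queue and steals the session), here is an added Python example; it is not XenForo's code and not from the original thread. It shows the output-encoding fix that stops a stored post from becoming markup, a check that a rendered post no longer contains a live script tag, a session cookie flagged so that even a script that does run cannot read it, and a Content-Security-Policy that refuses inline scripts (the server-side counterpart of the "disable JavaScript" workaround one poster used). The sample post body, the cookie name and the token are constructed placeholders.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample of the *shape* of a hostile post body sitting in a moderation
# queue: ordinary text with an inline script tag. Illustrative only, not a payload
# taken from the incident.
SAMPLE_POST = 'Hi mods, <b>thanks</b>! <script>alert(document.cookie)</script>'

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_unsafe(body: str) -> str:
    """The defect pattern: stored user content is echoed verbatim into the page an
    admin or moderator opens, so any script inside it runs with their session."""
    return f'<div class="post">{body}</div>'


def render_safe(body: str) -> str:
    """The fix: HTML-encode every user-controlled value at output time. The text is
    still readable, but '<' and '>' can no longer open a tag."""
    return f'<div class="post">{html.escape(body, quote=True)}</div>'


def still_executable(rendered: str) -> bool:
    """Defender check: does the rendered markup still contain a live script tag?"""
    return SCRIPT_TAG.search(rendered) is not None


def session_cookie_header(token: str, name: str = "session_id") -> str:
    """Session cookie hardened so that a page script cannot read it (HttpOnly), it
    is only sent over TLS (Secure) and it is not attached to cross-site requests
    (SameSite=Strict). The cookie name is a placeholder, not XenForo's."""
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    # Returns just the cookie string, e.g. "session_id=...; HttpOnly; Path=/; ..."
    return jar.output(header="").strip()


def csp_header() -> str:
    """Content-Security-Policy value with no 'unsafe-inline', so an inline script
    that slipped past encoding is still refused by the browser."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


if __name__ == "__main__":
    unsafe = render_unsafe(SAMPLE_POST)
    safe = render_safe(SAMPLE_POST)
    print("unsafe rendering, live script present:", still_executable(unsafe))
    print("safe rendering, live script present:  ", still_executable(safe))
    print(safe)
    print("Set-Cookie:", session_cookie_header("constructed-token"))
    print("Content-Security-Policy:", csp_header())
```

Encoding at output time is the fix that addresses step 3 of the quoted chain; the cookie flags and CSP are the layers that limit damage when encoding is missed somewhere, which is the situation a forum running behind on updates is in.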
 
Reading this thread I find it interesting that people would actually click on any links in the hack unless you were actually doing security stuff in sandboxes to try and track people down.
My first instinct was to just close the browser.

As for why? Emails and passwords are often the first bits of information needed.

DutchDaemon, 18 yrs is a good run.
 
Mailing lists are for kernel & ports maintainers. This is not a kernel or port thing.
The mailing lists are for everyone! We have a list specifically for user questions (questions@) where several people posted about the forums issue while it was down.

I'm not sure why there wasn't at least a brief post on the lists similar to what was posted on socials... there probably should have been, since most users aren't on the forums and some were concerned this might have affected freebsd.org more generally (which it didn't).

But please don't feel like you can't or shouldn't use the mailing lists if you aren't a src/ports developer or aren't posting about that specifically. Pretty much anything FreeBSD-related is on topic on at least one of the lists.
 
This hack is not a good look for freebsd forums. No matter the reason.

The hack also took down linux.org's forum so I guess it's not a good look for Linux forums, too, eh?

The topic of this thread is "what happened".

I was reading a thread about poudriere and when I clicked page 2 I saw the result of the hack. It was a strange feeling.

If I should wander off topic and view my personal opinion on how this Forum looks without starting a new thread I would say that this forum looks very well. There's lots of fun to be read and to be inspired by. To me personally it's invaluable.

I sympathize with all involved in getting the forum back online again. Incidents cause stress and steal time from other activities - even if there is a process for it.

I know that forum rules do not allow posting of thank you but I think in this case I will break that rule and say thanks DutchDaemon and all others involved.

/grandpa
 