Indeed it is a chain. Wise words.
Once upon a time I reported a bug with Red Hat. Every time I asked for a status update I was told the bug was confirmed, fixed and it would be included in the next point release. And with every point release the bug wasn't fixed. It took 4 minor releases over the course of 2 years to actually fix it.

I have been in contact with Microsoft Headquarters and a fix would be available in the next Microsoft release, that was 9 months later.
I searched a lot longer, because I got a connection-failed page that is definitely not mine or from anywhere on my site.

Setting DNS to localhost (127.0.0.1 or ::1) was a stroke of genius! People running a webserver on the same machine would get 404 Page not Found or similar server errors. The rest of us got Connection Refused errors. It had me puzzled for a while until I ran dig on my desktop and host on my server and realised which address was returned.
Yeah, I got that one, after relocating to France. Thank you for capturing!

Pheeeewww... back. Here's a screenshot I managed to take during that time.
Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
Sadly I didn't get to any login/password option.

Yes, the same. I clicked on the link and there I could enter my email and password.
I asked Google AI about XenForo; it told me: freebsd-os, mariadb, nginx, php&zend.
What about: for the fun of doing it?

I also wonder why someone would hack a public forum.
Why that? Hacking was always a fun thing - and still should be.

This hack is not a good look for the FreeBSD forums. No matter the reason.
They're the managers. Managers always know nothing.

Meanwhile, where is the Foundation? Hey, did something happen?
We are here to collect money. We are on the high level.
^support ^money ^

Many people complain, but only a few are truly willing to offer support.
You cannot win that rat race.

XenForo is not open source. Also, XenForo is not Linux or FreeBSD, it's a piece of third-party software.
Well, I'm sorry, but FreeBSD is the name of an operating system and Linux is a kernel, of which the trademark is registered to Linus Torvalds. I do not see how an independent forum (linux.org) and a FreeBSD forum have anything to do with a XenForo vulnerability. I shall refrain from further comment. I hope that you have a nice day.

It's because you are taking what I'm saying literally.
Information seeking; I learned some fun stuff and lost a few assumptions yesterday.

Reading this thread I find it interesting that people would actually click on any links in the hack unless you were actually doing security stuff in sandboxes to try and track people down.
It's because you have a simplistic and shortsighted view. This issue has nothing to do with either Linux or FreeBSD, but at the same time it does. Because this forum, its administrators and users are representing. If you are unable to connect the dots, I can't help you. You and a bunch of other users being so biased is not a good look either.

Well, I'm sorry, but FreeBSD is the name of an operating system and Linux is a kernel, of which the trademark is registered to Linus Torvalds. I do not see how an independent forum (linux.org) and a FreeBSD forum have anything to do with a XenForo vulnerability. I shall refrain from further comment. I hope that you have a nice day.
pkg audit -F
vulnxml file up-to-date
chromium-145.0.7632.159 is vulnerable:
chromium -- security fixes
CVE: CVE-2026-3942
CVE: CVE-2026-3941
CVE: CVE-2026-3940
CVE: CVE-2026-3939
CVE: CVE-2026-3938
CVE: CVE-2026-3937
CVE: CVE-2026-3936
CVE: CVE-2026-3935
CVE: CVE-2026-3934
CVE: CVE-2026-3932
CVE: CVE-2026-3931
CVE: CVE-2026-3930
CVE: CVE-2026-3929
CVE: CVE-2026-3928
CVE: CVE-2026-3927
CVE: CVE-2026-3926
CVE: CVE-2026-3925
CVE: CVE-2026-3924
CVE: CVE-2026-3923
CVE: CVE-2026-3922
CVE: CVE-2026-3921
CVE: CVE-2026-3920
CVE: CVE-2026-3919
CVE: CVE-2026-3918
CVE: CVE-2026-3917
CVE: CVE-2026-3916
CVE: CVE-2026-3915
CVE: CVE-2026-3914
CVE: CVE-2026-3913
WWW: https://vuxml.FreeBSD.org/freebsd/e45fb606-b731-4871-881d-27a1d5e2fd03.html
chromium -- security fixes
CVE: CVE-2026-3910
CVE: CVE-2026-3909
WWW: https://vuxml.FreeBSD.org/freebsd/26776062-fd24-4c2f-bf6c-7f231948ab19.html
chromium -- security fix
CVE: CVE-2026-3909
WWW: https://vuxml.FreeBSD.org/freebsd/73eeb578-fd13-4d79-b50b-ed25c3614528.html
chromium -- security fixes
CVE: CVE-2026-4464
CVE: CVE-2026-4463
CVE: CVE-2026-4462
CVE: CVE-2026-4461
CVE: CVE-2026-4460
CVE: CVE-2026-4459
CVE: CVE-2026-4458
CVE: CVE-2026-4457
CVE: CVE-2026-4456
CVE: CVE-2026-4455
CVE: CVE-2026-4454
CVE: CVE-2026-4453
CVE: CVE-2026-4452
CVE: CVE-2026-4451
CVE: CVE-2026-4450
CVE: CVE-2026-4449
CVE: CVE-2026-4448
CVE: CVE-2026-4447
CVE: CVE-2026-4446
CVE: CVE-2026-4445
CVE: CVE-2026-4444
CVE: CVE-2026-4443
CVE: CVE-2026-4442
CVE: CVE-2026-4441
CVE: CVE-2026-4440
CVE: CVE-2026-4439
WWW: https://vuxml.FreeBSD.org/freebsd/3c370171-b6b6-463a-8746-ee49bea08c87.html
chromium -- security fixes
CVE: CVE-2026-4680
CVE: CVE-2026-4679
CVE: CVE-2026-4678
CVE: CVE-2026-4677
CVE: CVE-2026-4676
CVE: CVE-2026-4675
CVE: CVE-2026-4674
CVE: CVE-2026-4673
WWW: https://vuxml.FreeBSD.org/freebsd/07d6b170-fed8-4ee2-ba96-b6d61b6d6a26.html
mongodb80-8.0.12_5 is vulnerable:
MongoDB -- Improper Handling of Length Parameter Inconsistency
CVE: CVE-2025-14847
WWW: https://vuxml.FreeBSD.org/freebsd/c1613867-df16-11f0-8870-b42e991fc52e.html
MongoDB Server -- Improper Certificate Validation
CVE: CVE-2025-12893
WWW: https://vuxml.FreeBSD.org/freebsd/d2f2c691-cd42-11f0-85d4-b42e991fc52e.html
MongoDB -- Improper Validation of Specified Quantity in Input
CVE: CVE-2025-13507
WWW: https://vuxml.FreeBSD.org/freebsd/ea64d2ec-ced4-11f0-a958-b42e991fc52e.html
Mongodb -- Use-after-free in the MongoDB
CVE: CVE-2025-11979
WWW: https://vuxml.FreeBSD.org/freebsd/cdf2abf7-ae83-11f0-b5fb-b42e991fc52e.html
MongoDB Server -- Multiple vulnerabilities
CVE: CVE-2026-1847
CVE: CVE-2026-1849
CVE: CVE-2026-1850
WWW: https://vuxml.FreeBSD.org/freebsd/77e32b14-0800-11f1-8a6f-b42e991fc52e.html
MongoDB -- Missing Authorization
CVE: CVE-2025-13643
WWW: https://vuxml.FreeBSD.org/freebsd/eda92945-ced4-11f0-a958-b42e991fc52e.html
MongoDB Server -- CWE-617 Reachable Assertion
CVE: CVE-2026-25610
WWW: https://vuxml.FreeBSD.org/freebsd/7b5671f9-0800-11f1-8a6f-b42e991fc52e.html
MongoDB -- Reachable Assertion
CVE: CVE-2025-13644
WWW: https://vuxml.FreeBSD.org/freebsd/e72ec9c1-ced4-11f0-a958-b42e991fc52e.html
gstreamer1-plugins-good-1.26.10 is vulnerable:
gstreamer1 -- multiple vulnerabilities
CVE: CVE-2026-3084
CVE: CVE-2026-3081
CVE: CVE-2026-3086
CVE: CVE-2026-3085
CVE: CVE-2026-3083
CVE: CVE-2026-2923
CVE: CVE-2026-2920
CVE: CVE-2026-2922
CVE: CVE-2026-2921
CVE: CVE-2026-3082
CVE: CVE-2026-1940
WWW: https://vuxml.FreeBSD.org/freebsd/791d4b29-19fb-11f1-87cc-e73692421fef.html
gstreamer1-plugins-ugly-1.26.10 is vulnerable:
gstreamer1 -- multiple vulnerabilities
CVE: CVE-2026-3084
CVE: CVE-2026-3081
CVE: CVE-2026-3086
CVE: CVE-2026-3085
CVE: CVE-2026-3083
CVE: CVE-2026-2923
CVE: CVE-2026-2920
CVE: CVE-2026-2922
CVE: CVE-2026-2921
CVE: CVE-2026-3082
CVE: CVE-2026-1940
WWW: https://vuxml.FreeBSD.org/freebsd/791d4b29-19fb-11f1-87cc-e73692421fef.html
gstreamer1-plugins-1.26.10 is vulnerable:
gstreamer1 -- multiple vulnerabilities
CVE: CVE-2026-3084
CVE: CVE-2026-3081
CVE: CVE-2026-3086
CVE: CVE-2026-3085
CVE: CVE-2026-3083
CVE: CVE-2026-2923
CVE: CVE-2026-2920
CVE: CVE-2026-2922
CVE: CVE-2026-2921
CVE: CVE-2026-3082
CVE: CVE-2026-1940
WWW: https://vuxml.FreeBSD.org/freebsd/791d4b29-19fb-11f1-87cc-e73692421fef.html
gstreamer1-plugins-bad-1.26.10 is vulnerable:
gstreamer1 -- multiple vulnerabilities
CVE: CVE-2026-3084
CVE: CVE-2026-3081
CVE: CVE-2026-3086
CVE: CVE-2026-3085
CVE: CVE-2026-3083
CVE: CVE-2026-2923
CVE: CVE-2026-2920
CVE: CVE-2026-2922
CVE: CVE-2026-2921
CVE: CVE-2026-3082
CVE: CVE-2026-1940
WWW: https://vuxml.FreeBSD.org/freebsd/791d4b29-19fb-11f1-87cc-e73692421fef.html
png-1.6.53 is vulnerable:
png -- CWE-122: Heap-based Buffer Overflow
CVE: CVE-2026-25646
WWW: https://vuxml.FreeBSD.org/freebsd/f9cb72e4-0b52-11f1-8e75-b42e991fc52e.html
openssl35-3.5.5 is vulnerable:
OpenSSL -- key agreement vulnerability
CVE: CVE-2026-2673
WWW: https://vuxml.FreeBSD.org/freebsd/ee1e6a24-1eeb-11f1-81da-8447094a420f.html
curl-8.17.0 is vulnerable:
curl -- Multiple vulnerabilities
CVE: CVE-2025-13034
CVE: CVE-2025-14017
CVE: CVE-2025-14524
CVE: CVE-2025-14819
CVE: CVE-2025-15079
CVE: CVE-2025-15224
WWW: https://vuxml.FreeBSD.org/freebsd/086d53fa-1d47-11f1-81da-8447094a420f.html
curl -- Multiple vulnerabilties
CVE: CVE-2026-1965
CVE: CVE-2026-3783
CVE: CVE-2026-3784
CVE: CVE-2026-3805
WWW: https://vuxml.FreeBSD.org/freebsd/1933737d-1d46-11f1-81da-8447094a420f.html
gstreamer1-1.26.10 is vulnerable:
gstreamer1 -- multiple vulnerabilities
CVE: CVE-2026-3084
CVE: CVE-2026-3081
CVE: CVE-2026-3086
CVE: CVE-2026-3085
CVE: CVE-2026-3083
CVE: CVE-2026-2923
CVE: CVE-2026-2920
CVE: CVE-2026-2922
CVE: CVE-2026-2921
CVE: CVE-2026-3082
CVE: CVE-2026-1940
WWW: https://vuxml.FreeBSD.org/freebsd/791d4b29-19fb-11f1-87cc-e73692421fef.html
22 problem(s) in 10 package(s) found.
I think that would warrant its own thread, like "How do you deal with vulnerabilities reported by pkg audit". It would keep things cleaner.

Sorry, the only relationship is "vulnerability". Which raises the question of workflow.
- At regular times, check and be able to see new known vulnerabilities.
- Be able to see if a fix / patch is available and install it.
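A shell version of that two-step workflow, added here as an example (it is not code from anyone in this thread): it parses the pkg audit -F output format posted above into one line per vulnerable package, then joins that with pkg version -vR so you can see which of the vulnerable packages already have a newer build in the repository. The sample inputs are constructed: the audit text is trimmed from the output posted above, and the "remote has" version in the pkg version sample is made up for the demo. Everything else is stock pkg(8) and POSIX awk.

```shell
#!/bin/sh
# Added example, not from the thread. Input format assumed is the one
# `pkg audit -F` prints (as posted above):
#   <pkgname-version> is vulnerable:
#     <advisory title>
#     CVE: CVE-....
#     WWW: https://vuxml.FreeBSD.org/...

# summarize_audit: read pkg audit output on stdin; print one line per
# vulnerable package: "<pkg-version> <distinct CVEs> <advisories>".
# CVEs are de-duplicated per package because one CVE can show up in
# several advisories (the chromium block above lists CVE-2026-3909 twice).
summarize_audit() {
    awk '
        / is vulnerable:$/ { pkg = $1; order[++n] = pkg; next }
        /^[ \t]*CVE: /     { if (pkg != "" && !seen[pkg SUBSEP $2]++) cves[pkg]++; next }
        /^[ \t]*WWW: /     { if (pkg != "") adv[pkg]++ }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %d %d\n", order[i], cves[order[i]] + 0, adv[order[i]] + 0
        }
    '
}

# fix_status: $1 = file holding pkg audit output, $2 = file holding
# `pkg version -vR` output. For each vulnerable package, report whether the
# remote repository already carries a newer version ("<" in pkg version's
# second column) or whether the fix has not landed in the repo yet.
fix_status() {
    summarize_audit < "$1" | awk '
        NR == FNR {
            status[$1] = $2
            if (match($0, /remote has [^)]*/))
                remote[$1] = substr($0, RSTART + 11, RLENGTH - 11)
            next
        }
        {
            if (status[$1] == "<")
                printf "%s: %d CVE(s), upgrade available (remote has %s)\n", $1, $2, remote[$1]
            else
                printf "%s: %d CVE(s), no newer package in the repository yet\n", $1, $2
        }
    ' "$2" -
}

# Constructed sample input: trimmed from the pkg audit output posted in this
# thread. The remote version number in SAMPLE_VERSION is made up.
SAMPLE_AUDIT='vulnxml file up-to-date
curl-8.17.0 is vulnerable:
  curl -- Multiple vulnerabilities
  CVE: CVE-2025-13034
  CVE: CVE-2025-14017
  WWW: https://vuxml.FreeBSD.org/freebsd/086d53fa-1d47-11f1-81da-8447094a420f.html
  curl -- Multiple vulnerabilties
  CVE: CVE-2026-1965
  WWW: https://vuxml.FreeBSD.org/freebsd/1933737d-1d46-11f1-81da-8447094a420f.html
chromium-145.0.7632.159 is vulnerable:
  chromium -- security fixes
  CVE: CVE-2026-3910
  CVE: CVE-2026-3909
  WWW: https://vuxml.FreeBSD.org/freebsd/26776062-fd24-4c2f-bf6c-7f231948ab19.html
  chromium -- security fix
  CVE: CVE-2026-3909
  WWW: https://vuxml.FreeBSD.org/freebsd/73eeb578-fd13-4d79-b50b-ed25c3614528.html
2 problem(s) in 2 package(s) found.'
SAMPLE_VERSION='chromium-145.0.7632.159            <   needs updating (remote has 145.0.7632.200)
curl-8.17.0                        =   up-to-date with remote'

# Stand-alone demo on the constructed samples. On a real host use
#   pkg audit -F > audit.txt; pkg version -vR > versions.txt
# and pass those two files to fix_status instead.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_AUDIT" > "$d/audit.txt"
    printf '%s\n' "$SAMPLE_VERSION" > "$d/versions.txt"
    fix_status "$d/audit.txt" "$d/versions.txt"
    rm -rf "$d"
}
demo
```

The "no newer package yet" case is the one that matters day to day: pkg audit keeps listing the package until the ports tree is patched and a new build reaches your repository, so the useful daily signal is the transition from "no newer package" to "upgrade available", at which point pkg upgrade actually closes the finding.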
I'd follow that thread, because I'd love to get some suggestions... not that I feel all that vulnerable, but I suspect my home setup security is more to do with obscurity than anything else. If someone really rolled up their sleeves and tried to get in, I'm sure they could.

I think that would warrant its own thread, like "How do you deal with vulnerabilities reported by pkg audit". It would keep things cleaner.
Discourse.

I've been thinking about building my own forum software lately.
Take advantage of "periodic". Make sure everything you want enabled, is enabled. By default the cron jobs send mail to root, which on your home system most people don't look at. I redirect all the periodic output to files in /var/log (look at /etc/defaults/periodic.conf) and manually check them.

I'd follow that thread, because I'd love to get some suggestions... not that I feel all that vulnerable, but I suspect my home setup security is more to do with obscurity than anything else. If someone really rolled up their sleeves and tried to get in, I'm sure they could.
cat /etc/periodic.conf

daily_status_smart_devices="AUTO"
# Ensure headers/separators always show up in the log
daily_show_success="YES"
weekly_show_success="YES"
monthly_show_success="YES"
# Redirect daily, weekly, and monthly output to your custom log
daily_output="/var/log/myperiodic.log"
weekly_output="/var/log/myperiodic.log"
monthly_output="/var/log/myperiodic.log"
# Also redirect security-specific reports if desired
daily_status_security_output="/var/log/myperiodic.log"
weekly_status_security_output="/var/log/myperiodic.log"
monthly_status_security_output="/var/log/myperiodic.log"

# Matching /etc/newsyslog.conf entry so the log is rotated (mode 600, keep 7, daily at 00:00)
/var/log/myperiodic.log 600 7 * @T00 N
A long time ago the forums ran on phpBB for a while. It too had its fair share of security issues. Software rarely is completely free of bugs, open or closed source doesn't really matter. Closed source may be a bit better at hiding them.

Would that have been possible if the forum were using FOSS software instead of non-FOSS XenForo?
Would that have been possible if the forum were using FOSS software instead of non-FOSS XenForo?
And not letting customers know about them. It's one of the things that annoys me: you hear on the news that your bank was hacked and data stolen 6 months ago and this is the first you find out. Bank gets around it by "we posted a link to the data breach on the third page of our website hidden behind the other stuff".

A long time ago the forums ran on phpBB for a while. It too had its fair share of security issues. Software rarely is completely free of bugs, open or closed source doesn't really matter. Closed source may be a bit better at hiding them.
Common misconception. Even the "limited" www user most webservers run on can be abused to attack/proxy other systems. It's not as "limited" as a lot of people think it is. As a matter of fact, it's not limited at all, it can do the same things as any other user account can do.

And then, very important: did they get root access?
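One concrete way to take away the "proxy other systems" capability from that user, added here as an example (not from the thread and not something the forums are known to run): a pf.conf fragment that denies new outbound TCP/UDP connections from sockets owned by the web server's user, so a compromised PHP application cannot fetch a second stage or pivot to internal hosts while the server keeps answering clients. It assumes the server runs as the user www, that its database and cache are reached over lo0, and that the external interface is called vtnet0; all three are placeholders to adapt.

```pf
# Added example, not from the thread. Assumptions: httpd/php-fpm run as
# "www", local services are reached over lo0, external interface is vtnet0.
ext_if = "vtnet0"
set skip on lo0

# The "user" option matches packets of sockets owned by that user on this
# host. Replies to accepted inbound connections are carried by the state
# created below, so this rule only hits connections that www itself opens
# (a webshell downloading a payload, a reverse proxy to an internal host).
block out log quick proto { tcp udp } from any to any user www

# Everyone else on the host keeps normal outbound access.
pass out all keep state

# Inbound web traffic; the state from this rule carries the replies.
pass in on $ext_if proto tcp from any to any port { 80 443 } keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, and verify the effect by running a fetch to an external host as the www user (for instance via doas or sudo -u www): it should fail while a browser hitting the site still works. Two caveats: the user option only applies to TCP and UDP, and pf sees the socket owner only for connections that originate or terminate on the firewall host itself, so it does nothing for a web server in a separate VM behind this box.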