Forum hack - what happened?

An XSS vulnerability in XenForo.


Same happened to linux.org

 
You are only as good as the latest software you're running and the ability to keep up with those. We had a failure in keeping up with XF and that will not happen again. This was the first security event in the 18 years that these forums have been running, and it just goes to show that there is no reason to become complacent.
 
Pheeeewww... back. Here's a screenshot I managed to take during that time.

Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
 

Yes, the same. I clicked on the link & there I could enter my email & password :)
I asked Google AI about XenForo; it told me: freebsd-os, mariadb, nginx, php&zend.
 
Makes me wonder, did everyone else see that same defacing of the Forums, or did anyone see/get a different image?
Yes, I made a screenshot at ... one moment... 18:19:09 MEST (my clock widget is on the picture).
I'll keep that FOREVER! What a bummer!
Maybe the admins should evaluate Zope as backend and use an open source forum SW? Plone is renowned for its above-average security, and at least partly that must come from Zope.
 
Alain De Vos : Yeah, Discord is the place to look if you wanna see social engineering in action. The late Kevin Mitnick did his social engineering over the phone; he just picked his words to get the humans to divulge admin access codes. These days, instead of an analog phone line, Discord is the tool of choice for social engineering to get humans to divulge their email and passwords. Oh, so are LinkedIn and weird-looking job application pages. Point being, social engineering is alive and well as a scamming mechanism. The tools being used (Discord, LinkedIn, hacking exploits) are merely what's available in modern times. Still gotta think critically, and think for yourself.
 
I only got an error message from freebsd.org itself saying the page couldn't be found, because of that I thought the forum was under maintenance or something until I got a Twitter notification on my phone saying it actually got hacked lol

I dunno if it's just me, but there seems to have been an increase in websites/accounts being hacked ever since all that AI stuff started getting so much hype. This makes me wonder if hackers are using LLMs to improve their techniques or even to assist them with hacking by running some local model, but that might be just me being paranoid because of how much I hate AI

And as for the social engineering bit, I think that'd fit more for individual accounts getting hacked rather than entire websites
 
Yeah, I'd also go as far as to say the forum and mailing lists share few users too (I'm on both but am not nearly as active on the lists)
 
I figured that it was a XenForo injection vulnerability. I made a screen capture, then I decided to revisit the site with JavaScript disabled because I suspected that it was a JavaScript overlay. Disabling JavaScript worked for me. I noticed the update in progress message, so I figured that an admin was updating XenForo. I've seen the source code of a lot of forums and the PHP code is often sloppy and insecure. I've been thinking about building my own forum software lately.
 

And as for the social engineering bit, I think that'd fit more for individual accounts getting hacked rather than entire websites
Sometimes, a legitimate web site gets hacked as a way to force people to click on the provided links and complete the process of divulging email and password. That's different from phishing (where malicious URLs present legit-looking pages).
 