Kiwifarms under attack | Veteran of the Psychic Wars | The Internet is for EVERYONE.

Hadrian Hardrada Cicero

pretty bad
"Yesterday, Vsys, a host we used as a forward-proxy, was compromised.

Today, the site was hacked to change everyone's avatars to logos of another site (which I am not naming because I'm not sure what the motivation is behind it).

Then, each node on the forum index was deleted one at a time.

There are backups of the site so no information is permanently lost but I have not diagnosed what the attack vector was yet or the extent of the breach."

A Follow up

1663521004032.png
 

IlluminatiPirate


ZinRicky


IlluminatiPirate


Attachments

  • Screenshot_20220918-162947_Telegram.jpg

punishedgnome

> Shit this scares me because we use XenForo, I'll ask XenForo if they have a way to combat this for us

It sounds like it was some custom add-on Josh had made himself. He also hasn't been getting updates from XenForo for some time as they banned him.

I also can't imagine this site is high-profile enough to be an enticing target.

This is why I make a new Protonmail account for every forum.
 

mydadiscar

> Shit this scares me because we use XenForo, I'll ask XenForo if they have a way to combat this for us

Gee, you want to spell it out for people?
Hay guise! Here's how someone hacked a forum! We use the same forum software as them! I better find out how to fix this!!!
 

Andy Kaufman

> Gee, you want to spell it out for people?
> Hay guise! Here's how someone hacked a forum! We use the same forum software as them! I better find out how to fix this!!!

Anyone even remotely familiar with this stuff can see that Agora Road uses XenForo.
I saw it on the front page already before I even had an account. It's not like that's some hidden detail pirate just released.
 

Collision

More than anything else about this fiasco, what bothers me is that Null positions himself as a trustworthy expert for his users to listen to.
 

handoferis

Fuck me this is bad. Hooking up a chat you made to the database/session state for an out of date forum is fucking dumb and raises your attack surface considerably (i.e. you now have forum*chat vulns, as opposed to forum+chat vulns), and is exactly how sessions and shit get stolen. Null calls it an XSS vulnerability but he basically opened the hole, all they had to do was poke through. This is the kind of shit you might be able to get away with (still bad idea) if you didn't have a target painted on your back, but KF does and has for a long while now.
 

punishedgnome

> More than anything else about this fiasco, what bothers me is that Null positions himself as a trustworthy expert for his users to listen to.

Yes, it certainly seems like this exploit was his fuckup. He gloated quite a bit when Ethan Ralph's shit got hacked, and that looks really bad now in hindsight.
 