Postmortem: Site compromised 10-Sep-2019

Null

Ooperator
kiwifarms.net
hello yes another one of these posts


Someone using my account posted a file called release1.zip which contained two things:

1. A CSV containing several thousand recently-used IP addresses and the accounts they were used by.
2. A second ZIP file containing 32,277 files, 7 for each of 4,611 accounts.

The file contents looked like a webpage that had been converted to a human-readable post in Markdown format.

My belief is that the memory cache the site uses for storing sessions was compromised. The session IDs stored there were downloaded and used by an automated system to download web pages of specific importance from their logged in view with still-valid session tokens, bypassing both the password and 2FA. I base this mostly off the extremely bizarre shallowness of the release and the release format and not much else. I can't verify it.

If this was the vector, they were able to do this because I had relaxed the server's security a while back when trying to reconfigure it to have multiple front-ends. The interactions between servers required poking more holes than I had done before. Further, I was trying to prepare for a world post-Cloudflare, so my usual set of very tight firewall rules were completely turned off. I believe they had some sort of exploit involving the Redis server that was permitted because the firewall rules were so relaxed.

I do not believe it was a total database compromise nor do I believe it was root access to the devices. I've audited them and I see nothing that'd indicate that access was granted. Further, the information they were privileged to was very specific and not indicative that they had access to the admin panel. It is likely that they could log into my account to post, but they could not bypass the second level of two-factor authentication protecting the admin panel.

In response, I have completely re-installed the site. It's all fresh. If there was any strange configuration issue, it should be resolved.
I have also disabled the Tor exit node and disabled the two domains that bypass Cloudflare.


The Kiwi Farms handles half a billion requests and serves 100TiB of data every month. I do this on less than $2000/mo and I've done it on zero dollars a month in the not too distant past. While it was easy to just stick everything behind Cloudflare and lock it down in the past, the increasing demands of the site's traffic and the rising fears of reliable services becoming unreliable have driven me to make decisions that have reduced the site's overall security at a time when political antagonism against us is only continuing to swell. I am thoroughly stretched to the absolute boundaries of what a single person can do.


You should continue to operate with the expectation the site is compromised and your account can be accessed. I cannot assure you at this time this is not the case.

I'm reaching out to people I know regarding this, as well as alerting XenForo's software developers to see what they think.


Edit for FAQs:

WHO????
cares. stop speculating. there's ten thousand people with motivation.

Should I reset my password?
sure. i did.

Something is broken
totally fresh install. things will be broken. things are still downloading off the backup server.
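The post above attributes the leak to a Redis session cache reachable once the firewall rules were relaxed. As an added illustration (not Null's configuration or any code from the site), the script below audits a redis.conf for the three settings that decide whether a session store is reachable and unauthenticated: a non-loopback `bind`, `protected-mode` off, and no `requirepass`. The two config samples are constructed, and the password value is a placeholder.

```python
from typing import Dict, List

# Constructed sample configs (hypothetical, not the site's real redis.conf).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is not set: anyone who can reach the port can DUMP session keys
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass <placeholder-long-random-secret>
"""

# Addresses that keep Redis off the network; Redis 6+ may prefix an optional address with '-'.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse redis.conf-style 'directive value...' lines, dropping comments and blanks."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).extend(parts[1:])
    return conf


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the three checks pass."""
    conf = parse_conf(text)
    findings: List[str] = []
    # A missing bind directive means Redis listens on every interface.
    binds = conf.get("bind")
    listening_on_tcp = conf.get("port", ["6379"])[0] != "0"  # port 0 = unix socket only
    if listening_on_tcp and (not binds or any(b.lstrip("-") not in LOOPBACK for b in binds)):
        findings.append("bind: listens on a non-loopback interface")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: unset, no authentication")
    return findings
```

Run `audit()` over the real config before loosening host firewall rules; a socket-only deployment (`port 0` plus `unixsocket`) is exempt from the bind check by design.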

2lolis1cup

Made you imagine it
kiwifarms.net
oh no they have my 10 minute email and ip I'm done. RIP guys I have to hide from the furries now.

Edit: guys I'm scared I just checked and my e-mail was identified. I saw this guy walking a dog that was whimpering and walking funny by my house earlier. I'm really worried right now.
