DefectiveWings ✈️2h ago
nixCraft 🐧

heads up: FreeBSD forums hacked. Be caeeful with your email or DMs coming from FreeBSD forum or freebsd{.}org for some time now.

https://forums {.} freebsd {.} org/

4:51pmWeb
Show threadBill10h ago
@nixCraft This is why we can't have nice things.
Show threadAaron Toponce βš›οΈ10h ago
@nixCraft Aside from defacement, what's the extent of the hack? Usernames and passwords leaked?
Show threadnixCraft 🐧10h ago
@atoponce no idea. we have to wait and see.
Show threadpete10h ago

@atoponce @nixCraft the hack looks to just be a defacement currently. the defacement is just links to this repository:

https://github.com/cassbethany10-afk/test123

which just has some syn flooders and whatnot. unlikely to be anything sophisticated.

GitHub - cassbethany10-afk/test123

Contribute to cassbethany10-afk/test123 development by creating an account on GitHub.

GitHub
Show threadpete10h ago
@atoponce @nixCraft also they decided to change who it was hacked by shortly after making the defacement page
Show threadpete10h ago
@atoponce @nixCraft they also made this update. user `sizinrepo` seemingly doesn't exist anymore.
Show threadpete9h ago
@atoponce @nixCraft looks like the forums are back.
Show threadpete9h ago

@atoponce @nixCraft looks like the forums are back down???

https://fosstodon.org/@xinayder/116319094022309675

^ this fedi post seems to imply (to me) it was just stored XSS?

Alex (@[email protected])

Attached: 1 image they added widgets to what seems to be the "Whats New" section of the forums, which load the replacement web page:

Fosstodon
Show threadpete9h ago

@atoponce @nixCraft forums are undergoing an "upgrade", which is hopefully a patch for whatever the attack was.

EDIT: actually, i'm not sure. my phone might be caching the page and giving me that. a different browser is saying the forums are down.

Show threadnixCraft 🐧9h ago
@novet @atoponce it is taken down now and i think it will remain down until admins or IT folks at FreeBSD infra team finds out exact root causes and how much damaged is done so far.
Show threadTomAoki9h ago

@nixCraft @novet @atoponce
Anyway, the DNS entry for forums.freebsd.org seems to be removed currently.
% drill forums.freebsd.org @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 46711
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; forums.freebsd.org. IN A

;; ANSWER SECTION:
forums.freebsd.org. 60 IN A 127.0.0.1

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 13 msec
;; SERVER: 1.1.1.1
;; WHEN: Tue Mar 31 03:04:59 2026
;; MSG SIZE rcvd: 52

The answer could be because of local_unbound (running at 127.0.0.1 [localhost]).

For some (running) others and parent entry:
% drill freebsd.org @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 40850
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; freebsd.org. IN A

;; ANSWER SECTION:
freebsd.org. 3600 IN A 96.47.72.84

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 18 msec
;; SERVER: 1.1.1.1
;; WHEN: Tue Mar 31 03:05:34 2026
;; MSG SIZE rcvd: 45
% drill bugs.freebsd.org @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53700
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; bugs.freebsd.org. IN A

;; ANSWER SECTION:
bugs.freebsd.org. 60 IN CNAME web3.nyi.freebsd.org.
web3.nyi.freebsd.org. 3600 IN A 96.47.72.106

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 35 msec
;; SERVER: 1.1.1.1
;; WHEN: Tue Mar 31 03:06:29 2026
;; MSG SIZE rcvd: 73
% drill www.freebsd.org @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 36543
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.freebsd.org. IN A

;; ANSWER SECTION:
www.freebsd.org. 10 IN CNAME web.geo.freebsd.org.
web.geo.freebsd.org. 150 IN A 192.50.199.250
web.geo.freebsd.org. 150 IN A 210.231.212.93

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 174 msec
;; SERVER: 1.1.1.1
;; WHEN: Tue Mar 31 03:06:02 2026
;; MSG SIZE rcvd: 87

Show threadpete9h ago
@TomAoki @nixCraft @atoponce sensible move. would answer why i can't access it not on my phone and that my phone is caching it.
Show threadpete9h ago
@atoponce @nixCraft not sure about the XSS actually but i literally just have a phone and a BSD laptop which can't find the network interface (hence why i was looking at the forums) so couldn't do any proper investigation. hopefully the admins can get it up and running and the damage is only surface level.
Show threadNeil E. Hodges10h ago
@nixCraft Wild.
Show threadbazkie πŸ‘©πŸΌβ€πŸ’» bitplanes 🎡10h ago
@nixCraft #freebsd tag for extra visibility
Show threadΤŽΡ”Ξ·Ο…ΠΊΞΉ, ζ‰‹ζŠœγπŸš€πŸ§β™ πŸ”­ ⚫βšͺ10h ago
@nixCraft
source url of this news ?
Show threadNeil E. Hodges10h ago
@nixCraft @enigma If you go to the FreeBSD forums, you get this.
β™² f.kawa-kun.com/display/881761a…
nixCraft 🐧

heads up: FreeBSD forums hacked. Be caeeful with your email or DMs coming from FreeBSD forum or freebsd{.}org for some time now. https://forums {.} freebsd ...

Show threadΤŽΡ”Ξ·Ο…ΠΊΞΉ, ζ‰‹ζŠœγπŸš€πŸ§β™ πŸ”­ ⚫βšͺ10h ago
@tk
this is not the expected source from FreeBSD.org itself. Your link mirrors only this timeline here. So it has no more value . Authorized message from FreeBSD please
@nixCraft
Show threadpete10h ago

@enigma @nixCraft as far as i've seen, it's only been mentioned on this mailing list:

https://lists.freebsd.org/archives/freebsd-chat/2026-March/000075.html

so far. don't think there has been any official response as of yet.

Forums hacked or defaced

Show threadpete9h ago

@enigma @nixCraft there is this fedi post where someone claims they spoke on IRC. i haven't got a computer with me to check

https://fosstodon.org/@xinayder/116319164677216376

Alex (@[email protected])

got reply from IRC that the server admins are aware of the issue. hopefully it's just a defacement and no data was exfiltrated!

Fosstodon
Show threadΤŽΡ”Ξ·Ο…ΠΊΞΉ, ζ‰‹ζŠœγπŸš€πŸ§β™ πŸ”­ ⚫βšͺ9h ago
@novet
this helps more than scary screenshots from @nixCraft , thanks sincerely.
@nixCraft
Show threadΤŽΡ”Ξ·Ο…ΠΊΞΉ, ζ‰‹ζŠœγπŸš€πŸ§β™ πŸ”­ ⚫βšͺ9h ago
@novet
thanks, honestly. Maybe only forum is concerned. Not all freebsd.org
πŸ™
@nixCraft
Show threadpete9h ago
@enigma @nixCraft currently looks like it was just injection based on what i've seen on fedi. forums went back up a bit ago and just went back down seemingly.
Show threadnixCraft 🐧10h ago
@enigma
Show threadNeil E. Hodges10h ago
@nixCraft @enigma Inb4 he claims this was edited. :P
Show threadLuna / Miika ☭  (need more cuddles)9h ago
@nixCraft @enigma Mailinglist and website, apparently only their frontend is hacked but who knows
Show threadhazelnot 9h ago
@enigma @nixCraft you could see it for yourself, the page apparently got replaced with some "WarNight" shit and Russian text, it's down completely now though
Show threadΤŽΡ”Ξ·Ο…ΠΊΞΉ, ζ‰‹ζŠœγπŸš€πŸ§β™ πŸ”­ ⚫βšͺ9h ago
@hazelnot
you may have noticed I didnot have to see it. There are helpful people who don't say " see for yourself". Those I have to thank what I did.
Show threadhazelnot 8h ago

@enigma lol what? I didn't say "see for yourself", I said you could've seen it and that was the source, the website itself looking the way it did πŸ’€

But sure, feel free to continue being a condescending asshole 🀷

Show threadRay McCarthy9h ago

@nixCraft
Oh dear. :(

Just the forums? The packages & manuals not affected?

Show threadRichard9h ago
@nixCraft looks they are recovering
Show threadΔžΓ–KΓœπŸ‘»πŸ‘»β„’8h ago
@nixCraft whatever I want to start gets destroyed. ☹️ πŸ˜‚.. Was thinking to start Linux but now many distro going to implement age verification... Was thinking to use bluesky they Goin to use AI. Was thinking to use FreeBSD and shared video 2 days ago now this hacking news. Wath a lucky person I'm. πŸ˜…
Show threadcynical melomaniac 5h ago
@nixCraft That's incredibly rude.
Show threadcaveknoll1h ago
@nixCraft So what weird plugin not updated in years was in use. Or something less glamorous like phishing happened.