FreeBSD forums hacked

[Maxnix]

Hello all,

just some minutes ago I tried visiting https://forums.freebsd.org (with
javascript enabled), but instead of the forums home I was "greeted"
with a message by a group called "Warnight" claiming the hacking.

Does someone else already noticed this?

[Arthur Chance]

Same for me.

--
Vibe coding - the technical debt of tomorrow.

[Alex Mitchell]

Same

[Alexander Burke]

Only if JavaScript is enabled. Otherwise, no defacement is visible.

[Maxnix]

Il 30/03/26 19:25, Alexander Burke ha scritto:

> Only if JavaScript is enabled. Otherwise, no defacement is visible.
>

Yes, at least it was readable.

Now the forums report "Page could not be loaded"; the admins are surely
solving the problem.

[Ralf Mardorf]

On Mon, 2026-03-30 at 17:25 +0000, Alexander Burke wrote:
> Only if JavaScript is enabled. Otherwise, no defacement is visible.

For https://forums.freebsd.org/ here ist nothing unusual visible. Looks
ok.

Location Germany, Browser Waterfox 6.6.9 Linux, Javascript enabled

FWIW nameserver 192.168.1.1 which results in a mix of

62.109.121.48 Telefonica Germany GmbH & Co. OHG Germany, Munich O2
62.109.121.49 Telefonica Germany GmbH & Co. OHG Germany, Munich O2
217.91.179.72 Deutsche Telekom AG Germany, Dortmund OpenNIC
2a01:c30::27 HANSENET Germany, Munich O2
2a01:c30::28 HANSENET Germany, Munich O2

and probably a few other.

[Ralf Mardorf]

Now I get "Forum upgrade in progress."

[Dale Scott]

For me, the most valuable part of this discussion seeing how many people are using the forums and care to say, from which the size of the community can be estimated assuming e.g a multiplicative relationship. Without doing the math I think it shows a healthy community. :-)

---

Dale Scott

Engineering Manager | SME Business Software Support
Principal Consultant, dalescott.net

LinkedIn Profile, Dale Scott, P.Eng.

 

[Marco Moock]

On 30.03.2026 19:37 Uhr Ralf Mardorf wrote:

> For https://forums.freebsd.org/ here ist nothing unusual visible.
> Looks ok.

For me, it shows

Forum upgrade in progress.


--
kind regards
Marco
Send spam to 1774892...@stinkedores.dorfdsl.de

[Shamim Shahriar]

For me it is going nowhere. drill is pointing to localhost -- tried from multiple datacentres!

[Ralf Mardorf]

On Mon, 2026-03-30 at 11:45 -0600, Dale Scott wrote:
> Without doing the math I think it shows a healthy community.

I would advise caution when concluding that a high number of users on a
platform necessarily indicates a correspondingly healthy community.
There are some very telling counterexamples in this regard ;).

I decided to do a random Google search using the letter "x" and
"FreeBSD" as search terms. Google’s AI responded (translated from
German):

"X (formerly Twitter) has by far the largest community of the three
platforms mentioned, followed by xHamster, while the FreeBSD Forums
represent a very small, specialized niche.

Here is the comparison based on data from 2026:

X (Twitter): Has several hundred million monthly active users (estimates
for early 2026 are approximately 560–570 million) and billions of page
views.

xHamster: Ranks among the top websites worldwide, with over a billion
visits per month (according to Similarweb for Feb. 2026). It is one of
the most-visited pornographic platforms.

FreeBSD Forums: This is a specialized technical forum for the FreeBSD
operating system. The community is active, but tiny compared to social
networks. There are a few thousand registered users who exchange ideas
in threads.

Conclusion: X has the largest, most diverse community. xHamster is
extremely large in terms of pure traffic, but thematically very limited.
The FreeBSD Forums are a small, specialized community."

[Ralf Mardorf]

A few minutes make all the difference. The site is up again.

[Luna Jernberg]

Down here, also anyone know if they got any database or just defaced the site?

[Luna Jernberg]

hopefully the admins reset peoples passwords just in case, but guess
most FreeBSD users randomly generate something per site

[Mario Lobo]

Still down here.

Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since version 2.2.8 [not Pro-Audio.... YET!!]

[Peter 'PMc' Much]

Alexander Burke wrote:
> Only if JavaScript is enabled. Otherwise, no defacement is visible.

Thanks for the confirmation. That was the impression I got,
but when I got that far to switch off JS in the browser, target was
already offline.

Besides, it was a beautiful hack. The greeting was friendly, the
Russian(?) singer was inspiring, over all a very nice work.

I tried to figure out what was written on the page in Cyrillic
(cut&paste didn't work), but only got to the first word (which
seemed to resemble "pornofilmy"). Anybody got more?
Besides, I think we really need to think about the discrimination
of the Slavic people.

Marco Moock wrote:
> For me, it shows
> Forum upgrade in progress.

FIRST,
It may show anything your localhost sends. For now, the DNS
tells this:

root@edge:~ # dig -t ANY forums.freebsd.org
...

;; ANSWER SECTION:
forums.freebsd.org. 60 IN RRSIG AAAA 8 3 60 20260413093756 20260330155100 50326 freebsd.org. ...
forums.freebsd.org. 60 IN AAAA ::1
forums.freebsd.org. 3600 IN RRSIG TXT 8 3 3600 20260409000528 20260325122003 50326 freebsd.org. ...
forums.freebsd.org. 3600 IN TXT "v=spf1 ip4:162.223.10.29 ip4:84.22.108.242 ip6:2607:fc50:0:15::1b9 ip6:2a02:2770:6:0:21a:4aff:fe6d:b94 mx ~all"
forums.freebsd.org. 3600 IN RRSIG MX 8 3 3600 20260409061617 20260326102003 50326 freebsd.org. ...
forums.freebsd.org. 3600 IN MX 10 forums.freebsd.org.
forums.freebsd.org. 60 IN RRSIG A 8 3 60 20260414011206 20260330155100 50326 freebsd.org. ...
forums.freebsd.org. 60 IN A 127.0.0.1


Fancily, the SPF record still give us the correct IP, and with these
we still get into the Forum. (I am currently logged in, and I really
don't see any point in killing the DNS.)

SECOND,
even with the forum being offline, you may see in the browser
something else. That is because the forum installs a so-called
"Service Worker" into your browser.

A "service worker" is basically a piece of Javascript code that gets
downloaded and inserted into your browser, and then stays there.
This "service worker" then intercepts all your queries, and does
with them whatever it seems fit. and whether it reaches the forum
or not. And at least in Firefox it cannot be disabled or removed.

I also just learned what that is (and I hate it). Anyway, with all
my surfing around, the forums.freebsd.org is apparently the only site
that has installed such a thing into my browser.

But then also, the specs tell us, that "the modern user wants a
web experience that is undisturbed by whether the target site is
online or offline" - or some more of that bullshit bingo.
In other words, the "modern user" is expected to just consume their
continuous advertisement feed and keep sleeping. Another step into
our modern classful society.

Cheerio,
PMc

[Polarian]

Hey,

> A "service worker" is basically a piece of Javascript code that gets
> downloaded and inserted into your browser, and then stays there.
> This "service worker" then intercepts all your queries, and does
> with them whatever it seems fit. and whether it reaches the forum
> or not. And at least in Firefox it cannot be disabled or removed.

As far as I am aware, this is installed to provide notifications for
your browser, and it is optional, you get a pop up asking you if you
want to enable it or not, I don't believe it is done by default.

Or maybe I am wrong, I am not a web developer after all.

Take care,
--
Polarian
Jabber/XMPP: pola...@icebound.dev

[Daniel Lysfjord]

Watch your service workers @ about:debugging#/runtime/this-firefox

[Polarian]

Ah,

I am not able to use service workers anyways because my browser has
privacy features enabled. As for Peter who said you can not disable it,
please read [1].

Also it is what I thought it is, firefox (at least used to) asks you
permission to install a service worker into your browser when it asks
if you would like to receive notifications from the site.

So this is not an issue, if you don't want it, don't click allow on the
pop up or disable the service workers entirely using about:config.

Take care,
--
Polarian
Jabber/XMPP: pola...@icebound.dev

[1]
https://firefox-source-docs.mozilla.org/devtools-user/about_colon_debugging/index.html#service-workers-not-compatible

[Luna Jernberg]

https://forums.freebsd.org/threads/forum-outage.102193/#post-752543

[Maxnix]

Il 30/03/26 21:18, Luna Jernberg ha scritto:

> Down here, also anyone know if they got any database or just defaced the site?
>
> Den mån 30 mars 2026 kl 21:15 skrev Ralf Mardorf <ralf-m...@riseup.net>:
>> A few minutes make all the difference. The site is up again.
>>

Seems they just defaced it:
https://forums.freebsd.org/threads/forum-outage.102193/post-752543

[Maxnix]

Il 31/03/26 00:38, Peter 'PMc' Much ha scritto:

> I tried to figure out what was written on the page in Cyrillic
> (cut&paste didn't work), but only got to the first word (which
> seemed to resemble "pornofilmy"). Anybody got more?

Google translated it as "Have a good day, if you are having one" or
something along this line.