4chan
4chan has been hacked. The hack is largely attributed to individuals or a group associated with Soyjak.party, a rival imageboard also known as "The Sharty." The primary motive appears to be related to the restoration of the /qa/ board, which was banned on 4chan about four years ago. The sharty boys allegedly reinstated this board during the attack, demanding a space significant to their community. Additionally, the hack involved leaking moderator and janitor emails, source code, and internal communications, exposing and undermining 4chan’s moderation practices.
the process
Evidently, some sharty boys had access to root on 4chan's servers since 2021 and planned the hack for a few years. The attackers exploited vulnerabilities in 4chan’s outdated infrastructure, specifically an old version of PHP (potentially from 2016) and deprecated MySQL functions in a script called "yotsuba.php." This script, which handles post submissions and moderation, was a key entry point. Some reports suggest the hackers gained shell access to 4chan’s servers, allowing them to leak sensitive data like admin panels, source code, and moderator credentials. There’s also mention of an exploit involving PDF uploads, where a malicious PDF could execute PostScript commands via an outdated Ghostscript version, granting shell access.[1]
what to do
Commentary and help from our friends in the east:
gallery
Oh well, despite the fact that people are crying about it and saying "this is the end," 4chan will probably be back in a few hours. Reminder: you are here forever.
stuff
- 7zip of the source files
- List of mods and jannies in .txt format.
- Dump of the jannies private IRC channel
- Dump of the entire /j/ board (a board private only to board jannies)
- File tree.
- Autodoxxed jannies/mods/admin in JSON.
- A bunch of posts from /j/. The janitor's hidden board.
it's back!!! (kinda)
Anonymous 02:38, 1 June 2025 (EDT) |
On the afternoon of April 14th, a hacker using a UK IP address exploited an out-of-date software package on one of 4chan’s servers, via a bogus PDF upload. With this entry point, they were eventually able to gain access to one of 4chan’s servers, including database access and access to our own administrative dashboard. The hacker spent several hours exfiltrating database tables and much of 4chan’s source code. When they had finished downloading what they wanted, they began to vandalize 4chan at which point moderators became aware and 4chan’s servers were halted, preventing further access.
Over the following days, 4chan’s development team surveyed the damage, which to be frank, was catastrophic. While not all of our servers were breached, the most important one was, and it was due to simply not updating old operating systems and code in a timely fashion. Ultimately this problem was caused by having insufficient skilled man-hours available to update our code and infrastructure, and being starved of money for years by advertisers, payment providers, and service providers who had succumbed to external pressure campaigns. We had begun a process of speccing new servers in late 2023. As many have suspected, until that time 4chan had been running on a set of servers purchased second-hand by moot a few weeks before his final Q&A, as prior to then we simply were not in a financial position to consider such a large purchase. Advertisers and payment providers willing to work with 4chan are rare, and are quickly pressured by activists into cancelling their services. Putting together the money for new equipment took nearly a decade. In April of 2024 we had agreed on specs and began looking for possible suppliers. Money is always tight for us, and few companies were willing to sell us servers, so actually buying the hardware wasn’t a trivial problem. We managed to finalize a purchase in June, and had the new servers racked and online in July. Over the next few months we slowly moved functionality onto the new servers, but we had still been relying on the old servers for key functions. Everything about this process took much longer than intended, which is a recurring theme in this debacle. The free time that 4chan’s development team had available to dedicate to 4chan was insufficient to update our software and infrastructure fast enough, and our luck ran out. However, we have not been idle during our nearly two weeks of downtime. The server that was breached has been replaced, with the operating system and code updated to the latest versions. PDF uploads have been temporarily disabled on those boards that supported them, but they will be back in the near future. One slow but much beloved board, /f/ - Flash, will not be returning however, as there is no realistic way to prevent similar exploits using .swf files. We are bringing on additional volunteer developers to help keep up with the workload, and our team of volunteer janitors & moderators remains united despite the grievous violations some have suffered to their personal privacy. 4chan is back. No other website can replace it, or this community. No matter how hard it is, we are not giving up.[2] |
Anonymous 02:38, 1 June 2025 (EDT) |
>impblying |
further reading
- Soyjack.party website
- Archived thread depicting the damage and joy.
- WE WON DATAMINE THE EMAILS NOOOOOOOOOOOOOOOOOOOOOOOW (archive link)
- Soyjak wiki (reminder that I need to add that to the Wikipedias article).
references
- ↑ Things nobody cares about.
- ↑ https://blog.4chan.org/post/781845918774394880/still-standing