Leaderboard

New build of Serpent/UXP for XP! Test binary: Win32 https://o.rthost.win/basilisk/basilisk52-g4.8.win32-git-20260606-3219d2d-uxp-bfaade4306-xpmod.7z Win64 https://o.rthost.win/basilisk/basilisk52-g4.8.win64-git-20260606-3219d2d-uxp-bfaade4306-xpmod.7z source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/custom IA32 Win32 https://o.rthost.win/basilisk/basilisk52-g4.8.win32-git-20260606-3219d2d-uxp-bfaade4306-xpmod-ia32.7z source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/ia32 NM28XP build: Win32 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20260606-d849524bd-uxp-bfaade4306-xpmod.7z Win32 IA32 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20260606-d849524bd-uxp-bfaade4306-xpmod-ia32.7z Win32 SSE https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20260606-d849524bd-uxp-bfaade4306-xpmod-sse.7z Win64 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win64-git-20260606-d849524bd-uxp-bfaade4306-xpmod.7z Win7+ x64 AVX2 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win64-git-20260606-d849524bd-uxp-bfaade4306-w7plus-avx2.7z Official UXP changes picked since my last build: - Issue #3109 - Clamp border-radius value to CSS' internal length clamp value (d47606ce8f) - Issue #2964 - Part 1: CSS Override for `uppercase` and `capitalize` (dff842a949) - Issue #2964 - Part 2a: Correctly Detect End of Buffer in `ToUpperCaseImpl` (7a933598d7) - Issue #2964 - Part 2b: Improve `ToUpperCaseLength` (b2f6fded36) - Issue #2964 - Part 3: JS Override for `ToUpperCase` (5dc2f08e29) No official Pale-Moon changes picked since my last build. No official Basilisk changes picked since my last build. My changes since my last build: - Revert "Revert "Implement FinalizationRegistry" and related commits." (1e38b5ec94) - mozapps/handling: fix application icon handling by reboot12@msfn (811b13e76c) - Revert "Revert "Revert "Implement FinalizationRegistry" and related commits."" (bfaade4306) Update Notice: - You may delete file named icudt*.dat and icu63.dll inside program folder when updating from old releases. * Notice: From now on, UXP rev will point to `custom` branch of my UXP repo instead of MCP UXP repo, while "official UXP changes" shows only `tracking` branch changes.

Works in Mypal 78, but not in New Moon 28 and Serpent 52. The reason lies in this poorly written function performDownload (line 26, column 119) within the download.js script on the sooftware.com server: function performDownload(num) { event.preventDefault(); ... Strictly speaking, of course, the variable `event` (line 26, column 140) is not defined that way. But Mypal 78 and Supermium seem to be able to handle it. The function performDownload should actually have been constructed this way: function performDownload(event,num) { event.preventDefault(); ... New Moon 28 and Serpent 52 are very sensitive to things like that.

@nicolaasjan This is an attempt to explain what happens when the contaminated MSFN server meets other search engine bots than Googlebot or bingbot. For everyone else, it refers to @nicolaasjan's test and observation: Why alternative bots (like MojeekBot) trigger the "Welcome Loading ..." freeze 1. The mechanics of the attack: The server-side user agent sniffer The malware installed on the server uses a conditional script (usually written in PHP within core files like index.php or .htaccess rewrites). This script scans the incoming request for specific keywords in the User-Agent string to determine whether to serve the clean forum to a human user or the spam payload to a search engine. 2. The Googlebot trigger vs. the MojeekBot catch-all fault With Googlebot: The malware has a fully defined template. When it detects Googlebot, it successfully injects the hidden HTML container containing the Thai spam, links, and keywords, allowing the page to render fully for the crawler. With MojeekBot (and potentially other secondary search bots): The malware's sniffing routine recognizes the word Bot or Bot/ (via a regular expression or wildcard check like *bot*), flagging it as a search engine. However, the malware's backend does not have a valid spam-template or correct database-routing configured for this specific bot identifier. 3. The cause of the freeze: Broken Document Object Model (DOM) & JavaScript execution The string "Welcome Loading ..." is part of the forum’s native lazy-loading or initialization layout (often used during the initial handshaking phase between the server and the browser's JavaScript engine). When MojeekBot hits the server, the malware triggers, intercepts the request, but then crashes or terminates prematurely (e.g., throwing a silent PHP Fatal Error or an unhandled exception because the variable for the payload is empty or undefined). The backend script crashes mid-execution: It completely fails to fetch and load the actual forum database content (the threads, posts, and UI). It leaves the HTML document incomplete and broken, trapping the page forever in the initial "Welcome Loading..." state. This observation proves that the infection is not a static HTML injection into old threads, but an active, dynamic routing script on the server. It intercepts all automated crawlers based on a broad User-Agent filter, but breaks completely when encountering bots it wasn't explicitly optimized for (like Mojeek). To fix this, the administrator @xper or supervisor @Tripredacus needs to look for malicious conditional statements filtering user agent keywords inside the server configuration or core PHP initialization scripts.

Right, I’ve calmed down now and am trying to take a fresh look at the whole situation and assess it. At first, I thought Google was mainly to blame. @NotHereToPlayGames believes that the owner and administrator @xper are solely to blame. The truth probably lies somewhere in between. Here is an alternative perspective on the whole matter from a very special source whom I am inclined to trust. I will not answer any questions about the nature of this source. It enjoys incognito status. So, believe it or not. The cause: The "Japanese Keyword Hack" (or SEO spam injection) The fact that Google search results display Thai characters or Asian text, even though the actual page is in English, is due to a security vulnerability in the forum software that was exploited by automated spam bots. In professional circles, this is usually referred to as the "Japanese/Thai Keyword Hack". 1. What the spammers did Automated bots exploited a vulnerability on MSFN (often via the internal search function, registration pages or by generating thousands of fake profiles/posts). Unnoticed in the background, so to speak "invisible", they generated millions of artificial, low-quality URLs on MSFN, which were crammed with Thai terms, casino links, dubious diet pills or counterfeit branded products. 2. What Google did during the Core Update Google crawled these hidden spam pages. As a Core Update re-evaluates the entire index, the algorithm noticed the sheer volume of this Thai spam content on MSFN. As these generated spam pages were highly optimised for the Google bot, the algorithm mistakenly assumed that the main topic or main language of certain forum sections was now suddenly Thai. In the search results, Google then mixes the page’s actual title with the injected Thai keywords from the cache, which is why the links look so strangely masked to you. 3. The consequence: Classification as a spam farm Because the Google bot suddenly found millions of pieces of Thai spam content on MSFN, the algorithm pulled the emergency brake. Google classifies the domain at this point as "hacked" or "abused for spam". This leads to an automatic, algorithmic (or sometimes manual) block and a massive wave of de-indexing. In doing so, Google protects its users from suspected malware. Summary for clarification There is no malicious intent on Google’s part: Google does not “think” like a human. The bot simply sees: “Suddenly, 80% of all pages on this domain are Thai spam – so the entire domain is corrupted.” It is not the intention of MSFN: The MSFN administration hasn't done much wrong; it has simply fallen victim to an aggressive, automated wave of hacking that exploited a technical vulnerability in the forum software to carry out illegal SEO sinking. In practical terms, this means: Only once the MSFN administration, @xper and @Tripredacus, has completely removed all these fake URLs, profiles and injections from the server, closed the security loophole and sent a clean re-review request to Google via Search Console will the Thai characters disappear and the site slowly recover its position in the index.

I continued my conversation with Copilote, with following question: "In an earlier conversation today (on another browser) Copilot said Bing was still indexing msfn.org. Was this an error, or is it possible the AI-engine was so called 'hallucinating'?" The answer was interesting (at least to me, probably not to AstroSkipper ). Cited small part of Copilot's answer only: "The earlier answer you saw was not you imagining things — it was almost certainly a case of the AI giving an overconfident but incorrect statement. In other words: yes, that was a hallucination, and I can explain exactly why it happens in this specific situation. 🎯 Short, direct answer Bing used to index MSFN normally, but it no longer indexes new MSFN content reliably. If another Copilot instance told you “Bing is still indexing MSFN,” that was incorrect — a classic AI hallucination caused by outdated assumptions about how search engines behave. (......) Bing is still returning MSFN pages, but it is not indexing new pages beyond ~2025. (....)."

No, we can't! I'm not saying to take my word for it, I would love for somebody to "trick" Cloudflare. But yeah, ALL SIGNS POINT TO *NO*, it can't be done! My city utilities (sewer and trash) is behind Cloudflare. Like CLOCKWORK, any browser older than a mere TWO MONTHS (just under, actually) can *NOT* be used to pay city utilities. So I've been "experimenting" for the last YEAR (at least). You can *NOT* spoof a UA, you can *NOT* fake Client Hints, you can *NOT* polyfill javascript. I've done a "million" things (exaggerating, but you get the idea). I'm not exactly a "stupid person" (how many people do you know that can FAKE CLIENT HINTS). I'm telling you, IT CAN'T BE DONE. I've been on dozens of sites that are smarter than me and they can't do it either. IT CAN'T BE DONE. The "technology" simply does not exist. Cloudflare is GREAT at what they do. I'm going to keep trying to "break" it. But so far, IT CAN'T BE DONE.

New build of BOC/UXP for XP! Test binary: MailNews Win32 https://o.rthost.win/boc-uxp/mailnews.win32-20260530-40a79c75-uxp-3c23f8ee4e-xpmod.7z BNavigator Win32 https://o.rthost.win/boc-uxp/bnavigator.win32-20260530-40a79c75-uxp-3c23f8ee4e-xpmod.7z source repo (excluding UXP): https://github.com/roytam1/boc-uxp/tree/custom * Notice: the profile prefix (i.e. parent folder names) are also changed since 2020-08-15 build, you may rename their names before using new binaries when updating from builds before 2020-08-15. -- New build of HBL-UXP for XP! Test binary: IceDove-UXP(mail) https://o.rthost.win/hbl-uxp/icedove.win32-20260530-id-656ea98-uxp-3c23f8ee4e-xpmod.7z IceApe-UXP(suite) https://o.rthost.win/hbl-uxp/iceape.win32-20260530-id-656ea98-ia-c642e3c-uxp-3c23f8ee4e-xpmod.7z source repo (excluding UXP): https://github.com/roytam1/icedove-uxp/tree/winbuild https://github.com/roytam1/iceape-uxp/tree/winbuild

New build of Serpent/UXP for XP! Test binary: Win32 https://o.rthost.win/basilisk/basilisk52-g4.8.win32-git-20260530-3219d2d-uxp-3c23f8ee4e-xpmod.7z Win64 https://o.rthost.win/basilisk/basilisk52-g4.8.win64-git-20260530-3219d2d-uxp-3c23f8ee4e-xpmod.7z source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/custom IA32 Win32 https://o.rthost.win/basilisk/basilisk52-g4.8.win32-git-20260530-3219d2d-uxp-3c23f8ee4e-xpmod-ia32.7z source code that is comparable to my current working tree is available here: https://github.com/roytam1/UXP/commits/ia32 NM28XP build: Win32 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20260530-d849524bd-uxp-3c23f8ee4e-xpmod.7z Win32 IA32 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20260530-d849524bd-uxp-3c23f8ee4e-xpmod-ia32.7z Win32 SSE https://o.rthost.win/palemoon/palemoon-28.10.7a1.win32-git-20260530-d849524bd-uxp-3c23f8ee4e-xpmod-sse.7z Win64 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win64-git-20260530-d849524bd-uxp-3c23f8ee4e-xpmod.7z Win7+ x64 AVX2 https://o.rthost.win/palemoon/palemoon-28.10.7a1.win64-git-20260530-d849524bd-uxp-3c23f8ee4e-w7plus-avx2.7z Official UXP changes picked since my last build: - Re-land: Fix devtools on 32-bit big endian platforms (0915736715) - Issue #3053 - Implement CSSStyleSheet constructor (f5a84f4ad2) - [js] Use size_t when inflating UTF8 (7bbdccd376) - [NSS] Fix instances of softoken attributes freed after owning object. (300dd371b2) - [NSS] Handle SEC_ASN1_NULL in sec_asn1e_contents_length. (9179441f96) - [libjar] Check Jar entry names for nulls. (aadb6beb07) - [NSS] Align PKCS7 digest array with digestAlgorithms. (089170ae83) - [NSS] NSS_CMSContentInfo_SetContent: only modify cinfo if everything succeeds. (7167a8fabc) - [NSS] Initialize src in SEC_PKCS5GetIV (07201fa1ae) - [NSS] Avoid integer overflow when converting AVA value to hex string. (6511833580) - Bug 2029771 - Heap use-after-free in [@ token_destructor] reading tok->pk11slot after nssToken_Destroy frees the token arena. (57bef0265c) - Bug 2029782 - fix 8-byte over-read of AES-192 key buffer in x86 builds without USE_HW_AES. (92b3f6dd67) - [netwerk] nsRequestObserverProxy ref cleanup. (bb2275d400) - [netwerk] Make nsSocketTransport2::mConnectionFlags atomic. (bb85939429) - Bug 2036905: Fix UDPSocketParent::ConnectInternal data race on mSocket. (8d4079866b) - [netwerk] Make socket transport hold a reference to TLSServerConnectionInfo. (349f46bbb2) - Bug 2027381 - improve error handling in SECITEM_DupArray with non-null arena. (b3f801743b) - [NSS] Fix maxSize calculation in NSSUTIL_AddNSSFlagToModuleSpec. (c36357a954) - Revert "Issue #3092 - Perform a minor GC on tab close" (3ae3595f6a) - Revert "Issue #3092 - Initial idle GC implementation" (860d4457ae) - Revert "Issue #3092 - Implement parallel sweeping and compaction tasks" (52ce9ebea5) - Revert "Issue #3092 - Implement BackgroundFinalizeTask for parallel garbage collection finalization" (ac0510f380) - Revert "Issue #3092 - Add new GC sweep tasks." (e95b229db8) - Revert "Issue #3092 - Refactor WASM compilation handling" (d582d12ad8) - Revert "Issue #3092 - Safely parallelize GC background finalization" (c144b4f403) - [NSS] Fix use of uninitialized length after failed PK11_SignWithMechanism/SymKey. (2a26d9508b) - Bug 2029818 - avoid refcount over-release in CERT_CertChainFromCert error path. (62d731d2c2) - [DOM] Check values in audio resampling. (244c614a47) - [layout] Hide accessible carets when needed. (4bf236902c) - [libvorbis] Allocate memory with _ogg_malloc (e9c3451d54) - No issue - Remove ISO-2022-JP from menu, overridability and detector. (c690e26c67) - [gfx/layout] Simplify textruns (b611d80223) - Bug 1784128 - Assert count passed to PR_Read/PR_Write in nsFileStreamBase fits INT32_MAX. (f83e05cf23) - [DOM] Hold a strong ref to VoiceData in nsSynthVoiceRegistry::RemoveVoice. (2f73a3004b) - [media] ffvpx patch: Fix leak in flac decoder in case of alloc failure. (9afa7a80cc) - [DOM] Stop speech synthesis if the originating document is closed. (f041eb0607) No official Pale-Moon changes picked since my last build. No official Basilisk changes picked since my last build. Update Notice: - You may delete file named icudt*.dat and icu63.dll inside program folder when updating from old releases. * Notice: From now on, UXP rev will point to `custom` branch of my UXP repo instead of MCP UXP repo, while "official UXP changes" shows only `tracking` branch changes.

There has been a new release (finally ) by its author, Bellard, of the quickjs JS runtime, necessary for de-scrambling YouTube's nsig challenges (present on most yt_player_clients, except for ANDR-V); the 32-bit binary can be found on: https://bellard.org/quickjs/binary_releases/quickjs-win-i686-2026-06-04.zip (64-bit binary: https://bellard.org/quickjs/binary_releases/quickjs-win-x86_64-2026-06-04.zip) quickjs is the only supported JS runtime on "legacy" WinOSes, like XP SP3/Vista SP2/Win7 SP1; I can't check on XP SP3 x86, but the new release does launch here (Vista SP2 x86): qjs -h => QuickJS version 2026-06-04 usage: qjs [options] [file [args]] -h --help list options -e --eval EXPR evaluate EXPR -i --interactive go to interactive mode -m --module load as ES6 module (default=autodetect) --script load as ES6 script (default=autodetect) --strict force strict mode -I --include file include an additional file --std make 'std' and 'os' available to the loaded script -T --trace trace memory allocation -d --dump dump the memory usage stats --memory-limit n limit the memory usage to 'n' bytes (SI suffixes allowed) --stack-size n limit the stack size to 'n' bytes (SI suffixes allowed) --no-unhandled-rejection ignore unhandled promise rejections -s strip all the debug info --strip-source strip the source code -q --quit just instantiate the interpreter and quit Additionally, the quickjs-ng fork has also seen a new release: https://github.com/quickjs-ng/quickjs/releases/tag/v0.15.1 https://github.com/quickjs-ng/quickjs/releases/download/v0.15.1/qjs-windows-x86.exe This runtime officially supports Win7 SP1 and later, but it can also work under Vista SP2 (but NOT on XP SP3): qjs -h => QuickJS-ng version 0.15.1 usage: qjs [options] [file [args]] -h --help list options -v --version print version string and then exit -e --eval EXPR evaluate EXPR -i --interactive go to interactive mode -C --script load as JS classic script (default=autodetect) -m --module load as ES module (default=autodetect) -I --include file include an additional file --std make 'std', 'os' and 'bjson' available to script -T --trace trace memory allocation -d --dump dump the memory usage stats -D --dump-flags flags for dumping debug data (see DUMP_* defines) -c --compile FILE compile the given JS file as a standalone executable -o --out FILE output file for standalone executables --exe select the executable to use as the base, defaults to the current one --memory-limit n limit the memory usage to 'n' Kbytes --stack-size n limit the stack size to 'n' Kbytes -q --quit just instantiate the interpreter and quit Both are fully supported by latest yt-dlp; performance-wise, they shouldn't differ much, if at all...

Would you please stop with that. You have absolutely no clue what I’m dealing with personally and privately, which is why I don't have time to constantly check the server. MSFN is a one-man show. And how do you know I won't say thanks? On top of that, I’ve wanted to shut MSFN down several times over the last few months because of this situation. So back off. Stick to software, hardware discussion or go find another forum. I don't care. Just be careful. Have a nice night or day or whatever.

Fixed.

Nothing was reset. I just pruned some inactive members. Found breach, egyspider webshell. Old WP plugin. Took me 4 days to clean up everything. Reindex sitemap and requested new Google indexing. We are getting back on google. As for country flag, I will fix that. Thanks for pointing it out. Anyway, I do as much as I can. Not much spare time.

just missed, applied as https://github.com/roytam1/UXP/commit/811b13e76c

you need sending proper Referer header or you will get a cloudflare's captcha page.

As already mentioned, the next problem I have investigated is the large number of 0-post accounts without any activity created up until 16 January 2026 and one from today. It must be thousands as far as I could see. These were created automatically using a script or other methods over the last years. Maybe, some of them are genuine but most of them aren't. A key indicator for those accounts is whether they have never been visited or only once when creating. Fake accounts, or so-called ‘sleeper’ accounts, could be all those where it says: ‘Last visited: Never’ or ‘Last visited: [Date of creation]’ if looking into them. A genuine account is usually visited in the moment of creation and later from time to time. Real, new members set up all necessary things and take a look into their accounts. Anyway, those accounts are the ‘sleeper cells’ of the attack. They were not used to carry out the infection itself (the malicious code was introduced onto the server via a security vulnerability), but serve as infrastructure to make the spam appear legitimate to Google. Here are two typical examples – accounts that really stand out because of their names and status ‘Last visited: Never’ which does not make any sense at all : 1. Building ‘domain trust’ (initial trust) Large forums such as MSFN have safeguards in place against brand-new accounts. If a bot registers today and immediately posts 50 links, the system raises the alarm and blocks it. Attackers therefore use automated scripts to register thousands of accounts in advance and simply leave them dormant for months. To the forum software (and to Google), the account ages. An account that has existed since “January 2026” will enjoy much greater trust in June 2026 than an account that is only 5 minutes old. 2. The profile spam method (hidden profile links) This is probably the most common use case: every forum member has their own profile page (msfn.org/board/profile/XXXXX-username). A normal user fills in their biography there. A spam bot uses the ‘Website’, ‘About me’ or ‘Signature’ fields to insert Thai keywords and casino links there. The key point: as these accounts have 0 posts, they never appear in active threads. No moderator and no member ever sees them in normal forum activity. But for the Google bot, these profile URLs do exist! The malicious code on the server (our cloaking parasite) now ensures that it feeds the Google bot internal lists of all registered profiles. Google crawls these profile pages, finds the Thai links and indexes them. 3. Exploitation of internal messaging systems (PM spam) or hidden drafts Some sophisticated forum bots use dormant accounts to send spam messages (PMs) to other members in the background (which would, of course, have been noticed), or they create hundreds of posts in the ‘Drafts’ section. These drafts are never published, but exist as data fragments in the database. If the server-side malicious script specifically accesses these tables, it can trick the Google bot into believing that this content is public. 4. Why did the wave of registrations come to an end in January 2026? The fact that no further accounts of this kind were created after January 2026 suggests two possible scenarios: 4.1. The loophole was (unintentionally) closed: The administrators may have installed an update to the forum software in January, activated a new CAPTCHA (e.g. Cloudflare or Google reCAPTCHA), or blocked registration for certain IP ranges or email providers. 4.2. The quota was full: By January, the attackers had generated enough ‘sleeper’ accounts to run their campaign for 2026 and withdrew the registration bots, as the accounts now simply had to ‘mature’. These accounts are used for what is known as profile injection spam. They do not harm the forum database itself, but they serve as a ‘host’ for the hidden links that the server parasite then sends exclusively to Google. For the administrator @xper, this means: not only he has to delete the malicious code, but he must also use a simple database command (SQL) to completely eliminate all accounts with 0 posts that were created over the last years and never visited or visited on the date of creation only, or contain dubious links in their profiles. Or much better, delete them all if there is no genuine activity, as they are then superfluous anyway, apparently not needed and pose a potential risk.

@xper@Tripredacus@Dave-H So basically from what I can see we have 4 problems right now: A forum hack that as a result de-indexed MSFN from search results Spam accounts that lead to registration block Lack of donations to pay for Invision software Lack of maintenance #1 and #2 are the most important ones right now and it may very well be that due to lack of maintenance the forum remained at old software versions which is much worse for servers than it is for client devices. And eventually got hacked. Cleaning the malware is one thing and securing the software so that the vulnerabilities aren't there anymore is another and I think it may actually be easier to just redo the forum board from the ground-up. A fresh board can be brought to life with just a few hours. But I think it's important to keep MSFN alive due to the incredible amount of useful info already there, the fact that there is no forum quite like it: eclipse.cx and legacydev.org suffer from dramas causing a large portion of users not being reachable on one or the other and a lot of the actual software development happens here (especially drivers nowadays). And MSFN is a really active forum for the technical state that it's currently in. Now what IMO has to be done: Archive everything as it is Put up a fresh install of a free forum software like phpBB Transfer users (with more than 0 posts) and emails so that they can redo their password using email verification on the new board Strip the old forum of any javascript/php code to clear malware and put it in read only mode somewhere like archived.msfn.org Maybe transfer the contents of some of the most active topics. Consider giving some maintenance access to most trusted forum admins so that the software gets properly updated And there you go, it requires some work, but problems solved, if a change like this happens I promise to donate to the forum and I'm sure many users would do the same, I think they just don't really want to donate right now due to lack of maintenance happening anyway. And phpBB unlike invision is free!

I have most installers in my archive. But try first this site: https://panda-free-antivirus.sooftware.com/windows/download/401339

@nicolaasjan I'm currently trying to figure out why nothing is showing up with MojeekBot or Bravebot. It seems, however, that the malicious script or code on the MSFN server wherever it may be hiding isn't playing nice with Mojeek or Brave. And that is most likely why Mojeek and Brave don't really have any issues with MSFN at the moment. But maybe, the hackers will update their malware at some point, and then that will be the end of those two search engines, too, when it comes to search results regarding MSFN. And as things stand right now, they have all the time in the world, since the administrator @xper or supervisor @Tripredacus hasn't taken any action yet.

I totally forgot to say: Very tricky! Good idea!

No idea! I’m just compiling facts, analyzing connections and drawing conclusions. And that doesn’t come particularly hard for me, as I’ve been doing nothing else for decades, and it’s second nature to me. Let’s hope he might still take action! I’ve never had any contact with @xper. To me, he’s always been a bit of a mystery.

I just changed `general.useragent.override.msfn.org` to: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) But why doesn't the administrator do something about it?

It is precisely observations like these that are important and useful. Thank you, @nicolaasjan!

If @xper or @Tripredacus can bring themselves to take my comments seriously and investigate the MSFN server, they must do so very thoroughly, as the infection is more or less hidden or invisible. In IT security, this phenomenon is known as "cloaking" (making content visible only to search engines) or shadow injection. Here is an attempt at a factual, technical explanation of why this Thai content was invisible to visitors in their browser: 1. The phenomenon of "cloaking" (the user-agent switch) The malware that has infected the forum checks the user agent (the visitor’s identifier) every time a page is loaded: If you, as a normal user, visit the site using a browser, the server sees: “Ah, a normal person.” The script ignores you and delivers the completely clean, familiar MSFN forum. You don’t see a single spam post. When the Google bot (Googlebot/2.1) visits the page, the malicious script recognises the identifier and switches over. It injects the Thai keywords, casino text and spam links into the HTML code specifically for this one bot. As the Google bot sees this, it stores it in its index. As a user, you won’t notice a thing until you search for MSFN via Google and wonder about the hieroglyphics. 2. Exploiting the internal search function (URL injection) Many forum software packages have a vulnerability in the way they process search queries. Bots send millions of specially crafted search queries containing Thai terms to MSFN. The forum then dynamically generates a page with the title: "Results for the search: [Thai casino link]" . The bots copy this generated URL and link to it en masse on dubious external websites. When Google follows these links, the bot lands on MSFN on a Thai results page (which exists for it) that never appears in normal forum operation or in the sub-forums. 3. Hidden system files (database level) Often, the attackers do not embed themselves in the visible text area of the threads, but instead modify a deep-level system file (such as the .htaccess file on the server or a core file of the forum software). This file intercepts the data stream and adds the Thai code in the background – but only if the request comes from a search engine. Conclusion: There’s no need to worry: the forum on MSFN that people use and love every day is clean in terms of its content. The database of genuine threads remains unaffected. This is a purely technical "parasite infestation" running in the background, specifically optimised to deceive the Google bot and exploit MSFN’s reputation (domain authority) for illegal advertising purposes. As the administration doesn’t see this malicious code during normal forum operations, it usually only comes to light when Google’s hammer strikes mercilessly in the wake of a core update.

Ok, I’m now in a position to pinpoint the error, bug or whatever setting has been set. After two days of zero views, today there’s a number other than zero: 55 replies and 694 views: It seems to be the case that the forum software counts views of posts only periodically. Of course, this is just a theory that has yet to be proven. I hope this might be helpful.

AGREED. But remember, not all Cloudflare capcha's are "identical". The one for my city utilites goes into an ENDLESS LOOP for SUPERMIUM v144, Chrome v144, and Chromium v144. But yet that is the "newest" we have for SUPERMIUM. Supermium CAN pass the Cloudflare capcha offered up by BING if I want an AI-generated javascript kick-in-the-right-direction. But it can NOT pass the Cloudflare capcha to pay my city utilities.

And here is another example to demonstrate what Google has done with their index: For years, the ProxHTTPSProxy and HTTPSProxy thread has ranked number 1 in Google for the search term "httpsproxy windows xp", as it still does for Mojeek and Brave only at the moment. Zero results which means Google doesn't even know me anymore and technical knowledge is withheld from users of this search engine. To hell with Google Search! Complete de-indexing, as with everything else. Just an example!

Yes, searching for "msfn.org/board" on Bing also gives me sh*t results... So, Copilot is clearly hallucinating.

@modnar Thanks for your confirmation! It doesn't really matter whether you use Startpage or DuckDuckGo instead of Google. They are all slave search engines which get their results from Google or Bing. Google is the actual monopolist, Bing is desperately trying to keep up, whilst the others are taking advantage of both. That is the big problem when there is practically no competition left. Monopolies always spell disaster. I have to say, I really admire the two larger search engines that are still around and have managed to carve out their own niche: Brave and Mojeek. At least, for now.

If I just do "MSFN Windows XP" then there are no results from msfn.org If I do site:msfn.org "MSFN Windows XP" then there are lots of msfn.org results. Again, a mixture of correct and hacked results. A 'site' search seems to reveal the results that are otherwise hidden. Ben.

I can get msfn results from google if I do a site:msfn.org search, I then get a mixture of correct results and the hacked results. So, there are results there but it's as if the Google crawler has been fed the hacked results. As I still can't find a way to arrive on one of these hacked pages I assume it's Google's own crawler that has been compromised. FWIW, this is https://msfn.org/robots.txt User-agent: * Allow: / Ben.

@Dietmar Yeeeeeeeeeeeaaaaaaaaaaaa! I patched hal.dll to fix reboot WinXP 64-bit booted on UEFI mode 0x106BB: 7F 0F > 74 24 0x106E1: CC CC CC CC CC CC CC CC CC > B0 06 66 BA F9 0C EE EB FE Tested problematic PC's: Gemini Lake (Dell Wyse 5070), Valleyview SoC (Asus J1800I-C). Now WinXP reboot properly under pure UEFI The patch should work on 95% of PCs, especially Intel ones. @Dietmar Please test reboot on yours Dell Wyse and report. Test also my kdcom.dll patch for WinDbg

I would recommend updating to version 144, that opens Cloudflare sites OK for me. Incidentally, they are now blocked on 360Chrome too, so I think that's the beginning of the end for any further use of that browser!

Searching engines are a disaster now, yes. I will give Brave and Mojeek a run and see. This has nothing to do with legacy, and definitely with oligopolistic (duopolistic, actually) behavior. Next step: charging you for prime search services. PS: disappointed on e-tools.ch. It used to be my engine of choice for 2-3 years, now it only works if you go to preferences and manually set base to important... A pain in the neck.

eagyspider webshell? I think you meant EasySpider webshell, didn't you? As I have never heard or read anything about eagyspider. EasySpider Malware: Type: Backdoor / SEO Spam Injector Infection class: Cross-Site Contamination (as it has been carried over from WordPress to the forum) Mechanism: Dynamic Cloaking & User-Agent Sniffing In any case, a form of "Cloaking" as I predicted here in this thread last Saturday https://msfn.org/board/topic/187801-msfn-and-its-lack-of-search-results-in-google-bing-and-all-search-engines-depending-on-them/page/3/#findComment-1287744 and finally last Sunday https://msfn.org/board/topic/187801-msfn-and-its-lack-of-search-results-in-google-bing-and-all-search-engines-depending-on-them/page/5/#findComment-1287780 So, good to see that you've found it. And that you have already started to delete some of these thousands of fake or sniffer accounts I mentioned here: https://msfn.org/board/topic/187801-msfn-and-its-lack-of-search-results-in-google-bing-and-all-search-engines-depending-on-them/page/8/#findComment-1287893 In any case, I'm glad this thread has served its purpose and that everything turned out well.

I only use 32-bit Supermium and haven't experienced any significant problems on normal sites, even the heavy app ones like Discord or YouTube. The multi-process nature allows the browser to use all available memory. On XP you can "only" access about 1.5 gigs per process. The site I ran into problems tried to load ffmpeg webassembly for converting media files in the browser. The native exe is just over 100 MB. But the site used over 3 GB of RAM after switching to the 64-bit version. That is insane.

@NotHereToPlayGames We shouldn’t take ourselves – or MSFN – too seriously. We’re talking about a forum here, tragically classified by @xper for some time now as a ‘communication forum’, but which I and most others still regard as a 'technology forum', with no infrastructure attached to it, where people can seriously come to harm. Perhaps both are away on holiday or at work, but that can’t be the case forever, of course. And anyone stupid enough to fall for one of those Thai posts scams is beyond help.

Same here. But I used the MojeekBot user agent Mozilla/5.0 (compatible; MojeekBot/0.11; +https://www.mojeek.com/bot.html) And the Bravebot Mozilla/5.0 (compatible; Bravebot/1.0; +https://search.brave.com/help/brave-search-crawler) behaves in the same way. I also tested again the Googlebot and the bingbot. And with these bots, you can clearly see the Thai/Siamese-contaminated MSFN sites caused by "Cloaking". Here is a screenshot when using the bingbot user agent:

As you can see, I already did it first.

@deomsh A search engine can't find and show websites which weren't indexed before. This is usually the job of their automated web crawler.

True, I do not know if client hints are the real culprit. I only know that UA is *not*, that CH is *not*, and that both combined are *not*. FALSE, I do not now, nor have I ever, relied on "research" of any kind from ANY member herein that begins with a *D*. That is your obcession, not mine!

Indeed. This is what the bot sees when visiting this particular thread (screenshot of part of a long page):

Google cares about Google. And nothing else. When they say that new optimisations have been performed, then they have minimised their costs and maximised their profit. Google doesn't really care about consumers or preserving knowledge for future generations.

Thank you dear @AstroSkipper, good to know! But the searches on Yahoo UK, overall, are better than with Bing and Google, and they still have one proper link to MSFN, despite the shown Siamese façade.

As far as I know, it is a slave of Bing (Microsoft) and far from being independent. Since 2009, Yahoo! partners with Bing and uses its search results.

Very selfless and noble of you. Former captain Schettino should have taken a leaf out of your book.

Here is a screenshot taken from Bing with the search term "msfn.org": Sorry, I can't see any notable difference to Google's search results. Bing uses the same filters as Google, according to an internal source. Bing (Microsoft) is a pathetic copycat of Google and can’t seem to come up with anything of its own.

@deomsh A big thank you from Germany to you too for your confirmation!

<disregard previous statement. e3k is both faster by score *and* faster by duration of test.> <granted, this also compares v144 to v150 because those are the most recent of both forks> <I personally like e3k *way more* than Supermium. BUT... I would also call it more of a "gut feeling" than a "scientific justification".> <Plus, in my readings throughout the 'net, there are DOZENS of forks that REFERENCE e3k as their "base" and *NONE* that reference Supermium as their "base".> Here is my Supermium test result: Here is my e3k test result:

Thanks for your confirmation! My last remaining beta tester concurs with the findings of the others. Very good! As I already said to @mina7601, the programming of ActivateProxy.exe was a bit more complicated. Anyway, glad it works for you, too!

I'm partway through building the patch for MS10-073, but parts of the MS patch DO NOT LOOK RIGHT AT ALL. I would swear that the patches to xxxSetWindowLong(), _SetWindowWord(), and xxxSetClassData() result in indeterminate behavior -- the variables they use as default values in their extra validation code are not initialized if they go through the entire class atom list and don't find a match. The code in NtUserRegisterClassExWOW() is similar -- it has the same extra validation code, but initializes the default value to 0. I'm going to assume that this should be the case in the other three routines, but this worries me. If someone has a contact at MS, I'd advise giving them a heads-up. I checked MS10-098 since that also patches win32k.sys to see if they fixed it, but the code is the same. I think they missed it, and it looks like a real vulnerability to me.