AstroSkipper

I don't mind a typo. I don't think @VistaLover owns a time machine either :

I don’t need to stroke my ego. I don’t need to do that, as I know exactly what I’m capable of. But it was simply a reminder of all the hard work I’ve put in since 21 May – work for which any expert would be paid, but which I’ve, of course, offered to the forum free of charge. Your comment is therefore inappropriate and unnecessary.

eagyspider webshell? I think you meant EasySpider webshell, didn't you? As I have never heard or read anything about eagyspider. EasySpider Malware: Type: Backdoor / SEO Spam Injector Infection class: Cross-Site Contamination (as it has been carried over from WordPress to the forum) Mechanism: Dynamic Cloaking & User-Agent Sniffing In any case, a form of "Cloaking" as I predicted here in this thread last Saturday https://msfn.org/board/topic/187801-msfn-and-its-lack-of-search-results-in-google-bing-and-all-search-engines-depending-on-them/page/3/#findComment-1287744 and finally last Sunday https://msfn.org/board/topic/187801-msfn-and-its-lack-of-search-results-in-google-bing-and-all-search-engines-depending-on-them/page/5/#findComment-1287780 So, good to see that you've found it. And that you have already started to delete some of these thousands of fake or sniffer accounts I mentioned here: https://msfn.org/board/topic/187801-msfn-and-its-lack-of-search-results-in-google-bing-and-all-search-engines-depending-on-them/page/8/#findComment-1287893 In any case, I'm glad this thread has served its purpose and that everything turned out well.

Works in Mypal 78, but not in New Moon 28 and Serpent 52. The reason lies in this poorly written function performDownload (line 26, column 119) within the download.js script on the sooftware.com server: function performDownload(num) { event.preventDefault(); ... Strictly speaking, of course, the variable `event` (line 26, column 140) is not defined that way. But Mypal 78 and Supermium seem to be able to handle it. The function performDownload should actually have been constructed this way: function performDownload(event,num) { event.preventDefault(); ... New Moon 28 and Serpent 52 are very sensitive to things like that.

As already mentioned, the next problem I have investigated is the large number of 0-post accounts without any activity created up until 16 January 2026 and one from today. It must be thousands as far as I could see. These were created automatically using a script or other methods over the last years. Maybe, some of them are genuine but most of them aren't. A key indicator for those accounts is whether they have never been visited or only once when creating. Fake accounts, or so-called ‘sleeper’ accounts, could be all those where it says: ‘Last visited: Never’ or ‘Last visited: [Date of creation]’ if looking into them. A genuine account is usually visited in the moment of creation and later from time to time. Real, new members set up all necessary things and take a look into their accounts. Anyway, those accounts are the ‘sleeper cells’ of the attack. They were not used to carry out the infection itself (the malicious code was introduced onto the server via a security vulnerability), but serve as infrastructure to make the spam appear legitimate to Google. Here are two typical examples – accounts that really stand out because of their names and status ‘Last visited: Never’ which does not make any sense at all : 1. Building ‘domain trust’ (initial trust) Large forums such as MSFN have safeguards in place against brand-new accounts. If a bot registers today and immediately posts 50 links, the system raises the alarm and blocks it. Attackers therefore use automated scripts to register thousands of accounts in advance and simply leave them dormant for months. To the forum software (and to Google), the account ages. An account that has existed since “January 2026” will enjoy much greater trust in June 2026 than an account that is only 5 minutes old. 2. The profile spam method (hidden profile links) This is probably the most common use case: every forum member has their own profile page (msfn.org/board/profile/XXXXX-username). A normal user fills in their biography there. A spam bot uses the ‘Website’, ‘About me’ or ‘Signature’ fields to insert Thai keywords and casino links there. The key point: as these accounts have 0 posts, they never appear in active threads. No moderator and no member ever sees them in normal forum activity. But for the Google bot, these profile URLs do exist! The malicious code on the server (our cloaking parasite) now ensures that it feeds the Google bot internal lists of all registered profiles. Google crawls these profile pages, finds the Thai links and indexes them. 3. Exploitation of internal messaging systems (PM spam) or hidden drafts Some sophisticated forum bots use dormant accounts to send spam messages (PMs) to other members in the background (which would, of course, have been noticed), or they create hundreds of posts in the ‘Drafts’ section. These drafts are never published, but exist as data fragments in the database. If the server-side malicious script specifically accesses these tables, it can trick the Google bot into believing that this content is public. 4. Why did the wave of registrations come to an end in January 2026? The fact that no further accounts of this kind were created after January 2026 suggests two possible scenarios: 4.1. The loophole was (unintentionally) closed: The administrators may have installed an update to the forum software in January, activated a new CAPTCHA (e.g. Cloudflare or Google reCAPTCHA), or blocked registration for certain IP ranges or email providers. 4.2. The quota was full: By January, the attackers had generated enough ‘sleeper’ accounts to run their campaign for 2026 and withdrew the registration bots, as the accounts now simply had to ‘mature’. These accounts are used for what is known as profile injection spam. They do not harm the forum database itself, but they serve as a ‘host’ for the hidden links that the server parasite then sends exclusively to Google. For the administrator @xper, this means: not only he has to delete the malicious code, but he must also use a simple database command (SQL) to completely eliminate all accounts with 0 posts that were created over the last years and never visited or visited on the date of creation only, or contain dubious links in their profiles. Or much better, delete them all if there is no genuine activity, as they are then superfluous anyway, apparently not needed and pose a potential risk.

And to complete the puzzle, there’s still one key piece missing. And that’s the 0-post accounts, which were created in large numbers during a specific period, or periodically, or stand out because of their name or other unusual characteristics. I’m currently looking into this in more detail, as far as I am able, and trying to identify any obvious connections.

There is a significant difference compared to February. We have proven here, unequivocally and beyond any doubt – with mathematical precision, so to speak – that the MSFN server has been compromised by malicious code. This can no longer be denied. Any attempt to deny this would be embarrassing and would call into question the server operator’s technical competence. And it is, of course, perfectly clear that the infection was already present in February and that @LoneCrusader was already seeing it at that time: It could therefore have been nipped in the bud back in February, had it been investigated professionally, deeply and thoroughly. That is very regrettable and is completely beyond my comprehension.

I have most installers in my archive. But try first this site: https://panda-free-antivirus.sooftware.com/windows/download/401339

@nicolaasjan This is an attempt to explain what happens when the contaminated MSFN server meets other search engine bots than Googlebot or bingbot. For everyone else, it refers to @nicolaasjan's test and observation: Why alternative bots (like MojeekBot) trigger the "Welcome Loading ..." freeze 1. The mechanics of the attack: The server-side user agent sniffer The malware installed on the server uses a conditional script (usually written in PHP within core files like index.php or .htaccess rewrites). This script scans the incoming request for specific keywords in the User-Agent string to determine whether to serve the clean forum to a human user or the spam payload to a search engine. 2. The Googlebot trigger vs. the MojeekBot catch-all fault With Googlebot: The malware has a fully defined template. When it detects Googlebot, it successfully injects the hidden HTML container containing the Thai spam, links, and keywords, allowing the page to render fully for the crawler. With MojeekBot (and potentially other secondary search bots): The malware's sniffing routine recognizes the word Bot or Bot/ (via a regular expression or wildcard check like *bot*), flagging it as a search engine. However, the malware's backend does not have a valid spam-template or correct database-routing configured for this specific bot identifier. 3. The cause of the freeze: Broken Document Object Model (DOM) & JavaScript execution The string "Welcome Loading ..." is part of the forum’s native lazy-loading or initialization layout (often used during the initial handshaking phase between the server and the browser's JavaScript engine). When MojeekBot hits the server, the malware triggers, intercepts the request, but then crashes or terminates prematurely (e.g., throwing a silent PHP Fatal Error or an unhandled exception because the variable for the payload is empty or undefined). The backend script crashes mid-execution: It completely fails to fetch and load the actual forum database content (the threads, posts, and UI). It leaves the HTML document incomplete and broken, trapping the page forever in the initial "Welcome Loading..." state. This observation proves that the infection is not a static HTML injection into old threads, but an active, dynamic routing script on the server. It intercepts all automated crawlers based on a broad User-Agent filter, but breaks completely when encountering bots it wasn't explicitly optimized for (like Mojeek). To fix this, the administrator @xper or supervisor @Tripredacus needs to look for malicious conditional statements filtering user agent keywords inside the server configuration or core PHP initialization scripts.

That’s not the point. I said that unlike February, it now can no longer be denied. I always express myself very precisely and would appreciate it if a native speaker like you would take the words at face value. This is starting to get on my nerves. Avoid any interpretations if possible! Facts are facts. Everything @xper and @Tripredacus said in March is now null and void. The MSFN servers are infected and therefore compromised with 100% statistical certainty.

There is a significant difference compared to February. We have proven here, unequivocally and beyond any doubt – with mathematical precision, so to speak – that the MSFN server has been compromised by malicious code. This can no longer be denied. Any attempt to deny this would be embarrassing and would call into question the server operator’s technical competence.

@NotHereToPlayGames We shouldn’t take ourselves – or MSFN – too seriously. We’re talking about a forum here, tragically classified by @xper for some time now as a ‘communication forum’, but which I and most others still regard as a 'technology forum', with no infrastructure attached to it, where people can seriously come to harm. Perhaps both are away on holiday or at work, but that can’t be the case forever, of course. And anyone stupid enough to fall for one of those Thai posts scams is beyond help.

Right! We'll have to wait some time. But this period will definitely come to an end, as the damage it is causing to MSFN is becoming increasingly severe.

@NotHereToPlayGames I would appreciate it if we could remain as objective as possible, even though I cannot understand the administrator/supervisor’s stance.

@nicolaasjan I'm currently trying to figure out why nothing is showing up with MojeekBot or Bravebot. It seems, however, that the malicious script or code on the MSFN server wherever it may be hiding isn't playing nice with Mojeek or Brave. And that is most likely why Mojeek and Brave don't really have any issues with MSFN at the moment. But maybe, the hackers will update their malware at some point, and then that will be the end of those two search engines, too, when it comes to search results regarding MSFN. And as things stand right now, they have all the time in the world, since the administrator @xper or supervisor @Tripredacus hasn't taken any action yet.

Same here. But I used the MojeekBot user agent Mozilla/5.0 (compatible; MojeekBot/0.11; +https://www.mojeek.com/bot.html) And the Bravebot Mozilla/5.0 (compatible; Bravebot/1.0; +https://search.brave.com/help/brave-search-crawler) behaves in the same way. I also tested again the Googlebot and the bingbot. And with these bots, you can clearly see the Thai/Siamese-contaminated MSFN sites caused by "Cloaking". Here is a screenshot when using the bingbot user agent:

Anyway, it depends entirely on the filters and bots used by Brave and Mojeek.

As you can see, I already did it first.

Ok. You're right. I can confirm these two Thai results. Perhaps the "Brave bot" behaves in the same way as the Google bot for these two results only. Just an assumption. I don't know how Brave exactly acts.

In your screenshot I cannot see either the search engine used or the search term entered. Such screenshots are unfortunately meaningless.

None of your search terms bring up any Thai results on Brave, at least here in Germany.

@deomsh A search engine can't find and show websites which weren't indexed before. This is usually the job of their automated web crawler.

I totally forgot to say: Very tricky! Good idea!

No idea! I’m just compiling facts, analyzing connections and drawing conclusions. And that doesn’t come particularly hard for me, as I’ve been doing nothing else for decades, and it’s second nature to me. Let’s hope he might still take action! I’ve never had any contact with @xper. To me, he’s always been a bit of a mystery.

It is precisely observations like these that are important and useful. Thank you, @nicolaasjan!