MSFN and its lack of search results in Google, Bing, and all search engines depending on them

[NotHereToPlayGames]

Well, it is called a Japanese Thai Hack.  And that ad is for some "Japanese Trick".  

[EliraFriesnan]

3 hours ago, NotHereToPlayGames said:

Wow!  I use Stylus and uBO both to prevent the ads and ad containers here at MSFN.  I do that because some of the ads would get me FIRED if female coworkers took them out of context.

I just disabled, reloaded the page, and got the below!  Now then, imagine what a female coworker would think if she saw this but was standing too far away to read it was about Sleep Apnea.

"Japanese Trick" is posted in English, looks legit. No Siamese "affairs".

[EliraFriesnan]

3 hours ago, NotHereToPlayGames said:

Well, it is called a Japanese Thai Hack.

We don't know whether it comes from Thailand, it might be Cambodia, Myanmar, also Siamese language.

Do we have Asian linguists to distinguish the dialect?

wikipedia.

[AstroSkipper]

3 hours ago, NotHereToPlayGames said:

That has already been DENIED by @Tripredacus and @xper way back in March:

https://msfn.org/board/topic/187750-sometimes-redirecting-to-spamgamble-site-when-accessing-msfnorgboard/page/4/#findComment-1285830

They are IN DENIAL that the problem is ON THEIR SERVER, they have PUBLICLY said so.

And they "refuse" to admit that they were WRONG in that assessment.

 

That’s not the point. I said that unlike February, it now can no longer be denied. I always express myself very precisely and would appreciate it if a native speaker like you would take the words at face value. This is starting to get on my nerves.  Avoid any interpretations if possible! Facts are facts.

4 hours ago, AstroSkipper said:

There is a significant difference compared to February. We have proven here, unequivocally and beyond any doubt – with mathematical precision, so to speak – that the MSFN server has been compromised by malicious code. This can no longer be denied.  Any attempt to deny this would be embarrassing and would call into question the server operator’s technical competence. 

Everything @xper and @Tripredacus said in March is now null and void. The MSFN servers are infected and therefore compromised with 100% statistical certainty. 

Edited yesterday at 05:34 PM by AstroSkipper
Update of content

[NotHereToPlayGames]

F

[AstroSkipper]

@nicolaasjan This is an attempt to explain what happens when the contaminated MSFN server meets other search engine bots than Googlebot or bingbot.

For everyone else, it refers to @nicolaasjan's test and observation:

20 hours ago, nicolaasjan said:

I tested with the Mojeek bot:

MojeekBot/2.0 (compatible; http://www.mojeek.com/bot.html)

It sees nothing now  :

Why alternative bots (like MojeekBot) trigger the "Welcome Loading ..." freeze

1. The mechanics of the attack: The server-side user agent sniffer

The malware installed on the server uses a conditional script (usually written in PHP within core files like index.php or .htaccess rewrites). This script scans the incoming request for specific keywords in the User-Agent string to determine whether to serve the clean forum to a human user or the spam payload to a search engine.

2. The Googlebot trigger vs. the MojeekBot catch-all fault

With Googlebot: The malware has a fully defined template. When it detects Googlebot, it successfully injects the hidden HTML container containing the Thai spam, links, and keywords, allowing the page to render fully for the crawler.
With MojeekBot (and potentially other secondary search bots): The malware's sniffing routine recognizes the word Bot or Bot/ (via a regular expression or wildcard check like *bot*), flagging it as a search engine. However, the malware's backend does not have a valid spam-template or correct database-routing configured for this specific bot identifier.

3. The cause of the freeze: Broken Document Object Model (DOM) & JavaScript execution

The string "Welcome Loading ..." is part of the forum’s native lazy-loading or initialization layout (often used during the initial handshaking phase between the server and the browser's JavaScript engine).
When MojeekBot hits the server, the malware triggers, intercepts the request, but then crashes or terminates prematurely (e.g., throwing a silent PHP Fatal Error or an unhandled exception because the variable for the payload is empty or undefined).
The backend script crashes mid-execution:
It completely fails to fetch and load the actual forum database content (the threads, posts, and UI).
It leaves the HTML document incomplete and broken, trapping the page forever in the initial "Welcome Loading..." state.

This observation proves that the infection is not a static HTML injection into old threads, but an active, dynamic routing script on the server. It intercepts all automated crawlers based on a broad User-Agent filter, but breaks completely when encountering bots it wasn't explicitly optimized for (like Mojeek).
To fix this, the administrator @xper or supervisor @Tripredacus needs to look for malicious conditional statements filtering user agent keywords inside the server configuration or core PHP initialization scripts.

Edited 19 hours ago by AstroSkipper
Update of comment

[AstroSkipper]

On 6/1/2026 at 3:24 PM, AstroSkipper said:

On 6/1/2026 at 2:54 PM, NotHereToPlayGames said:

Agreed...

But remember, this was brought to their attention in FEBRUARY !!!

We *HAVE* been patient!  VERY patient!

There is a significant difference compared to February. We have proven here, unequivocally and beyond any doubt – with mathematical precision, so to speak – that the MSFN server has been compromised by malicious code. This can no longer be denied.  Any attempt to deny this would be embarrassing and would call into question the server operator’s technical competence. 

And it is, of course, perfectly clear that the infection was already present in February and that @LoneCrusader was already seeing it at that time:

On 2/14/2026 at 12:26 AM, LoneCrusader said:

I haven't seen this directly, but searching for msfn.org/board on Google yielded this. It seems to have propagated out into search results.
This is Firefox 115.32.0esr under Windows 7.

 

It could therefore have been nipped in the bud back in February, had it been investigated professionally, deeply and thoroughly. That is very regrettable and is completely beyond my comprehension.  

Edited 5 hours ago by AstroSkipper

[AstroSkipper]

And to complete the puzzle, there’s still one key piece missing. And that’s the 0-post accounts, which were created in large numbers during a specific period, or periodically, or stand out because of their name or other unusual characteristics. I’m currently looking into this in more detail, as far as I am able, and trying to identify any obvious connections.

Edited 9 hours ago by AstroSkipper

[AstroSkipper]

As already mentioned, the next problem I have investigated is the large number of 0-post accounts without any activity created up until 16 January 2026 and one from today. It must be thousands as far as I could see. These were created automatically using a script or other methods over the last years. Maybe, some of them are genuine but most of them aren't. A key indicator for those accounts is whether they have never been visited or only once when creating. Fake accounts, or so-called ‘sleeper’ accounts, could be all those where it says: ‘Last visited: Never’ or ‘Last visited: [Date of creation]’ if looking into them. A genuine account is usually visited in the moment of creation and later from time to time. Real, new members set up all necessary things and take a look into their accounts. Anyway, those accounts are the ‘sleeper cells’ of the attack. They were not used to carry out the infection itself (the malicious code was introduced onto the server via a security vulnerability), but serve as infrastructure to make the spam appear legitimate to Google.

Here are two typical examples – accounts that really stand out because of their names and status ‘Last visited: Never’ which does not make any sense at all :







1. Building ‘domain trust’ (initial trust)
Large forums such as MSFN have safeguards in place against brand-new accounts. If a bot registers today and immediately posts 50 links, the system raises the alarm and blocks it.
Attackers therefore use automated scripts to register thousands of accounts in advance and simply leave them dormant for months. To the forum software (and to Google), the account ages. An account that has existed since “January 2026” will enjoy much greater trust in June 2026 than an account that is only 5 minutes old.

2. The profile spam method (hidden profile links)
This is probably the most common use case: every forum member has their own profile page (msfn.org/board/profile/XXXXX-username).
A normal user fills in their biography there.
A spam bot uses the ‘Website’, ‘About me’ or ‘Signature’ fields to insert Thai keywords and casino links there.
The key point: as these accounts have 0 posts, they never appear in active threads. No moderator and no member ever sees them in normal forum activity. But for the Google bot, these profile URLs do exist! The malicious code on the server (our cloaking parasite) now ensures that it feeds the Google bot internal lists of all registered profiles. Google crawls these profile pages, finds the Thai links and indexes them.

3. Exploitation of internal messaging systems (PM spam) or hidden drafts
Some sophisticated forum bots use dormant accounts to send spam messages (PMs) to other members in the background (which would, of course, have been noticed), or they create hundreds of posts in the ‘Drafts’ section. These drafts are never published, but exist as data fragments in the database. If the server-side malicious script specifically accesses these tables, it can trick the Google bot into believing that this content is public.

4. Why did the wave of registrations come to an end in January 2026?
The fact that no further accounts of this kind were created after January 2026 suggests two possible scenarios:
 4.1. The loophole was (unintentionally) closed: The administrators may have installed an update to the forum software in January, activated a new CAPTCHA (e.g. Cloudflare or Google reCAPTCHA), or blocked registration for certain IP ranges or email providers.
 4.2. The quota was full: By January, the attackers had generated enough ‘sleeper’ accounts to run their campaign for 2026 and withdrew the registration bots, as the accounts now simply had to ‘mature’.
 
These accounts are used for what is known as profile injection spam. They do not harm the forum database itself, but they serve as a ‘host’ for the hidden links that the server parasite then sends exclusively to Google.
For the administrator @xper, this means: not only he has to delete the malicious code, but he must also use a simple database command (SQL) to completely eliminate all accounts with 0 posts that were created over the last years and never visited or visited on the date of creation only, or contain dubious links in their profiles. Or much better, delete them all if there is no genuine activity, as they are then superfluous anyway, apparently not needed and pose a potential risk.

Edited 21 minutes ago by AstroSkipper