# Army.ca Hacked



## Mike Bobbitt (22 Dec 2010)

All,

As some of you know, earlier this morning, the site was hacked by a self-proclaimed Muslim. The hack has been reversed, and I am investigating the mechanics used in the breach to ensure it doesn't happen again. I can assure you that the nature of the breach was small... the hacker was able to overwrite one small but critical file to subvert the site. *No information was compromised in the breach.* It was a "blind" attack where the hacker could replace a file, but not read unintended information.

My apologies for the inconvenience, and thanks for your patience as we move forward.

To the perpetrator, I have just one thing to say: Merry Christmas.


Cheers
Mike

Edit: I've attached a screenshot for those who missed it.


----------



## Strike (22 Dec 2010)

Can you track this guy down at all or is it even worth it?  Quick google search of his handle revealed that he likes to play cheesy internet games and might even be a Twilight fan.  Oh, and he speaks French.


----------



## George Wallace (22 Dec 2010)

My Google Search took me to a group in Gaza.


----------



## Mike Bobbitt (22 Dec 2010)

I'll attempt to track him for the purposes of blocking the IP (or entire range) at the firewall, but beyond that there's very little recourse. Legal action against someone on the other side of the world is expensive, time consuming and prone to disappointing outcomes.


----------



## Hammer Sandwich (22 Dec 2010)

This kind of behaviour saddens me. 

But I'm sure welcoming the Birth of my Lord & Saviour, as I carve the Christmas ham with my family and friends may assuage some of the pain.

 :yellow:
HS


----------



## Dissident (22 Dec 2010)

LOL.

What a wanker. I wonder what kind of reward you get for waging jihad on the internet!

"Alluah Ackbahr, I Kill Your internet. Now back to team Jacob."


----------



## George Wallace (22 Dec 2010)

So ........ New fund raising venture to buy the "Reverse Hacker Server Fryer" from Norenco.  It is a device that takes the Hacker's code and reverses the 'hack' to fry the Hacker's Server to a pile of steaming solder, wire and plastic.


----------



## Dissident (22 Dec 2010)

George Wallace said:
			
		

> So ........ New fund raising venture to buy the "Reverse Hacker Server Fryer" from Norenco.  It is a device that takes the Hacker's code and reverses the 'hack' to fry the Hacker's Server to a pile of steaming solder, wire and plastic.



How much you need?


----------



## Haletown (22 Dec 2010)

For sure .  .  a very, very, very Merry Christmas to all the good little jihadis out there.


----------



## toughenough (22 Dec 2010)

I'm a web developer civi side. So *nerd alert*.

Did he replace a physical file, or replace content in the database? Both have very different possibilities for what allowed him to breach, and very different possible outcomes and worst case scenarios.

Glad to hear it was fixed quickly though.


----------



## Jarnhamar (22 Dec 2010)

He probably heard about our game Afghan Ops and just wanted to try out the game.

Merry Christmas guy!


----------



## ModlrMike (22 Dec 2010)

Have we witnessed the internet version of self detonation?


----------



## George Wallace (22 Dec 2010)

Grimaldus said:
			
		

> He probably heard about our game Afghan Ops and just wanted to try out the game.
> 
> Merry Christmas guy!



Perhaps a colleague of Julian Assange.


----------



## George Wallace (22 Dec 2010)

ModlrMike said:
			
		

> Have we witnessed the internet version of self detonation?



No.  But we have once again witnessed the panic of army.ca withdrawal symptoms showing up.


----------



## a_majoor (22 Dec 2010)

Find the perp's physical address and send a Christmas ham....


----------



## The Bread Guy (22 Dec 2010)

Mike:  sorry you have to spend your time having to take care of this - thanks much.  PM inbound.

Maybe I'm being paranoid, but since this is a public forum, it _might_ be wise to be cautious about what's written before hitting send.  One never knows what's going to end up quoted where these days.


----------



## vonGarvin (22 Dec 2010)

Mike
Thank you for your hard and diligent work in keeping this site as hack-free as possible.


----------



## Jarnhamar (22 Dec 2010)

milnews.ca said:
			
		

> Maybe I'm being paranoid, but since this is a public forum, it _might_ be wise to be cautious about what's written before hitting send.  One never knows what's going to end up quoted where these days.



"Alleged" CF members wish hacker merry Christmas"


----------



## The Bread Guy (22 Dec 2010)

Grimaldus said:
			
		

> "Alleged" CF members wish hacker merry Christmas"


Yeah, like THAT's the part that'll end up in the headline.....


----------



## Ex-Dragoon (22 Dec 2010)

milnews.ca said:
			
		

> Mike:  sorry you have to spend your time having to take care of this - thanks much.  PM inbound.
> 
> Maybe I'm being paranoid, but since this is a public forum, it _might_ be wise to be cautious about what's written before hitting send.  One never knows what's going to end up quoted where these days.



That is something we caution about time and time again, what it boils down to is for each member to be self policing as the DS can only do so much. We do too much and we are accused of censorship. We do too much and some run amok.


----------



## Navalsnpr (22 Dec 2010)

/\
Agreed... Always do the Globe and Mail check before hitting 'Post'!!


----------



## Mike Bobbitt (22 Dec 2010)

toughenough, it was a handful of files that had their contents replaced. Direct access to the database was never obtained, and overall the hack was not very destructive. I have backups of all the original files, and have reverted all the changes back. Based on what I'm seeing in the logs, this was not done 'by hand' but an automated tool that exploits site weaknesses was used. It just tried all the doors and windows until it found one unlocked.


----------



## Danjanou (22 Dec 2010)

Dissident said:
			
		

> LOL.
> 
> What a wanker. I wonder what kind of reward you get for waging jihad on the internet!



40 cyber virgins? 8)


----------



## The Bread Guy (22 Dec 2010)

Ex-Dragoon said:
			
		

> That is something we caution about time and time again, what it boils down to is for each member to be self policing as the DS can only do so much. We do too much and we are accused of censorship. We do too much and some run amok.


Seen - no quarrel at all w/the mods (who do a pretty important, mostly thankless job), just reminding others posting.


----------



## Loachman (22 Dec 2010)

Catchy music, though, especially with numerous tabs open. I wonder if he sells CDs?


----------



## Jarnhamar (22 Dec 2010)

George Wallace said:
			
		

> So ........ New fund raising venture to buy the "Reverse Hacker Server Fryer" from Norenco.  It is a device that takes the Hacker's code and reverses the 'hack' to fry the Hacker's Server to a pile of steaming solder, wire and plastic.



I'll donate towards this.


----------



## PuckChaser (22 Dec 2010)

Mike Bobbitt said:
			
		

> Based on what I'm seeing in the logs, this was not done 'by hand' but an automated tool that exploits site weaknesses was used. It just tried all the doors and windows until it found one unlocked.



AKA no talent script kiddie. Probably wasted more of his/her time watching the script work than your time to fix it.


----------



## ModlrMike (22 Dec 2010)

Mike: on the bright side, it allowed you to close a hole you were previously unaware of.


----------



## armyvern (22 Dec 2010)

In an effort to aid the site, I am going to offer up my own bit of counter-muslim-hacker content.

I have decided that, as I live in Ontario, and as it is legal here for me to be topless, that I am going outside right now to shovel the damn driveway topless and will post a counter-muslim-hacker pic of said activity ...

That should keep them the hell away (if not laughing endlessly for their remaining years of life). 

Beware of earthquake advisories, which are apparently caused by non jiggles such as I am about to demonstrate; ready the DART for response to said disaster.

Merry Christmas!!


----------



## Harris (22 Dec 2010)

Dare you.


----------



## Container (22 Dec 2010)

This is my new favorite thread.


----------



## The Bread Guy (22 Dec 2010)

ArmyVern said:
			
		

> In an effort to aid the site, I am going to offer up my own bit of counter-muslim-hacker content.
> 
> I have decided that, as I live in Ontario, and as it is legal here for me to be topless, that I am going outside right now to shovel the damn driveway topless and will post a counter-muslim-hacker pic of said activity ...
> 
> ...


Give ya a loonie if you include pictures.....


----------



## Sapplicant (22 Dec 2010)

ArmyVern said:
			
		

> In an effort to aid the site, I am going to offer up my own bit of counter-muslim-hacker content.
> 
> I have decided that, as I live in Ontario, and as it is legal here for me to be topless, that I am going outside right now to shovel the damn driveway topless and will post a counter-muslim-hacker pic of said activity ...
> 
> ...




This has 'bad idea' written all over it. What if you cause a boobquake on the ocean floor? You might cause a tittle wave.


----------



## Old Sweat (22 Dec 2010)

milnews.ca said:
			
		

> Give ya a loonie if you include pictures.....



How about a twoonie if you don't? This offer is made to protect the uncorrupted members of this site, and is not meant to be judgemental about . . . I quit before I get myself in real trouble.


----------



## Mike Baker (22 Dec 2010)

Old Sweat said:
			
		

> How about a twoonie if you don't? This offer is made to protect the uncorrupted members of this site, and is not meant to be judgemental about . . . I quit before I get myself in real trouble.


I was going to say a double double from Timmies


----------



## jeffb (22 Dec 2010)

George Wallace said:
			
		

> So ........ New fund raising venture to buy the "Reverse Hacker Server Fryer" from Norenco.  It is a device that takes the Hacker's code and reverses the 'hack' to fry the Hacker's Server to a pile of steaming solder, wire and plastic.



I'll at least take this opportunity to finally subscribe...


----------



## Dissident (22 Dec 2010)

Waiting...


----------



## HavokFour (22 Dec 2010)

Script kiddie detected.


----------



## Veovius (23 Dec 2010)

George Wallace said:
			
		

> So ........ New fund raising venture to buy the "Reverse Hacker Server Fryer" from Norenco.  It is a device that takes the Hacker's code and reverses the 'hack' to fry the Hacker's Server to a pile of steaming solder, wire and plastic.



Nah man, you need the .............Trace...Buster.........Buster.........Buster.......Buster!  8)

*props to those who get it....*


----------



## Nostix (23 Dec 2010)

See if you can create a GUI interface using Visual Basic to track his IP!
 ;D


----------



## kratz (3 Feb 2011)

Ok,

Almost any sub-forum or post I read on Navy.ca now wants to download a file. My computer blocks the attempt and a message pops up.
This started two days ago in a few forums and is now extended to all of the sub-forums.
Is this a change to the site that I should accept or is this a virus?


----------



## Nfld Sapper (3 Feb 2011)

Haven't noticed anything on the army.ca side of the house.... have you scanned your system?


----------



## 2010newbie (3 Feb 2011)

Nothing on milnet.ca either. I checked a couple posts on Navy.ca and I wasn't getting any download warnings.


----------



## The Bread Guy (3 Feb 2011)

2010newbie said:
			
		

> Nothing on milnet.ca either. I checked a couple posts on Navy.ca and I wasn't getting any download warnings.


Same here as of this post.


----------



## MJP (3 Feb 2011)

kratz said:
			
		

> Ok,
> 
> Almost any sub-forum or post I read on Navy.ca now wants to download a file. My computer blocks the attempt and a message pops up.
> This started two days ago in a few forums and is now extended to all of the sub-forums.
> Is this a change to the site that I should accept or is this a virus?



I had this before as well.  It is malware of some sort and a run of Ad-Aware solved it for me.

Ad-Aware


----------



## Mike Bobbitt (3 Feb 2011)

kratz, I've had one other user report the same thing... it may be that both of you are suffering from the same malware, but I've taken it as a sign to check over the system. So far it's clean.

What sort of file is it asking you to download? (I still recommend you don't actually download it...)


----------



## dapaterson (3 Feb 2011)

File is "xd_proxy.css"

Content is:

```css
.app_content_51546247891 a.uiLinkSubtle { display: none; }
.app_content_51546247891 a.UIImageBlock_ICON_Image { display: none; }

#bootloader_Zvucx { height: 42px; }
```


Windows XP Pro SP_3, IE 7.


----------



## kratz (3 Feb 2011)

Thank you for the tips everyone.
I'm in the middle of a virus check (nothing so far). 
I've also cleared my history/cookies, just to be sure.
I've scanned for the "xd_proxy.css" file and it can not be found.

Mike,

That is part of the reason I posted. Just in case anyone else was having the problem. The pop-up is not letting me see/read what it is that wants to download. The item appears at random. It has been hard to get it to appear twice in the same location.


----------



## Scott (3 Feb 2011)

I reported this to Mike yesterday but it hasn't happened since I brought it up in the staff forum. I also haven't run a system scan but am going to start one right away.

I do not know what type of file it was, I just dismissed it, the two times it happened to me, as a bug.


----------



## dapaterson (3 Feb 2011)

See:

http://forum2.aimoo.com/computerhelp/WINDOWS-PC/RE-xd_proxy-css-showing-up-on-my-laptop-1-939256.html

Looks like it's a known issue with Facebook's "Like" button and IE.


----------



## Mike Bobbitt (3 Feb 2011)

Thanks for the info... I have disabled the "like" button here for now, hopefully that will resolve the issue.


----------

