On 11 August 2014 several members of sciencemadness.org noticed that their accounts had been taken over by an unknown party. Who did it? Manifest!

The server

Activity indicating use of the compromised accounts was traced from server logs to http://5.175.164.221. At the time of discovery the server was open to the public for browsing over HTTP, so I mirrored the contents. The server hosted a combination of hacking tools, password lists, logs of hacking attempts, pictures and videos of pyrotechnic/explosive devices, and recordings of (prank?) phone calls. The pictures, videos, and phone calls hint to me that the attacker was a juvenile with an interest in explosives, not just a random script kiddie who picked sciencemadness as a target of opportunity. I tentatively believe that the attacker is located near Derry, Northern Ireland, and attends or attended school there at Lumen Christi College.

Pictures and videos from the server

Here are some pictures of a pyrotechnic device; sadly there is no interesting data in the EXIF.

Here are two videos. Again nothing interesting in the metadata. Nobody's face is visible but there is sound. Can anyone hear anything interesting in the audio?

bomb.mp4

bomb2.AVI

A disgruntled student of the Lumen Christi College Co-educational Grammar School?

In the second video, bomb2.AVI, you see that the person lighting the fuse is wearing dark slacks and a tie. Who wears dark slacks and a tie to play with pyrotechnics?! Perhaps someone who is forced to wear a uniform by their Catholic grammar school. Here are several files found on the server indicating unauthorized access attempts to Lumen Christi accounts and related resources:

Browsers hijacked by a third party site?

The attacker appears to have installed a script, iframe, or malicious link somewhere -- I'm not sure where, but maybe sciencemadness.wikia.com, or maybe a sciencemadness post? -- that directs the browser to load a file from 5.175.164.221. The file automatically triggers a POST action on the sciencemadness site, such as changing the user's email address. Once the attacker has changed the email address they can request a password reset on the account and get full control. The attack is an opportunistic cross-site request forgery: it only works if a sciencemadness member is already logged in at the time they encounter the malicious code.
This is one of the files. It would change a member's email address if a logged-in user loaded it. I have changed the file extension to .txt from .html so you can see what the code looks like instead of triggering the action.
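Because the forged request is sent by the victim's own browser, the one thing that usually gives it away in the access log is the Referer: a genuine profile edit comes from a page on the forum itself, while a forged one carries the third-party host (here 5.175.164.221) or no Referer at all. Below is an added example of that check run over constructed sample log lines; it is not code from the original post or from the forum software, and the `/talk/member.php` endpoint and the log entries are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of Apache "combined" access-log lines (not from the real server).
# Assumed: the forum's profile/email-change handler is POST /talk/member.php (hypothetical path).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Aug/2014:14:02:11 +0000] "GET /talk/viewthread.php?tid=123 HTTP/1.1" 200 8123 "http://www.sciencemadness.org/talk/" "Mozilla/5.0"
10.0.0.5 - - [11/Aug/2014:14:02:40 +0000] "POST /talk/member.php HTTP/1.1" 302 0 "http://5.175.164.221/x.html" "Mozilla/5.0"
10.0.0.9 - - [11/Aug/2014:14:03:02 +0000] "POST /talk/member.php HTTP/1.1" 302 0 "http://www.sciencemadness.org/talk/member.php?action=editprofile" "Mozilla/5.0"
10.0.0.7 - - [11/Aug/2014:14:03:30 +0000] "POST /talk/member.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOSTS = {"www.sciencemadness.org", "sciencemadness.org"}
SENSITIVE_POSTS = ("/talk/member.php",)  # state-changing endpoints worth watching


def suspicious_posts(log_text, site_hosts=SITE_HOSTS, watched=SENSITIVE_POSTS):
    """Return (ip, timestamp, referer, reason) for POSTs to watched endpoints whose
    Referer is missing or names a host outside the site. A request forged from a
    page on another host carries that host in the Referer (or none at all)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].startswith(watched):
            continue
        ref = m["referer"]
        if ref == "-" or not ref:
            hits.append((m["ip"], m["ts"], ref, "missing referer"))
        elif urlsplit(ref).hostname not in site_hosts:
            hits.append((m["ip"], m["ts"], ref, "cross-origin referer"))
    return hits


if __name__ == "__main__":
    for ip, ts, ref, why in suspicious_posts(SAMPLE_LOG):
        print(f"{ts} {ip} POST member.php referer={ref!r}: {why}")
```

A missing Referer is a weaker signal than a foreign one, since some browsers and privacy extensions strip it; the durable fix is a per-session token on the email-change form that the server checks before applying the change, which the forged file cannot supply.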

Miscellaneous password guessing attempts

Sciencemadness was not the only or earliest victim of whoever-it-is.

Recorded phone calls to a Derry McDonald's

I didn't listen to these recordings all the way through. My American ears find them a little hard to follow. Are they prank calls? Reports of any interesting content appreciated. According to the phone number helpfully embedded in the file name they are to a McDonald's in Derry, which is also where Lumen Christi College is located.

IRC Logs

Grab the IRC log file below and search for the first mention of Northern Ireland. The same person uploaded videos to his YouTube account that match the videos from the attacker's server.