funsec mailing list archives

Re: What exactly happened to the Lieberman Web site this week?


From: "<...>" <massimo () grandmedia si>
Date: Fri, 11 Aug 2006 19:55:44 +0200

For a follow-up:
http://www.zone-h.org/content/view/14012/31/

  ----- Original Message ----- 
  From: Richard M. Smith 
  To: funsec () linuxbox org 
  Sent: Friday, August 11, 2006 7:00 PM
  Subject: [funsec] What exactly happened to the Lieberman Web site this week?


  http://www.tpmmuckraker.com/archives/001311.php

   Between Joe's Webheads, Stories Differ
  By Justin Rood - August 9, 2006, 6:12 PM 
  I've spoken at length with the two men closest to Sen. Joe Lieberman's ((D/I?)-CT) re-election Web site, joe2006.com, 
to understand at length what happened to the site yesterday morning. Their versions appear to differ, although it's not 
immediately clear why. Sam Hubbell, proprietor of myhostcamp.com, which hosted the site, is more involved in the health 
of the server than Dan Geary, who designed the site and interfaces with the campaign.

  Geary runs a small web consulting shop -- not much bigger than himself -- in Nevada, and sometimes uses Hubbell for 
design work, he told me when we spoke yesterday evening. For his part, Hubbell -- whom I spoke with this afternoon -- 
told me that myhostcamp.com consists of himself, a co-owner, and fewer than 10 servers located at a facility in Texas. 
Support, he said, is mostly handled by the Texas facility, Server Matrix.

  So, guys, what happened?

  On Monday morning, Dan told me, "It was as if suddenly all these people showed up to hit the video files. . . but it 
was everywhere, emails, FTP access."

  (For non-techies, FTP is how site managers upload, download, move and erase files on their server.) Hundreds and 
hundreds of emails to nonexistent "joe2006.com" addresses were pouring in, he said. "They all did go down," Geary said, 
referring to the other sites sharing space on joe2006.com's server. "When we took Joe2006 off, they all went back up 
again."

  Hubbell, however, told me this afternoon the attack affected only joe2006.com's Web site and email. "FTP was fine," 
he said. And the other sites? "The server lagged a little bit." Otherwise, Hubbell said, they were only interrupted 
because he had to keep restarting the server.

  Their first action, according to Geary, was to "suspend [the] domain. [Then] we tried putting up a single blank white 
page," but it was immediately bombarded with traffic. "So at that point, we were like, 'Oh my God!' We dropped the 
whole thing -- suspended the site, pulled the site files down, and pulled the account down."

  Hubbell recalls differently. "We put a hold on the account," he said, but did not delete it. "We stripped out various 
modules and components in the content management system. . . additional questionnaire forms, photo galleries, videos," 
to see if that would help. "[But] there was something else going on, and that's when we began to investigate more."

  The site uses a software package called Joomla to manage its content, according to both men. Hubbell insists his 
company kept the servers up-to-date with all security upgrades and patches. Right now, he theorizes that an 
as-yet-unreported flaw in Joomla was exploited by a hacker to bring the site down.

  "It was potentially various components and modules, we haven't figured out which one," Hubbell said. "That's kind of 
the guess. . . . The security patches were so fresh that. . . there might have been an additional undocumented loophole 
that someone got through."

  A hacked module -- a form, Hubbell theorized -- was generating thousands of emails to joe2006.com addresses. Even 
after removing various functions from the site, the problems persisted, Hubbell told me. "There were multiple spam 
attacks," he recalled. "It seemed like it was internally spamming itself, and there was also potentially an outside 
source that was hitting it."

  "There's. . . some investigation going on to as to seeing where the [outside] spamming came from," Hubbell said. 
"That's offsite, more on where the Lieberman committee is at."

  Do you mean that the Lieberman campaign is investigating the spamming itself? "Yes," Hubbell replied.

  Does any of this ring true? Does it make sense? And what do the emerging details of the web site's less-than-stellar 
hosting tell us? I'll have more on that tomorrow.



------------------------------------------------------------------------------


  _______________________________________________
  Fun and Misc security discussion for OT posts.
  https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
  Note: funsec is a public and open mailing list.