Full Disclosure mailing list archives

Re: Much Ado Over Whether Lieberman Campaign Site Was Hacked


From: bkfsec <bkfsec () sdf lonestar org>
Date: Wed, 16 Aug 2006 13:47:04 -0400

Rowland wrote:

Some questioning of the Kos version here:

http://www.brendanloy.com/2006/08/apparent-dos-attack-takes-out-lieberman-website.html


On Tue, 2006-08-08 at 15:21, kaiser scapegoat wrote:
MSNBC has been reporting that the Lieberman campaign site was hacked. There have been numerous theories on this since it was reported yesterday. Thought you all might be interested in the attempt at technical analysis taking place on Daily Kos:

http://www.dailykos.com/story/2006/8/8/144119/5628


The "www.brendanloy.com" rebuttal is actually relatively poorly written and ignores a lot of the facts that existed on the ground on that day.

I had the opportunity on that day to look into the events and, though I'm not part of either campaign, I was intrigued by the possibility that a DDoS could have been happening during a political campaign like that. And I can say that from the facts on the outside, it doesn't appear that the site was actually under DoS... consider the following facts, as they were shown on the day:

1. The site was down for an extended period of time -- far longer than it takes to handle a basic DDoS...
2. Ping tests to www.joe2006.com returned normal or excellent results.
3. Ping tests to the IP of www.joe2006.com returned normal or excellent results.
4. There was no lag accessing the service site for the ISP - OK, that could be explained via the use of separate networks on each, but is still not indicative of a DDoS.
5. Attempts to manually access the mail server for joe2006.com (not run by myself, run by others) showed no issues with attempting to relay mail. (This is pretty damning considering the fact that the Lieberman campaign claimed its mail server was entirely down and they were incapable of sending e-mail back and forth.)
6. At various points during the day, the content of the site changed... at the beginning of the day, we had the "billing/support" message that everyone posted screenshots of... then in the middle of the day, something odd happened and messages from the Lieberman campaign appeared on the site that claimed that the site was being attacked by the Lamont campaign, essentially, and those messages changed about once every ten minutes... then after a little while all of those went away and the site reverted to a new account template, or so it seemed. It's important to note that there wasn't any lag accessing the site when the messages were coming up.

At the beginning of the day, some Lieberman staffers seemed to be reporting that they were hacked and that the site was defaced, oddly referencing a defacement from July and claiming it was happening on the day of the primary... and others were claiming that the site was under DDoS and their mail server was down. Conflicting stories don't bode well, but could be explained through confusion.

While I can't say that it wasn't a hack or a DoS, I can say that from that gathered information, it doesn't look like a classical DDoS. I do have an alternate theory, though, based entirely on conjecture and considering the environment at the time -- The day before the primary, when the site is first reported to have gone down, not anticipating extreme traffic, the Lieberman site hit its bandwidth limit. As is normal, traffic will spike at a candidate's site just before the primary/election. (It was reported that day that the Lamont site saw a similar spike in traffic, and had no difficulties.) Having run out of bandwidth allotment, all the blogs lit up with news of "Joe-mentum's site is down!" and everyone and their mother opened up their browser and typed "www.joe2006.com" and, sure enough, the message about contacting support/billing came up. At this point, the hosting site would begin to show an odd and extreme spike in traffic to the site that was not a pattern for its history. Hits from, probably, all over the world would be coming into the site. People were also reporting that they were pinging and portscanning the site; this would only add to the confusion at the hosting center. An amateur admin might have the initial gut reaction that "this looks like a DDoS", because it kind of would to them, especially considering the fact that people were refreshing their connections to see if the site was really down for good or not. The campaign would then have upped their bandwidth allotment at that point and thus, they started posting nasty messages about being attacked.

I'll leave it to conjecture as to whether it was confusion or spin that was the driving factor.

However, allow me to consider the possibility that what Joe-mentum's staff was saying was entirely true. Ask yourself the following question: Do you want a Senator who can't even handle a basic DDoS attack on his site on a primary day to be a part of handling response to a terrorist attack (and/or forming policy towards the handling thereof)?

With all his tough talk about who's best to defend America, here we have a turn-coat traitor who can't even defend his campaign site...

            -bkfsec
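The checks the post lists (is the host reachable, does the mail port still answer, does the web server respond without lag, and is what it serves a provider's billing/support page rather than the site's own content) can be turned into a repeatable triage script. The following is added example code, not part of bkfsec's post or of any tool mentioned in the thread. It measures TCP connect time instead of ICMP ping so that it runs unprivileged; the list of suspension-page phrases, the 1 s "slow" threshold and the classification wording are assumptions chosen for this example.

```python
"""Availability triage: separate "host saturated" from "host fine, provider page served".

Example code written for this archive page; not from the original post.
"""
import socket
import sys
import time
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed list of phrases that hosting-provider over-quota / suspension
# pages commonly contain (assumption; tune for the provider in question).
SUSPENSION_MARKERS = (
    "contact support",
    "billing",
    "bandwidth limit exceeded",
    "account suspended",
    "exceeded its bandwidth",
)


@dataclass
class Observation:
    tcp_80_ms: Optional[float]          # TCP handshake time to port 80; None = failed
    tcp_25_ms: Optional[float]          # TCP handshake time to port 25 (mail); None = failed
    http_status: Optional[int]          # HTTP status of GET /; None = no HTTP response
    body_markers: List[str] = field(default_factory=list)  # suspension phrases seen


def tcp_connect_ms(host: str, port: int, timeout: float = 3.0) -> Optional[float]:
    """Return the TCP handshake time in milliseconds, or None on timeout/refusal."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.monotonic() - start) * 1000.0
    except OSError:
        return None


def find_markers(body: str) -> List[str]:
    """Return the suspension-page phrases present in a page body (case-insensitive)."""
    lowered = body.lower()
    return [m for m in SUSPENSION_MARKERS if m in lowered]


def fetch_markers(url: str, timeout: float = 5.0) -> Tuple[Optional[int], List[str]]:
    """GET the URL and return (HTTP status, markers found in the first 64 KiB of body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, find_markers(resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 4xx/5xx still carry a body; a provider page is often served with one of these.
        return err.code, find_markers(err.read(65536).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return None, []


def probe(host: str) -> Observation:
    """Collect one set of observations for a hostname."""
    status, markers = fetch_markers(f"http://{host}/")
    return Observation(tcp_connect_ms(host, 80), tcp_connect_ms(host, 25), status, markers)


def classify(obs: Observation, slow_ms: float = 1000.0) -> str:
    """Apply the post's reasoning: fast handshakes plus a provider page is not saturation."""
    web_ok = obs.tcp_80_ms is not None and obs.tcp_80_ms < slow_ms
    mail_ok = obs.tcp_25_ms is not None and obs.tcp_25_ms < slow_ms
    if obs.tcp_80_ms is None and obs.tcp_25_ms is None:
        return "unreachable: consistent with saturation or an outage; cannot distinguish from here"
    if web_ok and obs.body_markers:
        return "reachable, serving a provider suspension/over-quota page: hosting or billing issue, not saturation"
    if web_ok and mail_ok and obs.http_status == 200:
        return "reachable and serving content normally: no evidence of denial of service"
    if not web_ok or not mail_ok:
        return "reachable but degraded: investigate capacity or upstream congestion"
    return "reachable, unexpected HTTP status: check application and server logs"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    observation = probe(target)
    print(observation)
    print(classify(observation))
```

Run it as `python3 triage.py hostname`; the probe functions do the network work, and `classify` is kept separate so the decision logic can be exercised on recorded observations without touching the network.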



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

