[funsec] What exactly happened to the Lieberman Web site this week?

Richard M. Smith rms at bsf-llc.com
Fri Aug 11 12:00:11 CDT 2006

 Between Joe's Webheads, Stories Differ
By Justin Rood - August 9, 2006, 6:12 PM 

I've spoken at length with the two men closest to Sen. Joe Lieberman's
((D/I?)-CT) re-election Web site, joe2006.com, to understand at length what
happened to the site yesterday morning. Their versions appear to differ,
although it's not immediately clear why. Sam Hubbell, proprietor of
myhostcamp.com, which hosted the site, is more involved in the health of the
server than Dan Geary, who designed the site and interfaces with the

Geary runs a small web consulting shop -- not much bigger than himself -- in
Nevada, and sometimes uses Hubbell for design work, he told me when we spoke
yesterday evening. For his part, Hubbell -- whom I spoke with this afternoon
-- told me that myhostcamp.com consists of himself, a co-owner, and fewer
than 10 servers located at a facility in Texas. Support, he said, is mostly
handled by the Texas facility, Server Matrix.

So, guys, what happened?

On Monday morning, Dan told me, "It was as if suddenly all these people
showed up to hit the video files. . . but it was everywhere, emails, FTP

(For non-techies, FTP is how site managers upload, download, move and erase
files on their server.) Hundreds and hundreds of emails to nonexistent
"joe2006.com" addresses were pouring in, he said. "They all did go down,"
Geary said, referring to the other sites sharing space on joe2006.com's
server. "When we took Joe2006 off, they all went back up again."

Hubbell, however, told me this afternoon the attack affected only
joe2006.com's Web site and email. "FTP was fine," he said. And the other
sites? "The server lagged a little bit." Otherwise, Hubbell said, they were
only interrupted because he had to keep restarting the server.

Their first action, according to Geary, was to "suspend [the] domain. [Then]
we tried putting up a single blank white page," but it was immediately
bombarded with traffic. "So at that point, we were like, 'Oh my God!' We
dropped the whole thing -- suspended the site, pulled the site files down,
and pulled the account down."

Hubbell recalls differently. "We put a hold on the account," he said, but
did not delete it. "We stripped out various modules and components in the
content management system. . . additional questionnaire forms, photo
galleries, videos," to see if that would help. "[But] there was something
else going on, and that's when we began to investigate more."

The site uses a software package called Joomla to manage its content,
according to both men. Hubbell insists his company kept the servers
up-to-date with all security upgrades and patches. Right now, he theorizes
that an as-yet-unreported flaw in Joomla was exploited by a hacker to bring
the site down.

"It was potentially various components and modules, we haven't figured out
which one," Hubbell said. "That's kind of the guess. . . . The security
patches were so fresh that. . . there might have been an additional
undocumented loophole that someone got through."

A hacked module -- a form, Hubbell theorized -- was generating thousands of
emails to joe2006.com addresses. Even after removing various functions from
the site, the problems persisted, Hubbell told me. "There were multiple spam
attacks," he recalled. "It seemed like it was internally spamming itself,
and there was also potentially an outside source that was hitting it."

"There's. . . some investigation going on to as to seeing where the
[outside] spamming came from," Hubbell said. "That's offsite, more on where
the Lieberman committee is at."

Do you mean that the Lieberman campaign is investigating the spamming
itself? "Yes," Hubbell replied.

Does any of this ring true? Does it make sense? And what do the emerging
details of the web site's less-than-stellar hosting tell us? I'll have more
on that tomorrow.
