I wanted to build on a comment (
http://www.dailykos.com/...) in Kos' Lieberman thread, regarding the technical aspects of the alleged Denial Of Service attack. FWIW I'm a UNIX admin and I run some websites similar in nature to this setup; I'm sure there are many other tech folks on here, so feel free to add on to this.
Quick Update/Summary: The site is set up on a single vulnerable server, with, apparently, no backup plan. At best, completely incompetent. At worst, downright Rovian. But since another site is running fine on the same server, it's downright bizarre that they couldn't fix Joe's site in the last 18+ hours - it's obviously not a bandwidth (DoS or limitation) issue. It appears the party line is that the site was affected by a "SQL Injection" attack. Whether this was done via the open and non-firewalled MySQL port on the single Linux server, or via poor form validation, we'll never know (if it was done at all). Regardless, there is no reason the database can't be cleaned up, restored or otherwise fixed in 18 hours, as Matt Stoller points out.
Tech details below the fold.....
As you folks probably know, Joe Lieberman's site (
http://joe2006.com) is redirecting to
http://server1.myhostcamp.com/... which gives a quick "under construction" page. A visit to
http://myhostcamp.com/ redirects to
http://suspended.page/ which is a bogus URL. Looks like the admin for myhostcamp made a config mistake; there's really no excuse for redirecting to a bogus domain other than incompetence.
Several folks have pointed out that a reverse whois via arin.net shows ThePlanet.com owns the IP (69.56.129.130) which joe2006.com resolves to. The DNS PTR record (aka reverse DNS entry) is consistent with this. So it appears that "myhostcamp" purchased a managed server from ThePlanet.com, and is reselling it to "Friends of Joe". Not exactly a big budget (re: quality) operation going on here, I hope they aren't charging them more than $20 a month or so.
The site (joe2006.com) resolves to 69.56.129.130, which, when TCP/IP fingerprinted for OS detection, appears to be a Linux 2.4/2.5 host. I'm surprised a site with this much publicity isn't running on a load balancer, but it's not. Lookups on the IP from a variety of locations appear to confirm that it is not load balanced via round-robin DNS (where the DNS server hands out a different IP address to various requestors, either intelligently via load algorithms, or via simple rotation).
Now here's where it gets strange. A quick portscan shows a (large) variety of open ports, including a lot of ports which should NOT be publicly accessible - most notably 3306/tcp (MySQL) and 6666/tcp (irc-serv). It does not appear that this machine is running a firewall. In this day and age, that is downright bizarre. Not only that, but IRC servers are notoriously open to DoS attacks; no competent admin lets these run on their network unless they don't mind opening themselves up to DoS attacks.
A quick look at this from a semi-competent admin (myself) brings me to one of two conclusions. 1) The admin(s) of this site are TOTALLY incompetent, or 2) this server was made vulnerable on purpose, in order to attract or make possible a DoS attack, which could then be used to generate negative publicity and sympathy.
I don't know any admins stupid enough to fall into category #1, so I'm tending to believe it's #2.
Rob
More fuel for the conspiracy flames: Where did "Friends of Joe" dig up this provider from, anyways? A google of myhostcamp.com turns up only their website, while a google of myhostcamp turns up only seven links. The most notable of the links is from some sort of hit harvesting link directory page titled "Geometry.Net - Religion: Evangelical Free Church Of America". Strange bedfellows, huh?
And finally, a few notes & definitions for the semi/non techies out there. As usual, Wikipedia rocks (tho not as much as The Reptoids), so for a comprehensive definition, check them out:
DoS Attack - Denial Of Service attack. This is done in a variety of ways, but in short, the goal is to use up some limited resource on the server. The simplest version targets bandwidth: just give them SO much traffic that they use up all their bandwidth responding. More sophisticated versions may target other limited resources, like available TCP connection buffers (small, finitely available sections of memory on the server, one of which is dedicated to each connection. Say the server has 65,536 available TCP connections, so you quickly initiate 65,537 connections - it starts dropping some, or worse). There are many variations on this attack, as well as the DDoS (Distributed Denial of Service attack), in which the attack is launched from a variety of computers with some level of coordination (like they all do it at the same time).
SQL Injection - this is where a poorly written site gets taken advantage of. If interactive forms do not take care of proper data validation, one can sneak in escape sequences, or even create buffer overflows in form input areas. An example of a buffer overflow: if the site has a spot to enter your email address, you put in a very long string of junk. Poorly written software would neglect to check the length of the junk, and then attempt to enter it into the database just as it would a real email address. Somewhere along the way there is a limitation (it could be in the type of variable used, the database libraries which interface the website to the database, or even the database itself) which is exceeded, and then chaos ensues. That is a somewhat oversimplified version of a "buffer overflow" attack, which can range from very primitive to very advanced, with a variety of possible outcomes.
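An added example (not from the original post) of the two problems described above, written in Python against the standard-library sqlite3 module: a lookup that builds its query by string concatenation, beside the parameterized version, plus the input-length and shape check a form handler should do before the value reaches the database. The users table, the sample rows and the MAX_EMAIL_LEN limit are constructed for this example.

```python
import sqlite3

# Constructed sample data for the example: a tiny users table.
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]

# Upper bound on an email address; the kind of length check the post says
# poorly written software skips before handing the value to the database.
MAX_EMAIL_LEN = 254


def make_db():
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately vulnerable: the form value is pasted into the SQL text,
    so quotes and operators in it become part of the query."""
    sql = "SELECT name FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Bound parameter: the driver sends the value separately from the SQL,
    so it can only ever be compared as a string, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def validate_email(email):
    """Length and shape check done at the form layer, before any DB call."""
    if not isinstance(email, str) or len(email) > MAX_EMAIL_LEN:
        return False
    local, sep, domain = email.partition("@")
    return bool(sep and local and domain and "." in domain and " " not in email)


def lookup_safe(conn, email):
    """Validate first, then query with a bound parameter; reject otherwise."""
    if not validate_email(email):
        raise ValueError("rejected form input")
    return lookup_parameterized(conn, email)
```

The tautology payload returns every row through the concatenated query but matches nothing as a bound parameter, and the same overlong junk the post describes is refused before the database sees it.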
If anyone has more articulate definitions, please submit 'em ;)