"It's entirely possible the Lieberman Campaign was indeed paid up on whatever hosting package they purchased, but they had not purchased sufficient bandwidth to meet the demands. It's important to understand the difference between not paying your bill, or just not planning properly. I suspect for the Lieberman Campaign, who appear to be leaning toward being luddites, simply didn't know or plan for the bandwidth demand their site might see.
Certainly Lamont cannot be blamed for Lieberman or his campaign aides being ignorant."
...I own a web hosting company (***********.com) that uses the same software as the Lieberman site. That screenshot that the Lamont folks grabbed is a standard automated warning from a website control panel known as "Cpanel". Most large webhosts host many thousands of domains and their systems are automated. If a bill goes unpaid, or bandwidth is exceeded by a specified amount, the site gets auto-suspended and that Cpanel page replaces the index page. It's possible that the site was suspended for exceeding their bandwidth allotment as opposed to not paying their bills, but for someone like Joe Lieberman to not have his ducks in a row on the night before an election like this is quite telling.
Other knowledgeable emailers suggest the same possibility -- not that Joe folks necessarily forgot to pay their bill but that they tripped some bandwidth or server load limit and hadn't made arrangements in advance to keep the site online if this happened." -- Josh Marshall
OK, so http://joe2006.com/ is hosted by http://www.myhostcamp.com which is currently redirecting to http://suspended.page/ which is obviously not a proper address. Looks like their ISP is INCOMPETENT, speaking as a UNIX admin, there is no excuse for redirecting to an invalid domain other than stupidity. I was thinking that the redirects could be done as a last ditch attempt on a load balancer if the server farm was overwhelmed, but guess what. There is no load balancer, a tcp fingerprinting shows it's a Linux host, and not only that, it's not even running a firewall. MySQL is running on an open port (pretty sizable security hole), and oddly enough, it's running an IRC daemon - which is a notoriously stupid thing to run if you value your bandwidth (it's a service just begging to be used for DoS). Looks to me like it's either 1) amazingly incompetent admins or, more likely 2) a honeypot server just asking to be crashed so someone can point fingers. No admins I know are stupid enough to set up a server like this.
...so it looks like a managed server which planet.com leases to myhostcamp.com, who runs multiple domains on that one machine (unless it's a round robin DNS load balancing scheme, but I haven't detected that after resolving from four different locations, so it looks like a single machine).
Oddly enough, myhostcamp.com has a very small (re: almost no) online presence, tho it does show up here: http://www5.geometry.net/... "Geometry.Net - Religion: Evangelical Free Church Of America" some sort of click harvesting link page.
Strange goings-on, looks pretty phony to me. [source]
$ ping 69.56.129.130
PING 69.56.129.130 (69.56.129.130) 56(84) bytes of data.
64 bytes from 69.56.129.130: icmp_seq=1 ttl=55 time=35.5 ms
64 bytes from 69.56.129.130: icmp_seq=2 ttl=55 time=35.8 ms
64 bytes from 69.56.129.130: icmp_seq=3 ttl=57 time=36.4 ms
64 bytes from 69.56.129.130: icmp_seq=4 ttl=55 time=35.6 ms
64 bytes from 69.56.129.130: icmp_seq=5 ttl=57 time=35.4 ms
64 bytes from 69.56.129.130: icmp_seq=6 ttl=57 time=30.1 ms
64 bytes from 69.56.129.130: icmp_seq=7 ttl=57 time=35.6 ms
--- 69.56.129.130 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6062ms
rtt min/avg/max/mdev = 30.188/34.966/36.419/1.975 ms
That looks pretty good to me. A traceroute also indicates all packets are go for that IP address.
...it's clear that Lieberman's website isn't suffering from a Denial of Service attack. [source]
But now I have the definitive answer as to why Lieberman's site went down.
They are paying $15/month for hosting at a place called MyHostCamp, with a bandwidth limit of 10GB. MyHostCamp is currently down, along with all their clients.
Here's the deal -- you get what you pay for. My hosting bill is now over $7K per month. A smaller site doesn't need that much bandwidth, but if you're paying $15 because your $12 million campaign is too freakin' cheap to pay for quality hosting, then don't go blaming your opponent when your shitty service goes out.
For their part, the Lamont campaign has offered its technical expertise to get Lieberman's site back up (which could be done in an hour by a competent sysadmin), and has added a link to the googlecached version of Lieberman's site at the top of their blog.
One side is acting mature, the other is running around making baseless accusations.
Update: Dan Gerstein, Lieberman spokesperson, admits they have no evidence Lamont's campaign or his supporters are behind their website woes.
I'm telling you, it's down because they were too cheap to pay for quality hosting. That's a lesson to all of you campaigns skimping on hosting. $15 won't cut it."
1. Unless and until Lieberman's hosting provider releases his logfiles (gateway router, www server, mail server, DNS server) for forensic review, all of this is speculation.
2. Using the following information:
a. the site has been down for 18 hours
b. email to (and from?) Joe2006.com addresses has been affected
c. Joe2006.com and mail.joe2006.com resolve to IP 69.56.129.130
d. the reverse lookup on that IP is 82.81.3845.static.theplanet.com
e. joe2006.com now forwards to http://server1.myhostcamp.com/suspended.page/
3. It's highly unlikely this is a true DoS or DDoS attack. This is because we can ping all the IPs noted above and we can see the page at http://server1.myhostcamp.com/suspended page. If this was a real DoS or DDoS attack, we'd not be able to see any of this and their servers would not be answering their ping at an average of 50ms (millisecond) per packet. True attacks bring down servers, routers and networks. From all available outside evidence this does not appear to be the case.
4. Here's what might have happened:
a. Web traffic spikes as national focus on the campaign grows
b. Based on (2b) above, if the webserver is throttled by traffic (due to actual traffic or poor response tuning or an attack or a combination of the three), this would also affect mail delivery to joe2006.com. It could also affect outbound mail if users on that domain use that address for SMTP service.
c. The server is most likely a shared one, since the name, server1.myhostcamp.com, implies lots of other hosts live on it.
5. Regardless of the explanation (3 or 4), here is what you do when that happens:
a. You grab your local backup (you do have a local backup of your files (both scripts and database snapshots), right?).
b. You find a host that specializes in high bandwidth hosting and you get an account going ASAP. There are plenty of ISPs that would take your money to expedite this.
c. You move your files up, test that everything is working
d. You redirect your DNS so that Joe2006.com points to your new server; this change doesn't take very long to propagate because you make sure that the DNS update uses a very low TTL (time to live).
e. If needed, you separate your mailserver mail.joe2006.com from your webserver joe2006.com/www.joe2006.com so as to keep your mail up and going.
Steps a-e can be accomplished, especially with the kind of site Joe had up and running before this incident (nothing particularly complex), in less than an hour or so by a competent sysadmin."
[source]
"For the past twenty-four hours my toaster oven has been acting funny. I turn the little darkness thingy all the way up and the toast still comes out only half toasted. I believe this is a retaliation by my political opponents for my blogging about their dirty tricks.[signed] BranfordBoy
Since becoming a left-wing wacko I have lived my commitment to being lax on security by occasionally leaving my front door unlocked. It would be child's play for my political opponents to sneak in, diddle with my toaster oven, and slink back out into the night their nefarious diddling accomplished. Of course, it's totally unreasonable to expect me to be able to fix it myself.
I call on Senator Lieberman to make an unequivocal statement denouncing this kind of dirty campaign trick and to demand whoever is responsible to cease and desist immediately. Any attempt to suppress voter participation (how can you vote when you're worried sick about your toaster oven?) and undermine the voting process on Election Day by depriving me of decent toast on which to slather my peanut butter is deplorable and has no place in our democracy."
$ dig joe2006.com mx
(trimmed stuff from here -- eriko)
joe2006.com. 86364 IN MX 10 mail.joe2006.com.
1) joe2006.com has an mx record. (They only have one. Silly rabbits.)
$ telnet mail.joe2006.com 25
Trying 69.56.129.130...
Connected to mail.joe2006.com.
Escape character is '^]'.
220-server1.myhostcamp.com ESMTP Exim 4.52 #1 Tue, 08 Aug 2006 13:36:59 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
HELO
250 server1.myhostcamp.com Hello [XXX.XXX.XXX.XXX]
The campaign of Senator Joseph I. Lieberman admitted that their website was not “hacked” on the day of the Democratic primary race for the United States Senate between Mr. Lieberman and Ned Lamont, a Greenwich multimillionaire whose antiwar candidacy proved unexpectedly strong, but that it "crashed" due to the “gross incompetence” of the system administrator responsible for maintaining their technical operations. “It’s true,” said Mr. Lieberman’s campaign manager, Sean Smith, “We should have never listened to Senator Stevens’ recommendation that we hire a television repairman to maintain our tubes on the Internet.” Smith, referring to Senator Ted Stevens (R.-Alaska) recent claim that the Internet is a series of tubes, and “not a truck,” added, “It is unconscionable that our opponent did not inform us earlier that we were operating a sub-par website and e-mail operation. Furthermore, how dare they wait until the day of the election to offer us their technical support at the time of our greatest need?”
I doubt it.
http://www.meetned.com/ 69.56.129.130
http://www.joe2006.com/ 69.56.129.130
MeetNed.com - Up.
Joe2006.com - Down.
DoS attacks don't affect particular accounts on a server. They bring down the whole server. The attack site is up, their campaign site is down. This isn't a DoS attack.
Lieberman's internet consultant Dan Geary, who oversees Joe2006.com, says he's still sure that their site suffered a "malicious attack." But when pressed, he said that they weren't sure that it was a "Denial of Service" attack, as he'd said earlier. He didn't have any more information about the nature of the supposed attack. "I've spent 99% of my time speaking [to reporters] about the story," he said. (emphasis mine)
"Why the hell is Joe Lieberman’s campaign site hosted by these people (site down — probably not because of dirty deeds, by the way) under the cheapest plan available? And why do Lieberman’s FEC filings say he’s paying $1500 to a different company for web hosting? No, we seriously want to know. These aren’t rhetorical questions.
We have to assume that Lieberman paid the guys named above (click to enlarge slightly) to find hosting, and “2 Dog Media” went with the cheapest option available..."
"Joe2006.com was setup by Dan Geary who has an e-mail address at Hotmail and no discernable website. Likely, someone in the Lieberman camp knew Geary to be 'technical' and someone who could help out. I’ve never heard of myhostcamp and I’ve been working with websites and website providers a long time, making it possible that Geary personally knows, or is even involved with, the myhostcamp.com hosting company.
While it’s possible that someone actually hacked joe2006.com, from what I’ve seen, this seems to be the least likely option. More likely, this whole episode started last night with a simple over-usage of bandwidth....This looks to be simply the work of an inexperienced technical consultant...." more ...
Diane Farrell for Congress
Norwalk Democrats
Senator Bill Finch
Anyway, this looks like a DoS attack to me.
1. Presuming you're not equating high volume, legitimate traffic, like the Slashdot Effect, with a denial of service attack, would you mind taking a few minutes to share what evidence you've seen that led you to conclude this?
Being from CT, Lamont winning is probably not a good thing.
2. In a few hours we'll find out if most of Connecticut's Democrats agree with you as long as Lieberman doesn't contest the election. However, Lieberman, as you know from his vice presidential run in 2000, does have a history of contesting elections.
Error
An unexpected error has occurred on this page. The system administrators have been notified.
The error occurred in:
http://www.statementofvote-sots.ct.gov/StatementOfVote/WebModules/ReportsLink/USSenCountyView.aspx?Parameter=08/08/2006-Primary
Error Message:
A Crystal Reports job failed because a free license could not be obtained in the time allocated. More licenses can be purchased direct from Crystal Decisions or through the Crystal Decisions Online Store.
server1.myhostcamp.com/suspended.page/
'Suspended'. Accounts are generally suspended for one of two reasons: 1) inappropriate or illegal content (which we can obviously rule out in this case), or 2) from lack of payment. And that would make sense given that the first screen when Lieberman's site went down was, indeed, a request that the website owner contact their billing department."
[source]
posted by ericb at 11:23 AM on August 8, 2006