Website off-line for several days. What happened?

Proletarian Dy

Thanks that the ICC site is back again. What happened?

Fred

I felt suddenly orphaned. What happened?  

jk1921

It appears to have been a "Denial of Service Attack," at least that's what the message said during the outage. That could mean a lot of different things though. Is it possible to tell if it was an attack specifically against the ICC page, or was it against the host server itself?

webmaster
DDOS attack

It seems that this was a "Distributed Denial of Service" attack, which is extremely difficult to deal with because it involves the attacker using compromised machines anywhere in the world to launch a series of connections on the targeted website that take up so much resource that the system is unable to keep up. In our case, it caused the database server to use up all the memory and then hang because it was unable to handle more connections (you may have seen the "blue screen of death" at certain moments).

At first we tried to handle the problem by blocking incoming attacker IP addresses: one in the UK, one in France, and one in China that turned out to be on a blacklist. None of these provided more than very brief solutions.

In the end, we seem to have sorted the problem (more or less, the Spanish site is still down and there are a few bits and pieces that need dealing with) by setting up a kind of security screen between our servers and the Internet - which seems to work for now at least.

As to whether we were being deliberately targeted or just suffered as collateral damage, it's impossible to say. At all events, one thing it does show is how easily the state could take us offline if it wished to. No illusions in "freedom of the Internet", I think - and that's rather apposite in the light of the article on the NSA spying "scandal"!

One advantage - hopefully - is that you should see a significant improvement in the site's speed.

Red Hughs

Glad to you back online

Alf

Glad to hear from you Red Hughes! What's been happening out there on the West Coast? With the 'milieu' I mean.

webmaster
Site hacked again

Some may have noticed that the site disappeared again - and apparently we have some "followers" out on the Internet who are spreading the rumour we don't pay our bills.

We do pay our bills, and this is the third time in the year that the site has been brought down as a result of a deliberate attack (impossible to say how many attacks fail on the other hand). We're doing our best to bring it back online bit by bit, but you may see some odd error messages in the meantime.

In August 2013 we were the subject of a DDOS attack, then in December 2013 the site was hacked with files being deleted - this looks like a reoccurrence of the December attack.

We're working to tighten up the security.

Draw your own conclusions as to the reasons for this...

Redacted

I've been studying security and penetration testing. If you'd like I might be able to help.

Was it really a DDOS or just a DOS? How many IPs were pinging the site? Is there a problem with your PHP shells? I've seen some backdoors myself when the site was down.

Be careful this site is the most important for left communist discussion on the internet right now and I'd do anything to help defend it. Cheers

Theft

Just to say that rumour was my fault, as someone that has used webservers for a long time. Someone went on their phone to look for an article and the ICC site was down and all we could see was a holding advertisement page which often you get from webserver providers if a domain expires which is what I told them it looked like, but anyway glad the site is back up.

Redacted

What was that group that started a big stink on Libcom? With the homophobic/anti-Semitic, etc bullshit? Didn't Alf and others sort of expose them? I would implicate them from what little info I have. Would love to see those IPs though...

radicalchains

Glad it's back, the website is an important resource and sorry to hear it is being targeted. 

webmaster
Thanks for the offer...

Thanks for the offer Jamal, we'll try to work out whether it would be possible to set up a test like that. You can understand we're a bit reluctant actually to invite people to come and try to break the site!

As for your question about DDOS, because we don't have full control of the server (and because we don't have any security experts) we're pretty dependent on the providers to say what is going on - all I can tell you is that the IP addresses that we identified were spread all over the world, from China, Russia, Europe, to the USA. And as soon as we slammed one, another popped up - which of course is in the nature of a DDOS.

Also, it's interesting to see people coming back to say "glad the site is back" - rather confirms what the webmaster posted earlier about there actually being far more people looking at the site than one sometimes thinks (don't forget the "science and marxism" thread which got more than 140,000 reads!)

Marin Jensen
Stink?

Jamal wrote:

What was that group that started a big stink on Libcom? With the homophobic/anti-Semitic, etc bullshit? Didn't Alf and others sort of expose them? I would implicate them from what little info I have. Would love to see those IPs though...

I can only think of two "big stinks" (though I don't follow libcom regularly), one was the homophobic group with a certain ambiguity on nationalism that the ICT was in cahoots with (there's detail in a post on this forum by Eretik) and the other was the well-known Aufheben which was exposed by the Greek group TPTG (we have written about this) as including a known police collaborator among its "thinkers".

Redacted

Admin, it's very possible to find out which IPs are connecting to the site, especially during the attack, if you guys don't log them otherwise. Are there any other high profile websites on the server that could have been the real target of the attack?

The countries you listed are the top countries that attacks almost always originate from. If there was any in addition from Thailand, Estonia, Ukraine, it's almost guaranteed someone has got their botnet aimed at you.

Botnets and zombie PCs are rooted (secretly taken control of) and sold for profit among hackers. So you are definitely looking at an experienced hacker to pull off a DDOS like that, could be looking for a for-hire hacker, and most of the for-hire hackers I know of originate in Eastern Europe, specifically Ukraine.

The first group LL mentioned is exactly the one I was thinking of, and hasn't the ICT distanced themselves from them after they were exposed? Weren't they of Ukrainian origin? Occam's razor tells me you guys have your prime suspect.

Oh and PS - Offensive security is the best security. That's why you need a pen tester on your side!!!

Proletarian Dy
Other languages not yet normalize?

I tried to open the Filipino site but can't open yet. 

Anyway, it's nice that the English site and the forum are back to normal now 

Redacted
http://www.coolhackingtrick.c
radicalchains

Well Ukraine would make sense if there is propaganda denouncing all sides of an imperialist carve up don't you think. Or some as you say disgruntled people who have lost an argument. But there's always the chance maybe high that it is unconnected completely to the politics of the site.

radicalchains

Have you got rid of all the forums and kept just the English one?

Alf

For the moment, yes. The French one was very quickly infested by people who hate the ICC with a passion. Possibly also the Spanish, but I wasn't able to keep up with that one, not having the language. But in any case, we were not able to invest the necessary resources and felt it would be better to suspend them.

radicalchains

Thanks for clearing that up Alf. I hadn't read it for a long time and only by google translation. But it seemed substantially less active than the English forum. I don't recall anything nasty on there but as I say I haven't read it for months.