We kicked ass regardless of hack attempts
Last edited by xao; 12-17-2007 at 12:08 AM.
The information showing up in the widget is part of the feed it is parsing. Under the heavy load the server probably just didn't properly write the file, resulting in a missing tab or end-of-line character.
Besides, even if something was injected into the widget it would not affect the main databases. All the widget does is display the information it pulls from a URL address. You can totally mess with it if you modify your hosts file and redirect it to a different server.
“It is in war that the State really comes into its own: swelling in power, in number, in pride, in absolute dominion over the economy and the society.” -- Murray Rothbard
Well, if anyone was considering an injection attack, they know how to do it now...
just kidding.
Want to help Dr. Paul's campaign? Canvass! Learn how at http://www.ronpaulreveres.com/
Want to coordinate your canvassing? Become a Precinct Leader! http://voters.ronpaul2008.com/grassroots/
Rough Draft: Final Notice of Fiscal Burden
http://www.ronpaulforums.com/showthread.php?t=92802
JPEG Graphic of Final Notice of Fiscal Burden http://www.ronpaulforums.com/showthread.php?t=96659
Because the thread title is "Widget was hacked...", not "the database was hacked". The widget itself does not accept data, so a SQL injection type attack would not work on it. I did mention the submission form would be the attack point, not the widget (as the thread title suggests). The fact that the widget is "flash" has nothing to do with it and I don't think I implied so.
Like I said before, more than likely it was the character used as a separator in the data string for the widget that screwed it up.
From what I have seen the RP IT people or the hosting company (appears to be Rackspace) are not utilizing a DDoS protection product. Being a 12+ year sysadmin, it makes me cringe when a website such as this goes down when it really shouldn't if designed and implemented properly. Servers are cheap, bandwidth is even cheaper, and Linux is free. There is no reason a website of this importance should have a single second of downtime.
yea===i SAW that 18 mark!--
Let me explain what happened more thoroughly. In the submit form, there is embedded PHP or another strong web-coding language used to track stats, which is generally done with things similar to hit-counters you see on webpages. What they do is execute a function that will output the latest results of the input + output or whatever other formulas they use in a fashion which can then be interpreted by reading the page to inherit the values in any language that can recognize the different flags, for example:
&something - variable used to store virtually any web-related data type which is, in turn, processed by the parser and/or formulas for its next action.
| - this is the same as the %7C you see in the link here. This is used to separate character strings in the variables (for the widget ticker.)
I assume the widget processes the input like this:
Update -> Store current value as old value -> Store new value as old value plus the ticker increase amount -> Update display by the ticker increase amount (which should be checked for negative values and isn't)
The bank would not allow those characters to go through, but the statistics logging function did. When they check whether or not the person chose to allow their name and location to be shown, they should also check whether or not the donation amount variable is not zero or below, and if so, chuck it out as an accident (this is commonly referred to as error handling.)
The donor clearly managed to truncate some variables in his/her donation information which would not have been executed had the attacker not chosen to allow their name to display. The widget is made with Flash, and it reads the statistics database linked above [thanks jcims]. The statistic-saving function adds names to the database for processing then outputs them in flash-friendly strings and stores them at certain time intervals. The widget updates every 30 seconds [again jcims] and stores multiple donors' information (that chose for it to be shown) and creates a queue. The string is processed and the variables are updated [time, total donation, etc etc] and are again filtered for display. This is why in that screenshot you see no "&", "=", or "|". They are filtered out by the flash display. The variables still were processed and that's why you saw the decline. The good news is, somehow there was a sanity-check (I assume the server might query the bank for statistics/total amount on x minutes/hrs intervals). This really shouldn't have happened, but I don't think it hurt; in fact, I and quite a few other supporters I've spoken to were actually motivated to donate MORE because we were frantic hoping to hit $18m by midnight EST. We're also safe on the monetary side because the bank processes the input information differently and would _never_ allow for a negative deposit. Hopefully this'll clear up some of the worries and confusion.
Also, to whoever takes care of the widget and such, &time=1197867180 would be the area to look at (11:53pm) if you can access the database. You can see everything that was included in the parameters the person submitted at or around that time.
Last edited by andJusticeForALL; 12-17-2007 at 03:20 AM.
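The checks andJusticeForALL describes (reject a donation amount that is zero or negative, treat a record with a missing separator as a bad write, and keep "&", "=" and "|" out of anything shown on screen), as an added Python example; this is not the widget's or the campaign's code, and the feed layout, the variable names and the sample string are assumptions constructed for illustration:

```python
from typing import Dict, List, Tuple

# Constructed sample in the assumed feed layout ('&' starts a variable,
# '|' separates the fields of a donor record); not the campaign's real feed.
SAMPLE_FEED = (
    "&time=1197867180&total=6022995.00"
    "&donor=Alice|Austin, TX|50.00"
    "&donor=Eve|Nowhere|-100.00"        # negative amount: must be rejected
    "&donor=Ma&llory|Somewhere|10.00"   # embedded '&' truncates the record
    "&donor=Carol|Reno, NV"             # field missing (e.g. a partial write)
    "&donor=Dave|Reno, NV|0"            # zero amount: treat as an accident
)

def clean_display(field: str) -> str:
    """Drop the characters that have meaning to the feed before display."""
    return "".join(ch for ch in field if ch not in "&=|").strip()

def parse_feed(raw: str) -> Tuple[Dict[str, str], List[Dict[str, object]], List[str]]:
    """Return (scalar variables, accepted donor records, rejection reasons)."""
    scalars: Dict[str, str] = {}
    accepted: List[Dict[str, object]] = []
    rejected: List[str] = []
    for chunk in raw.split("&"):
        if not chunk:
            continue
        key, sep, value = chunk.partition("=")
        if not sep:
            rejected.append(f"no '=' in {chunk!r}")
            continue
        if key != "donor":
            scalars[key] = value          # time, total, ...
            continue
        fields = value.split("|")
        if len(fields) != 3:
            rejected.append(f"expected 3 fields, got {len(fields)}: {value!r}")
            continue
        name, location, amount_text = fields
        try:
            amount = float(amount_text)
        except ValueError:
            rejected.append(f"non-numeric amount {amount_text!r}")
            continue
        if not amount > 0:                # also catches NaN
            rejected.append(f"non-positive amount {amount} for {name!r}")
            continue
        accepted.append({"name": clean_display(name),
                         "location": clean_display(location),
                         "amount": amount})
    return scalars, accepted, rejected
```

Run on the sample, only Alice's record survives; the other four donor chunks (and the stray "llory|..." fragment created by the embedded "&") are listed with the reason they were dropped.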
dang I thought hackers were on our side. Do we have any on right now?
Any chance of us getting an explanation from HQ rather than being armchair conspiracy theorists?
**dust
Last edited by CriticalThinker; 12-17-2007 at 03:38 AM.
Do you think the campaign would tell you? That would lower their donations next time from paranoid people. Think about it people?
That doesn't look like any sort of (successful) attack to me..
The information should be forwarded to the FBI - attempt to hack, and hacking, computer systems involving credit card information is a federal crime under 18 USC 1030.
In the #ronpaul IRC channel we were pulling the raw text data that the widget uses directly, like the graph sites do.
After the 11 p.m. minibomb we saw some great donation rate, for example at 23:36:13 EST 2007 we had:
last 3.1 minutes: $42,491 from 523 donations ($81.24 avg donation, $13,560/min, 166.9 donors/min)
Overall the bomb after 11 p.m. seemed to have really a lot of small donations, so the number of donors/minute was very high during the last hour before midnight.
And just to compare it with the overall for the teaparty:
online total: $6,022,995 from 58,840 donations ($102.36 avg donation, $4,198/min, 41.0 donors/min)
However the exact accuracy of that overall number is unclear, because during the last 10 minutes before midnight, the data that was being pulled stopped making sense, in particular data that was pulled at a later time had lower numbers than data that was pulled earlier, and about 10 minutes after midnight it jumped back.
Whether someone tried to hack it during the last 10 minutes, or whether it just collapsed due to the 11 p.m. minibomb that contained tons of small donations, I don't know.
But anyway all of this is related to the numbers that feed the widget, and the real amount in donations isn't affected by this, so the campaign should calculate the exact number and publish it.
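The sanity check this post implies (a cumulative online total can only grow, so a pull that reports less than an earlier trusted pull should be set aside rather than graphed), plus the per-minute rate computed only between trusted pulls, as an added Python example; it is not the campaign's or the IRC channel's tooling, and the polling snapshots and their timestamps are constructed to mirror the drop-then-recovery described above:

```python
from datetime import datetime
from typing import List, NamedTuple, Tuple

class Snapshot(NamedTuple):
    when: datetime   # time the feed was pulled
    total: float     # online total the feed reported, in dollars
    donations: int   # donation count the feed reported

def at(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")

# Constructed polling run modelled on the thread's description: totals drop
# in the last minutes before midnight and jump back after it. Not real data.
SAMPLE_RUN = [
    Snapshot(at("2007-12-16 23:36:13"), 5_700_000.0, 56_000),
    Snapshot(at("2007-12-16 23:50:00"), 5_950_000.0, 58_100),
    Snapshot(at("2007-12-16 23:53:00"), 5_980_000.0, 58_400),
    Snapshot(at("2007-12-16 23:56:00"), 5_600_000.0, 57_900),  # below last good
    Snapshot(at("2007-12-16 23:59:30"), 5_650_000.0, 58_000),  # still below
    Snapshot(at("2007-12-17 00:10:00"), 6_022_995.0, 58_840),  # back above
]

def check_monotonic(run: List[Snapshot]) -> Tuple[List[Snapshot], List[Snapshot]]:
    """Separate a polling run into trusted and suspect snapshots.

    A cumulative total can only grow, so a pull that reports less than the
    last trusted pull (in dollars or in count) is set aside, not used.
    """
    trusted: List[Snapshot] = []
    suspect: List[Snapshot] = []
    for snap in run:
        last = trusted[-1] if trusted else None
        if last and (snap.total < last.total or snap.donations < last.donations):
            suspect.append(snap)
        else:
            trusted.append(snap)
    return trusted, suspect

def rate(a: Snapshot, b: Snapshot) -> Tuple[float, float]:
    """Dollars/min and donations/min between two trusted snapshots."""
    minutes = (b.when - a.when).total_seconds() / 60
    return (b.total - a.total) / minutes, (b.donations - a.donations) / minutes

if __name__ == "__main__":
    trusted, suspect = check_monotonic(SAMPLE_RUN)
    print(f"{len(suspect)} suspect pulls:", [s.when.time() for s in suspect])
    print("rate over trusted span:", rate(trusted[0], trusted[-1]))
```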
SQL injection attacks are a non-issue if they use parameterized queries. I'd hope they are doing that.
There's now a press release on ronpaul2008.com that says $6 million total, but it's rather vague. I followed the online donations data during the teaparty and I think the online donations total was higher than $6m in the end (cannot be sure because of what happened in the last 10mins), plus the $400k+ in offline donations that the campaign added at 11 p.m., so shouldn't the total be $6.4m?
It's crazy what people will do to try and mess with this revolution
Support Marijuana Legalization WORLDWIDE
I do have the 11:53 p.m. file from the direct feed. All the data before it made sense, and had to wait until 12:10 a.m. or so until it let me pull another file that made sense. In between the numbers were messed up.
But what is the total for the teaparty?? $6m total? Or $6m online total + $400k offline total = $6.4m total as I suspect? Or what? Does anyone know?
If it's $6m total, does it mean that the online total was about $5.6m? How can that be when the numbers I have between Dec. 15 midnight and Dec. 16 midnight progress towards a number higher than $6m? (these numbers track online donations only)
Now ronpaul2008.com says $6.04m total... so how come it's not $6.4m total?