The Daily Blog under attack

Written By: - Date published: 4:46 pm, April 29th, 2015 - 110 comments

Earlier today Martyn Bradbury reported that The Daily Blog was under attack:

The site has been up and down all afternoon.

If there is anything The Standard can do to help let us know.

Update:

Update: 2205

lprent; It looks like it is back up again. Good. I expect we will hear the reason shortly.

Nope – down again.. Looks like a late late night for someone. God knows that I know what those are like. Good luck for an early complete.

110 comments on “The Daily Blog under attack”

  1. esoteric pineapples 1

    Just noticed that myself so came here to check out what is going on – hmmmmmmm

    Good on The Standard for lending its support

  2. Murray Rawshark 2

    I expect we’ll see the GCSB leaping into action any minute now. After all, isn’t part of their job to protect Kiwis from cyber attacks?

  3. Anne 3

    +1
    Bomber has his failings but sometimes he really rises to the occasion, and he certainly did so over the pony-tail harassment case. Maybe Lynn could assist if he has the time? Good diplomacy maybe?

    So typical of the National Party’s thugs eh.

    • lprent 3.1

      I have been having a great deal of CPU running on TS over the past day or so along with the hundreds of attempted logins. It may not be anything suspiciously local. We seem to be having one of those nasty botnet periods at present.

      But the usual defences weren’t getting challenged enough for me to look at. And the fan noise seemed to stop last night.

      TDB: Let me know if you need a hand or some tips about what to put in place.

      • Well said, Lprent. Solidarity between progressive blogs would be an unbeatable force for good!

        • lprent 3.1.1.1

          I’m not particularly into solidarity as I’m a person of extreme individuality. Just ask any author here past and present – I am sure that is the one thing they will agree on.

          However I’m usually merely irritating (Lyn’s words) when I’m not having to defend things that I am responsible for.

          Unless I decide that I want to change something (or write some code), in which case I tend towards the utterly implacable. Cameron Slater has an idea of what that is like.

          Just a personal set of traits.

    • saveNZ 3.2

      @Anne +1
      Bomber’s in big trouble after International Ponygate. Will we see the Jackboots marching in and seizing his computers aka Nicky Hager or maybe a more subtle and less public cyber attack…..

    • Tracey 3.3

      We don’t know what or who has caused it. Pretty early to label it a NP related thing? Isn’t it?

  4. mary_a 4

    I thought it was my computer for a while there.

    Bit suspicious I’d say, particularly coming so soon after TDB reported the Key/waitress issue!

    Many thanks TS for reporting this and for offering TDB support. And I wish Martyn and TDB team all the best for getting the site up and running again.

    Kia Kaha my friends.

  5. Hateatea 5

    I am sad to hear that this is happening. There seems little point to such behaviour but I suppose somewhere there is someone thinking that they are cool and clever.

    Kia kaha, kia maia, kia manawanui.

  6. Hone 6

    The GCSB was the ones doing the attack maybe.
    I noticed TDB was down and I knew it had to be pay back from the right wing nutters.

  7. Clemgeopin 7

    um, yes, I went there a little while ago to read their article about how the unite union was going to assist the victim, Amanda Bailey. I can see the front page and the article headings, but when I click the links to read more, it goes to error message, ‘server not found’!
    http://thedailyblog.co.nz/

  8. freedom 8

    Most of today it wouldn’t load at all.

    Then the front page would go up, sometimes, but any further in was met with a 404

    Now, the article pages can be accessed but are devoid of content. Just the banner, the article title and nothing else but a blank page.

    Kia kaha TDB

    • lprent 8.1

      Pretty obvious. The database is getting work backed up and timing out the web server worker threads trying to fetch data from it. The front page gets cached because it doesn’t have comments on it, so it tends to stay up when the posts do not.

      It could be because it had too many apache2/nginx processes and threads accessing it at the same time.

      However it could also be from the wordpress 4.2.1 security update that went through yesterday to correct for an exploit on long comments. Part of that update involved a sweep of all comments to remove possible harmful javascript. It took a couple of hours to run on TS with 900k+ comments. If it was a slow database without 8 cores and SSDs, it’d take somewhat longer.

      I got caught by that kind of problem in 2009 with a slow single core database system. It took me a couple of hours to realize I wasn’t under attack.

      • lprent 8.1.1

        BTW: the vulnerability that wordpress 4.2.1 fixed was a brute

        https://wordpress.org/news/2015/04/wordpress-4-2-1/

        http://developers.slashdot.org/story/15/04/28/0227244/new-zero-day-disclosed-in-wordpress-core-engine

        WordPress security issues have for the most part involved a vulnerable plug-in, but a Finnish researcher has disclosed some details on a zero-day vulnerability he discovered in the WordPress 4.2 and earlier core engine that could lead to remote code execution on the webserver. Juoko Pynnonen of Klikki Oy reported a new and unpatched stored cross-site scripting vulnerability in the platform; a similar bug was patched this week by WordPress developers, but only 14 months after it was reported. The vulnerability allows an attacker to inject JavaScript in the WordPress comment field; the comment has to be at least 66,000 characters long and it will be triggered when the comment is viewed, Pynnonen said.

        “An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,” Pynnonen said. “A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won’t appear on the page until it has been approved by an admin/moderator. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts.”

        In other words a classic buffer overflow bug allowing for malicious code to get past the KSS checker.

        Because I am a teeny bit paranoid there has always been a character limit on comments here. It is pretty large, which is why Penny Bright fails to hit it. But I suspect BLip has a couple of times when he has posted a list as a comment.
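An added example, not part of the original comment and not WordPress code: a byte-length gate of the kind described above, checked against a simulated 65,535-byte column (the capacity of a MySQL TEXT field, which the quoted 66,000-character threshold just exceeds). The 20,000-byte site limit, the function names and the sample comments are assumptions made for the illustration.

```python
COLUMN_CAPACITY = 65_535   # bytes a MySQL TEXT column can hold (assumed storage)
COMMENT_LIMIT = 20_000     # hypothetical site policy, in bytes, far below capacity


def simulated_store(text, capacity=COLUMN_CAPACITY):
    """Mimic a column that silently truncates oversized values on insert."""
    raw = text.encode("utf-8")[:capacity]
    # A cut can land inside a multi-byte character; drop the broken tail.
    return raw.decode("utf-8", errors="ignore")


def survives_storage(text, capacity=COLUMN_CAPACITY):
    """True when the stored value is exactly the value that was validated.

    If this is False, whatever sanitising ran on `text` was run on something
    other than what will later be rendered to readers.
    """
    return simulated_store(text, capacity) == text


def accept_comment(text, limit=COMMENT_LIMIT):
    """Gate applied before sanitising and storing. Returns (ok, reason)."""
    size = len(text.encode("utf-8"))   # count bytes, not characters
    if size > limit:
        return False, f"comment is {size} bytes, limit is {limit}"
    return True, "ok"


# Constructed sample comments (benign filler only).
SAMPLES = {
    "short": "Nice post.",
    "at_limit": "b" * 20_000,
    "ascii_66k": "a" * 66_000,       # the length quoted in the advisory text
    "wide_25k": "\u8a9e" * 25_000,   # 25,000 characters but 75,000 bytes
}


def review(samples=SAMPLES):
    """Return {name: (chars, bytes, survives_storage, accepted)}."""
    report = {}
    for name, text in samples.items():
        ok, _ = accept_comment(text)
        report[name] = (len(text), len(text.encode("utf-8")),
                        survives_storage(text), ok)
    return report


if __name__ == "__main__":
    for name, row in review().items():
        print(name, row)
```

The `wide_25k` row is the case a limit counted in characters misses: it is well under 66,000 characters, yet the column would still cut it short.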

      • lprent 8.1.2

        Umm.

        It could also be malicious code pushed into the site code (usually by not closing permissions for write or admin access) and then chewing up server processes.

        That is what the damn bots have been trying to get access to on this site pretty strongly in the last month. I had to lock them out more firmly last month.

        There are a lot of possibilities

  9. Anne 9

    No, Hone. We may not like what the GCSB is doing in connection with the Five Eyes programme, but harassing little internal blog-sites is way beyond their brief. That responsibility lies with the SIS and they have much, much bigger fish to ‘worry’ about.

    If it turns out someone is blocking the site I’d say… ask a certain well known whale what he knows in the first instance.

    • humPrac 9.1

      “That responsibility lies with the SIS”
      “They have much, much bigger fish to ‘worry’ about”
      If they go for “bigger fish”, then the responsibility does not lie upon them, therefore making your statement contradictory which deems your argument void.

      • Olwyn 9.1.1

        You are reading Anne’s argument rather oddly. “That responsibility lies with the SIS” and “they have much bigger fish to worry about” can both be true at the same time and you do not have to think hard to see that. Anne is saying, if it turns out that someone is blocking the site, you can rule out the GCSB because they have a different job. And you can probably rule out the SIS as well, since while it is their responsibility, they have bigger fish to worry about. Therefore, you need to look somewhere else. There is a well-known whale who is generally well informed about such matters so perhaps you should ask him. Nothing wrong with it!

    • Tracey 9.2

      IF someone deliberately does something like that to a site, is it a kind of vandalism? And therefore the police need to be notified?

    • schwen 9.3

      “If it turns out someone is blocking the site I’d say… ask a certain well known whale what he knows in the first instance”

      Who? the fat german hacker whale aka kdc?

  10. Paul 10

    Show solidarity.
    Make an offer to Martyn Bradbury the option of guest posts here until it is resolved.

    • Agree. I think it’s kinda covered in the OP, if not explicitly. TDB made a similar offer when TS was down a couple of months ago, so I imagine there wouldn’t be a problem reciprocating here. An injury to one is an injury to all.

    • lprent 10.2

      I’d prefer to resolve it there rather than having to add the 30+ authors listed on TDB piling into here.

      There are usually just two types of attacks. The classic DoS at the switch that his ISP (probably voyager like me) can handle. Then the one that targets wordpress.

      In the latter case paying for wordfence gets rid of most of it at the .htaccess level, and the plugin I use for comments gets rid of the rest.

      • lprent 10.2.1

        But if needs must then I have another server here. I’d just have to give up playing games for a while.

        • TheContrarian 10.2.1.1

          What are you playing these days? I just rebooted Dead Space 2 for a bit of shits and giggles.

          • lprent 10.2.1.1.1

            Mostly Civ5 at present. I’m mostly playing for zen whilst background thinking. A little of some old games like Homeland2

            But I only use linux at home so that is limiting. But I also can’t be bothered learning new games. I have too many lumps of code to get into at present.

  11. In Vino 11

    Ditto, It looks like Martyn has done something right…

    I fear that the internet may in the future not turn out to be the free info. avenue that so many of us hope for.
    But I rather hope that it will, and such sabotage will not turn into domination, and thereby censorship.

  12. The Gormless Fool formerly known as Oleolebiscuitbarrell 12

    My server has also been under a sustained attack.

    • Your keyboard knows how it feels!

    • lprent 12.2

      You don’t have a server listed? What is it?

      • The Gormless Fool formerly known as Oleolebiscuitbarrell 12.2.1

        Erm, I’m not telling.

        • lprent 12.2.1.1

          Yes. That is a totally believable story then…

          /sarc

          • The Gormless Fool formerly known as Oleolebiscuitbarrell 12.2.1.1.1

            Do you want to tell me details about my server? Why would I do that?

            My IT guy says it’s under attack. I have no reason to disbelieve him, but you are free to.

            • lprent 12.2.1.1.1.1

              Every server in the world is under attack at present. It is like background noise.

              My mailbox shows blockages from compromised machines everywhere in the world being locked out of The Standard when they try to login.

              • weka

                Is that usual what’s going on?

                • Clemgeopin

                  Only the expert Iprent can answer that for sure, although we all know that a server was under constant attack by the Prime Minister, of all people, of this country!

                • lprent

                  About every other year we get a widespread major botnet attack of some kind. This year it appears to be picking author names off the posts and then trying to login to them. Needless to say I have some pretty fierce protection. They violate it and get locked out for a few hours and I get an email message.

                  At present, I get a message every 4 or 5 minutes from machines being blocked from login.

                  We have very few author or above logins, and they all have adequate passwords. I also get notified when editor and above log in. My daemons also look at where they login from.
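An added example, not lprent's code or any plugin's: a sketch of the lockout behaviour described above, extended with a per-author check so that a botnet spreading its guesses across many addresses is still caught when no single address reaches the per-address limit. The thresholds, class and function names, author list and events are all constructed for the illustration; the addresses come from the reserved documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window for counting failures (assumed)
MAX_PER_IP = 5                   # failures from one address before lockout (assumed)
MAX_SOURCES_PER_USER = 4         # distinct addresses failing on one author (assumed)
LOCKOUT = timedelta(hours=4)     # "locked out for a few hours"


class LoginGuard:
    def __init__(self, author_names):
        self.authors = {a.lower() for a in author_names}
        self.by_ip = defaultdict(deque)     # ip -> timestamps of failures
        self.by_user = defaultdict(deque)   # author -> (timestamp, ip) failures
        self.locked_until = {}              # ip -> lock expiry
        self.alerts = []                    # messages that would be emailed

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def _lock(self, ip, now, reason):
        if not self.is_locked(ip, now):     # one alert per lockout, no extension
            self.locked_until[ip] = now + LOCKOUT
            self.alerts.append(f"{now:%H:%M} locked {ip}: {reason}")

    def failed_login(self, ip, username, now):
        """Record one failed login; return True if ip is locked afterwards."""
        if self.is_locked(ip, now):
            return True
        ip_hits = self.by_ip[ip]
        ip_hits.append(now)
        while ip_hits and now - ip_hits[0] > WINDOW:
            ip_hits.popleft()
        if len(ip_hits) >= MAX_PER_IP:
            self._lock(ip, now, f"{len(ip_hits)} failures in window")
        user = username.lower()
        if user in self.authors:            # names visible on posts get extra care
            hits = self.by_user[user]
            hits.append((now, ip))
            while hits and now - hits[0][0] > WINDOW:
                hits.popleft()
            sources = {src for _, src in hits}
            if len(sources) >= MAX_SOURCES_PER_USER:
                for src in sources:
                    self._lock(src, now, f"distributed guessing on '{user}'")
        return self.is_locked(ip, now)


AUTHORS = ["alice", "bob"]  # constructed author names
# Constructed failed-login events: (timestamp, source address, username tried).
SAMPLE_EVENTS = (
    [("2015-04-29 09:00:00", "192.0.2.50", "bob")]           # one honest typo
    + [(f"2015-04-29 12:00:{s:02d}", "203.0.113.9", "admin")
       for s in range(0, 50, 10)]                            # one noisy address
    + [(f"2015-04-29 12:0{m}:00", f"198.51.100.{m - 4}", "alice")
       for m in range(5, 9)]                                 # four quiet addresses
    + [("2015-04-29 12:30:00", "198.51.100.1", "alice")]     # retry while locked
)


def replay(events, authors=AUTHORS):
    guard = LoginGuard(authors)
    for stamp, ip, user in events:
        guard.failed_login(ip, user, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    return guard


if __name__ == "__main__":
    print("\n".join(replay(SAMPLE_EVENTS).alerts))
```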

    • Tracey 12.3

      have you told the police so they can help your wife?

  13. ianmac 13

    Yep. Cannot access TDB. “502 Bad Gateway”

    • mary_a 13.1

      @ posters (11) & (12) Ditto. Same here.

      So much for free speech then! As long as dear leader isn’t challenged or criticized, then NZ is able to speak as freely as it likes! Yeah right!

      • The Gormless Fool formerly known as Oleolebiscuitbarrell 13.1.1

        That’s right mary_a, it is undoubtedly John Key who has attacked Bradbury’s dog’s breakfast of a website. There’s just no other explanation.

        • Realblue 13.1.1.1

          Indeed Gormless, Bradbury is so important and a threat to the Government, he must be attacked. His strategising for Mana was incredibly effective, so I’m picking the CIA. That or he has shit security.

          • The Gormless Fool formerly known as Oleolebiscuitbarrell 13.1.1.1.1

            Do you want to tell me details about my server? Why would I do that?

            My IT guy says it’s under attack. I have no reason to disbelieve him, but you are free to.

          • The Gormless Fool formerly known as Oleolebiscuitbarrell 13.1.1.1.2

            There’s precedent. Remember when “they” had to silence him on National Radio not (specifically and emphatically not) because he was a boring fucktard who read out long pre-prepared speeches, but because he was sticking it to the man.

            “They” hate him because he’s turning New Zealanders onto socialism.

        • Tracey 13.1.1.2

          I agree with Gormless, there are so many possibilities, to assume some kind of government link is a bit OTT at this stage.

  14. Bomber has finally got up their noses enough and now they are paying back. This will increase the street cred of TDB and Bomber – at least after this attack has been repulsed. Kia kaha Bomber.

    • Realblue 14.1

      “Street cred”? Jesus you’re lame.

    • SHG 14.2

      Anyone who has the pleasure of administering a website running WordPress deals with these sorts of attacks on a regular basis. Just one of those things.

      • Kevin T 14.2.1

        We’ve a web developer. A popular website being attacked and taken down is not unusual these days. The core WordPress technology used here tends to get more malicious bot traffic and more attacks than most, simply because it is the world’s most popular CMS platform.

        The last week has seen very similar attacks on tens of thousands of websites worldwide. There is nothing here that tells me that thedailyblog attack was politically motivated or done by right wing activists etc. Likely just another random denial of service (DOS) attack, which those of us who build blogs for a living see on a regular basis. However I suspect the developers will learn from this and as we all do, put in place additional measures to minimise it occurring again. It’s an ongoing battle, but just part of the job for those who build high traffic websites or blogs.

  15. millsy 15

    Chaos and Mayhem strike again.

    • Tracey 15.1

      I think you give him too much credit

      When this site has some troubles, does everyone go to other sites and blame the Government or NAts or WO and it turns out to be a technical issue?

  16. Mike the Savage One 16

    The Whale or so may be behind this. Never trust the rotten brigade in power, and their allies and underlings.

  17. esoteric pineapples 17

    Unfortunately I’m using my phone so can’t post the link but go to No Right Turn to find the tool the government plans to use to shut down political dissent on the Internet. It’s the law that will put people in prison for up to two years for causing someone else “emotional harm” by posting something. This could apply to anything from a Facebook comment to a newspaper’s online content (Even the same stuff that is okay to print on paper I imagine). The implications for free speech on the Internet are huge.

  18. TheContrarian 18

    Serious question – people believe government agencies are attacking The Daily Blog?

    • felix 18.1

      More likely it’s the usual bunch of creepy contractors.

      • TheContrarian 18.1.1

        Like the last time TDB was hacked….those right-wing bastards redirected him to an Eastern European gambling site. Bomber had proof it was the govt. but we had to take his word for it.

        • felix 18.1.1.1

          Why would the govt attack TDB?

          National Party Dick Squad, sure, but govt? Nah.

          • lprent 18.1.1.1.1

            Yeah, but the dick squad are pretty damn useless incompetents who succeed almost by accident and then almost certainly because someone organised them (probably Jason Ede).

            They certainly aren’t technically competent. Generally the technically competent grow out of the childish joys of cracking and get on to building as they leave adolescence. Most actual cracks carried out by adults are either crims needing cash and paying some kids to do it for them, or they are disgruntled ex or current employees.

          • weka 18.1.1.1.2

            And it being TheContrarian, it’s safe to assume there is some anti-Bradbury spin in that comment.

            • TheContrarian 18.1.1.1.2.1

              Of course, Bradbury is a tool. I don’t deny my anti Bradbury tendency. He is a class a douche.

    • lprent 18.2

      Not me. If they were then it would have just cut out.

      I suspect that he has either found he has a slow database while updating, or something nasty got into his code. Those are the most likely scenarios.

      But they are usually either those or dying hardware (I remember a hard drive and a switch – both caused a lot of hassle) or failed upgrades after hikes in traffic.

      But Occam’s razor is that it is likely to be more prosaic than a crack or DoS.

      I’m quite willing to get a survival site up if TDB needs it or to lend expertise if it is required. I doubt if there are many things that I haven’t had die on this site since it started.

      • Hateatea 18.2.1

        lprent, if I ever seem ungrateful for all that you do for this site, it will be unintentional. I don’t understand the technical jargon in your replies here but I am humbled in the face of your knowledge. Respect, sir, much respect 🙂

        • lprent 18.2.1.1

          I have the hide of a rhino, especially because I am a total arrogant techhead elitist programmer. And that is on top of the usual MBA attitudes.

          I have problems considering the concept at an emotional level that anyone who can’t write a million lines of code may be human. I allow exceptions for people who can write 500 page books or put together a feature length film (I have seen people do both, and it looks like it is as hard).

          However I think that a number of authors and commenters here are getting there

          😈
          /parody off

          There is a little of Sheldon in us all.

        • Anne 18.2.1.2

          Well, he could be talking a load of gobbledygook for all I know Hateatea but it does sound very impressive I grant you. 😛

        • Puddleglum 18.2.1.3

          Ditto Hateatea.

          There’s only one way to gain the kind of mastery over a technical area that lprent clearly has – thousands of hours actually doing the stuff and being fully focused on it (and, of course, having the cognitive and emotional predisposition to be able to and want to do it).

          I’m very grateful lprent has spent that time and has put it to use by building and maintaining this site.

    • Tracey 18.3

      I don’t on what I have read so far.

  19. Murray Rawshark 19

    Given what’s been said here about wordpress, I’d say the most likely option is that some malicious code has got in somewhere. They try constantly. The enemy never leaves the gate, but it’s not always the government.

    I wouldn’t rule out some NAct idiots having a go at TDB, but it wouldn’t be high on the list of things I’d consider. More dangerous will be the new internet law, when some NAct backbencher claims to have their feelings deliberately hurt. The freedom and anarchy of the internet are seen as threatening by the powers that be/establishment/man/illuminati/(insert other favourite group). They don’t know how to handle it and will use very blunt instruments. I think things will be very different ten years from now.

    • lprent 19.1

      What is interesting is that the claim of having their feelings hurt is in itself defamatory. I wonder what their feelings will be like after a defamation suit.

      This proposal has a great hole in it because I will make anyone trying to use it truly miserable, then I will start on whoever tried to enforce it. Civil law is interesting. Expensive, but very very interesting.

    • Tracey 19.2

      Maybe someone, like WO(?) does keep an eye on sites for any vulnerabilities arising after something has happened, like this? They may exploit a weakness but I don’t imagine they would instigate it?

  20. Maui 20

    We’re at DEFCON 1 now, this is war. Have we got a nuke aimed at Whale Oil? 🙂

    [lprent: Threats of violence in comments, even in play, will earn you a quick kick exit from this site. ]

  21. Dale Cross 21

    If tdb has been hacked then it’s for the public good. No political blog site is safe. Wonder who will write the book exposing all bummers private emails?

  22. esoteric pineapples 22

    The Internet has become the world’s brain/nervous system. There is no way in the world that governments/whatever are going to allow it to be unmolested.

  23. Kim dandy 23

    I wouldn’t put anything past ‘this’ Government, however I am hoping the problem has been caused by overloading – thousands of NZer’s trying to get onto the site to read Amanda Bailey’s side of the story…

  24. ropata 24

    http://www.digitalattackmap.com

    Choose “unusual” and you’ll see that NZ and Brazil are experiencing a bit of extra botnet traffic at the moment.
    Nothing like some of the massive ~400 Gbps attacks last year though

  25. CLEANGREEN 25

    United we stand – divided we fall, good on the standard offering support to our fabulous Martyn Bradbury.

    Why don’t all opposition parties place a court injunction and request half of the public owned TVNZ/RNZ be placed under Opposition control.

    It is wrong to have only the Government controlling all our taxpayer funded public media for their benefit and give no voice for the opposing political parties.

    Every time an opposing media site goes down it serves to remind us all that we have possibly the most repressive control on freedom of our voices of anywhere globally.

    Get organised for our sake opposition Parties and put your pettiness aside for our common good please.

    • mary_a 25.1

      @ CLEANGREEN (24) Hear hear my friend.

      Having withdrawal symptoms without TDB already.

      However, really do appreciate The Standard team being so supportive, accepting comments from Martyn’s regular visitors/posters.

  26. Stuart Munro 26

    In terms of reposting TDB material, it seems reasonable to presume that the attack on TDB may be intended to suppress access to the Amanda Bailey material.

    This material perhaps could be accommodated here – particularly the original pieces.

  27. vto 27

    Of course it is. A website is property. That property has been damaged.

    However the police are on the side of the right wing so nothing will happen

    edit: not sure why this ended up here, was in response to tracey somewhere up above

  28. Pasupial 28

    I just ran into a glitch on TS about 10am. Clicked away on a link (to Scoop), then when I came back all the comment fields were blank. This persisted when I reloaded the page from bookmarks. But now that I’ve restarted the browser a couple of times after doing other things (thus clearing cookies), it seems fine.

    TDB is back up now.

    • Same thing happened to me. Seemed to clear itself after a few minutes. It’ll be interesting to hear what happened on TDB, though I suspect it’s the nature of these things that the originator of the attack won’t be found (assuming it was a DDoS and not just a glitch in hardware or software).

    • freedom 28.2

      re TDB, still getting “504 Gateway Time-out” here

  29. The Murphey 29

    TDB has come under ‘attack’ from a few ‘regulars’ on this site in recent times

    [not aimed at you Rob – can you check why my comments seem to still be going to moderation please] – Cheers

    [lprent: I usually look at releasing bans around lunch time. I was otherwise engaged today. ]

  30. freedom 30

    Anyone else having similar trouble getting onto scoop today?
    have also tried from the feeds here, but something is broken

    Direct address is failing as are any links to the site

    502 in the tab title
    Proxy Error

    The proxy server received an invalid response from an upstream server.
    The proxy server could not handle the request GET /.(address of storylink)

    Reason: Document contains no data

    Apache/1.3.41 Server at http://www.scoop.co.nz Port 80

  31. Dave 31

    Lol alert level is back to calf shit yellow. No threats imminent.
