Thursday, May 15, 2014 Servers Hacked!

The servers at, the hardcore libertarian, antiwar web site, is under attack. The front page of the web site is reporting:
A malware assault has been launched against the server hosting news.antiwar, original.antiwar, and the blog. Of course it's just a "coincidence" that this has occurred just as we've launched our fundraising drive. Or is it? We've traced it to the region close to Ukraine, so Ukrainian hackers could be responsible. Alternatively, as Glenn Greenwald has reported, the NSA is now in the business of spreading "industrial strength malware" to "enable the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites."That is precisely what is happening to us right now.
We don't have the resources to defend against this type of attack. We need your help now. We can't let them win.Please donate now. You can still donate securely. The Donate Page is on a secure server at another location, so that is secure.
Eric Garris the publisher of posted the following on the blog:
Loyal Readers: has been hacked. We do not yet know the seriousness of this attack. Users going to any pages with the subdomains,, and the blog may see a warning page put up by Google. If you see that page, we recommend that you do not proceed for now. If you are on a Mac or a browser not displaying the warning, you are safe to proceed.

The front page and donate page are not affected. These are on a different server and are not a problem.

We are running a MalWare scan on the server. It will take several hours to run the scan and fix the infected files. It will then take as much as a day to get Google to untag the site as dangerous.
Justin Raimondo sent out these tweets on Wednesday:


  1. namecoin. problem solved.

  2. Pretty much all hacking and spamming in the world appears to originate from Ukraine and Russian Federation, so I wouldn't read much into that.

    Without any forensics, it's really leaping to conclusions to state this is the NSA. It could just be an unpatched vulnerability.

    The timing with a fundraising drive is likely targeted, though, since the site would be seeing increased traffic during the period and there would be greater potential to capture payment info.

    1. Or China. I have a lab set up in my apartment so I can practice for my Cisco certifications, and I'm always seeing Ukraine and China IP addresses trying to VTY into my gear. When I contracted for Uncle Sam, we'd hear about China breaking into part of the network at least once every couple weeks. But you're right, that doesn't really mean much.

    2. This is factually incorrect. China is the biggest originator of hacking--mostly directed at the Dalai Lama. Second most is of course the land of the free and home of the brave. Russia scores 4th and Ukraine isn't even in the top 10, according to Bloomberg (

    3. Those numbers don't come from Bloomberg, they come from an Akamai report on attacks against Akamai customers. Here is a more recent report:

      To me it looks like if you want to break down the numbers, it becomes unclear exactly what percentage each country the IP address hitting the server originates, given that the most likely vector of attack against was port 80 or port 443.

      All of my access logs are filled with IP addresses in Ukraine and the Russian Federation sniffing for vulnerabilities and depositing various different types of spam. I suspect there may be sample bias in the Akamai report.

      As the report states, this is only the IP address hitting the server, and provides no insight into the location of the hacker.

      I just ran an SSLLABS test on, and wow, they should just close that port.

  3. It will be interesting to see if finds the source of the hacking. When you have multiple enemies (Neocons, Obama-liberals, chickenhawk hyper patriot conservatives, FBI, NSA, etc) its a bit difficult to pinpoint the one responsible for a single attack.