How Loopfuse Marketing and Sales Automation *Attacked* our Blog for a Bad Review

- admin

Petty insults and bot attacks, the Roy Russo story

We can hardly believe it ourselves: the CEO of an open source software company (LoopFuse - marketing and sales automation) not only comes onto our blog and trashes us for a bad review, he then creates a PR nightmare for himself and his company by launching what appeared to be a DoS attack.

Once Upon a Time…

It all began with a simple blog review about four analytics software packages. Lauren, our SEO, spent four months testing a trial of each, and paying close attention to their usefulness and value. Her, and our, least favorite was LoopFuse, and she said as much in the entry. Within a day of the post, Roy Russo comes on our blog and comments:

“LoopFuse is a Marketing Automation Suite, NOT a web analytics package. Hence the price, hence the “extra functionality”.

… and you can view the click-stream. Trials are free, brain-cells aren’t.

Thanks for the plug, though. ;-)”

Bad form to say the least…

The Escalation - Enter the Sandman

After that comment, there were a few back and forths where Roy showed himself to be a sarcastic and seemingly self-destructive troll, but it didn’t really get crazy until the blog got a little bit of attention. Yesterday (June 22nd), a blogger (MK) that heard about the story through a friend of a friend of a person who we share a forum with, featured a story on our little flame war and how inappropriate Roy’s behavior was. And the real kicker is that MK managed to get the story to the front page of Google shortly after posting!

So of course we start hearing from Roy again. Things continued to escalate, with Roy furiously smearing his smarm now across two blogs, until we noticed something a bit odd.

Inept Attacks and CEOs Who Utilize Them

All of a sudden our inbox is full of comments! Looks like people are really starting to get into this… but wait, there aren’t any visitors other than Loopfuse right now…

Attack Started : 22/Jul/2008:19:15:04 -0400
Attack Ended : 22/Jul/2008:19:42:30 -0400 (After we called his house)

68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"
68.219.***.*** - - [22/Jul/2008:19:25:37 -0400] "POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"

The attack threw strings like these:

xg53dnzbs6y41rmc0kh7vw
g3x7z1cvm2wyh9sqtj50pb

at a rate varying between 15 and 35 POSTs/sec. We assumed it was a DoS attack, since the strings didn’t have any escape characters or anything resembling exploit code. At the time we were pretty nervous, wondering what the hell was going on, but then Sam (our superstar server-side sophist) started poking into it and realized it was a *very* weak attempt and either:

  a. meant to rattle us, but not do any harm, or
  b. the saddest attempt at something resembling a hack he’d ever seen.
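
The pattern in the log excerpt above (one client POSTing to wp-comments-post.php many times within a single second, with empty Referer and User-Agent fields) can be picked out of an access log mechanically. The following is an added example, not part of the original post: the function name, the default threshold of 15 POSTs/sec (the low end of the rate reported above) and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def find_comment_floods(lines, endpoint="/wp-comments-post.php", min_per_sec=15):
    """Return one finding per client whose peak comment-POST rate reaches min_per_sec."""
    per_second = defaultdict(Counter)   # ip -> {timestamp (1 s resolution): POST count}
    headerless = Counter()              # ip -> POSTs with neither Referer nor User-Agent
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith(endpoint):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_second[m["ip"]][ts] += 1
        if m["referer"] in ("", "-") and m["agent"] in ("", "-"):
            headerless[m["ip"]] += 1
    findings = []
    for ip, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= min_per_sec:
            findings.append({
                "ip": ip, "peak_per_sec": peak, "total_posts": sum(buckets.values()),
                "headerless_posts": headerless[ip],
                "first_seen": min(buckets), "last_seen": max(buckets)})
    return findings

# Constructed sample (not the blog's real log): a burst from one documentation-range
# address with empty Referer/User-Agent, plus one ordinary commenter and one page view.
BURST = ('203.0.113.7 - - [22/Jul/2008:19:25:{sec:02d} -0400] '
         '"POST /blog/wp-comments-post.php HTTP/1.1" 200 - "-" "-"')
SAMPLE_LOG = [BURST.format(sec=37)] * 18 + [BURST.format(sec=38)] * 20 + [
    '198.51.100.20 - - [22/Jul/2008:19:25:40 -0400] "POST /blog/wp-comments-post.php '
    'HTTP/1.1" 302 - "http://blog.example/blog/post/" "Mozilla/5.0"',
    '198.51.100.20 - - [22/Jul/2008:19:25:41 -0400] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_comment_floods(SAMPLE_LOG):
        print(f"{f['ip']}: peak {f['peak_per_sec']} POSTs/sec, {f['total_posts']} total, "
              f"{f['headerless_posts']} without Referer/User-Agent, "
              f"{f['first_seen']:%H:%M:%S} to {f['last_seen']:%H:%M:%S}")
```

The ordinary commenter in the sample posts once and is not flagged; the per-second peak, rather than the total, is what separates a scripted flood from a busy comment thread.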

The Scramble

Our first step was to call Roy Russo’s house (luckily for us, his number was available via that beautiful series of tubes). And surprise of surprises, the attack stopped.

Our next step was to look a little closer at our traffic and server logs. A lot of things started looking fishy: visitor information started showing up inconsistently, we started getting traffic and links from some questionable neighborhoods, and, frankly, we started wondering if it was even possible that the CEO of a software company would sink so low.

We spread our net, hoping to make sense of this mess. We did more research on LoopFuse, Roy, and all our traffic sources. Let me tell you, the web can be a convoluted place, but after a few hours we started to get an idea of what had just happened.

Our Response

After we contacted the attacker’s ISP and forwarded the logs, we decided to play it safe and pull the comments. At this point, we were still unclear as to the extent of Roy’s involvement - with everything our research turned up, it seemed completely possible that some of Roy’s comments may be spoofed and we didn’t want to sully anyone’s name undeservingly.

But then this morning we got an email from Roy - a backwards apology and an offer of a live demo of his project. Once again, we decided to give Roy a call, this time to the number featured on the LoopFuse corporate website. Roy answered the phone himself, we established who we both were, and we asked him if in fact he was the same Roy Russo who had posted his venom to our blog.

He not only confirmed that he had in fact commented, but also laughed off that an “engineer” of his had conducted the attack and that it was being dealt with “internally.”

Reactions?

Is it just me, or is this absolutely absurd?


Comments (4)
  1. Roy Russo


    Are you sure you didn't speak with our Janitor, Simon "Rat-Tat-Tat" Jublonski, when you called? He's a weird guy, and well-known for randomly picking up office phones and acting like he's a VP or even CTO!
  2. cp


    Roy must be off his meds
  3. lauren


    Hey cp :) I think you're on to something--seems like the only reasonable explanation.

    We contacted someone associated with the company to see if we could sort this out rationally, but haven't heard much back yet.
  4. Dan


    Tsk, tsk, let's hope there aren't any serious backlashes for this attempt, federal offense otherwise. Seriously, what a little troll.

