-
06-07-2007, 12:28 PM #26WHT Addict
- Join Date
- May 2004
- Posts
- 143
Is it just my imagination, or have dreamhost stopped displaying account passwords in the control panel?
Normally whenever I can't remember a password I pop into the control panel to look it up, and I was recently thinking that it wasn't safe practice. I had even forgotten that it is a simple thing to log on via SSH and change the password whenever you want, and it shouldn't show up in the DH control panel anymore.
Unless their server retains the plain text passwords.
Silly me
It must be said that given how large a host dreamhost are, the administrative headache of people forgetting passwords would be unbearable, given the authentication process which would be required via either email or by phone.
-
06-07-2007, 12:52 PM #27Newbie
- Join Date
- Jun 2007
- Posts
- 12
Dreamhost is by far the worst host I've ever used. Servers go down all the time! And they feel they can get away with it through their blog where they project a web2.0ish lack of formality and professionalism.
This company is a joke.
-
06-07-2007, 12:59 PM #28Web Hosting Master
- Join Date
- Oct 2003
- Posts
- 9,264
-
06-07-2007, 01:16 PM #29Frontend Web Developer
- Join Date
- Jun 2005
- Location
- CT, USA
- Posts
- 620
You cannot please everyone, but I think from the general reviews of DreamHost I have read here it seems they do a pretty good job for their customers.
As David said, for the size of their company they do have quite a lot of work in maintaining things, more so than a small company as us.
I wonder what they will be doing for those customers who will be sticking around with them after this, if they do anything at all. What do you do for or say to a customer when their password has been leaked out and possible compromising of their data?
-
06-07-2007, 01:20 PM #30Web Hosting Master
- Join Date
- Oct 2003
- Posts
- 9,264
You do exactly what you would in any other situation.
1. Reassure the clients the source of the leak is resolved.
2. Ensure that it doesn't reoccur & explain the preventative measures put in place.
3,500 for Dreamhost is a very tiny sliver of their clientbase. The company has over 500 thousand domains hosted on their service.
They didn't get to that size making critical errors. This situation won't even make a dent in their clientbase nor should it. A large number of companies I know of wouldn't have even made a peep to the users affected.
-
06-07-2007, 01:20 PM #31That's all it takes?
- Join Date
- Aug 2001
- Location
- Canada
- Posts
- 2,124
-
06-07-2007, 01:21 PM #32Junior Guru Wannabe
- Join Date
- Oct 2006
- Posts
- 34
I'm so glad that I have cancelled with them, but it's not a very good thing for their marketing. 3500 passwords is a huge amount, and not to mention the fact that quite a few of them will use the same password for online banking etc.
-
06-07-2007, 01:40 PM #33Junior Guru Wannabe
- Join Date
- Jan 2005
- Posts
- 41
not to mention the fact that quite a few of them will use the same password for online banking etc
-
06-07-2007, 02:01 PM #34Web Hosting Master
- Join Date
- Apr 2006
- Posts
- 2,204
It's not just your imagination
Any online banking service that doesn't use a double challenge password response system (preferably an external codebox) is a service that you should not use under any circumstance.
A bank that uses a single sign-on password, which on top of that you are allowed to pick yourself as a client, is just foolish.
-
06-07-2007, 03:18 PM #35Web Hosting Master
- Join Date
- Apr 2001
- Location
- Pittsburgh, PA
- Posts
- 1,306
-
06-07-2007, 04:11 PM #36Junior Guru Wannabe
- Join Date
- Jul 2006
- Posts
- 99
-
06-08-2007, 03:37 AM #37******* Unleaded
- Join Date
- Feb 2004
- Posts
- 3,849
Does dreamhost use anything like disabling ftp logins after X number of failed attempts?
-
06-08-2007, 06:29 AM #38Web Hosting Master
- Join Date
- Apr 2006
- Posts
- 2,204
Probably, however bruteforce is not a cause of the problem.
There's been an update to the Dreamhost status blog:
UPDATE: 2007/06/07 6:49PM PDT - We are in the middle of a more thorough investigation and some new information has turned up. While we did detect some unauthorized access to our user web control panel, in at least some cases it looks like that may not be to blame for the compromised ftp accounts. In some isolated cases it appears that there may be security problems on end-user computers as well. If you have been affected by this, please do whatever checks on your own computer you can as a precaution. Our investigation is covering all possible attack points and this is one of the possibilities.
Also note that we now have confirmed information that these ftp account hijackings are happening on other web hosts as well and it looks very likely like there’s more to this situation than just the security problem we detected within our own system.
We are now forcing all of the affected users who have not yet changed their passwords to do so before they will be able to upload anything again. This is necessary so we can continue to monitor the situation and see clearly what’s going on.
-
06-08-2007, 06:42 AM #39Web Hosting Master
- Join Date
- Apr 2006
- Posts
- 2,204
The story made it to The Register (via digg).
-
06-08-2007, 03:06 PM #40Retired Moderator
- Join Date
- Jan 2003
- Posts
- 9,049
Frankly you got to give it to them to own up to it and take measures like a responsible company should. I am not saying being hacked is a good thing, just that many users do not understand the complexities in securing servers, especially shared servers chock full of 3rd party software such as control panels. As a sysadmin, you potentially need to block hundreds, or thousands of possible ways to exploit a system, but a hacker need only to find one hole to render all your other protections fruitless. That's not all, it's a moving target, with new exploits, vulnerabilities discovered daily, some of which are not even disclosed and simply used by hackers to do their dirty work.
So I think you guys should give them a bit of credit for their response, and also think from the shoes of the host. Frankly this could have happened to any host, and I am personally sure that most hosts are probably vulnerable, just unknowingly so, or that the hackers aren't really interested in them to invest sufficient effort to break in.
-
06-08-2007, 03:33 PM #41Web Hosting Master
- Join Date
- Apr 2006
- Posts
- 2,204
Yes, I agree in that Dreamhost has been fairly open about all of this. However, as it looks now it was a hole in their own control panel in combination with passwords being shown in cleartext that brought all of this on, which is quite a dodo on Dreamhost's behalf.
But in any case; Dreamhost provides a super service for the price they are charging and there are a lot of knowledgeable people over at that company.
-
06-08-2007, 04:53 PM #42Newbie
- Join Date
- Feb 2007
- Posts
- 17
You're right, the panel did use to show the passwords, which means they were being stored in the 'central database' (the one connected to the panel, and to webmail - irregardless of which server your website runs off, which is often unresponsive or down).
The update implies that evil hackers got into the panel (with elevated privileges you would assume), but at the same time tries to blame users. Hmm.
I've noticed that in their analog stats config files they exclude https://uebernet.dreamhost.com/ from the referrer stats. When you visit this URL now, you get an access denied error - before, there was a login screen identical to the panel for regular customers. So, it would appear that this 'ueber' control panel was hacked into, and also showed passwords in plain text.
-
06-08-2007, 11:25 PM #43Web Hosting Master
- Join Date
- Nov 2004
- Location
- Dallas
- Posts
- 740
Geeez, just a few days ago I was considering hosting some backup files with them, but at the end I decided to go with hostgator.... close call hahaha, that sucks
-
06-09-2007, 12:04 AM #44Newbie
- Join Date
- Mar 2005
- Posts
- 17
Even if Dreamhost is our competitor, I feel everyone should cut them some slack for the way DH handled after getting the hint. Some determined hacker did this and DH have their own panel; they came open about it and thing is being sorted. So this should not be held as benchmark but an incident.
I feel for the companies/users who suffered. Apparently some big names hosting the webpages got affected too. theregister.co.uk has good coverup on this. I can't post URLs (I will soon).
-
06-09-2007, 12:14 AM #45Web Hosting Master
- Join Date
- Jan 2007
- Posts
- 1,107
I agree here. As a former DreamHost client, I don't see any indication that they have failed to properly secure their service. Stuff happens. I just hope everyone learns from the experience and does better next time.
Meantime, it doesn't hurt to change your passwords from time to time. I notice that the new cPanel 11 -- something I've only used a short time -- rates passwords when you establish one for, say, an email account. That's helpful for those that have the new version. Maybe DreamHost should incorporate something like that in their home-grown control panel.
Best,
Captain Marvel
Host/Executive Producer, The Paracast, www.theparacast.com
I do not represent the hosting industry!
-
06-09-2007, 12:22 AM #46Newbie
- Join Date
- Mar 2005
- Posts
- 17
@gene,
well, I am sure they are going to crank up on password system now... they might even start sending passwords to any requesting user in morse code... well ok not that much.
-
06-09-2007, 12:25 AM #47Web Hosting Master
- Join Date
- Jan 2007
- Posts
- 1,107
-
06-09-2007, 12:29 AM #48******* Unleaded
- Join Date
- Feb 2004
- Posts
- 3,849
it doesn't hurt to change your passwords from time to time
-
06-09-2007, 12:36 AM #49Web Hosting Master
- Join Date
- Jan 2007
- Posts
- 1,107
-
06-09-2007, 12:49 AM #50Web Hosting Master
- Join Date
- Aug 2003
- Location
- East Coast
- Posts
- 2,082
Why is everyone giving them the Thumbs up for stepping forward? This was reported "before" they stepped up. Their announcement was a reactionary measure at best.