  1. #1

    3500 dreamhost FTP accounts compromised [MERGED]

    I just received this e-mail from dreamhost.

    I've complained before that they've moved all of their information about outages and the like to their dreamhoststatus weblog, where before people would get an e-mail if their server was affected. However, this message doesn't appear on their blog. Make of that what you will.

    No word on the cause, but apparently it only affected FTP accounts, so probably someone with shell access got hold of a passwd file.

    Hello -

    This email is regarding a potential security concern related to your
    '[REDACTED - moof]' FTP account.

    We have detected what appears to be the exploit of a number of
    accounts belonging to DreamHost customers, and it appears that your
    account was one of those affected.

    We're still working to determine how this occurred, but it appears
    that a 3rd party found a way to obtain the password information
    associated with approximately 3,500 separate FTP accounts and has
    used that information to append data to the index files of customer
    sites using automated scripts (primarily for search engine
    optimization purposes).

    Our records indicate that only roughly 20% of the accounts accessed -
    less than 0.15% of the total accounts that we host - actually had
    any changes made to them. Most accounts were untouched.

    We ask that you do the following as soon as possible:

    1. Immediately change your FTP password, as well as that of any other
    accounts that may share the same password. We recommend the use of
    passwords containing 8 or more random letters and numbers. You may
    change your FTP password from the web panel ("Users" section, "Manage
    Users" sub-section).

    2. Review your hosted accounts/sites and ensure that nothing has been
    uploaded or changed that you did not do yourself. Many of the
    unauthorized logins did not result in changes at all (the intruder
    logged in, obtained a directory listing and quickly logged back out)
    but to be sure you should carefully review the full contents of your
    account.

    Again, only about 20% of the exploited accounts showed any
    modifications, and of those the only known changes have been to site
    index documents (ie. 'index.php', 'index.html', etc - though we
    recommend looking for other changes as well).

    It appears that the same intruder also attempted to gain direct
    access to our internal customer information database, but this was
    thwarted by protections we have in place to prevent such access.
    Similarly, we have seen no indication that the intruder accessed
    other customer account services such as email or MySQL databases.

    In the last 24 hours we have made numerous significant behind-the-
    scenes changes to improve internal security, including the discovery
    and patching to prevent a handful of possible exploits.

    We will, of course, continue to investigate the source of this
    particular security breach and keep customers apprised of what we
    find. Once we learn more, we will be sure to post updates as they
    become available to our status weblog:

    [CANNOT POST URL DUE TO BOARD RESTRICTIONS - moof]

    Thank you for your patience. If you have any questions or concerns,
    please let us know.

    - DreamHost Security Team
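The review step in the e-mail above (checking index documents for appended data), sketched as an added example that is not part of the original post or any DreamHost tooling. The function names, the file-name pattern and the 7-day review window are assumptions made for illustration.

```python
import os
import re
import time

# Assumed set of "index document" names, following the e-mail's examples.
INDEX_NAME = re.compile(r"^index\.(php|html?|shtml)$", re.IGNORECASE)
CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
LINK_OR_SCRIPT = re.compile(rb"<(a|script|iframe)\b", re.IGNORECASE)

def trailing_after_html(data):
    """Return the bytes that follow the last </html> tag, whitespace stripped."""
    matches = list(CLOSE_HTML.finditer(data))
    if not matches:
        return b""  # e.g. a pure-PHP index with no closing tag to measure from
    return data[matches[-1].end():].strip()

def audit_index_files(root, since_epoch):
    """Walk root and list index documents that look appended to or recently changed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not INDEX_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            tail = trailing_after_html(data)
            if tail:
                reasons.append("content after </html>")
                if LINK_OR_SCRIPT.search(tail):
                    reasons.append("appended markup contains link/script/iframe")
            if os.path.getmtime(path) >= since_epoch:
                reasons.append("modified inside review window")
            if reasons:
                findings.append((path, reasons))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    week_ago = time.time() - 7 * 86400  # review window is an assumption
    for path, reasons in audit_index_files(root, week_ago):
        print(path, "->", "; ".join(reasons))
```

A clean result only covers index documents; the e-mail's advice to review the full contents of the account still applies, and modification times can be reset by whoever wrote the file.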

  2. #2
    nice... they just lost 3500 people.. or at least 1/3

  3. #3
    I felt a great disturbance in the blogosphere, as if 3500 useless websites suddenly cried out in terror and were suddenly silenced.

  4. #4
    Why nice?

    It can happen to anyone.

  5. #5
    Originally Posted by Engelmacher:
    I felt a great disturbance in the blogosphere, as if 3500 useless websites suddenly cried out in terror and were suddenly silenced.
    You're funny!

    But back on topic; Dreamhost will comment on the issue soon on their status blog.

    What is good about Dreamhost is that they are transparent, even if this hack is most unfortunate for everyone involved.

  6. #6

    Got a dreamhost account? W00PS! 3500 passwords leaked

    Originally Posted by Dreamhost

    From: DreamHost Security Team
    Subject: URGENT: FTP Account Security Concerns…
    Hello -
    This email is regarding a potential security concern related to your
    ‘XXXX’ FTP account.
    We have detected what appears to be the exploit of a number of
    accounts belonging to DreamHost customers, and it appears that your
    account was one of those affected.
    We’re still working to determine how this occurred, but it appears
    that a 3rd party found a way to obtain the password information
    associated with approximately 3,500 separate FTP accounts and has
    used that information to append data to the index files of customer
    sites using automated scripts (primarily for search engine
    optimization purposes).
    Our records indicate that only roughly 20% of the accounts accessed -
    less than 0.15% of the total accounts that we host - actually had
    any changes made to them. Most accounts were untouched.
    We ask that you do the following as soon as possible:
    1. Immediately change your FTP password, as well as that of any other
    accounts that may share the same password. We recommend the use of
    passwords containing 8 or more random letters and numbers. You may
    change your FTP password from the web panel (“Users” section, “Manage
    Users” sub-section).
    2. Review your hosted accounts/sites and ensure that nothing has been
    uploaded or changed that you did not do yourself. Many of the
    unauthorized logins did not result in changes at all (the intruder
    logged in, obtained a directory listing and quickly logged back out)
    but to be sure you should carefully review the full contents of your
    account.
    Again, only about 20% of the exploited accounts showed any
    modifications, and of those the only known changes have been to site
    index documents (ie. ‘index.php’, ‘index.html’, etc - though we
    recommend looking for other changes as well).
    It appears that the same intruder also attempted to gain direct
    access to our internal customer information database, but this was
    thwarted by protections we have in place to prevent such access.
    Similarly, we have seen no indication that the intruder accessed
    other customer account services such as email or MySQL databases.
    In the last 24 hours we have made numerous significant behind-the-
    scenes changes to improve internal security, including the discovery
    and patching to prevent a handful of possible exploits.
    We will, of course, continue to investigate the source of this
    particular security breach and keep customers apprised of what we
    find. Once we learn more, we will be sure to post updates as they
    become available to our status weblog:
    http://www.dreamhoststatus.com/
    Thank you for your patience. If you have any questions or concerns,
    please let us know.

  7. #7
    It happens.

  8. #8
    That's interesting. Seems to be a rash of ftp hacks lately.

  9. #9
    Thank you for searching WHT before posting

  10. #10

    Dreamhost leaks 3,500 FTP passwords


  11. #11
    Really sad....

  12. #12
    Got Dream account yesterday.
    During setup of 2 domains today, I don't know why, but I typed "who".

    here is output

    Code:
    [stratus]$ who
    myaccountname   pts/1        Jun  6 17:34 (**.**.**.MYIP)
    myaccountname   pts/2        Jun  6 08:34 (**.**.**.MYIP)
    cghuber  pts/7        Jun  6 15:22 (e176174130.adsl.alicedsl.de)
    hmm .. so who is cghuber?
    Any idea? Try searching Google for [adsl.alicedsl.de] or [adsl.alicedsl.de + dreamhost]: 99% of the topics are statistics or spam related.

    any idea?

  13. #13
    Ouch! That could cause some problems. Hopefully DH got the news out quick enough to mitigate any damage.

  14. #14
    Originally Posted by 3-rx:
    Got Dream account yesterday.
    During setup of 2 domains today, I don't know why, but I typed "who".

    here is output

    Code:
    [stratus]$ who
    myaccountname   pts/1        Jun  6 17:34 (**.**.**.MYIP)
    myaccountname   pts/2        Jun  6 08:34 (**.**.**.MYIP)
    cghuber  pts/7        Jun  6 15:22 (e176174130.adsl.alicedsl.de)
    hmm .. so who is cghuber?
    Any idea? Try searching Google for [adsl.alicedsl.de] or [adsl.alicedsl.de + dreamhost]: 99% of the topics are statistics or spam related.

    any idea?
    You aren't on a server by yourself; it's a shared host. cghuber is another customer that's logged in via ssh.
    Tom / COO @ Site5.com

  15. #15
    Ah Dreamhost... does the fun ever end...
