3500 dreamhost FTP accounts compromised [MERGED]

  #1  
Newbie
 
Join Date: Feb 2007
Posts: 17


I just received this e-mail from dreamhost.

I've complained before that they've moved all of their information about outages and the like to their dreamhoststatus weblog, where before people would get an e-mail if their server was affected. However, this message doesn't appear on their blog. Make of that what you will.

No word on the cause, but apparently it only affected FTP accounts, so probably someone with shell access got hold of a passwd file.

Hello -

This email is regarding a potential security concern related to your
'[REDACTED - moof]' FTP account.

We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.

We're still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed -
less than 0.15% of the total accounts that we host - actually had
any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other
accounts that may share the same password. We recommend the use of
passwords containing 8 or more random letters and numbers. You may
change your FTP password from the web panel ("Users" section, "Manage
Users" sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been
uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder
logged in, obtained a directory listing and quickly logged back out)
but to be sure you should carefully review the full contents of your
account.

Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (ie. 'index.php', 'index.html', etc - though we
recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:

[CANNOT POST URL DUE TO BOARD RESTRICTIONS - moof]

Thank you for your patience. If you have any questions or concerns,
please let us know.

- DreamHost Security Team



  #2  
Junior Guru Wannabe
 
Join Date: May 2007
Posts: 31
nice... they just lost 3500 people.. or at least 1/3


  #3  
Disabled
 
Join Date: Jul 2002
Posts: 452
I felt a great disturbance in the blogosphere, as if 3500 useless websites suddenly cried out in terror and were suddenly silenced.

  #4  
Always Learning...
 
Join Date: Aug 2002
Location: Bharat
Posts: 4,669
Why nice.

It can happen with any one.

__________________
Vinsar.Net - Quality Web Hosting at Economical Price on USA & European Servers
Offering domains, shared, reseller & VPS hosting.
Reliable Domain Reseller Account Resell Domains with Confidence

  #5  
Web Hosting Master
 
Join Date: Apr 2006
Posts: 2,201
Quote:
Originally Posted by Engelmacher View Post
I felt a great disturbance in the blogosphere, as if 3500 useless websites suddenly cried out in terror and were suddenly silenced.

You're funny!

But back on topic; Dreamhost will comment on the issue soon on their status blog.

What is good about Dreamhost is that they are transparent, even if this hack is most unfortunate for everyone involved.

__________________
Need personalized hosting or consulting?

  #6  
Junior Guru Wannabe
 
Join Date: Jul 2006
Posts: 80
Got a dreamhost account? W00PS! 3500 passwords leaked

Originally Posted by Dreamhost

From: DreamHost Security Team
Subject: URGENT: FTP Account Security Concerns…
Hello -
This email is regarding a potential security concern related to your
‘XXXX’ FTP account.
We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.
We’re still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
optimization purposes).
Our records indicate that only roughly 20% of the accounts accessed -
less than 0.15% of the total accounts that we host - actually had
any changes made to them. Most accounts were untouched.
We ask that you do the following as soon as possible:
1. Immediately change your FTP password, as well as that of any other
accounts that may share the same password. We recommend the use of
passwords containing 8 or more random letters and numbers. You may
change your FTP password from the web panel (“Users” section, “Manage
Users” sub-section).
2. Review your hosted accounts/sites and ensure that nothing has been
uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder
logged in, obtained a directory listing and quickly logged back out)
but to be sure you should carefully review the full contents of your
account.
Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (ie. ‘index.php’, ‘index.html’, etc - though we
recommend looking for other changes as well).
It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.
In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching to prevent a handful of possible exploits.
We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:
http://www.dreamhoststatus.com/
Thank you for your patience. If you have any questions or concerns,
please let us know.
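
Step 2 of the e-mail quoted in posts #1 and #6 asks customers to review their index documents for appended data. The following is an added example, not part of the thread or of DreamHost's message, showing one way to run that check in Python; the file-name set, the "data after the last </html> tag" heuristic and the sample site are assumptions made for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: index documents are named index.<ext>, as in the e-mail's examples.
INDEX_NAMES = {"index.php", "index.html", "index.htm", "index.shtml"}


def trailing_after_html(data: bytes) -> bytes:
    """Return non-whitespace bytes that follow the last </html> tag, if any."""
    idx = data.lower().rfind(b"</html>")
    return b"" if idx < 0 else data[idx + len(b"</html>"):].strip()


def scan_index_files(root, since):
    """Report index documents with appended trailing data or an mtime >= since."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name.lower() not in INDEX_NAMES:
            continue
        tail = trailing_after_html(path.read_bytes())
        recent = path.stat().st_mtime >= since
        if tail or recent:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "modified_since_cutoff": recent,
                "trailing_bytes": len(tail),
                "trailing_preview": tail[:80].decode("utf-8", "replace"),
            })
    return findings


def demo():
    """Constructed sample site: one clean index, one with markup after </html>."""
    samples = {
        "index.html": b"<html><body>ok</body></html>\n",
        "blog/index.php": b"<html><body>hi</body></html>\n<div>constructed appended links</div>\n",
    }
    with tempfile.TemporaryDirectory() as root:
        old = time.time() - 30 * 86400  # pretend both files are a month old
        for rel, body in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
            os.utime(path, (old, old))
        return scan_index_files(root, since=time.time() - 86400)
```

Modification times can be reset by whoever wrote the file, and an index.php that builds its closing tag dynamically will show no trailing data, so a comparison against a known-good backup remains the stronger check.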

  #7  
Junior Guru Wannabe
 
Join Date: May 2007
Location: New York
Posts: 72
It happens.

  #8  
Web Host
 
Join Date: Jun 2002
Posts: 1,791
That's interesting. Seems to be a rash of ftp hacks lately.

  #9  
Web Hosting Master
 
Join Date: Apr 2006
Posts: 2,201
Thank you for searching WHT before posting

__________________
Need personalized hosting or consulting?

  #10  
Entrepreneur & Designer
 
Join Date: May 2007
Location: San Francisco, CA
Posts: 1,138
Dreamhost leaks 3,500 FTP passwords


__________________
// Extra Moose - Modern Web Design with Usability in mind.

  #11  
Web Hosting Evangelist
 
Join Date: Mar 2005
Posts: 520
Really sad....

__________________
||| HostEcon.com - Professional Off-Shore Hosting Provider
||| Shared || Reseller || Semi-Dedicated || Dedicated Services
||| We offer highly anonymous off-shore domain names


  #12  
Web Hosting Master
 
Join Date: Jan 2005
Posts: 609
Got a Dream account yesterday.
Today during setup of 2 domains, I don't know why, but I typed "who".

Here is the output:

Code:
[stratus]$ who
myaccountname   pts/1        Jun  6 17:34 (**.**.**.MYIP)
myaccountname   pts/2        Jun  6 08:34 (**.**.**.MYIP)
cghuber  pts/7        Jun  6 15:22 (e176174130.adsl.alicedsl.de)

Hmm .. so who is cghuber?
Any idea? Try to search in Google for [adsl.alicedsl.de] or [adsl.alicedsl.de + dreamhost] and 99% of topics are statistic or spam related.

Any idea?

__________________
Your Health Encyclopedia
Medical and health consumer information resources containing comprehensive and unbiased information in patient-friendly language

  #13  
Junior Guru
 
Join Date: Jan 2006
Location: Roswell, GA
Posts: 192
Ouch! That could cause some problems. Hopefully DH got the news out quick enough to mitigate any damage.

  #14  
Web Hosting Evangelist
 
Join Date: Dec 2003
Location: DFW
Posts: 529
Quote:
Originally Posted by 3-rx View Post
Got a Dream account yesterday.
Today during setup of 2 domains, I don't know why, but I typed "who".

Here is the output:

Code:
[stratus]$ who
myaccountname   pts/1        Jun  6 17:34 (**.**.**.MYIP)
myaccountname   pts/2        Jun  6 08:34 (**.**.**.MYIP)
cghuber  pts/7        Jun  6 15:22 (e176174130.adsl.alicedsl.de)

Hmm .. so who is cghuber?
Any idea? Try to search in Google for [adsl.alicedsl.de] or [adsl.alicedsl.de + dreamhost] and 99% of topics are statistic or spam related.

Any idea?

You aren't on a server by yourself; it's a shared host. cghuber is another customer that's logged in via ssh.

__________________
Tom / COO @ Site5.com

  #15  
Web Hosting Master
 
Join Date: Feb 2004
Location: Southern California
Posts: 749
Ah Dreamhost... does the fun ever end...

__________________
SkyLineHost.com
▓ ▓ Shared hosting that soars above the competition
▓ ▓ ▓ Based in Los Angeles. sales@skylinehost.com
