  1. #1

    3500 dreamhost FTP accounts compromised [MERGED]

    I just received this e-mail from dreamhost.

    I've complained before that they've moved all of their information about outages and the like to their dreamhoststatus weblog, where before people would get an e-mail if their server was affected. However, this message doesn't appear on their blog. Make of that what you will.

    No word on the cause, but apparently it only affected FTP accounts, so probably someone with shell access got hold of a passwd file.

    Hello -

    This email is regarding a potential security concern related to your
    '[REDACTED - moof]' FTP account.

    We have detected what appears to be the exploit of a number of
    accounts belonging to DreamHost customers, and it appears that your
    account was one of those affected.

    We're still working to determine how this occurred, but it appears
    that a 3rd party found a way to obtain the password information
    associated with approximately 3,500 separate FTP accounts and has
    used that information to append data to the index files of customer
    sites using automated scripts (primarily for search engine
    optimization purposes).

    Our records indicate that only roughly 20% of the accounts accessed -
    less than 0.15% of the total accounts that we host - actually had
    any changes made to them. Most accounts were untouched.

    We ask that you do the following as soon as possible:

    1. Immediately change your FTP password, as well as that of any other
    accounts that may share the same password. We recommend the use of
    passwords containing 8 or more random letters and numbers. You may
    change your FTP password from the web panel ("Users" section, "Manage
    Users" sub-section).

    2. Review your hosted accounts/sites and ensure that nothing has been
    uploaded or changed that you did not do yourself. Many of the
    unauthorized logins did not result in changes at all (the intruder
    logged in, obtained a directory listing and quickly logged back out)
    but to be sure you should carefully review the full contents of your
    account.

    Again, only about 20% of the exploited accounts showed any
    modifications, and of those the only known changes have been to site
    index documents (ie. 'index.php', 'index.html', etc - though we
    recommend looking for other changes as well).

    It appears that the same intruder also attempted to gain direct
    access to our internal customer information database, but this was
    thwarted by protections we have in place to prevent such access.
    Similarly, we have seen no indication that the intruder accessed
    other customer account services such as email or MySQL databases.

    In the last 24 hours we have made numerous significant behind-the-
    scenes changes to improve internal security, including the discovery
    and patching to prevent a handful of possible exploits.

    We will, of course, continue to investigate the source of this
    particular security breach and keep customers apprised of what we
    find. Once we learn more, we will be sure to post updates as they
    become available to our status weblog:

    [CANNOT POST URL DUE TO BOARD RESTRICTIONS - moof]

    Thank you for your patience. If you have any questions or concerns,
    please let us know.

    - DreamHost Security Team
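
One way to carry out the review the e-mail asks for, as an added example that is not part of the original thread or DreamHost's tooling: scan a document root for index files with content after the closing `</html>` tag or with invisible iframes. The heuristics, function names and sample files are assumptions constructed for illustration; a hit means "review this file", not proof of tampering.

```python
import re
import tempfile
from pathlib import Path

# Heuristics below are assumptions about what "appended data" looks like;
# they flag files for manual review, they do not prove tampering.
INDEX_RE = re.compile(r"^index\.(php|s?html?)$", re.IGNORECASE)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?![\d.])|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
LINK_RE = re.compile(r"""href\s*=\s*["']?https?://""", re.IGNORECASE)


def trailing_content(text):
    """Return whatever follows the last closing </html> tag, stripped."""
    matches = list(CLOSE_HTML_RE.finditer(text))
    return text[matches[-1].end():].strip() if matches else ""


def hidden_iframes(text):
    """Return iframe tags that are zero-sized or styled invisible."""
    return [tag for tag in IFRAME_RE.findall(text) if HIDDEN_RE.search(tag)]


def check_index(path):
    """List the reasons a single index file deserves a manual look."""
    text = Path(path).read_text(errors="replace")
    findings = []
    tail = trailing_content(text)
    if tail:
        links = len(LINK_RE.findall(tail))
        findings.append(f"{len(tail)} chars after </html> ({links} absolute links)")
    for tag in hidden_iframes(text):
        findings.append(f"hidden iframe: {tag[:80]}")
    return findings


def scan(docroot):
    """Walk docroot and map each flagged index file to its findings."""
    report = {}
    for path in sorted(Path(docroot).rglob("*")):
        if path.is_file() and INDEX_RE.match(path.name):
            findings = check_index(path)
            if findings:
                report[path.relative_to(docroot).as_posix()] = findings
    return report


def demo():
    """Build a constructed site with one clean and one modified index file."""
    clean = ('<html><body><h1>Hi</h1>'
             '<iframe src="/map" width="400" height="300"></iframe>'
             '</body></html>\n')
    modified = ("<?php include 'header.php'; ?>\n"
                "<html><body>Posts</body></html>\n"
                '<div style="display:none">'
                '<a href="http://spam.example/a">x</a>'
                '<a href="http://spam.example/b">y</a></div>\n'
                '<iframe src="http://spam.example/f" width="0" height="0"></iframe>')
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "blog").mkdir()
        (Path(root) / "index.html").write_text(clean)
        (Path(root) / "blog" / "index.php").write_text(modified)
        return scan(root)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

Comparing the flagged files against a known-good backup or version-control copy settles whether the trailing content is yours.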

  2. #2
    nice... they just lost 3500 people... or at least 1/3

  3. #3
    I felt a great disturbance in the blogosphere, as if 3500 useless websites suddenly cried out in terror and were suddenly silenced.

  4. #4
    Why nice?

    It can happen to anyone.

  5. #5
    Quote Originally Posted by Engelmacher View Post
    I felt a great disturbance in the blogosphere, as if 3500 useless websites suddenly cried out in terror and were suddenly silenced.
    You're funny!

    But back on topic; Dreamhost will comment on the issue soon on their status blog.

    What is good about Dreamhost is that they are transparent, even if this hack is most unfortunate for everyone involved.

  6. #6

    Got a dreamhost account? W00PS! 3500 passwords leaked

    Originally Posted by Dreamhost

    From: DreamHost Security Team
    Subject: URGENT: FTP Account Security Concerns…
    Hello -
    This email is regarding a potential security concern related to your
    ‘XXXX’ FTP account.
    We have detected what appears to be the exploit of a number of
    accounts belonging to DreamHost customers, and it appears that your
    account was one of those affected.
    We’re still working to determine how this occurred, but it appears
    that a 3rd party found a way to obtain the password information
    associated with approximately 3,500 separate FTP accounts and has
    used that information to append data to the index files of customer
    sites using automated scripts (primarily for search engine
    optimization purposes).
    Our records indicate that only roughly 20% of the accounts accessed -
    less than 0.15% of the total accounts that we host - actually had
    any changes made to them. Most accounts were untouched.
    We ask that you do the following as soon as possible:
    1. Immediately change your FTP password, as well as that of any other
    accounts that may share the same password. We recommend the use of
    passwords containing 8 or more random letters and numbers. You may
    change your FTP password from the web panel (”Users” section, “Manage
    Users” sub-section).
    2. Review your hosted accounts/sites and ensure that nothing has been
    uploaded or changed that you did not do yourself. Many of the
    unauthorized logins did not result in changes at all (the intruder
    logged in, obtained a directory listing and quickly logged back out)
    but to be sure you should carefully review the full contents of your
    account.
    Again, only about 20% of the exploited accounts showed any
    modifications, and of those the only known changes have been to site
    index documents (ie. ‘index.php’, ‘index.html’, etc - though we
    recommend looking for other changes as well).
    It appears that the same intruder also attempted to gain direct
    access to our internal customer information database, but this was
    thwarted by protections we have in place to prevent such access.
    Similarly, we have seen no indication that the intruder accessed
    other customer account services such as email or MySQL databases.
    In the last 24 hours we have made numerous significant behind-the-
    scenes changes to improve internal security, including the discovery
    and patching to prevent a handful of possible exploits.
    We will, of course, continue to investigate the source of this
    particular security breach and keep customers apprised of what we
    find. Once we learn more, we will be sure to post updates as they
    become available to our status weblog:
    http://www.dreamhoststatus.com/
    Thank you for your patience. If you have any questions or concerns,
    please let us know.

  7. #7
    It happens.

  8. #8
    That's interesting. Seems to be a rash of ftp hacks lately.

  9. #9
    Thank you for searching WHT before posting

  10. #10

    Dreamhost leaks 3,500 FTP passwords


  11. #11
    Really sad....

  12. #12
    Got a Dream account yesterday.
    Today I set up 2 domains and, I don't know why, typed "who".

    Here is the output:

    Code:
    [stratus]$ who
    myaccountname   pts/1        Jun  6 17:34 (**.**.**.MYIP)
    myaccountname   pts/2        Jun  6 08:34 (**.**.**.MYIP)
    cghuber  pts/7        Jun  6 15:22 (e176174130.adsl.alicedsl.de)
    Hmm... so who is cghuber?
    Any idea? Try to search in Google for [adsl.alicedsl.de] or [adsl.alicedsl.de + dreamhost] and 99% of the topics are statistics or spam related.

    Any idea?

  13. #13
    Ouch! That could cause some problems. Hopefully DH got the news out quick enough to mitigate any damage.

  14. #14
    Quote Originally Posted by 3-rx View Post
    Got a Dream account yesterday.
    Today I set up 2 domains and, I don't know why, typed "who".

    Here is the output:

    Code:
    [stratus]$ who
    myaccountname   pts/1        Jun  6 17:34 (**.**.**.MYIP)
    myaccountname   pts/2        Jun  6 08:34 (**.**.**.MYIP)
    cghuber  pts/7        Jun  6 15:22 (e176174130.adsl.alicedsl.de)
    Hmm... so who is cghuber?
    Any idea? Try to search in Google for [adsl.alicedsl.de] or [adsl.alicedsl.de + dreamhost] and 99% of the topics are statistics or spam related.

    Any idea?
    You aren't on a server by yourself; it's a shared host. cghuber is another customer that's logged in via ssh.

  15. #15

  16. #16
    Quote Originally Posted by PWRKen View Post
    Ah Dreamhost... does the fun ever end...
    It's funny how people here make digs on the bigger hosts such as Dreamhost - especially in times like this.

    At least Dreamhost informs customers; many hosts wouldn't.

  17. #17
    It shouldn't happen in the first place though. If I were a customer, I'd be pretty angry.

  18. #18
    Quote Originally Posted by tbonekkt View Post
    It's funny how people here make digs on the bigger hosts such as Dreamhost - especially in times like this.

    At least Dreamhost informs customers; many hosts wouldn't.
    The main question is whether this is just one of those things -- or whether DreamHost could have done something to prevent it. But lacking evidence of that, I would just accept this as something that could not have been avoided.
    Best,
    Captain Marvel

  19. #19
    "Dreamhost - Serving up your personal data on a silver platter since 1997!"

  20. #20
    The status-blog "explanation" is on Digg now; http://digg.com/security/Dreamhost_e...ecurity_Breach

  21. #21
    See their status blog post (via Digg): http://digg.com/security/Dreamhost_e...ecurity_Breach

  22. #22
    I bet they've lost a lot of customers. If this happened to me I would have canceled my account already.

  23. #23
    It is the infamous Iframe attack. Basically the hacker runs an automated operation from some remote hosts. I believe they have FTP'd into the user accounts through root pass. If not, they couldn't have access to so many accounts. Worse is if dreamhost used the same root password on multiple servers. This will increase the exposure of the accounts.


  24. #24
    If these defacers got access via root, how did they gain root access?

  25. #25
    It's OK, everyone gets vulnerable sometime or the other.
    Just patch up the weak ends.

  26. #26
    Is it just my imagination, or have dreamhost stopped displaying account passwords in the control panel?

    Normally whenever I can't remember a password I pop into the control panel to look it up, and I was recently thinking that it wasn't safe practice. I had even forgotten that it is a simple thing to log on via SSH and change the password whenever you want, and it shouldn't show up in the DH control panel anymore.
    Unless their server retains the plain text passwords.

    Silly me

    It must be said that given how large a host dreamhost are, the administrative headache of people forgetting passwords would be unbearable, given the authentication process which would be required via either email or by phone.

  27. #27
    Dreamhost is by far the worst host I've ever used. Servers go down all the time! And they feel they can get away with it through their blog where they project a web2.0ish lack of formality and professionalism.

    This company is a joke.

  28. #28
    Quote Originally Posted by CouponShock View Post
    Dreamhost is by far the worst host I've ever used. Servers go down all the time! And they feel they can get away with it through their blog where they project a web2.0ish lack of formality and professionalism.

    This company is a joke.
    What's their blog have to do with anything?

    At any rate I think Josh @ the blog does a great job. So does Dreamhost 'on a whole' -- amazing operation for a company that large & with those sort of resource allocations.

    Kudos to them as always.
    David

  29. #29
    Quote Originally Posted by CouponShock View Post
    Dreamhost is by far the worst host I've ever used. Servers go down all the time! And they feel they can get away with it through their blog where they project a web2.0ish lack of formality and professionalism.

    This company is a joke.
    You cannot please everyone, but I think from the general reviews of DreamHost I have read here it seems they do a pretty good job for their customers.

    As David said, for the size of their company they do have quite a lot of work in maintaining things, more so than a small company such as us.

    I wonder what they will be doing for those customers who will be sticking around with them after this, if they do anything at all. What do you do for or say to a customer when their password has been leaked out and possible compromising of their data?

  30. #30
    Quote Originally Posted by AH-John View Post
    I wonder what they will be doing for those customers who will be sticking around with them after this, if they do anything at all. What do you do for or say to a customer when their password has been leaked out and possible compromising of their data?
    You do exactly what you would in any other situation.
    1. Reassure the clients the source of the leak is resolved.
    2. Ensure that it doesn't reoccur & explain the preventative measures put in place.

    3,500 for Dreamhost is a very tiny sliver of their clientbase. The company has over 500 thousand domains hosted on their service.

    They didn't get to that size making critical errors. This situation won't even make a dent in their clientbase nor should it. A large number of companies I know of wouldn't have even made a peep to the users affected.
    David

  31. #31
    Quote Originally Posted by MxHub View Post
    believe they have FTP'd into the user accounts through root pass.
    That's not possible on proftpd as far as I know.

    I've seen these same attacks on a smaller scale and they *never* involved the root password, always the user's FTP password.

    And hashing a password doesn't stop a determined person, just look for john the ripper.

  32. #32
    I'm so glad that I have cancelled with them, but it's not a very good thing for their marketing. 3500 passwords is a huge amount, not to mention the fact that quite a few of them will use the same password for online banking etc.

  33. #33
    not to mention the fact that quite a few of them will use the same password for online banking etc
    If you use the same password for online banking as you do for your webhosting then you pretty much are asking for trouble.

  34. #34
    Quote Originally Posted by voipfc View Post
    Is it just my imagination, or have dreamhost stopped displaying account passwords in the control panel?
    It's not just your imagination


    Quote Originally Posted by MyfilePlaceServ View Post
    I'm so glad that I have cancelled with them, but it's not a very good thing for their marketing. 3500 passwords is a huge amount, not to mention the fact that quite a few of them will use the same password for online banking etc.
    Any online banking service that doesn't use a double challenge password response system (preferably an external codebox) is a service that you should not use under any circumstance.

    If the bank uses a single sign-on password that you, on top of that, are allowed to pick yourself as a client, that is just foolish.

  35. #35
    Quote Originally Posted by voipfc View Post
    Is it just my imagination, or have dreamhost stopped displaying account passwords in the control panel?
    They used to do that?! Holy Moly.

    Kevin

  36. #36
    Quote Originally Posted by Hard Rock View Post
    If you use the same password for online banking as you do for your webhosting then you pretty much are asking for trouble.
    That's what I was worried about!

  37. #37
    Does dreamhost use anything like disabling ftp logins after X number of failed attempts?

  38. #38
    Quote Originally Posted by plumsauce View Post
    Does dreamhost use anything like disabling ftp logins after X number of failed attempts?
    Probably, however bruteforce is not a cause of the problem.

    There's been an update to the Dreamhost status blog:
    UPDATE: 2007/06/07 6:49PM PDT - We are in the middle of a more thorough investigation and some new information has turned up. While we did detect some unauthorized access to our user web control panel, in at least some cases it looks like that may not be to blame for the compromised ftp accounts. In some isolated cases it appears that there may be security problems on end-user computers as well. If you have been affected by this, please do whatever checks on your own computer you can as a precaution. Our investigation is covering all possible attack points and this is one of the possibilities.
    Also note that we now have confirmed information that these ftp account hijackings are happening on other web hosts as well and it looks very likely like there’s more to this situation than just the security problem we detected within our own system.
    We are now forcing all of the affected users who have not yet changed their passwords to do so before they will be able to upload anything again. This is necessary so we can continue to monitor the situation and see clearly what’s going on.

  39. #39
    The story made it to The Register (via digg).

  40. #40
    Frankly you got to give it to them to own up to it and take measures like a responsible company should. I am not saying being hacked is a good thing, just that many users do not understand the complexities in securing servers, especially shared servers chock full of 3rd party software such as control panels. As a sysadmin, you potentially need to block hundreds, or thousands of possible ways to exploit a system, but a hacker needs only to find one hole to render all your other protections fruitless. That's not all, it's a moving target, with new exploits, vulnerabilities discovered daily, some of which are not even disclosed and simply used by hackers to do their dirty work.

    So I think you guys should give them a bit of credit for their response, and also think from the shoes of the host. Frankly this could have happened to any host, and I am personally sure that most hosts are probably vulnerable, just unknowingly so, or that the hackers aren't really interested in them to invest sufficient effort to break in.
