Remember that weird spam we were recurrently getting in our index.php file? I spent several days looking for the source of it, to no avail. Turns out that our host, DreamHost, had been hacked and several thousand account passwords obtained. These were used—in our case I guess more than once, but details are still extremely hard to find—to access the index files of many sites. DreamHost have apparently sent out a letter to affected customers, but we were affected and haven’t heard a word, and as yet there’s nothing on their website, either. Here’s another person who was affected. All very frustrating. We’ve changed our shell passwords and all that, so I suppose we’ll just wait for some details and an explanation from DreamHost.
Update: I wrote to DH techsupport this morning, and just received a response. They say, in part:
We had not sent out the emails regarding dedicated machines yet, as we
were performing additional research. Those emails will be going out very
shortly. I do apologize for the delay, and discovering this on another
blog. To secure your account you will need to change your FTP password. The
logins that we were noticing tended to be automated, and frequently would
overwrite the same files repeatedly. While perhaps not comforting, this
does mean that they generally weren’t looking for personally identifiable
information or uploading other hacking scripts that could serve nefarious
purposes. … Again we are very sorry for the trouble this may
have caused; the email will be going out shortly.
So if they were aware that users with dedicated as well as shared servers were affected, maybe they’re weren’t undercounting the number of people hit by this. But if so then it wasn’t really true when they said all affected customers had been notified.