Spam Again

by Kieran Healy on June 6, 2007

Remember that weird spam we were recurrently getting in our index.php file? I spent several days looking for the source of it, to no avail. Turns out that our host, DreamHost, had been hacked and several thousand account passwords obtained. These were used—in our case I guess more than once, but details are still extremely hard to find—to access the index files of many sites. DreamHost have apparently sent out a letter to affected customers, but we were affected and haven’t heard a word, and as yet there’s nothing on their website, either. Here’s another person who was affected. All very frustrating. We’ve changed our shell passwords and all that, so I suppose we’ll just wait for some details and an explanation from DreamHost.

Update: I wrote to DH techsupport this morning, and just received a response. They say, in part:

We had not sent out the emails regarding dedicated machines yet, as we
were performing additional research. Those emails will be going out very
shortly. I do apologize for the delay, and discovering this on another
blog. To secure your account you will need to change your FTP password. The
logins that we were noticing tended to be automated, and frequently would
overwrite the same files repeatedly. While perhaps not comforting, this
does mean that they generally weren’t looking for personally identifiable
information or uploading other hacking scripts that could serve nefarious
purposes. … Again we are very sorry for the trouble this may
have caused; the email will be going out shortly.

So if they were aware that users with dedicated as well as shared servers were affected, maybe they’re weren’t undercounting the number of people hit by this. But if so then it wasn’t really true when they said all affected customers had been notified.

{ 2 trackbacks }

Unofficial DreamHost Blog » Blog Archive » DreamHost FTP Accounts Hacked
06.06.07 at 10:31 pm
1, 2, 3 (catch up) at found_drama
06.07.07 at 12:08 am

{ 12 comments }

1

joel hanes 06.06.07 at 4:10 pm

Time to get a new hosting company.
If they’ve compromised your site password, and haven’t the integrity to notify you, they don’t deserve your business, regardless of any other merits they may have.

2

Aaron Swartz 06.06.07 at 4:32 pm

Yes, please switch hosts. I mean, I’ll personally fund the hosting of the site someplace decent, like a rimuhosting or joyent VPS.

3

abb1 06.06.07 at 5:40 pm

How does one find “a way to obtain the password information associated with approximately 3,500 separate FTP accounts”? Weird.

4

Nick Caldwell 06.06.07 at 8:56 pm

Aaron, the Joyent containers are pretty awesome but the CTers would need a fair amount of technical know-how to administer an unmanaged Solaris box.

5

Nick Caldwell 06.06.07 at 10:05 pm

Ah, I hadn’t realised Crooked Timber was already on a dedicated server. Never mind me then.

6

Myrna the Minx 06.07.07 at 1:59 am

Yikes, I didn’t know about this until now and have a wp blog. I GUESS I wasn’t affected. Time to investigate.

7

Aaron Swartz 06.07.07 at 4:28 pm

Caldwell: I’m happy to administer the box as well, if needed.

8

todd. 06.07.07 at 4:35 pm

I’m with Sean Carroll (here): “I conclude that it is impossible for the internet to work.”

9

tom brandt 06.07.07 at 4:48 pm

I heard a lot of complaints about Dreamhost when I went looking for a new hosting company and didn’t use them because of the complaints. I use OCS Solutions and am quite happy with them. It is a fairly small operation, which I think is a good thing.

10

Alan Bostick 06.07.07 at 6:36 pm

abb1 @ 3: Password databases (at least on UNIX-type systems) are encrypted and so ought to be useless to hackers, even if they were able to get access to them

But if the hackers compromised the hosting company’s NOC, they could monitor the network and gobble up every password of every customer that was typed in cleartext. FTP was developed in a less distrustful time, and so account passwords are vulnerable to network sniffers.

It is basically irresponsible for a hosting company to encourage use of FTP for password-protected access to file transfer. They should encourage, and you should use, something like SFTP (SSH File Transfer Protocol) so that all traffic, including logins and passwords, are encrypted between the client and the server, and eavesdroppers can’t grab passwords.

(Disclaimer: I am not a real network security guy; I’m just a long-term user with a cryptography obsession.)

11

Fatal Claws 06.09.07 at 12:04 am

Try pair.com

12

oldnumberseven 06.09.07 at 4:52 am

I am wondering what course you are taking in regards to changing hosts? My partner is the director of a non-profit group, and dreamhost gave them free hosting. The non-profit’s site has not been compromised as far as I can tell. It is http://montrails.org/ but I would welcome any other crooked timber eyes looking upon it to give their two cents.

Does anyone know of any other hosting companies that will provide free hosting to a non-profit?

Comments on this entry are closed.