The Unofficial Dreamhost Blog reports that the hacker may have been a spam artist, and that Dreamhost’s note to hacked users said only 20% of the affected accounts had files altered:
Evidence suggests that the attack has targeted websites with a high Google PageRank and that the attacker has used his access to add a number of hidden spam links to the bottom of the affected pages in order to increase search engine rankings.
The comment boards at Dreamhost are already thick with fear and loathing. Excerpts from that and Dreamhost’s official warning come after the jump:
# Gavin Says:
June 6th, 2007 at 4:13 pm
Why the hell are you storing FTP passwords in plain text in the first place?
# Victor A. Wagner Jr. Says:
June 6th, 2007 at 4:16 pm
Nobody said they were.
they said “access individual user password information”
# free iCal hosting Says:
June 6th, 2007 at 4:19 pm
Because most users don’t, and they tend to forget their passwords…
# klanka Says:
June 6th, 2007 at 4:20 pm
I’ve always ignored mass downtimes, slowness of download speeds, general low performance and high page generation speeds, but now with this, I think it’s enough. Already moved on to another host which I paid a lot more for and I’m satisfied.
Thanks for the cheap service I enjoyed, but there have been too many problems and I really can’t complain considering I got it for a really low price (coupon), but at the end it came to what’s been proven a million times – you get what you pay for.
# number-six Says:
June 6th, 2007 at 4:20 pm
So if they had access to the panel, mail passwords are compromised as well.
Nice – that’ll be fun to change all of those.
Here’s how the bad news came out to the affected account-holders:
From: DreamHost Security Team
Subject: URGENT: FTP Account Security Concerns…
This email is regarding a potential security concern related to your ‘XXXX’ FTP account.

We have detected what appears to be the exploit of a number of accounts belonging to DreamHost customers, and it appears that your account was one of those affected.

We’re still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine

Our records indicate that only roughly 20% of the accounts accessed – less than 0.15% of the total accounts that we host – actually had any changes made to them. Most accounts were untouched.
We ask that you do the following as soon as possible:
Immediately change your FTP password, as well as that of any other accounts that may share the same password. We recommend the use of passwords containing 8 or more random letters and numbers. You may change your FTP password from the web panel (“Users” section, “Manage Users” sub-section).
Review your hosted accounts/sites and ensure that nothing has been uploaded or changed that you did not do yourself. Many of the unauthorized logins did not result in changes at all (the intruder logged in, obtained a directory listing and quickly logged back out) but to be sure you should carefully review the full contents of your account.
Again, only about 20% of the exploited accounts showed any modifications, and of those the only known changes have been to site index documents (i.e. ‘index.php’, ‘index.html’, etc. – though we recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct access to our internal customer information database, but this was thwarted by protections we have in place to prevent such access. Similarly, we have seen no indication that the intruder accessed other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-scenes changes to improve internal security, including the discovery and patching of a handful of possible exploits.

We will, of course, continue to investigate the source of this particular security breach and keep customers apprised of what we find. Once we learn more, we will be sure to post updates as they become available to our status weblog:

Thank you for your patience. If you have any questions or concerns, please let us know.
All I know is that I found an entire phishing operation – mocked-up Wells Fargo web pages and all – neatly tucked into one of my LAVoice folders last year and quickly killed it all and changed the PW back then – but didn’t get the warning note this time.
Maybe it’s time to scour through all my directories again.
Is this an ongoing risk with DH?
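One way to do the "scouring" the post ends on, and the review step DreamHost's note asks for, as an added example that is not part of the original post or of anything DreamHost ships: hash every file under the web root so a later run can diff it against the baseline, and scan the index documents the note names for the kind of hidden spam links the Unofficial Dreamhost Blog describes. The hidden-link patterns (anchors inside a display:none / visibility:hidden / font-size:0 container, or anchors appended after the closing html tag) are this example's assumptions about what such an injection looks like, not signatures from either source, and the sample site it scans is constructed inline.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Filenames DreamHost's note says were modified (site index documents).
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

# Assumed injection shapes (not DreamHost's signatures): an anchor inside a
# container styled to be invisible, with no closing tag between them ...
HIDDEN_CONTAINER = re.compile(
    r"<(?:div|span|p)\b[^>]*style\s*=\s*['\"][^'\"]*"
    r"(?:display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0)"
    r"[^'\"]*['\"][^>]*>(?:(?!</(?:div|span|p)>).)*?<a\s[^>]*href",
    re.IGNORECASE | re.DOTALL,
)
# ... or an anchor appended after the document has already closed.
TRAILING_LINKS = re.compile(r"</html>\s*(.*?<a\s[^>]*href.*)$", re.IGNORECASE | re.DOTALL)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root; keep the result somewhere off-site."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(old: dict, new: dict) -> dict:
    """Added, removed and changed paths between a baseline and a fresh manifest."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def find_hidden_links(html: str) -> list:
    """Reasons one document looks like it carries injected hidden links."""
    reasons = []
    if HIDDEN_CONTAINER.search(html):
        reasons.append("anchor inside a hidden (display:none/visibility:hidden/font-size:0) container")
    if TRAILING_LINKS.search(html):
        reasons.append("anchor appended after </html>")
    return reasons


def scan_index_files(root: Path) -> dict:
    """Map each index document under root to the injection reasons found in it."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.name.lower() in INDEX_NAMES:
            reasons = find_hidden_links(p.read_text(errors="replace"))
            if reasons:
                hits[str(p.relative_to(root))] = reasons
    return hits


def demo() -> dict:
    """Constructed sample site: baseline it, then append spam to the front page."""
    clean = "<html><body><h1>Home</h1><a href='/about'>About</a></body></html>\n"
    spam = '<div style="display:none"><a href="http://example.invalid/pills">cheap pills</a></div>\n'
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "blog").mkdir()
        (root / "index.html").write_text(clean)
        (root / "blog" / "index.php").write_text("<?php echo 'hi'; ?>\n")
        before = build_manifest(root)          # baseline taken while the site is known-good
        (root / "index.html").write_text(clean + spam)  # simulated appended injection
        after = build_manifest(root)
        return {"diff": diff_manifest(before, after), "hits": scan_index_files(root)}


if __name__ == "__main__":
    print(demo())
```

The manifest diff is the part that catches things the regexes never will (a phishing kit dropped into an unused folder, as the post describes), so it is worth running regardless of what the link scan says; the scan just gives a quick first look at the files the note says were touched.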