3500 FTP account passwords stolen from DreamHost database
DreamHost Status Blog Archive Security Breach
It seems that somebody has managed to hack into the customer database of FTP login passwords at the DreamHost web hosting company. According to an email sent out to the affected DreamHost customers, 3500 accounts seem to have been breached by a hacker, or hackers, using as yet unknown attack vectors.
According to the update posted by DreamHost on June 7, this may be a combination of security breaches, including keyloggers that may have been installed on the affected users' computers. That means that the same thing could affect users of other web hosting companies. So far the hack appears to be the addition of various iframe codes, or links to porn sites, to all files in the compromised accounts whose names contain the word "index". The file extension does not matter; if you have a file containing the word "index" it will be a target of this hacker. This includes index files in sub-directories, or add-on domains hosted under the same master account. Therefore, all website owners are urged to download their index files and inspect them for unauthorized modifications. If you find any, remove them, notify your hosting provider, and scan your own computers for spyware, keyloggers, or backdoor trojans.
In one blog post about this I read that at least one DreamHost customer had all of his "index" files overwritten completely with a page containing an iframe exploit, leading to a website that installs a Trojan Horse program.
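As an added example (not part of the original post or of anything DreamHost published), the following Python script runs the inspection advised above over a downloaded copy of a site: it opens every file whose name contains "index", whatever the extension and in every sub-directory, and reports iframes that load from an outside host or are hidden from view. The `allowed_hosts` parameter, the hidden-frame heuristic and the sample files and host names are assumptions made for illustration; injected plain links are not covered.

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Heuristic: attributes commonly used to hide an injected frame from visitors.
HIDDEN_RE = re.compile(r"""(?:width|height)\s*=\s*["']?[01]\b|display\s*:\s*none""", re.I)

def scan_index_files(root, allowed_hosts=()):
    """Return sorted (relative path, iframe src, reason) for files named *index*."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if "index" not in name.lower():
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for attrs in IFRAME_RE.findall(text):
                src_m = SRC_RE.search(attrs)
                src = src_m.group(1) if src_m else ""
                host = re.sub(r"^(?:https?:)?//", "", src).split("/")[0].lower()
                reasons = []
                if re.match(r"(?:https?:)?//", src) and host not in allowed_hosts:
                    reasons.append("external")
                if HIDDEN_RE.search(attrs):
                    reasons.append("hidden")
                if reasons:
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    findings.append((rel, src, "+".join(reasons)))
    return sorted(findings)

# Constructed sample site (file name -> contents); the hosts are placeholders.
SAMPLE = {
    "index.html": "<html><body><h1>Home</h1></body></html>",
    "blog/index.php": '<iframe src="http://bad.example/x" width="0" height="0"></iframe>',
    "shop/old_index.bak": "<iframe src='//ads.example/f'></iframe>",
    "about.html": '<iframe src="http://bad.example/x"></iframe>',  # name lacks "index"
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_index_files(root)
```

A hit is only a prompt to open the file and compare it with a known-good copy; a page overwritten without an iframe, or one carrying only added links, will not be reported.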
There is a statement about this incident, from the DreamHost blog, in my extended comments...
If you are a DreamHost customer, and you have scanned your computer for security breaches and found none, and you were notified that your account was among those compromised, and you are looking for another web host, I use and recommend BlueHost Web Hosting. They offer huge amounts of disk space and data transfer, plus unlimited add-on domains, for those who need to host multiple domains at a low monthly rate. I have all of the details on my BlueHost page. I have been with them for over 6 months and have had very little downtime - well less than I used to experience with my previous web host. My server has not been hacked, although I see people trying to do so every day or two (by reading my raw access and error logs).
I am available to assist people whose websites and/or computers have been compromised by hackers, spyware, keyloggers, or other security threats. Please visit my home page for more information and links to my webmaster services and contact pages.
From DreamHost
UPDATE: 2007/06/07 6:49PM PDT - We are in the middle of a more thorough investigation and some new information has turned up. While we did detect some unauthorized access to our user web control panel, in at least some cases it looks like that may not be to blame for the compromised ftp accounts. In some isolated cases it appears that there may be security problems on end-user computers as well. If you have been affected by this, please do whatever checks on your own computer you can as a precaution. Our investigation is covering all possible attack points and this is one of the possibilities.
Also note that we now have confirmed information that these ftp account hijackings are happening on other web hosts as well and it looks very likely like there’s more to this situation than just the security problem we detected within our own system.
We are now forcing all of the affected users who have not yet changed their passwords to do so before they will be able to upload anything again. This is necessary so we can continue to monitor the situation and see clearly what’s going on.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.