Extra Pepperoni

This sucks, Beavis!

I had to change the school’s panel password (which will only be changed again in 24 days when I hand over the reins to my successor, who will change it again), plus my personal panel password, 3 shell passwords, 12 list passwords, this blog’s password, and possibly the Analog passswords, and what will I forget?

Crud. Crud. Crud.

DreamHost’s next failure is not telling us what the spam links look like. I can’t read the source of every page on the site, but if they would tell us what to look for, I could grep for the suspect sites quite easily. I actually found them elsewhere (see the Andy Hagan link below) — no thanks to DH, whose screw-up I’m now attempting to fix.

Adding injury to injury, I just got the cheery/goofy montly DreamHost email, with no mention of the hack, even though they must have been dealing with the break-in when the message was sent.

To make things worse, the status page where they promise to post updates on this incident doesn’t even mention it! This is 2 1/2 hours after they sent me email, and they still haven’t come clean in public. On the other hand, oscandy.com had a posting about it a couple days earlier http://www.oscandy.com/hacking/454-dreamhost-hosting-platform-hacked.

From a couple other blogs, this may have shown up a week ago:

• http://www.adamfortuna.com/2007/05/31/you-could-be-hacked-too/
• http://tropicalseo.com/2007/andyhaganscom-hacked-can-you-help-me-out/

To: "Chris Pepper"
From: DreamHost Security Team
Subject: [reppep 11988754] URGENT: FTP Account Security Concerns...
Date: Tue,  5 Jun 2007 18:52:42 -0700 (PDT)

Hello -

This email is regarding a potential security concern related to your  
'reppep' FTP account.

We have detected what appears to be the exploit of a number of  
accounts belonging to DreamHost customers, and it appears that your  
account was one of those affected.

We're still working to determine how this occurred, but it appears  
that a 3rd party found a way to obtain the password information  
associated with approximately 3,500 separate FTP accounts and has  
used that information to append data to the index files of customer  
sites using automated scripts (primarily for search engine  
optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed -  
less than 0.15% of the total accounts that we host - actually had  
any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other  
accounts that may share the same password. We recommend the use of  
passwords containing 8 or more random letters and numbers. You may  
change your FTP password from the web panel ("Users" section, "Manage  
Users" sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been  
uploaded or changed that you did not do yourself. Many of the  
unauthorized logins did not result in changes at all (the intruder  
logged in, obtained a directory listing and quickly logged back out)  
but to be sure you should carefully review the full contents of your  
account.

Again, only about 20% of the exploited accounts showed any  
modifications, and of those the only known changes have been to site  
index documents (ie. 'index.php', 'index.html', etc - though we  
recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct  
access to our internal customer information database, but this was  
thwarted by protections we have in place to prevent such access.  
Similarly, we have seen no indication that the intruder accessed  
other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the- 
scenes changes to improve internal security, including the discovery  
and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this  
particular security breach and keep customers apprised of what we  
find. Once we learn more, we will be sure to post updates as they  
become available to our status weblog:

      http://www.dreamhoststatus.com/

Thank you for your patience. If you have any questions or concerns,  
please let us know.

- DreamHost Security Team