eruna — 2012-02-25T17:42:58-05:00 — #1
Multiple Dreamhost sites were attacked simultaneously by the same bot that inserts code into PHP files.
They claim it has nothing to do with them and it's the fault of each customer's website. I guess they are saying it's a coincidence?
They just announced they had a security breach last week and asked everyone to change their FTP passwords.
Does their lack of accountability sound fishy or is it just me?
lawrence_wright — 2012-02-27T03:49:32-05:00 — #2
In most cases, it is the user's fault for not keeping scripts up to date; however, if it's several customers simultaneously, there's a need for investigation and blame cannot be placed directly on any party. This is why security is important. Sorry to hear about those security issues, the culprits deserve a mud slinging session. Always keep backups and keep your passwords rotated every month or two.
starlion — 2012-02-27T09:18:45-05:00 — #3
Pretty interesting little hack. Once inside a page, that page becomes essentially an open terminal into the system, allowing someone to upload a file, execute MySQL, and run system commands.
eruna — 2012-02-27T14:45:25-05:00 — #4
I haven't figured out exactly where it got in, but I removed a number of legacy applications that weren't being used.
My site was down for three days for causes not specifically related to the hack. It seems like Dreamhost was having some issues.
Once the hack was in, it added a line of code to every PHP page it could find. Pretty annoying, but I cleaned it all up in an hour.
jdog — 2012-02-27T17:21:44-05:00 — #5
No, not fishy at all. These attacks are all automated and part of a criminal value chain. It's like a town where all the security guards have gone out to their company function. Why rob one bank only? Criminals will just rob them all.
cheesedude — 2012-03-01T11:10:24-05:00 — #6
Looking at that Dreamhost thread, it does sound more like the host was hacked and not individual clients.
Almost all of my sites on Dreamhost have been attacked. Not just my own personal sites, but also client sites I have set up on separate accounts. This has never really happened before, which is why I've been a customer for so long. It's curious that this coincides with their massive security breach. I contacted them and 7 days later I was told it was my fault and they are not responsible for my files. In any case I trusted them to safeguard my passwords and in that regard they obviously failed.
This kind of thing happens, unfortunately. What is most bothersome is that Dreamhost seems to be blaming the clients. If Dreamhost is to blame, and it appears that they are, they should "man up" and admit it and formulate a plan to prevent anything like that from happening again in the future.
When I submitted my trouble ticket to DreamHost, I got back the form letter some of you also got, basically blaming the trouble on me, saying security was solely my responsibility, but that I could try, with no guarantees, restoring from DreamHost backups (if they have them).
It's too bad there is no real ability to blanket ban all traffic from countries like Russia and its former satellites and China. That's where most of the hacking comes from.