Sometime last night (07/06/2007) the DreamHost servers suffered a security breach. Apparently the exact problem relates to a fairly large number (about 3,500) of FTP accounts on the DreamHost servers. I discovered that one of my accounts was involved. As a result, some pages within my site are now unreachable and others may have nefarious links in them. While I have done my best to remove the spam links, if you do find anything untoward please let me know.
I would be lying if I said this has not concerned me, for the following reasons.
- I only ever use/used SFTP or SSH to connect to my domains and for file transfers
- I only ever use SSL/https for connecting to my email
- I use very secure passwords: 20 characters, mixed case, special characters and alphanumerics; I figure they are about 160+ bit
- Every user account has a different password of this strength
- I change them pretty regularly
- As I mentioned to my friend Macca, I don't even know the passwords. They are generated randomly and stored encrypted by KeePass (or KeePassX on the Mac). So how did someone else manage to get them?
As a result of the breach, all account passwords and some key user names within the domain have now been altered. I can only hope that only this single account has been compromised. Fortunately the account involved only had SFTP access, but that still makes it very worrying.
If you use DreamHost I would recommend a full user account and/or password update, just in case, and check, then double-check, your sites and your clients' sites, if they are hosted with DreamHost, for spam links.
The files that seemed to be affected on my domains were index.php and index.html files.
This is the first serious problem I have had with my hosting at DreamHost, so I am waiting for the dust to settle on this before making any switching plans.
The “full details” of the breach from DreamHost are in the email below.
This email is regarding a potential security concern related to your
‘XXXXXXX’ FTP account.
We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.
We’re still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
Our records indicate that only roughly 20% of the accounts accessed –
less than 0.15% of the total accounts that we host – actually had
any changes made to them. Most accounts were untouched.
We ask that you do the following as soon as possible:
1. Immediately change your FTP password, as well as that of any other
accounts that may share the same password. We recommend the use of
passwords containing 8 or more random letters and numbers. You may
change your FTP password from the web panel (“Users” section, “Manage
2. Review your hosted accounts/sites and ensure that nothing has been
uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder
logged in, obtained a directory listing and quickly logged back out)
but to be sure you should carefully review the full contents of your
Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (i.e. ‘index.php’, ‘index.html’, etc. – though we
recommend looking for other changes as well).
It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.
In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching of a handful of possible exploits.
We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:
Thank you for your patience. If you have any questions or concerns,
please let us know.
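The post's advice to check and double-check hosted sites for spam links, and step 2 of DreamHost's email (review everything, with index documents the only known target), both come down to the same two checks. The script below is an added example, not code from the post or from DreamHost: it walks a web root, flags index files that have data appended after the closing </html> or hidden blocks of outbound links, and builds a SHA-256 manifest so that any later change to any file stands out. The index file names, the spam heuristics (hidden wrappers, links to hosts other than your own) and the hostnames in the usage line are this example's own assumptions, not indicators published by DreamHost.

```python
"""Check a web root for the tampering the post describes: index documents with
data appended after </html> or hidden blocks of outbound links, plus a SHA-256
manifest so later changes to any file stand out. Added example; the spam
heuristics, file names and hostnames are assumptions, not DreamHost indicators."""
import hashlib
import os
import re
from urllib.parse import urlparse

INDEX_NAMES = {"index.php", "index.html", "index.htm"}  # assumed targets

# Assumed SEO-spam traits: absolute links to hosts that are not ours, and
# wrapper elements styled so visitors never see them but crawlers do.
ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(
    r'<(div|span|p)\b[^>]*style\s*=\s*["\'][^"\']*'
    r'(?:display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px)'
    r'[^"\']*["\'][^>]*>(.*?)</\1>',
    re.I | re.S,
)


def trailing_content(html):
    """Whatever follows the last </html>; a clean page has nothing there."""
    end = html.lower().rfind("</html>")
    return "" if end == -1 else html[end + len("</html>"):].strip()


def foreign_link_hosts(fragment, own_hosts):
    """Hostnames of absolute links in fragment that do not point at our own sites."""
    hosts = []
    for match in ANCHOR_RE.finditer(fragment):
        host = (urlparse(match.group(1)).hostname or "").lower()
        if host and host not in own_hosts:
            hosts.append(host)
    return hosts


def inspect_index(html, own_hosts=()):
    """Findings for one index document; an empty list means nothing suspicious."""
    own = {h.lower() for h in own_hosts}
    findings = []
    tail = trailing_content(html)
    if tail:
        hosts = sorted(set(foreign_link_hosts(tail, own)))
        findings.append(f"{len(tail)} bytes appended after </html>"
                        + (f" linking to {hosts}" if hosts else ""))
    for match in HIDDEN_RE.finditer(html):
        hosts = sorted(set(foreign_link_hosts(match.group(2), own)))
        if hosts:
            findings.append(f"hidden <{match.group(1).lower()}> with links to {hosts}")
    return findings


def scan_index_files(root, own_hosts=()):
    """Walk root; return {relative path: findings} for each suspicious index file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = inspect_index(fh.read(), own_hosts)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


def build_manifest(root):
    """SHA-256 of every file under root keyed by relative path: a tripwire baseline."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Files changed, added or removed since the baseline manifest was taken."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    import sys  # usage: python check_site.py /path/to/webroot example.com www.example.com
    web_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel_path, notes in scan_index_files(web_root, sys.argv[2:]).items():
        print(rel_path)
        for note in notes:
            print("  -", note)
```

The heuristic scan only catches the pattern described in the email (spam appended to index documents); the manifest is what catches everything else, but only if it was taken before the intruder logged in. Take one now, after cleaning up, and keep it off the server: an intruder holding the FTP credentials can rewrite a manifest stored in the web root just as easily as the index files.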