Seems my account is caught in the DreamHost security breach. Checked my pages (via “View Source” in the browser) after the first announcement from DreamHost, did not see any junk, and let things alone. Since DreamHost claimed to be notifying customers whose accounts were compromised, and I had seen nothing from DreamHost (and still have not), I assumed (for the moment) that I was not affected.

Wrong. Last night noticed some junk in one of my pages - hidden via “display:none” - similar to this report.

On 2007-06-13 between 15:31 and 15:35 someone ran a script and altered the index.html and index.php files on my site. Last night I backed up the entire site, then edited out the junk. Filed a support request reporting the breach. I did not change my FTP password (intentionally!) to see if the breach would be repeated.

It was. Checked again early this morning. On 2007-06-15 at 04:42 someone again altered index.html and index.php files (a smaller number this time). Changed my FTP password, backed up the changed files, and removed the junk.

Digging a little deeper, ran “last -ad myusername | grep -v myhomeip”, and got:

xxxxxxxx ftpd24994    Fri Jun 15 04:42 - 04:43  (00:00)     venus.websiteactive.com
xxxxxxxx ftpd28128    Fri Jun 15 01:28 - 01:28  (00:00)     venus.websiteactive.com
xxxxxxxx ftpd4197     Wed Jun 13 15:25 - 15:35  (00:09)     neptune.pronameservice.net
xxxxxxxx ftpd30356    Tue Jun 12 15:32 - 15:32  (00:00)     hv111.steephost.com
xxxxxxxx ftpd555      Sun Jun 10 09:41 - 09:41  (00:00)     gator188.hostgator.com
xxxxxxxx ftpd5386     Sat Jun  9 10:45 - 10:45  (00:00)     85.222.183.212
xxxxxxxx ftpd2599     Sat Jun  9 10:45 - 10:45  (00:00)     85.222.183.212
xxxxxxxx ftpd8498     Sat Jun  9 10:45 - 10:45  (00:00)     85.222.183.212
xxxxxxxx ftpd20735    Sat Jun  9 10:45 - 10:45  (00:00)     85.222.183.212
xxxxxxxx ftpd24834    Sat Jun  9 10:45 - 10:45  (00:00)     85.222.183.212
xxxxxxxx ftpd19653    Sat Jun  9 10:44 - 10:44  (00:00)     85.222.183.212
xxxxxxxx ftpd15132    Sat Jun  9 10:44 - 10:44  (00:00)     85.222.183.212
xxxxxxxx ftpd10851    Sat Jun  9 10:44 - 10:44  (00:00)     85.222.183.212
xxxxxxxx ftpd10095    Sat Jun  9 10:44 - 10:44  (00:00)     85.222.183.212
xxxxxxxx ftpd14762    Sat Jun  9 10:44 - 10:44  (00:00)     85.222.183.212
xxxxxxxx ftpd32292    Fri Jun  8 15:20 - 15:20  (00:00)     gator188.hostgator.com
xxxxxxxx ftpd25266    Fri Jun  8 05:59 - 06:00  (00:00)     219.83.97.23
xxxxxxxx ftpd26076    Fri Jun  8 05:59 - 05:59  (00:00)     219.83.97.23
xxxxxxxx ftpd2712     Fri Jun  8 05:59 - 05:59  (00:00)     219.83.97.23
xxxxxxxx ftpd10378    Fri Jun  8 05:59 - 05:59  (00:00)     219.83.97.23
xxxxxxxx ftpd8738     Fri Jun  8 05:59 - 05:59  (00:00)     219.83.97.23
xxxxxxxx ftpd15500    Fri Jun  8 05:59 - 05:59  (00:00)     219.83.97.23
xxxxxxxx ftpd741      Fri Jun  8 05:58 - 05:58  (00:00)     219.83.97.23
xxxxxxxx ftpd9567     Fri Jun  8 05:58 - 05:58  (00:00)     219.83.97.23
xxxxxxxx ftpd31931    Fri Jun  8 05:58 - 05:58  (00:00)     219.83.97.23
xxxxxxxx ftpd17539    Fri Jun  8 05:58 - 05:58  (00:00)     219.83.97.23
xxxxxxxx ftpd17       Fri Jun  8 05:58 - 05:58  (00:00)     219.83.97.23
xxxxxxxx ftpd20698    Fri Jun  8 05:57 - 05:58  (00:00)     219.83.97.23
xxxxxxxx ftpd4417     Fri Jun  8 05:57 - 05:57  (00:00)     219.83.97.23
xxxxxxxx ftpd32161    Fri Jun  8 05:57 - 05:57  (00:00)     219.83.97.23
xxxxxxxx ftpd24593    Fri Jun  8 05:57 - 05:57  (00:00)     219.83.97.23
xxxxxxxx ftpd3318     Fri Jun  8 05:57 - 05:57  (00:00)     219.83.97.23
xxxxxxxx ftpd2887     Fri Jun  8 05:57 - 05:57  (00:00)     219.83.97.23
xxxxxxxx ftpd10251    Fri Jun  8 05:56 - 05:57  (00:00)     219.83.97.23
xxxxxxxx ftpd28277    Fri Jun  8 05:56 - 05:56  (00:00)     219.83.97.23
xxxxxxxx ftpd6156     Fri Jun  8 05:56 - 05:56  (00:00)     219.83.97.23
xxxxxxxx ftpd4639     Fri Jun  8 05:56 - 05:56  (00:00)     219.83.97.23
xxxxxxxx ftpd14610    Fri Jun  8 05:56 - 05:56  (00:00)     219.83.97.23
xxxxxxxx ftpd7016     Fri Jun  8 05:56 - 05:56  (00:00)     219.83.97.23
xxxxxxxx ftpd31218    Fri Jun  8 05:55 - 05:56  (00:00)     219.83.97.23
xxxxxxxx ftpd15428    Fri Jun  8 05:55 - 05:55  (00:00)     219.83.97.23
xxxxxxxx ftpd23894    Fri Jun  8 05:55 - 05:55  (00:00)     219.83.97.23
xxxxxxxx ftpd12686    Fri Jun  8 05:55 - 05:55  (00:00)     219.83.97.23
xxxxxxxx ftpd26025    Fri Jun  8 05:55 - 05:55  (00:00)     219.83.97.23
xxxxxxxx ftpd32523    Fri Jun  8 05:55 - 05:55  (00:00)     219.83.97.23
xxxxxxxx ftpd22799    Fri Jun  8 05:55 - 05:55  (00:00)     219.83.97.23
xxxxxxxx ftpd17447    Fri Jun  8 05:54 - 05:55  (00:00)     219.83.97.23
xxxxxxxx ftpd20174    Thu Jun  7 14:37 - 14:37  (00:00)     hv111.steephost.com
xxxxxxxx ftpd29543    Mon Jun  4 04:33 - 04:33  (00:00)     sv25.xserverzero.net
xxxxxxxx ftpd19850    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19848    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19843    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19840    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19836    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19833    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19830    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19829    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19827    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19825    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19821    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19819    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19812    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19809    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19805    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19804    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19798    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19797    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19792    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19790    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19788    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19787    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19785    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19782    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19781    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19779    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19775    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19774    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19772    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info
xxxxxxxx ftpd19770    Sun Jun  3 22:20 - 22:20  (00:00)     server.site60.info

So it does look like the access is via FTP, using subverted sites, and has been ongoing for at least a couple of weeks (the last log only goes back that far). This also tells us that the DreamHost folk are at somewhat less than guru status, as if in their shoes I’d have written scripts to look for this sort of pattern, notified customers, and (possibly) blocked access from known subverted sites. For someone of strong ability, this is not hard.

In fact I am more amused than bothered by this. All my stuff is backed up, and I never assumed a webhosting account would be secure (at least in any strong sense). I expect most webhost outfits are similar (or worse). I am slightly bothered that they don’t seem to have access to at least one really sharp guy … but not surprised.

So … with proof of ongoing access, and after changing my FTP password, by tomorrow we should know whether this was a one-time breach of the FTP password list, or something deeper.

BTW - a hint for fixing the changed files (tedious but not difficult) from the shell.

vi `find sitedirectory -type f -newer fileslightlyolderthanhack`

Of course, if you have a really large number of changed files, you want to restore from backup, or write a Perl script.
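The two checks above, the `last` review and the `find -newer` sweep, scripted as an added example (this is not the post's own code): `ftp_sources` summarises FTP sessions by remote host while dropping the owner's address, and `injected_files` lists changed files carrying the hidden-div marker. The sample log lines, hostnames and the `HOME_IP` value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Two defender-side checks the
# post does by hand: (1) summarise FTP sessions in `last -ad` output by
# remote host, excluding the owner's own address; (2) list web files newer
# than a reference file that carry the "display:none" marker of the
# injected junk. Sample log lines and hostnames below are constructed.

HOME_IP="${HOME_IP:-192.0.2.10}"   # assumed owner address (placeholder)

# Constructed sample in the `last -a` layout (remote host in last column).
SAMPLE_LAST='myuser   ftpd24994   Fri Jun 15 04:42 - 04:43  (00:00)   venus.example-host.test
myuser   ftpd28128   Fri Jun 15 01:28 - 01:28  (00:00)   venus.example-host.test
myuser   ftpd4197    Wed Jun 13 15:25 - 15:35  (00:09)   neptune.example-dns.test
myuser   ftpd5386    Sat Jun  9 10:45 - 10:45  (00:00)   203.0.113.7
myuser   ftpd2599    Sat Jun  9 10:45 - 10:45  (00:00)   203.0.113.7
myuser   ftpd8498    Sat Jun  9 10:45 - 10:45  (00:00)   203.0.113.7
myuser   ftpd20735   Sat Jun  9 10:44 - 10:44  (00:00)   203.0.113.7
myuser   ftpd24834   Sat Jun  9 10:44 - 10:44  (00:00)   203.0.113.7
myuser   pts/3       Sat Jun  9 09:00 - 09:30  (00:30)   198.51.100.4
myuser   ftpd777     Fri Jun  8 12:00 - 12:01  (00:01)   192.0.2.10'

# ftp_sources LAST_OUTPUT
# Prints "count host" for every remote host that opened an FTP session and
# is not the owner's address, busiest host first. Non-ftpd sessions (pts
# terminals from ssh logins) are ignored, so the summary matches the
# post's "last -ad | grep -v myhomeip" but aggregated per host.
ftp_sources() {
    printf '%s\n' "$1" |
        awk -v home="$HOME_IP" '
            $2 ~ /^ftpd/ && $NF != home { n[$NF]++ }
            END { for (h in n) print n[h], h }' |
        sort -rn
}

# injected_files SITEDIR REFERENCE_FILE
# Lists files under SITEDIR modified after REFERENCE_FILE (the same test as
# the post's `find -newer`) that contain a display:none style, the marker
# of the injected hidden block; review each hit before editing it out.
injected_files() {
    find "$1" -type f -newer "$2" -exec grep -il 'display: *none' {} +
}

ftp_sources "$SAMPLE_LAST"
```

In practice feed `ftp_sources` the real output, e.g. `ftp_sources "$(last -ad myusername)"`, and point `injected_files` at the web root and a file last touched just before the modification window.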

Update 2007.06.16: Changing the password on the one account with FTP access to the website files (on Friday morning) seems to be all that was needed. Did get a reasonable response (and another response to my reply) from DreamHost well within 24 hours on filing a support request. I am satisfied with their response, though I stand by what I said above.