random memes

Caught in the DreamHost(?) security breach

Seems my account is caught in the DreamHost security breach. Checked my pages (via "View Source" in the browser) after the first announcement from DreamHost, did not see any junk, and let things alone. Since DreamHost claimed to be notifying customers whose accounts were compromised, and I had seen nothing from DreamHost (and still have not), I assumed (for the moment) that I was not affected.

Wrong. Last night noticed some junk in one of my pages - hidden via "display:none" - similar to this report.

On 2007-06-13 between 15:31 and 15:35 someone ran a script and altered the index.html and index.php files on my site. Last night I backed up the entire site, then edited out the junk. Filed a support request reporting the breach. I did not change my FTP password (intentionally!) to see if the breach would be repeated.

It was. Checked again early this morning. On 2007-06-15 at 04:42 someone again altered index.html and index.php files (a smaller number this time). Changed my FTP password, backed up the changed files, and removed the junk.

Digging a little deeper, ran "last -ad myusername | grep -v myhomeip", and got:

xxxxxxxx ftpd24994 Fri Jun 15 04:42 - 04:43 (00:00) venus.websiteactive.com
xxxxxxxx ftpd28128 Fri Jun 15 01:28 - 01:28 (00:00) venus.websiteactive.com
xxxxxxxx ftpd4197 Wed Jun 13 15:25 - 15:35 (00:09) neptune.pronameservice.net
xxxxxxxx ftpd30356 Tue Jun 12 15:32 - 15:32 (00:00) hv111.steephost.com
xxxxxxxx ftpd555 Sun Jun 10 09:41 - 09:41 (00:00) gator188.hostgator.com
xxxxxxxx ftpd5386 Sat Jun 9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd2599 Sat Jun 9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd8498 Sat Jun 9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd20735 Sat Jun 9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd24834 Sat Jun 9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd19653 Sat Jun 9 10:44 - 10:44 (00:00) 85.222.183.212
xxxxxxxx ftpd15132 Sat Jun 9 10:44 - 10:44 (00:00) 85.222.183.212
xxxxxxxx ftpd10851 Sat Jun 9 10:44 - 10:44 (00:00) 85.222.183.212
xxxxxxxx ftpd10095 Sat Jun 9 10:44 - 10:44 (00:00) 85.222.183.212
xxxxxxxx ftpd14762 Sat Jun 9 10:44 - 10:44 (00:00) 85.222.183.212
xxxxxxxx ftpd32292 Fri Jun 8 15:20 - 15:20 (00:00) gator188.hostgator.com
xxxxxxxx ftpd25266 Fri Jun 8 05:59 - 06:00 (00:00) 219.83.97.23
xxxxxxxx ftpd26076 Fri Jun 8 05:59 - 05:59 (00:00) 219.83.97.23
xxxxxxxx ftpd2712 Fri Jun 8 05:59 - 05:59 (00:00) 219.83.97.23
xxxxxxxx ftpd10378 Fri Jun 8 05:59 - 05:59 (00:00) 219.83.97.23
xxxxxxxx ftpd8738 Fri Jun 8 05:59 - 05:59 (00:00) 219.83.97.23
xxxxxxxx ftpd15500 Fri Jun 8 05:59 - 05:59 (00:00) 219.83.97.23
xxxxxxxx ftpd741 Fri Jun 8 05:58 - 05:58 (00:00) 219.83.97.23
xxxxxxxx ftpd9567 Fri Jun 8 05:58 - 05:58 (00:00) 219.83.97.23
xxxxxxxx ftpd31931 Fri Jun 8 05:58 - 05:58 (00:00) 219.83.97.23
xxxxxxxx ftpd17539 Fri Jun 8 05:58 - 05:58 (00:00) 219.83.97.23
xxxxxxxx ftpd17 Fri Jun 8 05:58 - 05:58 (00:00) 219.83.97.23
xxxxxxxx ftpd20698 Fri Jun 8 05:57 - 05:58 (00:00) 219.83.97.23
xxxxxxxx ftpd4417 Fri Jun 8 05:57 - 05:57 (00:00) 219.83.97.23
xxxxxxxx ftpd32161 Fri Jun 8 05:57 - 05:57 (00:00) 219.83.97.23
xxxxxxxx ftpd24593 Fri Jun 8 05:57 - 05:57 (00:00) 219.83.97.23
xxxxxxxx ftpd3318 Fri Jun 8 05:57 - 05:57 (00:00) 219.83.97.23
xxxxxxxx ftpd2887 Fri Jun 8 05:57 - 05:57 (00:00) 219.83.97.23
xxxxxxxx ftpd10251 Fri Jun 8 05:56 - 05:57 (00:00) 219.83.97.23
xxxxxxxx ftpd28277 Fri Jun 8 05:56 - 05:56 (00:00) 219.83.97.23
xxxxxxxx ftpd6156 Fri Jun 8 05:56 - 05:56 (00:00) 219.83.97.23
xxxxxxxx ftpd4639 Fri Jun 8 05:56 - 05:56 (00:00) 219.83.97.23
xxxxxxxx ftpd14610 Fri Jun 8 05:56 - 05:56 (00:00) 219.83.97.23
xxxxxxxx ftpd7016 Fri Jun 8 05:56 - 05:56 (00:00) 219.83.97.23
xxxxxxxx ftpd31218 Fri Jun 8 05:55 - 05:56 (00:00) 219.83.97.23
xxxxxxxx ftpd15428 Fri Jun 8 05:55 - 05:55 (00:00) 219.83.97.23
xxxxxxxx ftpd23894 Fri Jun 8 05:55 - 05:55 (00:00) 219.83.97.23
xxxxxxxx ftpd12686 Fri Jun 8 05:55 - 05:55 (00:00) 219.83.97.23
xxxxxxxx ftpd26025 Fri Jun 8 05:55 - 05:55 (00:00) 219.83.97.23
xxxxxxxx ftpd32523 Fri Jun 8 05:55 - 05:55 (00:00) 219.83.97.23
xxxxxxxx ftpd22799 Fri Jun 8 05:55 - 05:55 (00:00) 219.83.97.23
xxxxxxxx ftpd17447 Fri Jun 8 05:54 - 05:55 (00:00) 219.83.97.23
xxxxxxxx ftpd20174 Thu Jun 7 14:37 - 14:37 (00:00) hv111.steephost.com
xxxxxxxx ftpd29543 Mon Jun 4 04:33 - 04:33 (00:00) sv25.xserverzero.net
xxxxxxxx ftpd19850 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19848 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19843 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19840 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19836 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19833 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19830 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19829 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19827 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19825 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19821 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19819 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19812 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19809 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19805 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19804 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19798 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19797 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19792 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19790 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19788 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19787 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19785 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19782 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19781 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19779 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19775 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19774 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19772 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info
xxxxxxxx ftpd19770 Sun Jun 3 22:20 - 22:20 (00:00) server.site60.info

So it does look like the access is via FTP, from subverted sites, and has been ongoing for at least a couple of weeks (the log read by "last" only goes back that far). This also tells us that the DreamHost folk are at somewhat less than guru status, since in their shoes I'd have written scripts to look for this sort of pattern, notified customers, and (possibly) blocked access from known subverted sites. For someone of strong ability, this is not hard.
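As an added example (not DreamHost's tooling and not the post author's script), here is the sort of check the paragraph above has in mind: it reads "last -ad" lines, drops the owner's own address the way the grep -v above does, reports each foreign source host with its session count, and flags any host that opened a burst of ftpd sessions within a single minute, which is the signature of a scripted upload rather than a person using an FTP client. The sample lines are constructed to match the shape of the entries shown above; the home address 203.0.113.5 and the burst threshold are assumptions.

```shell
#!/bin/sh
# Added example, not DreamHost's tooling or the post author's script: scan
# `last -ad` output for FTP logins that look scripted. The home address and
# the burst threshold are assumptions; the sample lines are constructed to
# match the shape of the entries shown in the post.

HOME_IP=203.0.113.5   # assumed owner address, dropped like "grep -v myhomeip"
BURST=3               # assumed: this many sessions in one minute = a script

# Constructed sample of `last -ad` lines: user, tty, day, date, times, host.
# The trailing "wtmp begins" footer is what a real `last` prints at the end.
SAMPLE_LAST='xxxxxxxx ftpd24994 Fri Jun 15 04:42 - 04:43 (00:00) venus.websiteactive.com
xxxxxxxx ftpd4197  Wed Jun 13 15:25 - 15:35 (00:09) neptune.pronameservice.net
xxxxxxxx ftpd12000 Wed Jun 13 09:02 - 09:40 (00:38) 203.0.113.5
xxxxxxxx ftpd5386  Sat Jun  9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd2599  Sat Jun  9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd8498  Sat Jun  9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd20735 Sat Jun  9 10:45 - 10:45 (00:00) 85.222.183.212
xxxxxxxx ftpd19653 Sat Jun  9 10:44 - 10:44 (00:00) 85.222.183.212
xxxxxxxx ftpd32292 Fri Jun  8 15:20 - 15:20 (00:00) gator188.hostgator.com

wtmp begins Sun Jun  3 00:00:01 2007'

# foreign_ftp_hosts: read `last -ad` lines on stdin and print "count host"
# for every ftpd session whose source is not HOME_IP, busiest host first.
# Only lines whose tty field starts with "ftpd" count, so the wtmp footer
# and any ssh sessions are ignored.
foreign_ftp_hosts() {
    awk -v home="$HOME_IP" '
        $2 ~ /^ftpd/ && $NF != home { n[$NF]++ }
        END { for (h in n) printf "%d %s\n", n[h], h }
    ' | sort -rn
}

# ftp_bursts: print "count host Mon DD HH:MM" for every host that opened
# BURST or more ftpd sessions in the same login minute. A person driving an
# FTP client opens one session; a script re-connects once per file.
ftp_bursts() {
    awk -v home="$HOME_IP" -v burst="$BURST" '
        $2 ~ /^ftpd/ && $NF != home {
            key = $NF " " $4 " " $5 " " $6   # host, month, day, login HH:MM
            n[key]++
        }
        END { for (k in n) if (n[k] >= burst) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

# Against the live log, replace the sample with:  last -ad "$USER" | ...
echo "foreign FTP sources:"
printf '%s\n' "$SAMPLE_LAST" | foreign_ftp_hosts
echo "scripted bursts (>= $BURST sessions in one minute):"
printf '%s\n' "$SAMPLE_LAST" | ftp_bursts
```

The burst list is the part worth automating at a host: the same host opening many sessions in one minute, from an address that belongs to another hosting provider, is exactly the pattern in the log above, and a provider can run this over every customer's wtmp rather than waiting for customers to notice hidden markup in their pages.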

In fact I am more amused than bothered by this. All my stuff is backed up, and I never assumed a webhosting account would be secure (at least in any strong sense). I expect most webhost outfits are similar (or worse). I am slightly bothered that they don't seem to have access to at least one really sharp guy ... but not surprised.

So ... with proof of ongoing access, and after changing my FTP password, by tomorrow we should know whether this was a one-time breach of the FTP password list, or something deeper.

BTW - a hint for fixing the changed files (tedious but not difficult) from the shell.

vi $(find sitedirectory -type f -newer fileslightlyolderthanhack)

Of course, if you have a really large number of changed files, you want to restore from backup, or write a Perl script. Note that -newer compares modification times, which an intruder who cares can reset with touch, so when a backup exists, diff the tree against it (or grep for the hidden markup) rather than trusting timestamps alone.
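The find one-liner above lists the changed files and opens them in vi. As an added example (not the post author's script), here is a slightly fuller shell version of the same clean-up: it lists files modified after a reference file, picks out those carrying a hidden block like the one the post describes, shows what was added, and puts the clean copy back from a backup. The directory layout, the reference file and the marker text "display:none" are assumptions for the demo, which builds its own throwaway site tree.

```shell
#!/bin/sh
# Added example, not the post author's script: list the files modified after
# a reference file, pick out those carrying a hidden block like the one the
# post describes, and put the clean copy back from a backup. The directory
# layout, the reference file and the marker text are assumptions for the demo.

MARKER='display:none'   # assumed: what the injected markup used to hide itself

# changed_since REF DIR: files under DIR whose mtime is later than REF's,
# i.e. the "find -newer" trick from the post as a reusable function.
# Caveat: mtime is under the intruder's control (touch resets it), so do not
# treat an empty result as proof that nothing was changed.
changed_since() {
    find "$2" -type f -newer "$1"
}

# injected_files DIR: every file under DIR that contains MARKER, whatever its
# mtime says. This is the content check that backs up the timestamp check.
injected_files() {
    find "$1" -type f -exec grep -l -- "$MARKER" {} +
}

# restore_from_backup DIR BACKUP: for each injected file under DIR, show what
# was added (diff against the backup copy), then overwrite it with the copy.
# Files with no backup are reported so they can be edited by hand.
restore_from_backup() {
    injected_files "$1" | while IFS= read -r f; do
        rel=${f#"$1"/}
        if [ -f "$2/$rel" ]; then
            diff -u "$2/$rel" "$f" || true   # exit status 1 only means "differs"
            cp "$2/$rel" "$f"
            printf 'restored %s\n' "$rel"
        else
            printf 'no backup for %s, edit by hand\n' "$rel"
        fi
    done
}

# make_demo: build a tiny site, a clean backup of it, and a reference file
# dated before the (simulated) attack, then append a hidden block to one
# page the way the post describes. Prints the demo root directory.
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/site/blog" "$root/backup/blog"
    printf '<html><body><h1>Home</h1></body></html>\n' > "$root/site/index.html"
    printf '<html><body><p>About</p></body></html>\n' > "$root/site/blog/about.html"
    touch -t 200706010000 "$root/site/index.html" "$root/site/blog/about.html"
    cp "$root/site/index.html" "$root/backup/index.html"
    cp "$root/site/blog/about.html" "$root/backup/blog/about.html"
    touch -t 200706131530 "$root/ref"          # the "file slightly older than hack"
    # Simulated injection: appending bumps index.html's mtime to now.
    printf '<div style="display:none"><a href="http://example.invalid/">junk</a></div>\n' \
        >> "$root/site/index.html"
    printf '%s\n' "$root"
}

# Against a real site the calls would look like (paths assumed):
#   changed_since ~/backup/marker ~/example.com
#   restore_from_backup ~/example.com ~/backup/example.com
DEMO=$(make_demo)
echo "changed since reference:";  changed_since "$DEMO/ref" "$DEMO/site"
echo "carrying a hidden block:";  injected_files "$DEMO/site"
restore_from_backup "$DEMO/site" "$DEMO/backup"
rm -rf "$DEMO"
```

Keeping the timestamp check and the content check separate matters: the first is quick and tells you when things happened, the second is what you trust, because an intruder who resets mtimes defeats -newer but not grep.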

Update 2007.06.16: Changing the password on the one account with FTP access to the website files (on Friday morning) seems to be all that was needed. Did get a reasonable response (and another response to my reply) from DreamHost well within 24 hours on filing a support request. I am satisfied with their response, though I stand by what I said above.