[totung]

I just received an email from DreamHost stating the following:

--------
We were forced to disable your '####' FTP/shell user due to indications
of spam originating from the user. Most likely, one or more of the
scripts under your user was compromised and will need to be secured.

Before we are able to re-enable this user, we will need to make sure
those scripts have been secured.

Please reply back with any questions or concerns so we can assist you
further.
--------

First of all, I have no clue what "scripts" they are talking about.

Second, I am unable to FTP in to "secure" them because my user is disabled.

I now have 30+ websites that are down because of someone most likely jumping the gun.

[Gene Steinberg]

You were notified that your account is sending spam. Spam is obviously illegal. Paragraph three of the message you received explains that you should contact DreamHost's support people for guidance on how to address the problem. Do you really believe they simply plucked your account at random out of 300,000 to knock you offline?

[totung]

you received the same email too!?!?!?!?

---

(02-20-2012 08:30 AM)Gene Steinberg Wrote:  You were notified that your account is sending spam. Spam is obviously illegal. Paragraph three of the message you received explains that you should contact DreamHost's support people for guidance on how to address the problem. Do you really believe they simply plucked your account at random out of 300,000 to knock you offline?

I contacted them 6 times in the past hour.

Would also be cool if they told me what script(s) are sending the spam.

I only have one script that sends email. The email that it sends out is to specific email addresses on a mailing list that people signed up for.

[Gene Steinberg]

No, I've never received any email of that sort. Never said I did, but I do know enough about this business to tell you that they didn't just pick your account out of a hat. You need to check the script that sends email, obviously.

[totung]

(02-20-2012 09:05 AM)Gene Steinberg Wrote:  No, I've never received any email of that sort. Never said I did, but I do know enough about this business to tell you that they didn't just pick your account out of a hat. You need to check the script that sends email, obviously.

I would, if they told me what script they were referring to, and if I could FTP in.

I am unable to though, because my account is disabled.

[Gene Steinberg]

(02-20-2012 09:10 AM)totung Wrote:  I would, if they told me what script they were referring to, and if I could FTP in.

I am unable to though, because my account is disabled.

You said the only script you used was one that sent email. You are being accused of sending spam. Can you not put two and two together?

I suggest you wait for someone to answer you, since you claim to have sent several inquiries.

[ottodv]

They disable one user and 30+ sites go down... are all your sites under the same user?

If it's not just your own e-mail script that is somehow being abused, but instead one or more of your scripts have been compromised as DH suggests could be the case, you're going to have a hell of time figuring out which scripts they are and where your security leak was. You should also assume that all the sites under that user may now have been compromised and will need checking.

DH can't tell you which scripts are sending the spam, they only see what server and user the spam comes from. When everything is under one user that doesn't really help to narrow it down.

[totung]

(02-20-2012 04:27 PM)ottodv Wrote:  DH can't tell you which scripts are sending the spam, they only see what server and user the spam comes from. When everything is under one user that doesn't really help to narrow it down.

If they can't tell me what script(s) are sending the spam, how will they be able to go in to make sure they have been secured?

"Before we are able to re-enable this user, we will need to make sure
those scripts have been secured."

[ottodv]

(02-21-2012 06:05 AM)totung Wrote:  If they can't tell me what script(s) are sending the spam, how will they be able to go in to make sure they have been secured?

"Before we are able to re-enable this user, we will need to make sure
those scripts have been secured."

To me that looks like a polite use of the word "we", what it probably means is that *you* have to make sure they have been secured and then swear that you did clean then up by maybe showing them which ones you've cleaned up so that they can verify it. It's of course clear they can't be 100% sure that you've cleaned them all up, but when they reactivate your user, they'll see if the spam starts flowing from it again or not.

[totung]

(02-21-2012 06:25 AM)ottodv Wrote:  To me that looks like a polite use of the word "we", what it probably means is that *you* have to make sure they have been secured and then swear that you did clean then up by maybe showing them which ones you've cleaned up so that they can verify it. It's of course clear they can't be 100% sure that you've cleaned them all up, but when they reactivate your user, they'll see if the spam starts flowing from it again or not.

Without FTP access, how am I supposed to do that again?