All my sites hacked - check yours too!

wordpress

#1

I’ve been hosted by DreamHost for 3 years. I’ve never had any problems with my account, and I consider myself to be reasonably web savvy. I discovered today that all the sites on my account were hacked today. Specifically, the home pages were all edited to add dozens of spam links. I checked the domain listed in the spam, and it turns out to be another DreamHost site, which has also been hacked.

I strongly suggest that you view the source code of your home pages to check for hidden spam.


si-blog | Keystone Websites


#2

Are these PHP generated pages, or static? This certainly is a bizarre occurrence.

I’m on garth and a random sampling of my static and dynamic site page source show no vandalism.

Are your sites and that other Dreamhost site on the same server?

-Scott


#3

It’s much more likely that your account was compromised than that your server was; given the number of sites hosted by DreamHost, that the links were to another DH site is probably a coincidence.

Is your WordPress installation at 2.2? Is your PHP at 5.2.2? You may as well look through all your scripts for likely holes.

emufarmers.com
Very little to do with either emus or farmers!


#4

I just checked my sites, no tampering that I can see, but I re-uploaded things, just to be sure.

Like Scott, I would be interested if that other DreamHost site was indeed on the same server as you.

Mark




#5

I’ll have to check my sites once DH solves the DNS problems, all of my sites are currently AWOL.


Web Hosting Reviews | Get Around The Net Directory


#6

is this because of what I said?


BUGabundo :o)


#7

hello,

that sucks … I chk my site … all is good

HEY ANYONE KNOW WHAT their avg. bandwidth per user is … I'm esp. interested in adult sites ??

I HAVE MORE THAN 40 GIGS WORTH OF STUFF ON MY SITE ??

thks m


#8

I do not use WordPress. In fact, I do not use any third-party software on any of my sites. Everything is hand-built. Every single domain and subdomain I have was affected, and most of them are simply static HTML.


si-blog | Keystone Websites


#9

You were the first person to spot the error. The home page on my Keystone Websites site wasn’t working at all because the hacked code was not well-formed. You’d think these hacker scum could at least write valid, well-formed code, eh?

As of right now, most of my websites are down (including email), but I suspect that is more to do with the current DNS issues than anything else.


si-blog | Keystone Websites


#10

after my post here, I went to check your site, and everything looked just fine


BUGabundo :o)


#11

I noticed yesterday that one of my sites was hacked, and today DreamHost sent me email “permanently banning” me “without refund.” They won’t respond to any of my emails begging to know why they’ve chosen to ban me or how to get all my data back.

As soon as we noticed the hacking, we changed the password on the user that was hacked and deleted the affected files.

This is crazy that DreamHost would cancel my account entirely without warning. I’m extremely frustrated by the lack of response over the last several hours as I try to reach them to find out why they’ve done this to me.


#12

[quote]I’m extremely frustrated by the lack of response over the last several hours as I try to reach them to find out why they’ve done this to me.

[/quote]

Even with “ordinary” problems, it can take up to 24 hours (plus), as advertised, to get a response. I’d expect problems causing them to unilaterally ban without refund to take longer; see this recent post by Jeff-the-abuse-guy:

http://discussion.dreamhost.com/showthreaded.pl?Cat=&Board=curious&Number=81682



#13

I suspect their review of the circumstance (logs inspections, etc.) has given them reason to believe your account was used in some way that was a violation of the TOS. As for your “data” - that’s what backups are for (and the TOS clearly warns you of this).

From looking at other threads here, I suggest you communicate with DH regarding this issue via abuse@dreamhost.com rather than tech support.

Ultimately, it is the Abuse Team you will have to deal with, so I would just start with them.

–rlparker


#14

Well, I have backups of most stuff, but do not have current backups of the ZenCart database for my online store, so I have a number of orders that I don’t have access to.

And I frankly don’t care what their logs say. I didn’t do anything wrong, so shutting me down without warning was a mistake on their part.

I also don’t think it appropriate that they take this long to reply to my emails. The fact that my ticket with support keeps getting deleted means they don’t want to hear my side of the story at all.

This is patently unfair and a terrible way to run a business.


#15

Ouch! That’s unfortunate indeed; many of us are guilty of being insufficiently diligent when it comes to backing up our databases (I wonder why that is the case?) :frowning:

It might be a mistake, but if you are not interested in “what their logs say” and just insist you did nothing wrong, well, that’s fair enough, I suppose. That probably indicates there is little point in discussing it with them. Obviously, something happened; DH is not in the business of hosting websites to terminate customers’ accounts - they would rather continue to provide service and get paid for it. There are several things that I would not classify as “wrong” that are violations of TOS nonetheless - I suggest it might be more productive to try to discuss the situation with them and understand what caused them to suspend your account, but YMMV.

As I, and others, have already pointed out, tech support is not likely to discuss this with you - rather the Abuse team will be handling it, and they are generally not as quick to respond as tech support (see an earlier post in this thread for a link to Jeff@dreamhost.com’s comments on that).

Hey, you are in a rough situation and must be very frustrated. You can handle that frustration any way you choose; I just think you will be more productive and get better results if you take it up with the Abuse Team.

Complaining about it here may make you feel better, but is probably not as effective as handling it privately with DH.

–rlparker


#16

You’re probably not going to change their minds or gain access to any files…

[quote]
And I frankly don’t care what their logs say. I didn’t do anything wrong, so shutting me down without warning was a mistake on their part.[/quote]

… but if you approach them like that, I’d change “probably” to “definitely.”




#17

I just wanted to thank Javier in Support and Jeff in Abuse for working through this problem with me and getting to the bottom of it. It’s still not clear exactly how this happened, but everything seems to have been resolved.

I’d also like to thank the folks who hang out in the DreamHost IRC channel (requires IRC client) for giving me diagnostic advice and ideas. The potent combination of DreamHost staff and customers forms a community I’m proud to be a part of.


si-blog | Keystone Websites


#18

Yeah, I’d recommend the concerned, apologetic approach.

Think of it in these terrible, unsympathetic terms: Due to mistakes I made in securing my site, it was hacked and used to kill baby seals. My host has shut me down and canceled my account as per policy and request from the Association for the Protection of Cute Animals. Upon request, the status of my account can be reviewed and my account reinstated.

We are each responsible for the security of our sites. We should accept that responsibility and also understand that DreamHost is responsible for making sure that no site hosted by them is used for illegal activities. If Dreamhost doesn’t do this, we are all at risk of being blocked.

It’s like the problem with runaway scripts. If DreamHost didn’t shut down scripts that were eating too many resources, we’d all suffer.



#19

Ditto - hosted for 3 years, then noticed that a number of my sites had junk links inserted into index pages (set to display:none in CSS). There were a number of FTP logins not by myself, but I have never publicly posted my FTP password (indeed, it’s not used for any other service) and am security conscious.

Reported/raised it with abuse.
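
Added example, not part of any post in this thread: a Python check for the pattern reported above, off-site links sitting inside elements hidden with `display:none` (inline or through a rule in the page's own `<style>` block). The names `find_hidden_links` and `own_host` and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
RULE = re.compile(r"([.#][\w-]+)\s*\{([^}]*)\}")  # simple .class / #id rules
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no end tag

class HiddenLinkFinder(HTMLParser):
    def __init__(self, own_host, hidden_selectors):
        super().__init__()
        self.own_host, self.hidden_selectors = own_host, hidden_selectors
        self.stack = []  # (tag, hides_content) for each open element
        self.hits = []   # (line, href) of off-site links a visitor cannot see

    def _hides(self, a):
        names = {"." + c for c in (a.get("class") or "").split()} | {"#" + (a.get("id") or "")}
        return bool(HIDE.search(a.get("style") or "") or names & self.hidden_selectors)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = self._hides(a)
        if tag == "a" and (hidden or any(h for _, h in self.stack)):
            host = urlparse(a.get("href") or "").hostname
            if host and host != self.own_host:  # exact host match only
                self.hits.append((self.getpos()[0], a["href"]))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Injected markup is often malformed: unwind to the matching open tag.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_links(html, own_host):
    css = " ".join(re.findall(r"<style[^>]*>(.*?)</style>", html, re.S | re.I))
    hidden = {sel for sel, body in RULE.findall(css) if HIDE.search(body)}
    finder = HiddenLinkFinder(own_host, hidden)
    finder.feed(html)
    return finder.hits

# Constructed sample page, not taken from any affected site.
SAMPLE = """<html><head><style>
.x9 { display:none }
</style></head><body>
<p><a href="http://partner.example/">visible partner link</a>
<div class="x9"><a href="http://spam.example/pills">pills</a> <a href="/about.html">internal</a></div>
<span style="visibility: hidden"><a href="http://spam.example/loans">loans</a></span></body></html>"""
```

Rules in external stylesheets are not examined, so a clean result covers only inline styles and the page's own `<style>` block.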


#20

Note that this has happened to me a second time, at roughly 1:00pm PDT. The damage was extensive. Files were moved around (from one domain to another), altered, spammed, or just blanked.


si-blog | Keystone Websites