DH security is not good!?


#1

I have a problem with DreamHost security. I do web work for several customers, and each customer has their own DH account from my referral. Each account has a few domain names. In all those accounts and domains, the index.html and index.php files are infected with virus code at the end of index.html. I contacted DH several times regarding this issue; they only restore the index files from backup for me, and a week later those files are infected with that code again, even though all my FTP access passwords have been changed several times. Does anyone else have the same issue? Not for one account, but for several accounts and several domains in each account.
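As an added example (not from this thread or from DreamHost), a small scanner for the symptom described above: index files with markup appended after the closing </html> tag, or containing a hidden iframe. The directory layout, host name and sample pages are constructed placeholders.

```python
import os
import re
import tempfile

END_TAG = re.compile(r"</html\s*>", re.IGNORECASE)
# A hidden frame (zero size or display:none), the usual shape of an appended injection.
HIDDEN_FRAME = re.compile(
    r"<iframe\b[^>]*(width\s*=\s*['\"]?0|height\s*=\s*['\"]?0|display\s*:\s*none)[^>]*>",
    re.IGNORECASE | re.DOTALL)
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def suspicious_fragment(html):
    """Return the suspect fragment of one file's text, or None if it looks clean."""
    closes = list(END_TAG.finditer(html))
    if closes:
        tail = html[closes[-1].end():].strip()
        if tail:                      # nothing should follow the closing tag
            return tail
    hit = HIDDEN_FRAME.search(html)   # PHP index files may have no </html> at all
    return hit.group(0) if hit else None

def scan_docroots(root):
    """Walk every directory under root and report suspect index files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    frag = suspicious_fragment(fh.read())
                if frag:
                    findings[os.path.relpath(path, root).replace(os.sep, "/")] = frag
    return findings

def demo():
    """Constructed sample: one clean page and two with an appended hidden iframe."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "site-a", "blog"))
    os.makedirs(os.path.join(root, "site-b"))
    clean = "<html><body><h1>Hello</h1></body></html>\n"
    # Constructed payload: an invisible frame pointing at a placeholder host.
    injected = clean + '<iframe src="http://EXAMPLE_HOST_PLACEHOLDER/go.php" width=0 height=0></iframe>'
    for rel, body in [("site-a/index.html", clean), ("site-a/blog/index.php", injected),
                      ("site-b/index.html", injected)]:
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    return scan_docroots(root)
```

Run scan_docroots against each account's document root after a restore; a file that is flagged again pinpoints which directory the re-infection script is writing to.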


#2

This is not a DreamHost problem. If you do a Google search for that IP address, you will find many examples of this happening with different hosts. For added security, I recommend using SFTP and turning off the ability to use FTP on your accounts.



#3

It’s a virus. When I go to http://81.95.145.240/go.php?sid=1 (DO NOT GO THERE!)

my antivirus alerts me about the trojan horse generic_c.EQ.




#4

I did a search in Google too.

Somebody said it may be caused by unauthorized access in a shared server. Try to change your password to a complicated one.



#5

Have you tried "last" from the command line? It will tell you the last few logins for your username. You can check this to see if someone has gained unauthorized access to your account.

BTW, a simple debugging rule: if you’re the only one having a problem, then it’s likely a problem unique to you. If it’s a large enough number of people, then you should look for a more systemic problem.



#6

It is not only my problem; my friends have DH too, which is how I know DH. They have the same problem: the code is auto-infected into the index file in each folder directory. DH checked the FTP login IPs and only one is my IP. They say that because it is shared hosting, it spreads to all accounts in one system… and it’s not secure to use a shared hosting account. They suggested I buy a dedicated server. That sounds weird…


#7

I don’t understand what you’re saying…



#8

Some hackers are only interested in index.html files.

Try to rename your index.html file to index.php.

If the index.php file is still hacked, try to rename index.html to something else like “yourdomain.html”, and create a .htaccess file as follows:

DirectoryIndex yourdomain.html

Hope it works.



#9

Or better yet, patch/upgrade/remove the vulnerable script that’s letting them in. :stuck_out_tongue:




#10

Actually, DreamHost did have a problem recently with FTP security, which they have partially addressed.

Remember how you used to be able to obtain FTP and Email passwords directly from the Control Panel if you forgot them? While convenient, it also meant that the passwords were stored as plain text. This is a security foo, and should never be done. To this day, though, some passwords (ironically enough including those for .HTACCESS-protected directories!) are still stored as plain text, and still retrievable as such from the Control Panel!

Passwords should only be stored as salted one-way hashes, using algorithms such as SHA-1 or SHA-256 or MD5.

At any rate, though, no matter what security DH or any other host has, if you use weak passwords, you’re going to be hacked. Maybe not today, maybe not tomorrow, but it’s only a matter of time.

Never, ever use a stupid password such as “password” or “12345” or “letmein.”

Never, ever use a password that is in any way related to you or your clients, such as your mother’s maiden name, your SSN, phone number, address, dog’s name, alma mater, or any other information that anyone could possibly know or find out about you. Merely adding a digit or two to such a password isn’t much better.

Never, ever use any single word found in any dictionary of any human language as your password. Also, the old tactic of using two unrelated words connected by a single punctuation character (e.g. default AOL passwords for new accounts) is no good anymore. Hackers use dictionary searches. Also, they know all the tricks such as changing S to $, E to & or 3, l to 1, O to zero, “for” to 4, etc. Those tricks only slow them down a bit these days.

Never, ever use the same password for multiple purposes. Once a hacker has found that you use an easy password for, say, an online game, they may also try it on your banking account, DreamHost control panel and FTPs, etc.

This also goes most especially for your Email accounts. People tend to think that these are unimportant, and so need not be as well-protected as, say, your banking account or DH panel password. But think about it: if you forget your banking account password, what will the bank website do when you click on “Forgot Password”? What will DH do? They’ll Email you a new password confirmation link to the Email account you have stored with them! So, if a hacker finds out your Email password, all s/he has to do is request a new password from the other services (the bank may require some ID such as SSN, mother’s maiden name, etc., but this info isn’t so hard to find out), then read your Email!

Sadly, all too few Email servers properly support Secure Password Authentication (SPA), and thus send the password, however good you might have made it, “in the clear” and thus sniffable by any TCP/IP packet sniffer placed anywhere along the route from you to the Email server! Email passwords are thus one of the lesser known but most serious weak links in computer security today.

Frankly, I think that the whole idea of allowing a forgotten password to be retrieved or even reset or click-validated via Email is one that needs to go away, at least until Email itself is replaced with a more secure means of Internet messaging (Email is fundamentally broken, as the spam crisis shows — it cannot be fixed, and the Internet community is just going to have to accept that SMTP, POP3, and IMAP4 are going to have to be totally scrapped and replaced with whole new protocols written from the ground up for maximum security even at the expense of convenience and performance, and that that means that all existing Email client programs such as Outlook Express, Thunderbird, Eudora, etc. are going to have to be rewritten — merely patching them with SPF, SPA, etc. is no longer going to suffice).

At any rate, don’t blame DH or other services if you use lame or re-used passwords to them. You might as well hang a sign on your site that says “Hackers Welcome Here.”


#11

I find a good way to make a secure password is to think of a phrase/song/sentence and use the first letter of each word. For example, rrrybgdtsmmmmlibad is the rowrowrow your boat song. Of course, you can always add a ! or ? somewhere. Yes, it makes the password long, but it doesn’t take -too- long to type nor is it easy to forget. Or something like W,Irrrlsass! (Wow, I really really really like sweet and sour sauce!). Anyway, you get the idea. Impossible to crack… even brute force would take 10,000 computer years to tackle a long password.


#12

Fully agree and thanks for the post.

Setting a secure password would be the basic skill we need to learn.

A few of my clients just had their websites hacked. All the index.html files were replaced by the hackers. The bad thing is that they had just updated the website and sent invitations to their customers to visit the new site. They felt so ashamed to let the customers see a hacked site instead.

I also like to share some tips on how to create a good password.

  1. use capital and small letters for sure
  2. mix with number
  3. mix with symbols
  4. at least 8-character long

Tips: how to use and remember symbols?
People like to use numbers for passwords. For example, 1980 is my birth year. When you create a password, press SHIFT and key in 1980, and it becomes !(*). You know what I mean. Cool, eh!



#13

I don’t have much more to add except to reference Wikipedia on Password Strength.



#14

[quote]Try to rename your index.html file to index.php.

If the index.php file is still hacked, try to rename index.html to something else like “yourdomain.html”. And create a .htaccess file as follows

DirectoryIndex yourdomain.html[/quote]

Let’s say this is happening on all subdomains as well as the main, how would one go about re-naming all the index files, yet still having them show up AS the index files? Would that one line cover it or is there something else that one needs to do?


#15

It should be all you need to do because index.php is listed as one of the directory pages that gets looked up.

It’s not entirely clear that this method will work because it all depends on how sophisticated the automated breakin and modification script is. Since they’ve broken into your account, they can change any file at will - all the script needs to do is look to see what file is being processed as the default file for the directory and go and hack that one with the fraudulent links.



#16

Has anyone tried to contact the host of 81.95.145.240, Panama Rbusiness Network? I’m not sure if it would work, but you could try reporting the abuse to the hosting company.

http://whois.domaintools.com/81.95.145.240


#17

That isn’t going to help. See Russian Business Network.

Check your software and security measures. These criminals are most likely exploiting vulnerabilities in code or practices, or have compromised other computers with keyloggers and the like.



#18

@Joel : You are going on a loooong rant there :slight_smile:

First off, plaintext password storage is not necessarily bad. In some cases, it’s even necessary (try to do cram-md5 without that, for instance). The security of the password database must be guaranteed (guess why we have /etc/shadow …).

If somebody gets your password database, it really does not matter much whether the passwords are in plaintext, in CRYPT hashes, or even in MD5 hashes. Sure, they can be salted – but let’s face it, most passwords (even those deemed “good” by some people) can be cracked via dictionary attack, brute force (John The Ripper), rainbow table lookups, or distributed brute force. If the security of your system depends on salted passwords and assumes the ability of an attacker to read your username/password database, it’s broken and you are SOL anyway. Plaintext passwords are quite ok, if you can control access to them (and salted hashes provide an additional layer of security, but can’t really be a defense against a determined attacker and the kinds of passwords you are likely to find at a shared webhost).

Weak passwords are guessable, correct. If you are worried about this possibility, switch to smartcard-based public key authentication (or even just plain public key auth) and never look back; too bad that DH does not offer you the possibility of restricting accounts to login via keypair only. (If you want to see why this is a good idea in general, have a look at sshd server logs of servers some time … people are bruteforcing entire IP ranges. :slight_smile:)

Don’t fearmonger too much. Depending on how good your scheme is, dictionary words concatenated by other tokens can be quite secure (assuming the attacker has to bruteforce through login attempts and does not have the hash database already, in which case you are SOL in any case). Assuming a 1000-word dictionary and 100 ways to concatenate them, you end up with 100,000,000 combinations to try. Easy if you have the hash, kinda hard to do on a watched server – and English has more than 1000 words, and more than 100 ways to combine two of ’em. :slight_smile:

Choose your passwords according to what they are protecting and what a would-be attacker will have access to. Another thing to consider is that your username should be just as secure as your password, if possible. If people know your password but not your username, it’s not gonna do them a hell of a lot of good (though on DH servers you can circumvent this security by simply reading a very prominent system file on the server); still, a username of “joe” is probably bad, a username of “g42sSfß_3d” will probably not be guessed that easily.

Never using the same password twice is good advice. Most people don’t follow it. If you are one that does not follow this advice, consider how much the stuff the password is protecting is worth to you, and consider using different passwords for the more important stuff.

For email, “SPA” is not necessary. It’s a proprietary Microsoft crock of **** (basically NTLM over SMTP), which would explain why most servers do not support it. There are alternatives. If you absolutely have to use plaintext smtp, consider cram-md5 authentication (which requires serverside plaintext passwords, whoops), but the far better alternative is to not do POP3 or SMTP in the clear – use POP3/SSL, POP3/TLS, sSMTP, SMTP/TLS, etc. to make sure your stream is encrypted just as HTTP SSL would be; even if your password is transmitted using an algorithm that does not guarantee secrecy from eavesdroppers, it will be inside the encrypted stream (which just isn’t decipherable by the eavesdropper).

If you use unencrypted POP3/SMTP, you are doing the same thing you would be doing using telnet. People don’t use telnet anymore. There is a reason for that.

(and if your host does not offer secure SMTP or POP3 but does offer SSH, you could tunnel your POP/SMTP connections over that SSH connection, thereby encrypting it).

Webmail should similarly be encrypted.

(and just to make sure, all this is to avoid eavesdropping on your line or any line in between you and the server. There are cases when that is not of concern. But it really doesn’t hurt to encrypt.)

Your rant about email protocols is just that, a wild rant. “Reimplementing everything” does not work. There is no master switch, you can’t force people to “upgrade”, and even then, it’s hard to sell an “upgrade”. People inventing these schemes usually have something to gain when proposing them, often as the gatekeeper. Gatekeepers make money.

You are correct that there is a spam crisis. However, properly configured mailservers and recipients can avoid a lot of it – and no “new” protocol will be free of issues when it reaches critical mass.

You can enjoy private email easily (encryption based on PGP/GPG or OpenSSL, plugins readily available). “Retrieve password” pages are the easiest way to accomplish a certain task – what else should one do? Use plain old snail mail? (some services do this) Convenience is king! :slight_smile:

(of course it would help if there were a commonly accepted setting on most sites that such reset password links should be sent GPG-encrypted for you. That’s what some systems already do !)
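An added example (not from the thread) of the CRAM-MD5 point made in the post above: the password never crosses the wire, but the server can only check the client's HMAC-MD5 by holding the plaintext password (or an equivalent keyed state), so a store of one-way hashes cannot support it. The credential store, user name and host name are constructed placeholders.

```python
import base64
import hmac
import os
import time

# Constructed credential store: CRAM-MD5 verification needs the password itself.
USERS = {"alice@example.test": "correct horse"}   # assumed sample user

def server_challenge(hostname="mail.example.test"):
    """RFC 2195-style challenge <random.timestamp@host>, sent base64-encoded."""
    raw = "<%d.%d@%s>" % (int.from_bytes(os.urandom(4), "big"), int(time.time()), hostname)
    return base64.b64encode(raw.encode()).decode()

def client_response(username, password, challenge_b64):
    """Client answers 'user HEX(HMAC-MD5(password, challenge))', base64-encoded."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()

def server_verify(response_b64, challenge_b64):
    """Server recomputes the HMAC from its stored plaintext password and compares."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    password = USERS.get(username)
    if password is None:
        return False          # unknown user; no plaintext to key the HMAC with
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), "md5").hexdigest()
    return hmac.compare_digest(expected, digest)

def exchange(username, password):
    """Run one challenge/response round between the two sides."""
    challenge = server_challenge()
    response = client_response(username, password, challenge)
    return server_verify(response, challenge)
```

A captured response is tied to its challenge, so replaying it against a fresh challenge fails; that is the protection CRAM-MD5 buys, at the price of plaintext-equivalent storage on the server.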


#19

That’s a great post once again, eike; thanks for taking the time to write that.

It provides a very good overview of several of the issues involved and I very much enjoyed reading it.

–rlparker