Dreamhost security/abuse AFK?


#1

uinternacional.com.br is a dreamhost customer, hosted on 75.119.204.223. They’ve been hacked. In fact, they’ve been hacked multiple times… a different iTunes phishing site was shut down last week.

Now they’re hosting a fake Canada Revenue Agency site. To make it even better, the guys who hacked the site have put in network restrictions so that if you’re not coming from a Canadian IP address you get a 404. If you come from a Canadian IP you’ll see the fake CRA website in all its glory. For those not so lucky, you can see a screenshot at http://i.imgur.com/fqTPqAO.png

Now, the fact that the page is geo-restricted tends to make things “interesting” when you’re dealing with your average helpdesk monkey. So, I’m looking to get some kind of response from the DH abuse desk… particularly since this phishing site is up nearly a week after I reported it. I explained the issue in detail, and said I was available if they needed more information.

Silence.

I tried calling their abuse desk. I got voicemail. I left my name and a contact number, again explaining the problem.

More silence.

Does DH not have an abuse desk? Are they on vacation? Do they think they have the problem solved (the continued existence of the site seems to indicate otherwise)?

Are there other customers forced to share a server with this hacked customer? What about the safety of THEIR data?

As an aside, for amusement’s sake I started pumping faked information into the phishing site. Whoever controls the hacked site didn’t like that… my workstation immediately came under attack with a low-level DDoS, about sixty IPs flooding 80/udp (yes, UDP, not TCP). Interestingly enough, about half of the attacking IP addresses belonged to Dreamhost. So it’s more than just the above customer who has been compromised.

Last time I saw something like this - many hacked sites, geo-specific protection of the criminal sites - was at Media Temple hosting. And Media Temple, after months, found out that their MANAGEMENT interfaces had been hacked. Is this what has happened at Dreamhost? Perhaps the reason the abuse desk is so silent is because they’re panicking because the compromise might be more than just their customers?
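The flood described in this post (many sources, UDP to port 80, a large share from one hoster's address space) is the kind of thing a defender wants to quantify before filing an abuse report. The following is an added example, not code from the thread: it parses constructed iptables-style log lines, counts distinct UDP sources hitting port 80, and attributes them to a hypothetical netblock standing in for the hosting provider's ranges (in practice the ranges would come from ARIN/WHOIS data).

```python
import ipaddress
from collections import Counter

# Constructed log lines for demonstration (not a real capture). The format is a
# hypothetical iptables-style "SRC=... DST=... PROTO=... DPT=..." record.
SAMPLE_LOG = """\
SRC=75.119.204.223 DST=192.0.2.10 PROTO=UDP DPT=80
SRC=75.119.200.15 DST=192.0.2.10 PROTO=UDP DPT=80
SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP DPT=80
SRC=198.51.100.42 DST=192.0.2.10 PROTO=UDP DPT=80
SRC=75.119.204.223 DST=192.0.2.10 PROTO=UDP DPT=80
SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80
SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP DPT=53
"""

# Hypothetical netblock standing in for the hoster's ranges; it is chosen only so
# that it contains the address named in the post (assumption, not WHOIS data).
HOSTER_NETS = [ipaddress.ip_network("75.119.192.0/18")]


def parse_line(line):
    """Turn one 'KEY=VALUE KEY=VALUE ...' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def udp_flood_sources(log, dport=80):
    """Count packets per source IP for UDP traffic to the given destination port."""
    hits = Counter()
    for line in log.splitlines():
        fields = parse_line(line)
        if fields.get("PROTO") == "UDP" and fields.get("DPT") == str(dport):
            hits[fields["SRC"]] += 1
    return hits


def attribute_sources(sources, nets):
    """Split source IPs into those inside the given netblocks and all others."""
    inside, outside = [], []
    for src in sources:
        ip = ipaddress.ip_address(src)
        (inside if any(ip in n for n in nets) else outside).append(src)
    return sorted(inside), sorted(outside)


def summarize(log, nets=HOSTER_NETS, dport=80):
    """Produce the figures an abuse report needs: distinct sources, packet count,
    and which sources fall inside the suspected hoster's address space."""
    hits = udp_flood_sources(log, dport)
    inside, outside = attribute_sources(hits, nets)
    return {"distinct_sources": len(hits), "packets": sum(hits.values()),
            "hoster_sources": inside, "other_sources": outside}
```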


#2

Interesting. I’m very concerned how this plays out.


#3

Also want to know!


#4

Very concerned as well. I’ve had a lot of issues w/DH lately so I’m watching this closely.


#5

Due to privacy reasons, we’re obviously not going to tell everyone all the details about a hack or any abuse related topics on a public forum. I mean, you’d be pretty horked off if we showed everyone YOUR dirty laundry!

We don’t have an abuse desk phone number… actually we don’t have a phone number, so I have no idea what you called. The account who owns that domain has been contacted, however, and uinternacional.com.br is currently down. The owner can reply to the support tickets, or contact us via their panel, for more information.


#6

[quote=“Ipstenu-DH, post:5, topic:61257”]
Due to privacy reasons, we’re obviously not going to tell everyone all the details about a hack or any abuse related topics on a public forum.[/quote]

True. Let’s keep expectations realistic. Let’s shoot for “we’ll acknowledge that we’re doing anything at all, instead of providing the impression that our abuse contact is just a black hole”.

You need to update ARIN, then.


#7

Hah, and the mystery of what number people are using is solved.

Apparently that goes to a VM box that someone (I didn’t ask who, just if it was) checks.

Abuse is not a black hole. They’re real people who I alerted about this thread, but also saw they HAVE been talking to that site-owner, so … we’re working on them.