uinternacional.com.br is a dreamhost customer, hosted on 18.104.22.168. They’ve been hacked. In fact, they’ve been hacked multiple times… a different iTunes phishing site was shut down last week.
Now they’re hosting a fake Canada Revenue Agency site. To make it even better, the guys who hacked the site have put in network restrictions so that if you’re not coming from a Canadian IP address you get a 404. If you come from a Canadian IP you’ll see the fake CRA website in all its glory. For those not so lucky, you can see a screenshot at http://i.imgur.com/fqTPqAO.png
Now, the fact that the page is geo-restricted tends to make things “interesting” when you’re dealing with your average helpdesk monkey. So, I’m looking to get some kind of response from the DH abuse desk… particularly since this phishing site is up nearly a week after I reported it. I explained the issue in detail, and said I was available if they needed more information.
I tried calling their abuse desk. I got voicemail. I left my name and a contact number, again explaining the problem.
Does DH not have an abuse desk? Are they on vacation? Do they think they have the problem solved (the continued existence of the site seems to indicate otherwise)?
Are there other customers forced to share a server with this hacked customer? What about the safety of THEIR data?
As an aside, for amusement’s sake I started pumping faked information into the phishing site. Whoever controls the hacked site didn’t like that… my workstation immediately came under attack with a low-level DDoS, about sixty IPs flooding 80/udp (yes, UDP, not TCP). Interestingly enough, about half of the attacking IP addresses belonged to Dreamhost. So it’s more than just the above customer who have been compromised.
Last time I saw something like this - many hacked sites, geo-specific protection of the criminal sites - was at Media Temple hosting. And Media Temple, after months, found out that their MANAGEMENT interfaces had been hacked. Is this what has happened at Dreamhost? Perhaps the reason the abuse desk is so silent is because they’re panicking because the compromise might be more than just their customers?