Hacked again - time to leave dreamhost?


#1

Curious if anyone else has had their site hacked lately with the following spam script injection. If so, please post your site info here so I can report it as a group of totally unrelated users.

The spam script is injected immediately following the body tag on any file that contains the body tag. It is an image tag with id=frmchkldver and the src points to a Russian domain firewallmakeover [dot] ru that has some variables referring to the respective domain that was hacked.

I already do pretty much everything that Dreamhost refers to in their how to prevent hacking wiki and the canned response one gets when you report an instance of hacking. I have had sites hacked before and usually due to a vulnerability in an open source script that allowed the user to upload some sort of shell script. This time is different.

In the past few days I have had two sites hacked in exactly the same way that were on two different Dreamhost accounts (I work for various clients that I have referred to use Dreamhost). Here’s the conundrum: I am 110% sure that my local machine is secure (it has been scanned and re-scanned) and I generally do not use it other than to maintain these sites, I use SFTP, I am not using open source scripts on these sites, I could go on, but let’s just say I am security aware and as such every security hole I can think of has been plugged. Further, I can not find any sort of shell script that would have given them access to upload stuff.

I think there must be some sort of server vulnerability. Dreamhost has told me they have not had any other reports of sites hacked like this that would suggest a server vulnerability. I just get the standard reply that there is nothing we can do because there are a zillion ways a site can be hacked and it is usually due to some vulnerability you left open, oh and have a nice day. I get it, but I am at a loss for plugging the hole these hackers crawled through.

I have probably 15-20 clients using dreamhost because of my recommendation and now two have been hacked in the same way within 3 days. Is it time to move them all to another hosting company that answers a phone?


#2

FYI, you may have been hacked but not know it because the injected script is an invisible image. Check your site for the following type of code immediately following the body tag:

If you find this, please report it here.
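The check described in the two posts above, as an added example that is not from the original thread: a small Python scanner that looks for an image tag sitting directly after the body tag, flags it when its id is the marker the thread reports (frmchkldver) or when it loads from a host you do not trust. The sample documents and hostnames are constructed; the file extensions scanned are an assumption.

```python
import re
import sys
from pathlib import Path
from typing import Optional

INJECTED_ID = "frmchkldver"  # id reported in this thread
BODY_RE = re.compile(r"<body\b[^>]*>", re.IGNORECASE)
IMG_RE = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')


def img_after_body(html: str) -> Optional[dict]:
    """Return the attributes of an <img> that immediately follows <body>, else None."""
    body = BODY_RE.search(html)
    if not body:
        return None
    rest = html[body.end():].lstrip()
    img = IMG_RE.match(rest)
    if not img:
        return None
    return {k.lower(): v for k, v in ATTR_RE.findall(img.group(0)[4:])}


def is_injected(html: str, trusted_hosts=()) -> bool:
    """True if the first thing after <body> is the marker image or an off-site image."""
    attrs = img_after_body(html)
    if attrs is None:
        return False
    if attrs.get("id", "").lower() == INJECTED_ID:
        return True
    src = attrs.get("src", "").lower()
    offsite = src.startswith(("http://", "https://", "//"))
    return offsite and not any(h in src for h in trusted_hosts)


def scan_tree(root, exts=(".html", ".htm", ".php"), trusted_hosts=()):
    """Walk a document root and return the paths whose <body> is followed by a suspect image."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            if is_injected(path.read_text(errors="ignore"), trusted_hosts):
                hits.append(str(path))
    return hits


# Constructed samples: a clean page, a page carrying the marker tag, a page with a CDN logo.
CLEAN = '<html><body class="page">\n<h1>Hi</h1></body></html>'
INFECTED = ('<html><body><img id="frmchkldver" src="http://malicious.example/c.php?d=victim.example"'
            ' width="1" height="1"><h1>Hi</h1></body></html>')
CDN_LOGO = '<html><body><img src="https://cdn.example.com/logo.png"></body></html>'

if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspect image after <body>:", hit)
```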


#3

Don’t your logs, either .bash_history or access.log, show anything? There must be some record of how your site was compromised.


#4

Yup,

Found your topic after googling “frmchkldver”.
“Fortunately” for my case, the hack appeared quickly as it caused a parsing error on our self-hosted forum (so we’re not related to Dreamhost in any way).

I suspect the cause of this to be a phpBB exploit, we were using 3.0.7-pl1.
See changelog: http://www.phpbb.com/support/documents.php?mode=changelog&version=3#v307-PL1

I’m still working on it to clean the flaw.

Have fun :p

Okay,

I was wrong for the cause.
The problem is more likely due to some stolen Filezilla password which granted access on the server, result of a Windows©® worm.

Good luck again :wink:


#5

Thanks for your post. A couple questions:

Why do you think it was the result of a Windows©® worm that stole your Filezilla password granting access on the server? Did you run a scan of some sort that revealed the worm?

Also, is your site hosted with Dreamhost? When did your site first get hacked?


#6

Don’t think it’s Dreamhost; my sites are clean (Joomla / WordPress / phpBB / custom sites).


#7

I have had to remove nearly half of my content from Dreamhost domains because Chinese hackers have better access to my accounts than I do.


#8

I have now discovered that I have had three websites hacked in the last week all at the same times/dates and by the same IPs. These three websites were each under a different FTP account and each under a different dreamhost account. Each was for a different client so it’s been a fun week to say the least. The IPs of the hacker trace back to various countries including Russia, Mexico, Turkey, United Kingdom and US. The hacks are all the same person likely using an automated script through proxy servers.

I have worked through every possible attack vector and have determined that the FTP accounts user/passwords were either stolen via a worm on my local machine or FTP access was compromised on the server. The question is which one and how. I have two most likely scenarios:

  1. I possibly have a local machine that has been infected somehow and its password file was stolen from an FTP program (i.e. FileZilla, CuteFTP, etc.). While possible, I have not been able to confirm. First, I have scanned my local computer and it reveals nothing: no viruses, worms or the like. Second, in the file that contained the user/passwords there were about 30-40 other account logins with other hosting companies. None of the sites with other hosting companies have been hacked.

  2. Some sort of compromise of Dreamhost’s security where the attacker was able to access the user/pass of various FTP accounts within Dreamhost’s system. It appears that passwords for FTP accounts are not encrypted within Dreamhost’s system. This means if someone were able to gain access to the FTP account file/database, they would be able to download various usernames/passwords with no problems of encryption.

To help determine where the breach of security is, I am asking that if anyone else has been hacked this month, please post here. The hacker(s) will have first injected code into your files to let them know the site was hacked. This would have been placed using an invisible image tag immediately following the body tag on files that contain body tags. Based on my logs, this was done by some sort of automated script. Second, they would return to either inject more code in your files or in the .htaccess to redirect to other websites.

If you have been hacked, please run a “last” scan on your logs to see what IPs other than your own have accessed your account. If so, post the log here. This will help determine if we were hacked because of a security compromise on Dreamhost’s server or not. I asked Dreamhost’s security department for help in figuring this out but was told they have well over a million accounts and manage thousands of servers and as such the system administrators may not be able to readily answer this.

Following are instructions on running a “last” scan to see what IP addresses have logged in using your FTP account:

  1. In the dreamhost panel, click on “manage user” and edit your ftp account changing it to a “shell account”.

  2. Download a shell program such as “PuTTY”, which can be downloaded for free at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

  3. Log in via PuTTY. You will put your web server for the host name. You can get this from the “Account Status” dropdown under “Your Web Server”. So, if it says “XYZ” is your web server, then under “Host Name” in PuTTY you would put “xyz.dreamhost.com”. Click “Open” and it will prompt you for a user name and pass.

  4. After you have logged in, type the following two lines, replacing USERNAME with the username of your Shell/FTP account, and hit return after each line. The first line will show who has logged in to your FTP account within the last 30 days. The second line will show the previous 30 days.

last -i | grep USERNAME
last -if /var/log/wtmp.1 | grep USERNAME

If it comes back with no info and just another prompt, try taking off a letter at the end of your username and try again (i.e. “USERNAME”, 2nd try “USERNAM”). Keep doing this until it returns the log.
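The "last" review from the steps above, as an added example that is not from the original thread: a Python helper that parses `last -i` output, keeps only the records for one account, drops the addresses you know are yours, and counts the remaining source IPs per login type (ssh pty vs. ftpd). Because `last` truncates long usernames in its default output (the reason for the trailing-letter trick above), the filter accepts a displayed name that is a prefix of the real one. The sample output is constructed; the log paths mirror the two commands in the post.

```python
import re
import subprocess
from collections import Counter

# One record per line as printed by `last -i`: user, tty, source IP, then the time span.
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<when>\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d.*)$")


def parse_last(output):
    """Yield dicts for real login records; trailer lines like 'wtmp begins ...' do not match."""
    for line in output.splitlines():
        m = LAST_LINE.match(line)
        if m:
            yield m.groupdict()


def foreign_logins(output, username, my_ips):
    """Count logins to `username` from IPs not in `my_ips`, keyed by (ip, login type)."""
    counts = Counter()
    for rec in parse_last(output):
        # `last` may show only the first characters of a long username.
        if not username.startswith(rec["user"]):
            continue
        if rec["host"] in my_ips:
            continue
        kind = re.sub(r"[\d/]+$", "", rec["tty"])  # pts/0 -> pts, ftpd19499 -> ftpd
        counts[(rec["host"], kind)] += 1
    return counts


def collect_last_output():
    """Run the two commands from the post (current and previous wtmp) and join their output."""
    cmds = (["last", "-i"], ["last", "-if", "/var/log/wtmp.1"])
    return "\n".join(subprocess.run(c, capture_output=True, text=True).stdout for c in cmds)


# Constructed sample in `last -i` layout; IPs are documentation ranges.
SAMPLE = """\
jdoe     pts/0        203.0.113.45     Fri Jul 15 19:37 - 19:40  (00:03)
jdoe     ftpd19499    208.97.187.133   Fri Jul 15 19:37 - 19:37  (00:00)
jdoe     pts/1        198.51.100.23    Thu Jul 14 02:11 - 02:12  (00:01)
jdoe     pts/1        198.51.100.23    Thu Jul 14 02:15 - 02:16  (00:01)
longuser pts/3        192.0.2.77       Tue Jul 12 11:02 - 11:05  (00:03)
root     pts/2        10.0.0.5         Wed Jul 13 08:00 - 08:30  (00:30)

wtmp.1 begins Wed Jun 15 00:00:00 2011
"""

if __name__ == "__main__":
    for (ip, kind), n in foreign_logins(SAMPLE, "jdoe", {"203.0.113.45"}).items():
        print(f"{ip:16} {kind:5} {n} login(s)")
```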


#9

Thanks for these tips. My account hasn’t been hacked (as far as I can tell), but I’m always keen on checking security. I looked through the IPs and found that the only suspicious access was from: 208.97.187.133 which, strangely enough, was an ftp connection, which I never, ever use (I disabled ftp access some time ago) and resolves to Dreamhost!

user ftpd19499 208.97.187.133 Fri Jul 15 19:37 - 19:37 (00:00)

Suspicious?


#10

I think 208.97.187.133 is our WebFTP client. Perhaps you used that?


#11

That’s very, very likely… and comforting to know! I had the support team turn off access to that, probably some time after that record.


#12

Has anyone found the source of this hack? I had one of my sites hacked.


#13

Have had several accounts hacked lately. Looking at log files - it seems that hackers are getting more aggressive. One issue we had to address is SQL insertion - solved that and now cross site scripting seems to be prevalent - hacker from Turkey. Also looking at log files - had attempts from Saudi and Pakistan. DH support is little help. I did disable FTP in the panel and check off the extra security box. Am looking into FileZilla FTP Server – would be interested in any feedback on banning IP or use of FileZilla server


#14

As you have discovered, site security is your responsibility, not Dreamhost’s. There are free sites available that will test and analyze your sites for security holes. I won’t recommend or mention any in particular, but you can find references in this forum and perhaps even in this thread.

Denying certain IPs is a personal preference. Some sites may not have worldwide interest. If your site only has local or national interest or you want to ban certain IPs, go for it. To be more effective it should be done at the Apache level in your .htaccess file. If someone really wants to specifically attack your site, they are also the same type that will have hacked access through many IPs, perhaps even from another Dreamhost IP. Dreamhost is a worldwide organization and they certainly can’t ban IPs just because they are in ___ country.

Another thing you can do (with additional cost, however) to enhance your site’s security is to pay for a unique IP. Hackers can use tools such as http://www.yougetsignal.com/tools/web-sites-on-web-server/ to find other domains on the same server.