I have now discovered that I have had three websites hacked in the last week all at the same times/dates and by the same IPs. These three websites were each under a different FTP account and each under a different dreamhost account. Each was for a different client so it’s been a fun week to say the least. The IPs of the hacker trace back to various countries including Russia, Mexico, Turkey, United Kingdom and US. The hacks are all the same person likely using an automated script through proxy servers.
I have worked through every possible attack vector and have determined that the FTP accounts user/passwords were either stolen via a worm on my local machine or FTP access was compromised on the server. The question is which one and how. I have two most likely scenarios:
I possibly have a local machine that has been infected somehow and its password file was stolen from an FTP program (i.e. Filezilla, CuteFTP, etc.). While possible, I have not been able to confirm. First, I have scanned my local computer and it reveals nothing: no viruses, worms or the like. Second, in the file that contained the user/passwords there were about 30-40 other account logins with other hosting companies. None of the sites with other hosting companies have been hacked.
Some sort of compromise of Dreamhost’s security where the attacker was able to access the user/pass of various FTP accounts within Dreamhost’s system. It appears that passwords for FTP accounts are not encrypted within Dreamhost’s system. This means if someone were able to gain access to the FTP account file/database, they would be able to download various usernames/passwords with no problems of encryption.
To help determine where the breach of security is, I am asking that if anyone else has been hacked this month, please post here. The hacker(s) will have first injected code into your files to let them know the site was hacked. This would have been placed using an invisible image tag immediately following the body tag on files that contain body tags. Based on my logs, this was done by some sort of automated script. Second, they would return to either inject more code in your files or in the .htaccess to redirect to other websites.
If you have been hacked, please run a “last” scan on your logs to see what IPs other than your own have accessed your account. If any have, post the log here. This will help determine if we were hacked because of a security compromise on Dreamhost’s server or not. I asked Dreamhost’s security department for help in figuring this out but was told they have well over a million accounts and manage thousands of servers and as such the system administrators may not be able to readily answer this.
Following are instructions on running a “last” scan to see what IP addresses have logged in using your FTP account:
In the Dreamhost panel, click on “manage user” and edit your FTP account, changing it to a “shell account”.
Download a shell program such as “PuTTY”, which can be downloaded for free at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Log in via PuTTY. You will put your web server for the host name. You can get this from the “Account Status” dropdown under “Your Web Server”. So, if it says “XYZ” is your web server, then under “Host Name” in PuTTY you would put “xyz.dreamhost.com”. Click “Open” and it will prompt you for a user name and password.
After you have logged in, type the following two lines, replacing USERNAME with the username of your Shell/FTP account, and hit return after each line. The first line will show who has logged in to your FTP account within the last 30 days. The second line will show the previous 30 days.
last -i | grep USERNAME
last -if /var/log/wtmp.1 | grep USERNAME
If it comes back with no info and just another prompt, try taking off a letter at the end of your username and try again (i.e. “USERNAME”, 2nd try “USERNAM”). Keep doing this until it returns the log.
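As an added example that is not part of the original post: a small shell function that reads the output of “last -i” on standard input and lists, for one account, every login IP that is not one of your own addresses, most frequent first. The account name alice, the IP addresses and the dates in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: read `last -i` output on stdin and
# report, for one account, every source IP that is not one of your own addresses.
# Assumes the usual `last -i` layout: user, tty, IP, then the date and duration.

# unknown_logins USER OWN_IP... : prints "count ip" lines, most frequent first
unknown_logins() {
    user=$1; shift
    awk -v user="$user" -v own="$*" '
        BEGIN { n = split(own, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # keep rows for this user whose third field is an IPv4 address we do not recognise
        $1 == user && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) { seen[$3]++ }
        END { for (ip in seen) print seen[ip], ip }
    ' | sort -rn
}

# Constructed sample standing in for `last -i` (documentation IP ranges, made-up dates)
SAMPLE_LAST='alice    pts/0        203.0.113.7      Mon Jun  2 03:14 - 03:15  (00:01)
alice    pts/1        198.51.100.22    Mon Jun  2 03:16 - 03:16  (00:00)
alice    pts/0        192.0.2.10       Sun Jun  1 10:02 - 11:30  (01:28)
alice    pts/2        203.0.113.7      Sat May 31 02:58 - 02:59  (00:01)
bob      pts/0        192.0.2.10       Fri May 30 09:00 - 09:45  (00:45)

wtmp begins Thu May  1 00:00:01 2008'

# Real use on the server would be:  last -i | unknown_logins USERNAME YOUR.OWN.IP.ADDR
# With the sample above and 192.0.2.10 as the owner's address this prints:
#   2 203.0.113.7
#   1 198.51.100.22
printf '%s\n' "$SAMPLE_LAST" | unknown_logins alice 192.0.2.10
```

The same function works on the older log with “last -if /var/log/wtmp.1 | unknown_logins USERNAME YOUR.OWN.IP.ADDR”; repeated hits from one unfamiliar address across several accounts are what to compare between posters.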