Hacked FTP passwords?


Can anyone verify this?


I haven’t received any e-mail, but changed my password to be safe…



Yes. All customers who may have been affected received an email about it last night. I posted about this issue a couple of weeks ago, when the problem first emerged: All my sites hacked - check yours too!

si-blog | Keystone Websites
Save $97 on yearly plans with promo code SCJESSEY97


Ahh, I saw that post and read through it but wasn’t sure if it was related since I didn’t see anyone else verify.

Shouldn’t this be up at Dreamhoststatus.com?



DreamHost know exactly which FTP accounts were compromised, so they were able to notify these individuals directly. There is no need for them to blog about it on the status blog - the blogosphere will take care of that anyway :open_mouth:



I don’t see any advantage or purpose for posting it there - they already directly notified by email all those even potentially affected.

Per the DH letter: “less than 0.15% of the total accounts that we host” were affected - hardly a “system wide” issue at this point. That number is far less than even a single server’s users.

Plus, given the clueless and generally dim-witted nature of the typical Status Blog Commenter, can you imagine the “panic” they could work themselves into (OMFG! All my sitez are Hax0red! OMG! I’m losing MONEY! OMG!) :wink:



The blogosphere certainly will :slight_smile: And rightfully so, IMHO. When a security hole is found in IE or Firefox that affects a trifling number of users it’s still huge news and fixes are very public. It seems Dreamhost trying to keep this quiet goes against their unofficial policy of being very open, a policy that I generally appreciate.

No I don’t think they’re doing it subversively hoping nobody will find out (obviously they will) but some sort of official statement would go a long way.



I don’t think DH is “trying to keep this quiet” as much as they are just not publicizing the incident. There have been several threads on these forums (which have not been censored in any way) as well as considerable discussion on IRC. Additionally, they had to realize that once they sent the letter, it would be “big news”. :wink:

I agree with you there! :wink: I suspect as the blogs and forums traffic cranks up they will respond more formally, as that generally seems to be their pattern.



Regardless, I’m glad you were able to get your issue resolved!



Two things here… “There have been several threads on these forums” and the claim “DreamHost know exactly which FTP accounts were compromised”.

I happen to have read scjessey’s post a couple of weeks ago and remember my concern level being upped when he added that much of his web work was custom (i.e., not a lot of known software exploit vectors). So I tried to pay attention to that thread for further info, but any signal was quickly drowned out by the noise of irrelevant topics.

Now, rlparker, you tell us there have been “several” threads on these forums around this topic? I don’t doubt you here, but could you be so kind as to point them out? You see, I thought there was something amiss here and started randomly checking my unimportant sites for file modifications every couple of days and checking the forums a bit more frequently on the lookout for additional threads of info on this topic. And now you tell me there were several. I missed them and want to know how I can better filter for such info the next time I’m on the lookout for a particular topic. Notice, I didn’t miss this thread because its title instantly made sense to me and I was already guessing the connection to scjessey’s earlier problem.

Speaking of which, scjessey, you’re confident that “DreamHost know exactly which FTP accounts were compromised”? Well, after reading the letter they’re sending out via the URL cited above, I just don’t have that confidence. Why are you so confident? It looks to me like DH took some time to get a clue and still don’t know/haven’t said how the accounts were compromised. I suppose folks would suggest that I just change my passwords if I’m concerned about it… but I’m lazy.

If your confidence is rooted in hard information and I have nothing to worry about (having not received such a letter), please throw me a bone of reassurance and I’ll rest easy. I don’t want any sneaky hackers getting even one extra hit from my admittedly untrafficked sites.
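The “checking my sites for file modifications” approach in the post above, as an added example that is not part of the thread: build a baseline of SHA-256 digests for a docroot, save it, and later compare a fresh scan against it so that appended content and dropped files show up even when nothing obvious is visible in the browser. The directory layout, file names and the “appended spam link” used in the demo are constructed for illustration.

```python
"""Baseline-and-compare file integrity check for a web docroot (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

SKIP_DIRS = {".git", ".svn", "logs", "cache"}  # assumed noisy directories to ignore


def sha256_file(path, chunk=65536):
    """Digest a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {sha256, size} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def save_manifest(manifest, path):
    # Keep the baseline OUTSIDE the docroot (and ideally off the host) so an
    # attacker who can write to the site cannot also rewrite the baseline.
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return (added, removed, modified); modified maps path -> size delta in bytes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(baseline) & set(current):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified[rel] = current[rel]["size"] - baseline[rel]["size"]
    return added, removed, modified


def report(baseline, current):
    """Human-readable lines; a positive size delta hints at appended content."""
    added, removed, modified = compare(baseline, current)
    lines = [f"ADDED    {rel}" for rel in added]
    lines += [f"REMOVED  {rel}" for rel in removed]
    for rel, delta in sorted(modified.items()):
        tag = f"grew by {delta:+d} bytes (content appended?)" if delta > 0 else f"{delta:+d} bytes"
        lines.append(f"MODIFIED {rel} {tag}")
    return lines


def demo():
    """Run the whole cycle on a constructed docroot in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "example.com"
        (site / "inc").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "inc" / "footer.php").write_text("<?php echo 'bye'; ?>\n")
        save_manifest(build_manifest(site), Path(tmp) / "baseline.json")

        # Constructed "compromise": a spam link appended to an existing page
        # and a new file dropped into the include directory.
        with open(site / "index.php", "a") as f:
            f.write('<a href="http://spam.invalid/">cheap pills</a>\n')
        (site / "inc" / "x.php").write_text("<?php /* dropped file */ ?>\n")

        return report(load_manifest(Path(tmp) / "baseline.json"), build_manifest(site))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it once right after a clean deploy to create the baseline, then from cron every few hours; any line in the report that you did not cause yourself is worth a look, and a string of files that all “grew by” the same number of bytes is the signature of an automated append.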




This should ABSOLUTELY be up at DreamhostStatus.com. Dreamhost simply cannot rely on the emails they have sent to customers. For starters, we know email is not 100% reliable and that spam filters can catch valid email. Second, we’re dealing with possibly compromised accounts here! Of the 3,500 usernames and passwords stolen, how many do you think were also valid for the user’s primary email account?

While there may be no evidence that email accounts have been hijacked, Dreamhost has repeatedly said that DreamhostStatus.com is where to find official information about dreamhost issues.


Anyone who uses the same username/password combination for their accounts as they do for FTP (passed insecurely in plain text) is really, really stupid. Accounts have not been compromised! It is an FTP issue.

DreamHost has (to my knowledge) been investigating this problem since May 24th at the latest, and they have been able to trace activity by looking at their FTP traffic logs. Presumably, this is how they have been able to determine which FTP username/password combos were compromised.

No harm has been done, except to DreamHost’s reputation. The exploitation, whatever it was, resulted in some very minor spamming. If nothing else, it has highlighted the importance of regularly changing passwords. Personally, I have begun using SFTP as part of my own efforts to improve security.



That may be the case - but are you going to tell me none of those 3,500 accounts used the same passwords or that Dreamhost has no responsibility to anyone stupid or lazy enough to use the same password?

It appears I wasn’t affected by this attack, but I still felt it necessary to change my passwords. I think all other dreamhost customers would be wise to do the same. If Dreamhost doesn’t know how the accounts were compromised, how can they say they know exactly WHICH accounts were? Perhaps the attacker is sitting on another batch of 3,500 accounts.

As a side note, can anyone think of any reason why Dreamhost wouldn’t offer me the ability to shut off FTP and Telnet access to my account? I always use SFTP/SSH to connect and do not want these insecure methods available. I would further appreciate the option of locking down access to my SSH account via an RSA key.


Really? So, is the one host that actually has a public status blog, the only host that should announce these things?

I have never seen a single host as open about things as Dreamhost. But I have seen hosts that announce nothing, hide everything and when they’re not doing that, they can be found policing & censoring their forums.

Personally, I’m happy to see they sent the info straight to the affected customers, rather than tell the rest of the world first and possibly cause more problems for those that host here.

You just can’t win. If they posted it there, then people would have been complaining that they didn’t keep it private to protect their customers and just contact them directly.

And if they did post it there, there would probably be geniuses in the comments section claiming they were hiding stuff by not posting the complete list of user names & passwords that were affected, so customers could conveniently stop by and check the list.

:stuck_out_tongue: Save up to $96 at Dreamhost with ALMOST97 promo code (I get $1).
Or save $97 with THEFULL97.


Checking back in and I see that scjessey has written again on this thread and started another(or two) but no explicit answer for me?

So, for those of you monitoring this thread and seeking advice, let me suggest that the implied answer here is to indeed change your passwords. Whether you got an email notice from DH or not. And as someone somewhere pointed out, there’s a very good argument for changing your mysql passwords too. In other words, your account may have been compromised WITHOUT file modification but any clear text password info may have been harvested (like in many config files with DB connect info).

As so many are taking the time to point out (and contributing nothing in my opinion since this shows up in every DH oops thread), cheap hosting has consequences.

Unless DH or someone with solid info comes forward, it seems changing all passwords (again, including mysql, svn, etc…) would be wise… if a little painful.
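A way to act on the “clear text password info in config files” point above, as an added example that is not part of the thread: walk the account, open only files whose names look like configuration, and match a few common assignment patterns (PHP `define()`, PHP variable assignment, INI/env `key=value`) so you get a list of where each DB/API credential lives and therefore what has to be rotated. It reports the key name, file, line and the secret’s length, never the secret itself. The file-name heuristic, the patterns and the sample files in the demo are assumptions for illustration; extend them for your own code base.

```python
"""Inventory clear-text credentials in a web account to know what to rotate (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Assumed heuristics: which file names are worth opening, and which keys look like secrets.
CONFIG_NAMES = re.compile(r"(config|settings|database|connect|\.env|\.ini)", re.I)
KEY_WORDS = re.compile(r"(pass(word|wd)?|secret|api_?key|token)", re.I)

PATTERNS = [
    # define('DB_PASSWORD', 'secret');
    re.compile(r"define\s*\(\s*['\"](?P<key>\w+)['\"]\s*,\s*['\"](?P<val>[^'\"]*)['\"]"),
    # $db_pass = 'secret';   or   $cfg['password'] = "secret";
    re.compile(r"\$(?P<key>[\w\[\]'\"]+)\s*=\s*['\"](?P<val>[^'\"]*)['\"]"),
    # password = secret   or   DB_PASSWORD=secret   (ini / env style)
    re.compile(r"^\s*(?P<key>[A-Za-z_][\w.]*)\s*=\s*['\"]?(?P<val>[^'\"\s#;]+)"),
]


def find_credentials(root):
    """Return [{file, line, key, length}] for every credential-looking assignment found."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", ".svn"}]
        for name in filenames:
            if not CONFIG_NAMES.search(name):
                continue
            path = Path(dirpath) / name
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                for pat in PATTERNS:
                    m = pat.search(line)
                    if m and m.group("val") and KEY_WORDS.search(m.group("key")):
                        hits.append({
                            "file": path.relative_to(root).as_posix(),
                            "line": lineno,
                            "key": m.group("key"),
                            "length": len(m.group("val")),  # length only, never the value
                        })
                        break
    return sorted(hits, key=lambda h: (h["file"], h["line"]))


def format_report(hits):
    return [f'{h["file"]}:{h["line"]}  {h["key"]}  ({h["length"]} chars)' for h in hits]


def demo():
    """Scan a constructed account layout in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "app").mkdir()
        (site / "wp-config.php").write_text(
            "<?php\ndefine('DB_NAME', 'blog');\ndefine('DB_USER', 'blog_u');\n"
            "define('DB_PASSWORD', 'hunter22');\n")
        (site / "app" / "config.php").write_text("<?php\n$db_user = 'app';\n$db_pass = 'p4ssw0rd';\n")
        (site / ".env").write_text("DB_HOST=localhost\nAPI_TOKEN=abcdef123456\n")
        # Not a config-looking name, so it is deliberately not scanned.
        (site / "index.php").write_text("<?php $password = 'ignored'; ?>\n")
        return find_credentials(site)


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

The list is the rotation checklist: each entry needs the matching MySQL (or other) password changed on the server side and the file updated, and once the secrets are rotated the old values in any backups or `.svn` copies of these files are the next thing to hunt down.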



I think it is up on the status board now.

Not explicitly stated as being related, but an upgrade without prior notice?

I can’t blame DH for not putting out a lot of info.

Should they have put out on the panel:

Severity: Low
Our site is not secure…

Update: We now know it is related to WebFTP. We are evaluating the exact problem and will post more info as it becomes available.

Update2: We have identified a fix and are scheduling an upgrade for 2 AM Saturday night.

On a serious note, as soon as the fix is in, I am changing all of my passwords. All should consider doing the same, even if they are already changed.

And if it is related, I would appreciate DH letting us all know when the vulnerability is (believed) closed.



Good Points, jt! As for your request:

Well, “several” may have been the wrong word to use; it certainly seemed like several to me, with as many posts as there were in the following two threads:

All my sites are hacked
Files Appended

There was another, but I don’t think it was related to this. I’m probably also guilty of thinking it was discussed more here as a result of me seeing so much of it on the IRC channel :wink:

I apologize if “several” was misleading; my point was that DH had not made an effort to keep anything secret about it.



This is something that’s supposed to be done on a regular basis anyway–even when there aren’t problems.



It’s always humorous to me to see responses to people who criticize Dreamhost. Me pointing out that DH should post a notice on the Status blog because it’s wise for ALL users to change their passwords was not a direct attack on Dreamhost. I was not telling everyone to go get a new host. I was simply pointing out what I believed to be in error in their handling of this incident.

Yet all I get is “only stupid people do x.” “You should be doing that on a regular basis anyway”, etc. I wasn’t aware this was a fan forum…


It’s always humorous to me to see responses to people who disagree with people who criticize Dreamhost.

Does that sentence sound as stupid when the other side uses it? Big shocker that someone might disagree with you on a forum full of people that pay to be here.

And if you paid attention, you’d probably notice that if someone posted that Dreamhost is 100% perfect, they’d get called out for it as well.

The best thing they could have done is directly notify the people that were affected before announcing anything.

What part of that is so hard to understand?

Yeah, it’s a fan site. Any site that promotes common sense is clearly a fan site.

You SHOULD be changing your passwords on a regular basis anyway, regardless of whether or not there’s a problem. You SHOULDN’T use the same PW for everything. These very simple facts existed long before Dreamhost.

I guess if you haven’t had a car stolen yet, you don’t know that it’s a bad idea to leave the doors open and the key in the ignition when you park it, right?



Moving on…

As I and others suspected, Dreamhost has failed to notify at least 1 customer that their account was compromised. So maybe you guys can now concede that a status message/email to all customers asking them to change their passwords is in order?