Terminated after 5 loyal years


#1

So last Friday I woke up to find an alarming email from support:

----------snip------------
Hello,

Your Dreamhost account has been terminated for illegal activity.

Thanks!
Robert R
----------snip------------

So I inquire and get a reply:

----------snip------------
Hello,

[quote]Please tell me exactly what is going on; I am not aware of any illegal
activity. It’s an irresponsible company policy to abruptly terminate
accounts without warning or informing the customer of what the problem is. I
have been a customer for several years and have recommended your service to
several friends in the past but this kind of experience completely and
immediately negates all positive sentiment for your service.

[/quote]

Your shell account was identified running attack processes against remote
servers, as well as sending a large number of spam emails
through the server. The severity of the attack did not allow us time to
discuss this matter with you, as you were actively attacking and spamming
remote systems.

Reviewing the authentication logs identified the only person to log into
the shell account plh to have come from the same IP you have routinely
accessed your panel from.
----------snip------------

I’m by no means a security expert but I know there are ways to use someone else’s account and make it look as if it were the owner. For example, a man-in-the-middle attack, where a third party intercepts your communications with the server, pretending to each side to be the other.

Whatever the case, I think any evidence should be taken in context, the most relevant context being that since 2005 I’ve used this account to host my personal blog on a very personally identifiable domain (phil.harton.org). I have no history of violations (I’ve basically used it for Wordpress all these years), and they think one day I suddenly decided to use my own account with my full name written all over it to attack machines and send spam?

I brought this to the support technician’s attention only to receive the following:

----------snip------------
I’m sorry, but your account will remain disabled. We are not interested
in the major risks involved with providing you (or the person who may
have compromised your account) access on our servers.
----------snip------------

Now I need to find a new host, transfer the domains that I registered through DH, and I’m out 9 remaining months of hosting money that I had prepaid. Thanks Dreamhost.

So there are 2 lessons here:

  1. If you get hacked, no matter how good a customer you’ve been, DH does not have your back.
  2. Assuming you use SSH and SFTP, verify that the host key you’re shown the first time you connect matches the server’s host key. I’m pretty sure like nobody does this, and I think this is what got me pwned.
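
The host-key check recommended in lesson 2, as an added example that is not part of the original post or of any hosting provider’s tooling: it recomputes the SHA256 fingerprint that OpenSSH prints from a known_hosts entry and compares it to a fingerprint obtained out of band (for example from the provider’s control panel), so a first-time prompt or a “host key has changed” warning can be checked instead of accepted blindly. The host name, key bytes and published fingerprint below are constructed for the example.

```python
"""Compare an SSH host key fingerprint with one obtained out of band.

OpenSSH displays SHA256:<base64 without '=' padding> of the raw public-key
blob.  This recomputes that value from a known_hosts line so it can be
compared with the fingerprint the provider publishes.  Sample key below is
constructed for this example and is not any real server's key.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint of a public-key blob (base64, padding stripped)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> tuple:
    """Return (host pattern, key type, raw key blob) for one known_hosts entry."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The blob's first SSH string must name the same algorithm as the text field.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type field does not match key blob")
    return host, key_type, blob


def host_key_matches(line: str, expected_fp: str) -> bool:
    """True if the entry's key has the fingerprint obtained out of band."""
    _, _, blob = parse_known_hosts_line(line)
    return fingerprint(blob) == expected_fp.strip()


# Constructed ed25519 public key (32 arbitrary bytes) in SSH wire format.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "example.invalid ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
# Stand-in for the fingerprint a provider would publish for that host (constructed).
PUBLISHED_FP = fingerprint(SAMPLE_BLOB)
# A different key offered for the same host, as in a "host key has changed" warning.
CHANGED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
CHANGED_LINE = "example.invalid ssh-ed25519 " + base64.b64encode(CHANGED_BLOB).decode()

if __name__ == "__main__":
    print("published:", PUBLISHED_FP)
    print("first-time key matches:", host_key_matches(SAMPLE_LINE, PUBLISHED_FP))
    print("changed key matches:", host_key_matches(CHANGED_LINE, PUBLISHED_FP))
```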

#2

  1. Certainly it’s a business decision they made after weighing the risks. They don’t feel it’s worth having a high-risk customer. In your case, the hack was very severe. Lower-damage hacks don’t get terminated.

  2. Many customers post after getting a key change warning because it’s disconcerting. If you get one of these warnings, it’s cause for concern.

This is certainly unfortunate for them to lose a loyal customer, but that’s their decision.

-Scott


#3

Thanks for your thoughts, Scott. I do take notice when I see key change warnings and actually wrote to support about one a year ago. This time I didn’t see a key change, but it may have coincided with an OS reinstall on my machine and thus a first-time key transfer.

I just found this in my inbox in reply to my request for a refund:

----------snip----------
We do not give refunds for accounts that are disabled for ToS violations.

The evidence that the “attacker” had both access to your panel and your
shell accounts unfortunately points out it’s likely the attacks were
commenced by yourself, or someone you gave access to your entire account.
----------snip----------

It seems they still think I was the one who did this :expressionless:


#4

Probably not you, but what’s stopping it from happening again? Again, business decision that you’re not worth the risk. It’d sure be interesting to find out how the account was compromised, though.

-Scott


#5

I’d think that MITM or whatever was used here to hack a personal hosting account and make it look like the owner is script kiddie caliber and not uncommon.

The issue now is not about risk; it is that DH still thinks I knowingly violated ToS and thus won’t refund my money.


#6

In over ten years of hosting, we have never seen a confirmed MitM attack on any of our users. Moreover, as the malicious activity we observed all originated from the same IP you had previously used several times to log in to the panel, it would have had to have been from a person who was sharing your network connection.


#7

Man in the Middle is more often just used for sniffing/eavesdropping the connection. If I were to guess, I’d say that your home machine was compromised, giving the attacker the keys to your kingdom.

-Scott


#8

Thanks Andrew, I appreciate your paying attention to my post and taking the time to respond :]

So yeah, most of what I know about security is from taking CS451 years ago, so I’m clearly no expert, but I doubt it would be difficult to make it look like I used my account to do bad things.

Access logs aside, let’s look at this from the common sense perspective and examine the motives of the parties involved:

Me: “I’ve hosted my blog on DH under a domain that is in fact my real name since 2005. This website is a major part of my online and professional identity (first hit when you Google my name). Clearly it is in my best interest to protect it, thus I’d never use it nefariously or give anyone else access to it.”

Attacker: “When I launch attacks, I always use other people’s accounts and do what I can to make it hard to trace the activity back to me. If I can make it look like the account owner’s actions, all the better, because the investigation will likely stop there. But whatever; I just downloaded and ran a script and I don’t even know how exactly it works.”

Support technician: “After briefly scanning this access log, the IPs clearly point to the customer. And it’s a lot easier for me to click a button terminating his account than to investigate further or to start the process of giving him a refund.”


#9

Good call, though I’m running the latest OSX and have never had a machine compromised in my life having run Windows, Mac, and Linux at different points.

My machine seems normal but it absolutely makes sense to research this and I appreciate the tip. If you have any pointers on Mac security pitfalls, good products to use, or anything else, I’d love to hear them! Thanks!


#10

Someone had access to your username and password. And your home IP address. You could start combing the logs on your own system. If you got some timestamps from DreamHost on when the activities occurred, see if anything coincides.

How tight is your firewall? Does your router let anything in? Do you have any firewall openings for services such as SSH on your Mac? Do you have a wireless network at home?

-Scott


#11

Thanks for the starting points, Scott. It seems more plausible that they got onto my DH account first and simply pulled my home (or otherwise most prominent) IP from access logs than to get onto my laptop first and somehow get my DH login, but I’ll take this as an opportunity to do a security audit nonetheless.

So there’s a happy ending here: I said that unless I saw a refund in 3 days, I would contact my credit card company and the BBB of LA (see DH’s profile here: http://www.la.bbb.org/Business-Report/New-Dream-Network-LLC-13131294). This morning I received a reply saying they went ahead and processed the refund for my remaining 9 months :]


#12

That’s a more decent way to sever a business relationship.

As far as I know, one can’t initiate an SSH session while faking an IP address.

-Scott


#13

[quote]As far as I know, one can’t initiate an SSH session while faking an IP address.

[/quote]

Indeed, you can’t. Holding a TCP session open at all with a spoofed IP is difficult enough; doing anything as interactive as SSH is completely impossible.


#14

Who knew they delete civil posts, quietly without even marking them? Now I know that too.

Terminations without notice, because of dreamhost’s mistakes, happen more than you know.


#15

Hi, 2 days back one of my 9 sites had a problem and they disabled my entire account instead of blocking that problematic domain. They are not even answering the support messages. How to overcome this?

kamal


#16

Hi Kamal, sorry to hear about your situation. When DH terminated my account they responded to my messages within 2 days at most.

You have rights as a customer and your credit card company will help you. You can also contact the Better Business Bureau of Los Angeles (where DH is headquartered) which will contact DH on your behalf. DH almost always replies to them (see profile here: http://www.la.bbb.org/Business-Report/New-Dream-Network-LLC-13131294).

If I were you, I would send one more support request and mention that you will contact these organizations if you don’t hear back. This got immediate action from DH when I did it. Good luck!


#17

Did you get your files back? Did you manage to get your sites up and running again?

No matter what, it is really sad to see a relationship ending like this after so much time :S


#18

Good question. I guess it wouldn’t hurt to ask if they can give me a DB dump of my 5 years of blogging. I’ll post when they reply.

I’ve since signed up with another VPS host that I’m quite happy with but it’s probably not appropriate to name competitors on DH’s own forum ;]


#19

Here’s the unsurprising reply:

“Sorry, we will not be providing you backups of your data or any further access to our servers. You will need to rely on any local backups which you should have kept.”