So last Friday I woke up to find an alarming email from support:
Your Dreamhost account has been terminated for illegal activity.
So I inquire and get a reply:
Your shell account was identified running attack processes against remote
servers, as well as running and sending a large number of spam emails
through the server. The severity of the attack did not allow us time to
discuss this matter with you, as you were actively attacking and spamming.
Reviewing the authentication logs identified the only person to log into
the shell account plh to have come from the same IP you have routinely
accessed your panel from.
I'm by no means a security expert, but I know there are ways to use someone else's account and make it look as if it were the owner. For example, in a man-in-the-middle attack a third party intercepts your communications with the server, pretending to each side to be the other.
Whatever the case, I think any evidence should be taken in context, and the most relevant context is that since 2005 I've used this account to host my personal blog on a very personally identifiable domain (phil.harton.org). I have no history of violations (I've basically used it for WordPress all these years), and they think one day I suddenly decided to use my own account, with my full name written all over it, to attack machines and send spam?
I brought this to the support technician's attention only to receive the following:
I'm sorry, but your account will remain disabled. We are not interested
in the major risks involved with providing you (or the person who may
have compromised your account) access on our servers.
Now I need to find a new host, transfer the domains that I registered through DH, and I'm out 9 remaining months of hosting money that I had prepaid. Thanks, Dreamhost.
So there are 2 lessons here:
1) If you get hacked, no matter how good a customer you've been, DH does not have your back.
2) Assuming you use SSH and SFTP, verify that the host key fingerprint you're shown the first time you connect matches the server's actual host key. I'm pretty sure almost nobody does this, and I think this is what got me pwned.
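The check in lesson 2 comes down to comparing the fingerprint your client shows with one you got out of band from the host. As an added example (not code from the original post), here is that comparison done in plain Python: it recomputes the SHA256 fingerprint OpenSSH prints (and `ssh-keygen -lf` prints) from a known_hosts-style line and compares it with the expected value. The host name and the 32-byte key are constructed so the example runs offline.

```python
# Added example, not part of the original post. Recompute an OpenSSH host-key
# fingerprint from a known_hosts-style line (the format `ssh-keyscan host` prints)
# and compare it with a fingerprint obtained out of band from the server's admin.
# Standard library only; the sample key below is constructed, not a real host key.
import base64
import hashlib
import struct


def build_openssh_line(host: str, key_type: str, raw_key: bytes) -> str:
    """Build a known_hosts-style line from a raw public key.

    Constructed here only so the example runs offline; in practice the line comes
    from `ssh-keyscan host` or from the server's /etc/ssh/ssh_host_*_key.pub.
    The blob is the SSH wire format: length-prefixed algorithm name, then the key.
    """
    blob = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


def fingerprint(line: str) -> str:
    """Return the fingerprint OpenSSH shows at the first-connection prompt:
    'SHA256:' + base64 of sha256 over the decoded key blob, padding stripped."""
    _host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    # The algorithm name embedded in the blob must match the label on the line;
    # a mismatch means the line was edited or mangled.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode() != key_type:
        raise ValueError("key type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True only if the key on `line` has the fingerprint you were given out of band."""
    return fingerprint(line) == expected_fingerprint


if __name__ == "__main__":
    # Constructed 32-byte Ed25519 public key; nothing secret about it.
    sample = build_openssh_line("example.invalid", "ssh-ed25519", bytes(range(32)))
    print(sample)
    print(fingerprint(sample))
```

Only after `host_key_matches` returns True for the value the admin gave you should the line be added to `~/.ssh/known_hosts`; a client that stores the key unverified is what makes the first connection the weak point.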