Sites hacked
03-04-2012, 07:18 AM
Post: #191
RE: Sites hacked
(03-04-2012 06:40 AM)bobocat Wrote:  There are legitimate reasons to turn it off. It's not enabled by default.

You think your logs are going to have a message saying 'here's the hack'? No, it takes a bit of work:
http://discussion.dreamhost.com/thread-134256.html

Ok, you're on your own. Have fun.

I don't mind doing things for myself, the whole idea of forums is so the community can learn, so why not post how to get at the log, then post example of a log, explain the kind of activity that can tell you.

DH already sent me a security log showing IP addresses and countries.

It seems from that discussion that many people feel that sites are being hacked as a result of the recent screw up where DH allowed access to a list of usernames. They changed all the usernames and yet like others on here only my Dreamhost sites were hacked. Considering how many I have I would have expected more.

I would have hoped that DH would recognise hacks across its platform and advise users what they suspect was the issue.

For example Hostmonster recently emailed me about a Wordpress theme that was installed on a site (not as active) that still had the old TimThumb.

Instead I got thousands of lines of suggestions about old dev sites that were out of date. Any decent information within that report is lost.
03-04-2012, 07:25 AM
Post: #192
RE: Sites hacked
(03-04-2012 06:57 AM)lluisgerard Wrote:  I'm sorry dreamhost but you have a problem.

I have a very large list of friends and relationships that use web servers around the globe (mainly spanish and US servers). In the last two weeks I've seen some websites were hacked and the only ones are those that are hosted in dreamhost. I even went to a website and found it was hacked, I did a whois to find out it's listed in dreamhost DNS (dreamhost is aware of this one)...

So I'm sorry, something is happening here, maybe a php server configuration, maybe it's only happening to old users that have something different in their configs, I don't know but what I do know is that the only ones hacked are the ones hosted in dreamhost. Maybe they are simply just attacking dreamhost servers. Again, over hundreds of sites only DH.
lluisgerard,

You may be right for this hack, since it was well published that dream host had allowed uninstalled themes with old timthumb plugin to be downloaded by an easy installation process. The issue is really about whether dreamhost is doing something different than your other servers you know about. I'm convinced the answer is NO. In fact, this points out issues with web software distribution and web site management. Before this happened did you think that uninstalled Wordpress themes could hack your site? I didn't. Or how about that old copy of wordpress you left on your site as a backup so if the new install went bad, you could go back, who knew that that could be a target. Or how about directories with world write permissions become loaded guns where php files can be downloaded and run?

While dreamhost may have a problem today, this is the new cutting edge of how we all have to be web masters and pay attention, the same vulnerabilities are present in everyone else's sites, they just haven't been exploited like DH has in the last few weeks. The timthumb hack was published last summer; it bites us more than six months later.

Two issues for Dreamhost, they have been around a LONG time in hosting which means that they have used 'options' like new people have enhanced security on by default, but us old timers had to turn it on because DH didn't want to break our websites. The second issue is whether DH has responsibility for policing what WE put on our websites and how we run them. In the past, DH was like a utility, they gave you the space to do whatever you wanted. Now many are asking that they inventory our websites and tell us when we are being unsafe or out of date. This would be a new role; for some maybe a little too big authoritarian?

For Wordpress users, I've written blogs on hardening your dream host account and wordpress installation on http://www.repairitblog.org.

-Bill
03-04-2012, 07:25 AM
Post: #193
RE: Sites hacked
(03-04-2012 06:57 AM)lluisgerard Wrote:  I'm sorry dreamhost but you have a problem.

I have a very large list of friends and relationships that use web servers around the globe (mainly spanish and US servers). In the last two weeks I've seen some websites were hacked and the only ones are those that are hosted in dreamhost. I even went to a website and found it was hacked, I did a whois to find out it's listed in dreamhost DNS (dreamhost is aware of this one)...

So I'm sorry, something is happening here, maybe a php server configuration, maybe it's only happening to old users that have something different in their configs, I don't know but what I do know is that the only ones hacked are the ones hosted in dreamhost. Maybe they are simply just attacking dreamhost servers. Again, over hundreds of sites only DH.

I have the same experience, I have over 450 domains, around 70 are hosted on Dreamhost, ONLY sites on Dreamhost were hacked. Each site is installed under a different username with a 12-character complex password. One site was only installed a week ago so it is not a case of old passwords or configs, the site was a dev site and not even connected to search engines.

It is as if they are sucking all the traffic from DH and looking for credentials, I am moving to SFTP now but I can't use that for all sites as some of them need FTP.

DH need to figure this out and it is only by analysing the sites hacked by different clients that they are going to figure this out.
03-04-2012, 07:27 AM
Post: #194
RE: Sites hacked
(03-04-2012 07:18 AM)Zappos Wrote:  I don't mind doing things for myself, the whole idea of forums is so the community can learn, so why not post how to get at the log, then post example of a log, explain the kind of activity that can tell you.

Send me your logs and let me see what I can find!
03-04-2012, 07:31 AM
Post: #195
RE: Sites hacked
(03-04-2012 07:25 AM)kelly7552 Wrote:  lluisgerard,

You may be right for this hack, since it was well published that dream host had allowed uninstalled themes with old timthumb plugin to be downloaded by an easy installation process. The issue is really about whether dreamhost is doing something different than your other servers you know about. I'm convinced the answer is NO. In fact, this points out issues with web software distribution and web site management. Before this happened did you think that uninstalled Wordpress themes could hack your site? I didn't. Or how about that old copy of wordpress you left on your site as a backup so if the new install went bad, you could go back, who knew that that could be a target. Or how about directories with world write permissions become loaded guns where php files can be downloaded and run?

While dreamhost may have a problem today, this is the new cutting edge of how we all have to be web masters and pay attention, the same vulnerabilities are present in everyone else's sites, they just haven't been exploited like DH has in the last few weeks. The timthumb hack was published last summer; it bites us more than six months later.

Two issues for Dreamhost, they have been around a LONG time in hosting which means that they have used 'options' like new people have enhanced security on by default, but us old timers had to turn it on because DH didn't want to break our websites. The second issue is whether DH has responsibility for policing what WE put on our websites and how we run them. In the past, DH was like a utility, they gave you the space to do whatever you wanted. Now many are asking that they inventory our websites and tell us when we are being unsafe or out of date. This would be a new role; for some maybe a little too big authoritarian?

For Wordpress users, I've written blogs on hardening your dream host account and wordpress installation on http://www.repairitblog.org.

-Bill

If Dreamhost has permissions set that allow uninstalled themes to be accessible then Dreamhost is at fault.

If Dreamhost does not scan its servers and send out emails saying we disabled this timthumb file because it makes you vulnerable, then they are at fault (Hostmonster and Hostgator do).

Dreamhost has a "duty of care" to protect us from ourselves because any user may inadvertently install a theme. It is bad enough that Dh installs 50 by default if you do not untick things on one click.
03-04-2012, 07:39 AM
Post: #196
RE: Sites hacked
(03-04-2012 07:31 AM)Zappos Wrote:  If Dreamhost has permissions set that allow uninstalled themes to be accessible then Dreamhost is at fault.

If Dreamhost does not scan its servers and send out emails saying we disabled this timthumb file because it makes you vulnerable, then they are at fault (Hostmonster and Hostgator do).

Dreamhost has a "duty of care" to protect us from ourselves because any user may inadvertently install a theme. It is bad enough that Dh installs 50 by default if you do not untick things on one click.

Zappos,

Dreamhost probably assumed that when you download 200 wordpress themes, you'd select one and clean up. They thought they were doing a service. DH didn't create Wordpress software, your issue is with Wordpress. I've already sent in my suggestion that they clean this up. Go to wordpress.org's forum and voice your complaint. There is a disconnect between wordpress mods and the people who actually use Wordpress; one of the mods replied to me that "getting hacked is like having the common cold, an irritation you need to deal with". I'm pretty sure that when I started to use WP I didn't expect that I'd have to be nimble enough to know the details of how to clean up a messed website.

-Bill
03-04-2012, 07:50 AM
Post: #197
RE: Sites hacked
(03-04-2012 07:25 AM)kelly7552 Wrote:  The issue is really about whether dreamhost is doing something different than your other servers you know about. I'm convinced the answer is NO.

Ok, I don't want to blame DH, I just want to say "heads up dreamhost". Asking my friends about this problem, and finding that the only ones attacked are in DH, make my friends out of it think that they are happy of not being in DH. So it's hurting DH brand.

Maybe I'm missing something, but I don't leave unused themes on my wp installations, I don't know how they hacked my sites or my friends' sites, does anybody REALLY know how they make it? I never had any timthumb plug/theme installed or on my themes directory.
03-04-2012, 08:11 AM
Post: #198
RE: Sites hacked
(02-20-2012 02:55 PM)jbnla Wrote:  I'm seeing a lot of these hacks on Dreamhost sites right now, and I'd like someone to look into this being a system wide issue. I used Google Webmaster Tools to look at the sites linking to mine after the hack, and ALL were Dreamhost sites, most look like blogs. My DB is trashed, I have to backup from November as the auto-restore function in the Panels crap. Super frustrated here, this needs to be fixed.

THIS. My sites have been hacked twice now. I've changed passwords, deleted entire sites and started over (which was not fun with my 3+ year old blog, I lost all my media on the posts)... Nothing seems to be working because they get in. First my WordPress site is hacked, and then my other ones, which don't have anything other than HTML/CSS on them.

DreamHost needs to take care of this, or I'm switching hosts.
03-04-2012, 08:11 AM (This post was last modified: 03-04-2012 08:17 AM by kelly7552.)
Post: #199
RE: Sites hacked
(03-04-2012 07:50 AM)lluisgerard Wrote:  Maybe I'm missing something, but I don't leave unused themes on my wp installations, I don't know how they hacked my sites or my friends' sites, does anybody REALLY know how they make it? I never had any timthumb plug/theme installed or on my themes directory.

I'd love you to send me access and error logs from around and before you suspected the hack.

I don't know exactly how your specific hack happened, but since mid-January, I've been writing an access log processor, so I've paid close attention to what's happening on my 8 DH websites, here are things I've seen lately:

* I've had 10-12 instances of login cracking where someone took 1400 attempts at logging in
* every day and night people are probing wp-signup and wp-login?register
* rarely do I have a day where someone doesn't take 5-10 shots at logging in
* in the past three weeks I've seen about 20 instances of a script that looks for timthumb on about 50 themes over a few seconds
* a script called muieblackcat looks for phpmyadmin weaknesses
* trolls are looking for allwebmenus and ip-logger wordpress plugins presumably because they have been compromised
* LOTS and LOTS of HTTP HEAD requests, I can only conclude that these are being used to scout out the website (I've currently banned 72 IP addresses in the last 30 days for issuing HEAD commands)
* people looking for other packages I don't have installed like phpbb
* trolls looking for crossdomain.xml
* trolls looking for xmlrpc.php for wordpress and /wp-content/wlwmanifest.xml, I assume to assess your version of wordpress
* someone looking for /cgi-bin/cvename
* I've banned six IP addresses for trying to go up directory '/../' with an http command
* 8 IP addresses tried to insert =http at the end of a php command, testing it for weakness, including a really obscure plugin I got from a friend
* I've had a few attempts at adding base64_encode to a php command and inserting php

I can't remember anything else but I'm sure that it's happened.

I have an IP log analyzer at repairitblog.org that's downloadable (see dream host tools), it's especially good if you're a wordpress site.

My websites are pretty damned obscure, so it's not like I've advertised myself, many are just family blogs, or work I do for non-profits.

-Bill
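
Added example (not part of the post above, and not the log analyzer from repairitblog.org): a small Python triage pass over Apache combined-format access logs that flags, per source IP, several of the request patterns listed in post #199. The rule names, the login threshold and the sample log lines are assumptions made up for illustration; it counts per IP without time windows.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" format: ip - - [time] "METHOD path PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3}')

RULES = {  # per-request signatures; rule names are made up for this example
    "timthumb_probe": re.compile(r"timthumb\.php", re.I),
    "muieblackcat": re.compile(r"muieblackcat", re.I),
    "dir_traversal": re.compile(r"/\.\./"),
    "remote_include": re.compile(r"=(?:https?|ftp)://", re.I),
    "base64_in_request": re.compile(r"base64_(?:en|de)code", re.I),
    "wp_fingerprint": re.compile(r"xmlrpc\.php|wlwmanifest\.xml", re.I),
}

def analyze(lines, login_threshold=5):  # threshold is an assumption
    """Return {ip: set of finding names} for access-log lines."""
    findings, login_posts = defaultdict(set), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, path = m.group(1), m.group(2), unquote(m.group(3))
        if method == "HEAD":
            findings[ip].add("head_request")
        if method == "POST" and "wp-login.php" in path:
            login_posts[ip] += 1  # counted per IP, flagged after the loop
        for name, rx in RULES.items():
            if rx.search(path):  # path is URL-decoded, so %2e%2e is caught
                findings[ip].add(name)
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].add("login_bruteforce")
    return dict(findings)

def _line(ip, method, path):
    return f'{ip} - - [04/Mar/2012:07:00:00 -0800] "{method} {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [_line("198.51.100.7", "POST", "/wp-login.php")] * 6 + [
    _line("203.0.113.9", "GET", "/wp-content/themes/demo/timthumb.php?src=x.png"),
    _line("203.0.113.9", "HEAD", "/"),
    _line("192.0.2.44", "GET", "/index.php?page=http://example.invalid/x.txt"),
    _line("192.0.2.44", "GET", "/a/%2e%2e/%2e%2e/etc/passwd"),
    _line("192.0.2.80", "GET", "/about/"),
]

if __name__ == "__main__":
    print({ip: sorted(f) for ip, f in analyze(SAMPLE).items()})
```

To run it on a real log, pass an open file object to `analyze()`; a HEAD request on its own is a weak signal and is best read alongside the other findings for the same IP.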
03-04-2012, 08:14 AM
Post: #200
RE: Sites hacked
Any thoughts on the MySQL database information_schema which seems to have been affected in one of my accounts?

See here: http://pastebin.com/wKkNk7n6

What is the information_schema DB? Can I just swap it out with another version? Is it modified by themes?