Feed Sign in with OpenID OpenID

Simon Willison’s Weblog

Massive Dreamhost hack, WordPress not to blame

On mezzoblue, Dave Shea reports that someone had modified every index.php and index.html file on his site to include spam links at the bottom of the page, hidden inside a <u style="display: none;">. Dozens of other people in his comments reported the same thing happening to their sites.

At first, it looked like the common thread was WordPress hosted on Dreamhost. Initial commenters were all running WordPress (Dave has it installed for other domains on his hosting account even though he doesn’t use it for mezzoblue itself) and there was a vulnerability in WordPress 2.0.7 which was fixed back in January but would still affect people who hadn’t yet upgraded. I posted a link suggesting that WordPress users in particular should check their sites.

I apologise to the WordPress team for even suggesting that their product had something to do with this. Here’s an e-mail Dreamhost sent out to some of their customers last night:

We have detected what appears to be the exploit of a number of accounts belonging to DreamHost customers, and it appears that your account was one of those affected.

We’re still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed - less than 0.15% of the total accounts that we host—actually had any changes made to them. Most accounts were untouched.

Scary stuff.

Posted 6th June 2007 at 9:38 am

This is Massive Dreamhost hack, WordPress not to blame by Simon Willison, posted on 6th June 2007.

Tagged , , ,

View blog reactions

Next: Doing Local Right

Previous: oxfordgeeks.net

13 comments

  1. I'm glad to hear that Andy Hagans (who also hosts with dreamhost) was not alone. I'm shocked that something like this happened this day and age.

    Frederick Townes - 6th June 2007 14:01 - #

  2. Makes me glad I dumped Dreamhost last year. The straw can only break the camel's back so many times...

    Jeff J. Snider - 6th June 2007 14:38 - #

  4. Not to sound like I'm defending Dreamhost, but what was the cause of a few people on Media Temple experiencing similar spammy intrustions?

    I'm genuinely curious, because I'm wondering if that means MT's accounts were also compromised, albeit on a smaller scale.

    Nathan Smith - 6th June 2007 17:44 - #

  5. I don't think you should feel too bad about suggestion WP users look at their installs -- anyone running something older than WP2.2 has a blog app with a number of serious vulnerabilities.

    WP has an increasingly depressing security track record, and the WP team should expect this kind of suspicion until they start addressing some fundamental issues with their architecture.

    Ed Finkler - 6th June 2007 20:04 - #

  6. Thanks for clearing that up.

    Matt - 6th June 2007 22:01 - #

  7. "Not to sound like I'm defending Dreamhost, but what was the cause of a few people on Media Temple experiencing similar spammy intrustions?"

    This is definitely not the case. If you are referring to this issue (http://tinyurl.com/yt5uls) the problem experienced may have had similar symptoms but it was due to a script that he found later that somehow ended up on his server. It is unclear from the forum thread if the guy ever found out how the PHPProxy script got up there, but I'm willing to bet it was some part of one of his scripts that caused this. The other sites that had these "hidden divs" probably had a similar script that had free reign over website files to some extent.

    Additionally, every hosting company's internal systems and hosting platforms are really unique to their respective proprietors. Web Host A and Web Host B may even both use the same software in some respects, but the needs of web hosting management varies from one company to another, which really ends up making each configuration quite unique.

    My point is that the chances of an exploit coming in at the level of a hosting company's management software are lower than scripts that have been placed onto the server by the user which may or may not be secure. Furthermore on that, if there is in fact an exploit in one company's management software, the chances of the same exact exploit being applicable to another company's management software is quite low, if not impossible altogether.

    sev - 7th June 2007 01:55 - #

  8. I fu*king hate dreamhost. I hope the company goes down the gutter. Sure you get lots of space and traffic and van host unlimited domains, BUT every motherfu*king month there is a problem and scorchingly slow speeds! Dreamhost always makes me look like an idiot to my customers! AND For your information, I did NOT get any email from dreamhost about the hackers, yet every one of my domains was hacked and was showing porn to my customers, many of my domains had a lethal trojan that is a keylogger! Kaspersky antivirus picked it up! Dreamhost REALLY knows this is a massive screw up and now they are covering it up like cowards. I switched over to Upscaled/StartLogic today. And thank god because they also provide FREE SSL and real secure web interface, unlike dreamhost. Whoever is reading this, Let me tell you, when Dreamhost says only a few accounts were affected it is a LIE. I emailed dreamhost about the problem on June 1, when my anti-virus picked up the keylogger on my system. Dremahost did not give a sh*t! I still have not received any response from them!!! The keylogger is impossible to take off the system, i had to use Spybot, Adaware, Kaspersky and TrendMicro Housecall and finally succeeded!! I AM SURE many of you have the keylogger on your system also without you knowing!!!!!!! So to all of you that are saying that even after you change your ftp password your are still being hacked that is why! But let me tell you, whoever made this keylogger has skills because it is almost impossible to detect. And if you used your credit card anytime after having the keylogger on your system, kiss your credit card goodbye, they use it to buy foreign exchange funds from this site easy-forex .com, mine was charged $1900! And to add to the pain, I had to call this piece of shit company in Cyprus to even find out who the hell they were. A suspicious Russian picked up and told me they are easy-forex .com. I am so screwed because my bank told me it takes 30 days to investigate fraud, now I have $1900 tied up in a piece of shit foreign country that I didn't even know existed! I used to like going to the dreamhost homepage and seeing those goofy fu*ks partying, used to make me think that the dreamhost guys were fun light-hearted guys, but now every time I see that page it makes me want to kill those greedy stupid monkey crack babies!!!!! All of you should swith over from dreamhost! and don't use the excuse that you don't know where to host your account. Use Upscaled/StartLogic like I did. It's only $6 and you can host mutiple accounts with free SSL!!! Cheaper than dreamhost and more features with less misery!

    Nick - 8th June 2007 17:41 - #

  9. What is the actual relationship of "FTP accounts" to "Hosting accounts" or "domain names"?

    Is one FTP account one of many for a client, or does it mean that 3500 clients were comprimised?

    Ray - 8th June 2007 18:50 - #

  10. I wonder how long this evil 3rd party has been doing this, and how many places it has done it to.

    Devon - 9th June 2007 20:52 - #

  11. It is unclear from the forum thread if the guy ever found out how the PHPProxy
    script got up there, but I'm willing to bet it was some part of one of his scripts
    that caused this. http://www.erdogduemlak.com

    tercüme - 28th June 2007 20:49 - #

  12. Scary stuff. Good job clearing up the smoke though.

    Douglas Jarquin - 9th August 2007 21:15 - #

  13. It appears to have happened again. All the index.* on multiple domains I host with Dreamhost were modified on Oct 10, 2007 at 00:57 BST. A snippet of javascript was added to the bottom of all of them, which included a url-encoded chunk of HTML, which itself was an IFRAME linked to a counter.php file hosted on a server in Russia... Lovely

    anon - 25th October 2007 17:13 - #

Comments are closed.
A django site