Simon Willison’s Weblog

Massive Dreamhost hack, WordPress not to blame

6th June 2007

On mezzoblue, Dave Shea reports that someone had modified every index.php and index.html file on his site to include spam links at the bottom of the page, hidden inside a <u style="display: none;">. Dozens of other people in his comments reported the same thing happening to their sites.

At first, it looked like the common thread was WordPress hosted on Dreamhost. Initial commenters were all running WordPress (Dave has it installed for other domains on his hosting account even though he doesn’t use it for mezzoblue itself) and there was a vulnerability in WordPress 2.0.7 which was fixed back in January but would still affect people who hadn’t yet upgraded. I posted a link suggesting that WordPress users in particular should check their sites.

I apologise to the WordPress team for even suggesting that their product had something to do with this. Here’s an e-mail Dreamhost sent out to some of their customers last night:

We have detected what appears to be the exploit of a number of accounts belonging to DreamHost customers, and it appears that your account was one of those affected.

We’re still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed - less than 0.15% of the total accounts that we host—actually had any changes made to them. Most accounts were untouched.

Scary stuff.