All my sites hacked - check yours too!

Posted by: scjessey
Posted on: 2007-05-23 16:59:00

I've been hosted by DreamHost for 3 years. I've never had any problems with my account, and I consider myself to be reasonably web savvy. I discovered today that all the sites on my account were hacked today. Specifically, the home pages were all edited to add dozens of spam links. I checked the domain listed in the spam, and it turns out to be another DreamHost site, which has also been hacked.

I strongly suggest that you view the source code of your home pages to check for hidden spam.

Re: All my sites hacked - check yours too!

Posted by: sdayman
Posted on: 2007-05-23 18:53:00

Are these PHP generated pages, or static? This certainly is a bizarre occurrence.

I'm on garth and a random sampling of my static and dynamic site page source show no vandalism.

Are your sites and that other Dreamhost site on the same server?

-Scott

Re: All my sites hacked - check yours too!

Posted by: Emufarmers
Posted on: 2007-05-23 19:45:00

It's much more likely that your account was compromised than that your server was; given the number of sites hosted by DreamHost, that the links were to another DH site is probably a coincidence.

Is your WordPress installation at 2.2? Is your PHP at 5.2.2? You may as well look through all your scripts for likely holes.

emufarmers.com
Very little to do with either emus or farmers!

Re: All my sites hacked - check yours too!

Posted by: Raz2133
Posted on: 2007-05-23 20:24:00

In reply to:

I strongly suggest that you view the source code of your home pages to check for hidden spam.


I just checked my sites, no tampering that I can see, but I re-uploaded things, just to be sure.

Like Scott, I would be interested if that other DreamHost site was indeed on the same server as you.

Mark

Re: All my sites hacked - check yours too!

Posted by: Shonky
Posted on: 2007-05-24 00:21:00

I'll have to check my sites once DH solves the DNS problems, all of my sites are currently AWOL.

Re: All my sites hacked - check yours too!

Posted by: BUGabundo
Posted on: 2007-05-24 06:02:00

is this because of what I said?

AVG. BANDWIDTH ADULT SITES ??

Posted by: mikey55
Posted on: 2007-05-24 06:14:00

hello,

that sucks ... I chk my site ... all is good


HEY ANYONE KNOW WHAT their avg. bandwidth per user is ... I esp. interested in adult sites ??

I HAVE MORE THAN 40 GIGS WORTH OF STUFF ON MY SITE ??

thks m

Re: All my sites hacked - check yours too!

Posted by: scjessey
Posted on: 2007-05-24 06:31:00

I do not use WordPress. In fact, I do not use any third-party software on any of my sites. Everything is hand-built. Every single domain and subdomain I have was affected, and most of them are simply static HTML.

Re: All my sites hacked - check yours too!

Posted by: scjessey
Posted on: 2007-05-24 06:37:00

In reply to:

is this because of what I said?


You were the first person to spot the error. The home page on my Keystone Websites site wasn't working at all because the hacked code was not well-formed. You'd think these hacker scum could at least write valid, well-formed code, eh?

As of right now, most of my websites are down (including email), but I suspect that is more to do with the current DNS issues than anything else.

Re: All my sites hacked - check yours too!

Posted by: BUGabundo
Posted on: 2007-05-24 06:41:00

after my post here, I went to check your site, and everything looked just fine

Re: All my sites hacked - check yours too!

Posted by: syndicomm
Posted on: 2007-05-24 15:34:00

I noticed yesterday that one of my sites was hacked, and today DreamHost sent me email "permanently banning" me "without refund." They won't respond to any of my emails begging to know why they've chosen to ban me or how to get all my data back.

As soon as we noticed the hacking, we changed the password on the user that was hacked and deleted the affected files.

This is crazy that DreamHost would cancel my account entirely without warning. I'm extremely frustrated by the lack of response over the last several hours as I try to reach them to find out why they've done this to me.

Re: All my sites hacked - check yours too!

Posted by: anonymous2
Posted on: 2007-05-24 16:17:00

> I'm extremely frustrated by the lack of response over the last several hours as I try to reach them to find out why they've done this to me.

Even with "ordinary" problems, it can take up to 24 hours (plus), as advertised, to get a response. I'd expect problems causing them to unilaterally ban without refund to take longer; see this recent post by Jeff-the-abuse-guy:

http://discussion.dreamhost.com/showthreaded.pl?Cat=&Board=curious&Number=81682

Re: All my sites hacked - check yours too!

Posted by: rlparker
Posted on: 2007-05-24 16:31:00

In reply to:

They won't respond to any of my emails begging to know why they've chosen to ban me or how to get all my data back.


I suspect their review of the circumstance (log inspections, etc.) has given them reason to believe your account was used in some way that was a violation of the TOS. As for your "data" - that's what backups are for (and the TOS clearly warns you of this).

In reply to:

This is crazy that DreamHost would cancel my account entirely without warning. I'm extremely frustrated by the lack of response over the last several hours as I try to reach them to find out why they've done this to me.


From looking at other threads here, I suggest you communicate with DH regarding this issue via abuse@dreamhost.com rather than tech support.

Ultimately, it is the Abuse Team you will have to deal with, so I would just start with them.

--rlparker

Re: All my sites hacked - check yours too!

Posted by: syndicomm
Posted on: 2007-05-24 17:32:00

Well, I have backups of most stuff, but do not have current backups of the ZenCart database for my online store, so I have a number of orders that I don't have access to.

And I frankly don't care what their logs say. I didn't do anything wrong, so shutting me down without warning was a mistake on their part.

I also don't think it appropriate that they take this long to reply to my emails. The fact that my ticket with support keeps getting deleted means they don't want to hear my side of the story at all.

This is patently unfair and a terrible way to run a business.

Re: All my sites hacked - check yours too!

Posted by: rlparker
Posted on: 2007-05-24 17:48:00

In reply to:

I have backups of most stuff, but do not have current backups of the ZenCart database for my online store, so I have a number of orders that I don't have access to.


Ouch! That's unfortunate indeed; *many* of us are guilty of being insufficiently diligent when it comes to backing up our databases (I wonder why that is the case?) frown

In reply to:

And I frankly don't care what their logs say. I didn't do anything wrong, so shutting me down without warning was a mistake on their part.


It might be a mistake, but if you are not interested in "what their logs say" and just insist you did nothing wrong, well, that's fair enough, I suppose. That probably indicates there is little point in discussing it with them. Obviously, *something* happened; DH is not in the business of hosting websites to terminate customers' accounts - they would rather continue to provide service and get paid for it. There are several things that I would not classify as "wrong" that are violations of TOS nonetheless - I suggest it might be more productive to try to discuss the situation with them and understand what caused them to suspend your account, but YMMV.

In reply to:

The fact that my ticket with support keeps getting deleted means they don't want to hear my side of the story at all.


As I, and others, have already pointed out, tech support is not likely to discuss this with you - rather the Abuse team will be handling it, and they are generally not as quick to respond as tech support (see an earlier post in this thread for a link to Jeff@dreamhost.com's comments on that).

Hey, you are in a rough situation and must be very frustrated. You can handle that frustration any way you choose; I just think you will be more productive and get better results if you take it up with the Abuse Team.

Complaining about it here may make you feel better, but is probably not as effective as handling it privately with DH.

--rlparker

Re: All my sites hacked - check yours too!

Posted by: seiler
Posted on: 2007-05-24 17:55:00

You're probably not going to change their minds or gain access to any files...

In reply to:


And I frankly don't care what their logs say. I didn't do anything wrong, so shutting me down without warning was a mistake on their part.




... but if you approach them like that, I'd change "probably" to "definitely."

Re: All my sites hacked - check yours too!

Posted by: scjessey
Posted on: 2007-05-25 11:06:00

I just wanted to thank Javier in Support and Jeff in Abuse for working through this problem with me and getting to the bottom of it. It's still not clear exactly how this happened, but everything seems to have been resolved.

I'd also like to thank the folks who hang out in the DreamHost IRC channel (requires IRC client) for giving me diagnostic advice and ideas. The potent combination of DreamHost staff and customers forms a community I'm proud to be a part of.

Re: All my sites hacked - check yours too!

Posted by: Lensman
Posted on: 2007-05-25 11:34:00

Yeah, I'd recommend the concerned, apologetic approach.

Think of it in these terrible, unsympathetic terms: Due to mistakes I made in securing my site, it was hacked and used to kill baby seals. My host has shut me down and canceled my account as per policy and request from the Association for the Protection of Cute Animals. Upon request, the status of my account can be reviewed and my account reinstated.

We are each responsible for the security of our sites. We should accept that responsibility and also understand that DreamHost is responsible for making sure that no site hosted by them is used for illegal activities. If Dreamhost doesn't do this, we are all at risk of being blocked.

It's like the problem with runaway scripts. If DreamHost didn't shut down scripts that were eating too many resources, we'd all suffer.

Re: All my sites hacked - check yours too!

Posted by: lloydi
Posted on: 2007-05-31 17:16:00

Ditto - hosted for 3 years, then noticed that a number of my sites had junk links inserted into index pages (set to display:none in CSS). There were a number of FTP logins not by myself, but I have never publicly posted my FTP password (indeed, it's not used for any other service) and am security conscious.

Reported/raised it with abuse.
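
The hidden-link injection described in the post above (junk links inside an element set to display:none) can be triaged across a whole document root. This is an added example, not part of the original thread: the function names and the sample site are constructed, and the scan is a heuristic that only covers inline display:none styles closed by a </div>.

```shell
#!/bin/sh
# Added example: heuristic triage for links hidden with inline display:none.

count_hidden_links() {
    # Print the number of absolute links found between an inline
    # "display:none" and the next </div> in one file.
    awk '
    {
        l = tolower($0)
        if (!hidden && match(l, /display[ \t]*:[ \t]*none/)) {
            hidden = 1
            l = substr(l, RSTART)          # ignore markup before the hidden element
        }
        if (hidden) {
            stop = index(l, "</div>")
            seg = stop ? substr(l, 1, stop - 1) : l
            n += gsub(/href=.?https?:\/\//, "&", seg)   # count links, leave text as is
            if (stop) hidden = 0
        }
    }
    END { print n + 0 }' "$1"
}

hidden_link_report() {
    # Walk a document root and list "<count> <file>" for every page with hits.
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) |
    sort |
    while IFS= read -r f; do
        n=$(count_hidden_links "$f")
        if [ "$n" -gt 0 ]; then printf '%s %s\n' "$n" "$f"; fi
    done
}

make_sample_site() {
    # Constructed sample: one clean page, one page with an injected hidden block.
    d=$(mktemp -d)
    mkdir "$d/clean" "$d/tampered"
    printf '<html><body><a href="http://example.org/">Friends</a></body></html>\n' > "$d/clean/index.html"
    {
        printf '<html><body><h1>Home</h1>\n'
        printf '<div style="display: none"><a href="http://spam.example/a">a</a>\n'
        printf '<a href="http://spam.example/b">b</a> <a href=http://spam.example/c>c</a></div>\n'
        printf '<a href="http://example.org/">Friends</a></body></html>\n'
    } > "$d/tampered/index.html"
    echo "$d"
}

site=$(make_sample_site)
hidden_link_report "$site"
rm -rf "$site"
```

A hit is a prompt to open the file and read the markup; legitimate pages also hide elements, and a stylesheet rule that hides a class will not be caught by this inline-style check.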

Re: All my sites hacked - check yours too!

Posted by: scjessey
Posted on: 2007-06-06 13:24:00

Note that this has happened to me a second time, at roughly 1:00pm PDT. The damage was extensive. Files were moved around (from one domain to another), altered, spammed, or just blanked.

Re: All my sites hacked - check yours too!

Posted by: artgeek
Posted on: 2007-06-06 13:36:00

I don't know whether this is a hack or what but one of my sites has been completely wiped. It is/was plain old HTML.

What could have caused this? This site has been hosted here for 3+ years with no incidents. It looks like someone just deleted everything!!



Re: All my sites hacked - check yours too!

Posted by: scjessey
Posted on: 2007-06-06 13:55:00

In reply to:

It looks like someone just deleted everything!


It is possible that you are a victim of the same exploit. Do you have SSH enabled for that user account?

Re: All my sites hacked - check yours too!

Posted by: artgeek
Posted on: 2007-06-06 13:58:00

Yes. I was having trouble getting into the Dreamhost Web panel too! I got in with a different user I set up.

Should I just change all my FTP log-ins and reload the site?



Re: All my sites hacked - check yours too!

Posted by: scjessey
Posted on: 2007-06-06 14:09:00

In reply to:

Should I just change all my FTP log-ins and reload the site?


If you have SSH access, log in to the shell and run the following:

last <yourusername>

You should see a list of accesses, and if you see any IPs other than your own then you've probably been hacked like everyone else. In which case, report the problem to the Abuse Department (abuse.dreamhost.com). Definitely change any passwords you have.
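
The check described in the post above, reading `last` output for source addresses that are not your own, can be scripted when the login history is long. This is an added example, not part of the original thread: the function names, the user name `exampleuser` and the documentation-range addresses in the sample are constructed, and it assumes `last -i` style output with the source IP in the third column.

```shell
#!/bin/sh
# Added example: summarize `last -i` output, listing source IPs you do not recognize.
# On a real host:  last -i "$USER" | unknown_logins <your-ip> [<your-other-ip> ...]

unknown_logins() {
    # Arguments: the IP addresses you recognize as your own.
    # Output: "<ip> <login count> <most recent tty/service> <most recent time>"
    known=" $* "
    awk -v known="$known" '
        NF < 7 || $1 == "wtmp" || $1 == "reboot" { next }   # skip footer and boot records
        {
            ip = $3
            if (index(known, " " ip " ") > 0) next           # one of your own addresses
            count[ip]++
            if (!(ip in latest)) {                           # last prints newest first
                latest[ip] = $4 " " $5 " " $6 " " $7
                svc[ip] = $2
            }
        }
        END {
            for (ip in count)
                printf "%s %d %s %s\n", ip, count[ip], svc[ip], latest[ip]
        }' | sort
}

sample_last() {
    # Constructed sample of `last -i exampleuser` output (not real log data).
    cat <<'EOF'
exampleuser pts/2        198.51.100.7     Wed Jun  6 14:02   still logged in
exampleuser ftpd4821     192.0.2.44       Wed Jun  6 12:58 - 13:04  (00:06)
exampleuser ftpd4410     203.0.113.90     Wed Jun  6 12:51 - 12:57  (00:06)
exampleuser pts/0        198.51.100.7     Tue Jun  5 09:12 - 09:40  (00:28)
exampleuser ftpd2277     203.0.113.90     Wed May 23 15:31 - 15:44  (00:13)

wtmp begins Tue May  1 00:00:03 2007
EOF
}

# Demo run: 198.51.100.7 is treated as the account owner's own address.
sample_last | unknown_logins 198.51.100.7
```

`last` only reads the current wtmp file, so logins older than the last log rotation will not appear in the summary.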

Re: All my sites hacked - check yours too!

Posted by: artgeek
Posted on: 2007-06-06 14:17:00

Thanks. It definitely seems like I got nailed by this.

I didn't get any emails from Dreamhost warning me about the FTP exploit, however. I couldn't get into the panel today, and then decided to check my sites. Sure enough my oldest and highest ranked site under that user was blammo.

I'd be more upset but I really needed to redesign that site anyway... ;-)

Re: All my sites hacked - check yours too!

Posted by: Lensman
Posted on: 2007-06-06 16:35:00

This is a good tip, jessey. I see a lot of logins, but I happen to be one of the lucky ones where nothing got changed. Still very worrisome...

Re: All my sites hacked - check yours too!

Posted by: seiler
Posted on: 2007-06-06 17:50:00

Maybe your password is just too weak. You should post it here so we can analyze it. tongue

Or instead of using "password" as your password, you could change it to something uncrackable, like asdf, qwerty, or 1234. laugh

Re: All my sites hacked - check yours too!

Posted by: scjessey
Posted on: 2007-06-06 19:27:00

I thought "p@ssword" was supposed to be the best one to go for?

Re: All my sites hacked - check yours too!

Posted by: silkrooster
Posted on: 2007-06-06 20:04:00

Has anybody checked their stats to see if they are getting an unusual amount of adult website referrers? In the past 1 to 2 months the number is gradually increasing on my site. So far I haven't been hacked (fingers crossed)
Silk

My website

Re: All my sites hacked - check yours too!

Posted by: seiler
Posted on: 2007-06-06 20:22:00

I mentioned referrer log spam in the other thread you replied in. Unless they're actually linking to you, that's all that would be.

Some people use .htaccess and block any %{HTTP_REFERER} that contains certain words.

Ex: (porn|cialis|Dreamhost Promo Codes|xanax|etc...) wink

Re: All my sites hacked - check yours too!

Posted by: seiler
Posted on: 2007-06-06 20:24:00

In reply to:

I thought "p@ssword" was supposed to be the best one to go for?


It is... but I'm using that one. If only I use it, then it should be a very rare password that no one would ever guess. tongue

Re: All my sites hacked - check yours too!

Posted by: silkrooster
Posted on: 2007-06-06 20:24:00

Yep, that's what I started doing.
Silk

My website
