Dreamhost con 3500 cuentas FTP comprometidas

Autor: Armonth | El viernes 08 de junio del 2007 @ 02:17.

Algunos usuarios de Dreamhost están recibiendo un correo electrónico en donde Dreamhost, una de las compañías de hosting más conocidas, advierte de un problema de seguridad en sus cuentas.

Debo decir de antemano que por suerte, tener una contraseña no poco larga o casualidad yo no he recibido ningún correo pero hay mucha gente que sí concretamente se calcula que un 0.15% de todas las cuentas o lo que es lo mismo: aproximadamente 3.500.

El correo no puede ser más esperanzador:

This email is regarding a potential security concern related to your FTP account. We have detected what appears to be the exploit of a number of accounts belonging to DreamHost customers, and it appears that your account was one of those affected.

We’re still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed - less than 0.15% of the total accounts that we host - actually had any changes made to them. Most accounts were untouched. We ask that you do the following as soon as possible:

  1. Immediately change your FTP password, as well as that of any other accounts that may share the same password. We recommend the use of passwords containing 8 or more random letters and numbers. You may change your FTP password from the web panel (”Users” section, “Manage Users” sub-section).

  2. Review your hosted accounts/sites and ensure that nothing has been uploaded or changed that you did not do yourself. Many of the unauthorized logins did not result in changes at all (the intruder logged in, obtained a directory listing and quickly logged back out) but to be sure you should carefully review the full contents of your account.

Again, only about 20% of the exploited accounts showed any modifications, and of those the only known changes have been to site index documents (ie. ‘index.php’, ‘index.html’, etc - though we recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct access to our internal customer information database, but this was thwarted by protections we have in place to prevent such access. Similarly, we have seen no indication that the intruder accessed other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-scenes changes to improve internal security, including the discovery and patching to prevent a handful of possible exploits. We will, of course, continue to investigate the source of this particular security breach and keep customers apprised of what we find. Once we learn more, we will be sure to post updates as they become available to our status weblog:


Thank you for your patience. If you have any questions or concerns, please let us know. -- DreamHost Security Team

En resumidas cuentas, los atacantes han "probado" el acceso a varias cuentas y en unas pocas han añadido contenido jugoso para posicionar su(s) página(s). Yo a todo ello añadiría que aunque no seas uno de los afectados deberias forzar una copia de seguridad fuera de las rutinarias y descargarla, que nunca hace daño.