Another day, another massive Dreamhost hack attack

A few months back, I wrote about a WordPress attack that affected a friend of mine. The hack was aimed at WordPress installs, and planted very subtle modifications to core WordPress files that redirected users to spam pharmacy sites.

At first, I thought the attack was aimed at unpatched WordPress sites, though my friend’s site was fully patched and updated. As I looked into the hack, I started noticing that a highly disproportionate number of the hacked sites were hosted on the same Web hosting provider my friend’s site lived on: namely, Dreamhost.

Dreamhost, as I observed later, seemed to be hosting quite a number of these hacked sites. More worrying, the sites were generally fully patched, suggesting some sort of zero-day exploit against Dreamhost’s Web hosting servers.

I made note of it, fired off some emails to Dreamhost’s abuse team, and forgot about it.

Fast forward to today.

Today, I received a number of spam emails that used redirectors planted on hacked sites to redirect to a spam pharmacy page selling fake Viagra. More concerning, the site appeared to be attempting an exploit to download malware. It’s an exploit I’ve seen before, often used to distribute the W32/ZeuS banking Trojan.

In the spam messages I received, the redirect file had the same name: “jbggle.html”. So, curious, I did a Google search for sites with this filename in the URL and discovered quite a large number of hacked sites that redirect to the same spam pharmacy page:

http://cottinghamhuntingclub.com/images/fbfiles/avatars/gallery/jbggle.html
http://www.hesslerdesign.com/clients/alkarsteel.com/images/navigation/jbggle.html
http://theaquilareport.com/images/fbfiles/avatars/gallery/jbggle.html
http://view.ghava.org/cache/Inspiration/Moving_imagery/Stop_frame_animation/Kristofer_Strom/jbggle.html
http://ketchup-mustard.com/sketchbooks/jbggle.html
http://irenderer.com/photo/data/seasonal/1171063984/jbggle.html
http://hisdoulos.com/media/wpmu/uploads/blogs.dir/3/files/jbggle.html
http://bahiarestaurant.net/administrator/components/jbggle.html
http://www.mcc-studio.org/components/com_flexicontent/librairies/phpthumb/cache/source/jbggle.html

*** WARNING *** WARNING *** WARNING ***

All these URLs are live as of the time of this writing. All of them will redirect you to a spam pharmacy Web site, which may also attempt to download malware onto your computer.

And interestingly, ALL of these Web sites are hosted by Dreamhost. Every. Single. One.

I strongly recommend that people steer well clear of Dreamhost. I have not seen this level of compromised Web sites on a single server since the zero-day exploit against iPower Web several years ago.

Dreamhost’s security team seems unwilling or unable to deal with this problem, which is quite disappointing for a large, mainstream Web hosting company.

Edited to add: Within minutes of this blog post going live, I received an email from Dreamhost’s security team that they had started examining the sites on their servers to remove these redirectors. It is not clear from the email whether or not they have identified the exploit being used to plant them, or indeed intend to do so.

28 thoughts on “Another day, another massive Dreamhost hack attack”

  1. I’ve been with dreamhost for years now, but I really have to find somewhere else I think. They’re nice folks, but their servers seem to be ridiculously vulnerable these past two years or so. Blech. I used to just host stuff out of my home servers but I have so many business sites I host for other people I couldn’t rely on my comcast business internet to stay up fully and had to find an outside host.

  2. Do you have a suggestion for a hosting company that is diligent? I’m about to start a charity auction site and I’d rather not have to deal with that kind of difficulty. :/

  3. DreamHost abuse team responds.

    The full story here is that you sent us 5 email notifications this morning between 10 and 11am Pacific time. At 11:02 PST (just before your post here) I sent you this response:

    “As always the notifications are appreciated, and these pages are being taken down. We have a sufficient number of filenames to go off of so I will start on digging out all of these spam pages by hand now so hopefully this will mitigate the issue before you receive these spam emails.”

    I am not sure how this qualifies that our abuse team was being unwilling to address these issues. We promptly addressed your issues, thanked you for the assistance and used the information you provided to perform further scans on our entire network, to continue tracking down and removing these files.

    The central cause of these compromises has been identified and has been confirmed as a basic security consideration these customers overlooked in regards to managing their files. Each reported affected customer has been notified about the matter and the attack vector secured.

    If you are a Dreamhost customer and concerned your sites may be affected by this or any other compromise please write our support team and we will be glad to perform a security scan against your site(s).

    • Re: DreamHost abuse team responds.

      If this had been the only situation, I would not be nearly so frustrated.

      However, it seems to me that there is some kind of ongoing, endemic security issue at Dreamhost which you are simply writing off as one-off attacks against vulnerable software without investigating closely. I have observed (and notified you about) a number of attacks against WordPress and Joomla hosted sites on your servers which can’t easily be blamed on your customers’ failure to patch correctly, as they seem to be affecting fully patched and updated copies of this software.

      Worse, your automated software updating system seems cunningly designed to introduce numerous security vulnerabilities in your customers’ sites. When a customer uses your tools to, for example, update WordPress, your updater copies the outdated files into a .old directory, where it remains live and accessible to the Internet…so your customers who are security savvy and who attempt to do the right thing to secure their sites still have these old vulnerabilities present and exploitable.

      By way of one real-world example, this security vulnerability affected a customer you were hosting at

      http://sourcearchives.com/wings2/sites.old/all/jbggle.html

      and it took some time for you to fix the problem after you were notified of it.

      The attack I notified you of last night, and which prompted this blog post, began last month; I first notified you that redirectors named “jbggle.html” were appearing on many sites on your servers on January 29, but it was only after I blogged about it on February 23 that you began searching for sites compromised in this way. One of those sites,

      http://cmdanigeria.net/administrator/components/com_categories/jbggle.html

      remained active on your servers for some days even after I had repeatedly notified you that it was being used in spam emails.
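The post above hunts for planted “jbggle.html” redirectors by searching for the filename, and the reply notes a second problem: updater-created `.old` directories that keep outdated PHP reachable. As an added example (not code from the original post, from Dreamhost, or from any of the projects named), here is a small Python scan a site owner could run over their own web root to surface both conditions. The directory names, the redirect markers, and the sample tree are constructed assumptions for the example; the page does not show the redirector’s contents, so the meta-refresh/JavaScript check is a generic heuristic rather than a signature for this campaign.

```python
import os
import tempfile
from pathlib import Path

# Constructed indicators (assumptions for this example, not from Dreamhost):
# the redirector filename the post reports, directory names taken from the
# listed URLs where a stand-alone HTML page does not belong, and generic
# markers of a client-side redirect.
KNOWN_REDIRECTOR_NAMES = {"jbggle.html"}
ASSET_DIR_NAMES = {"images", "cache", "avatars", "uploads", "components", "administrator"}
REDIRECT_MARKERS = (
    'http-equiv="refresh"', "http-equiv='refresh'",
    "window.location", "location.href", "location.replace",
)


def find_planted_files(webroot):
    """Walk a web root and return sorted (relative_path, reason) pairs.

    Each check produces its own finding so a reviewer can see why a path
    was flagged:
      1. a file bearing a known redirector name;
      2. an .html/.htm file sitting under an asset or cache directory;
      3. a *.old directory left behind by an updater that still holds PHP;
      4. any HTML file whose contents carry a client-side redirect marker.
    """
    webroot = Path(webroot)
    findings = []
    for root, dirs, files in os.walk(webroot):
        root_path = Path(root)
        rel_root = root_path.relative_to(webroot)
        ancestors = set(rel_root.parts)
        for d in dirs:
            if d.endswith(".old"):
                old_dir = root_path / d
                if any(p.suffix == ".php" for p in old_dir.rglob("*")):
                    findings.append(((rel_root / d).as_posix(),
                                     "stale .old directory still contains PHP"))
        for f in files:
            rel = (rel_root / f).as_posix()
            if f in KNOWN_REDIRECTOR_NAMES:
                findings.append((rel, "known redirector filename"))
            if f.lower().endswith((".html", ".htm")):
                if ancestors & ASSET_DIR_NAMES:
                    findings.append((rel, "HTML file in an asset/cache directory"))
                body = (root_path / f).read_text(errors="ignore").lower()
                if any(marker in body for marker in REDIRECT_MARKERS):
                    findings.append((rel, "contains client-side redirect markup"))
    return sorted(findings)


def build_sample_tree(base):
    """Write a constructed web root that mirrors the path shapes in the post."""
    base = Path(base)
    layout = {
        # planted redirector in an avatar gallery (constructed content)
        "images/fbfiles/avatars/gallery/jbggle.html":
            "<html><meta http-equiv='refresh' content='0;url=http://pharmacy.invalid/'></html>",
        # harmless cached page: flagged by location only, not by content
        "cache/source/page.html": "<html>harmless cached page</html>",
        # outdated copy left behind by an updater
        "sites.old/all/index.php": "<?php // outdated copy left behind by an updater ?>",
        # legitimate files that must not be flagged
        "about.html": "<html>legitimate top-level page</html>",
        "index.php": "<?php echo 'ok'; ?>",
    }
    for rel, body in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_planted_files(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:45} {path}")
```

Treat the output as a review list rather than something to delete automatically: caching plugins legitimately write HTML under `cache/`, so the location check alone is a prompt to look, while a redirector name or redirect markup inside an image directory is much stronger evidence. The `.old` check is the one to run right after every hosting-panel update, since a stale copy is only a problem while it stays web-reachable.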

  4. I frequent a couple of forums that I now know are hosted on dreamhost, and that are now suffering total and widespread outages.

    Dreamhost is saying “its a hardware problem”.

    So do you have a list of virus and bot destroyers that are cheap, or better yet free, for those of us who are concerned about having picked up anything?

    • I like Kaspersky’s antivirus software for Windows machines, but it’s not free. Trend Micro’s free version appears to work quite well. For malware and spyware, Ad-Aware and Malwarebytes seem to work well.

      • Thanks!
        I used to have a list, given to me by a friend’s code-geek hubby, but in a few computer shifts I can’t find it now.

        I will be looking into the free ones today and possibly the not-free ones in the foreseeable future.

        Thanks again for the heads up.

  5. As others have pointed out, Dreamhost seems to have a real problem. And they seem really incapable of figuring it out. I don’t know who they pissed off, or if it is just their size now makes them a target.. but they are one.

    I’ve seen a modest uptick in bogus traffic over the past few months. Fortunately, I’m pretty good at keeping my WordPress installs secure.. but I’m not 100% certain I’m doing everything right. And, given the nature of shared hosting, even IF I do everything right all it may take is some butthead on my shared server to screw up and I’m potentially compromised.

    I’ve been slowly moving to a dedicated virtual server hosted by another company (Linode), and just hosting static content on Dreamhost.. and that’s only because my Dreamhost account is essentially free. It is getting increasingly hard to recommend Dreamhost.

    • I’ve long suspected that some of Dreamhost’s security issues may be related to a shared hosting vulnerability that gives an attacker who can access one site on a shared hosting server access to other sites on the same server, though of course I can’t prove it.

  6. I just wanted to say that “acocunt” may be the most amusing typo I’ve ever seen anyone make 🙂 I should try adding it to the Urban Dictionary. – ZM

    EDIT: Well, I’ll be: it’s already there!

  7. I was looking for more

    I was searching for anyone else who has one of these:
    http://www.violetwands.com/main-virtuemart/sale/the-199-violet-wand-kit.html and found your link.

    I got mine for Valentine’s day. Really happy with it. It says it’s solid state, but it sounds like the neon wand you have is not as powerful? This Nova is as powerful as a regular violet wand and it comes with all the attachments to do all the techniques. Does anyone else have one? I’m loving mine and looking for other owners!

  8. Re: Dreamhost again!

    The large attack I documented several years ago was against iPower Web rather than Dreamhost. Dreamhost isn’t quite as insecure as iPower was, though there does seem to be a similarity in that, like iPower, they seem unwilling to acknowledge that they may have an ongoing security issue.

  9. I quite like zero-day-focused Threatfire, which plays well with other security ware. And Avast is painless and has passed the “Mom’s computer” test of hardiness and self-maintenance.

  10. I can understand how a lot of people come to this conclusion – our capitalist society tells us that the more we value the things we give in exchange, the more we value the things we receive in return (so things that have cost more financially generally represent higher status and people often value it higher and take better care of it). I dislike the idea of love or sex as a transactional token, but most people don’t really acknowledge to themselves what that really means, if you take this ‘I value your fidelity because of the loss it represents to you’ idea to its logical extension.

    Mind you, I don’t really understand why happiness in a relationship could ever be considered a zero sum game anyway, with it being transferred between partners like currency.
