You could be hacked too
Sometimes I forget about personal security. From a design perspective this is a relatively easy task with acceptable solutions, whether it be hashing passwords or doing some crazy salt implementation to keep your clients' passwords secure. Unfortunately I was a little lazy with my own passwords. My main Dreamhost FTP account was compromised sometime in the past week (I expect it was in the last week at least) and I found some rather interesting results from this invasion. So what's in a Dreamhost FTP account? When you log in you see a list of domains that user has access to (for my username it's everything, of course), with full access to everything. There's also ssh access with the same credentials, but that seems to have been left untouched. Instead the perpetrator grabbed every single index.* file and added their own text to the bottom of it — about 70k of links that were hidden. The dangerous part was that I didn't even notice this, so I'm not completely sure when it happened!
Luckily, Dreamhost has a great backup plan. You can log in and cd over to /.snapshot, which contains folders with a full snapshot of your files at various times (1 hour ago, 2 hours ago, 1 day ago, 2 days ago, 1 week ago). The files from a week ago were last edited on 5/27 with this malicious code, although that could have been done directly in the snapshot directory. On the bright side, for the most part it's just a matter of removing the offending code and reuploading the files, with the exception of one or two files which actually broke due to this editing. Lucky they did too, because that's how I noticed something was wrong.
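The cleanup described above (compare the live tree against the /.snapshot copy, find the index.* files that grew, look at what was appended, put the clean copy back) as a small POSIX sh script. This is an added example, not code from the original post or from Dreamhost; the directory layout ($HOME/<domain>/index.* beside $HOME/.snapshot/<age>/<domain>/index.*) and the quarantine directory are assumptions, and the sample tree at the bottom is constructed for the demo.

```shell
# Added example (not from the original post). Layout is assumed:
#   live tree:     $HOME/<domain>/index.html
#   snapshot tree: $HOME/.snapshot/<age>/<domain>/index.html

# find_modified_index LIVE SNAP
# Prints the relative path of each index.* file under LIVE that differs from
# the copy under SNAP, or that has no copy under SNAP at all.
find_modified_index() {
    live=$1
    snap=$2
    find "$live" -type f -name 'index.*' | LC_ALL=C sort | while read -r f; do
        rel=${f#"$live"/}
        if [ ! -f "$snap/$rel" ] || ! cmp -s "$f" "$snap/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# appended_tail LIVEFILE SNAPFILE
# If LIVEFILE is SNAPFILE plus extra bytes at the end (the pattern in the post:
# hidden links added to the bottom), print those extra bytes; else print nothing.
appended_tail() {
    snaplen=$(wc -c < "$2" | tr -d ' ')
    if head -c "$snaplen" "$1" | cmp -s - "$2"; then
        tail -c +$((snaplen + 1)) "$1"
    fi
}

# restore_index LIVE SNAP REL QUARANTINE
# Moves the tampered live copy of REL into QUARANTINE (outside the web root, so
# it is not served and not matched again) and copies the snapshot copy back.
restore_index() {
    mkdir -p "$4/$(dirname "$3")"
    mv "$1/$3" "$4/$3"
    cp "$2/$3" "$1/$3"
}

# Constructed sample: two sites, one of them with a hidden block appended.
# Prints the temporary root so the caller can point the functions at it.
build_sample() {
    tmp=$(mktemp -d)
    for d in clean.example tampered.example; do
        mkdir -p "$tmp/live/$d" "$tmp/snap/$d"
        printf '<html><body>hello</body></html>\n' > "$tmp/snap/$d/index.html"
        cp "$tmp/snap/$d/index.html" "$tmp/live/$d/index.html"
    done
    printf '<div style="display:none"><a href="http://spam.invalid/">x</a></div>\n' \
        >> "$tmp/live/tampered.example/index.html"
    printf '%s\n' "$tmp"
}
```

Running `find_modified_index "$HOME" "$HOME/.snapshot/weekly.0"` against the real tree lists the candidates; `appended_tail` on each shows exactly what was added, and files whose difference is not a pure suffix need a manual look before restoring.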
Moral of the story is: don't take your hosting passwords lightly! They need to be changed and checked on just like anything else important. I'm lucky that the worst something like this could've done is hurt my pagerank (or possibly offend someone if they actually read the links). I'm slowly removing them and cleaning up the rest of my hosting now, which is why there has been no ColdFusion 8 headline today, aside from the one Digg was nice enough to do for me. Wait for it tomorrow.

Also remember that FTP is *insecure* by nature, so even with a cryptic password, it’s still sent in clear text and could have been seen with a network sniffer.
I wish SFTP and FTP/S were widely used and implemented by hosting providers.
I had this happen a couple of months ago with TWO of my clients' accounts. Someone hacked in and replaced the index.* files with their own files, which interestingly were forms that went nowhere. Not sure what good that did anyone, but I had to re-upload all the index.* files and change the passwords.
I’ve had the exact same problem, as have other DreamHost accounts of people I know – it appears to me that this is a bigger problem than just your individual accounts being compromised.
I had a very strong password but was still compromised.
Turns out this is a bigger problem than just me. 3500 dreamhost accounts were compromised. Dreamhost does have sftp support (which I’ll be using from now on of course) which is a plus. I’m not sure if it’s better or not that the problem was on Dreamhost’s side and not mine. On the bright side that means I don’t have to worry about keyloggers at the moment.