Goodbye Dreamhost

This site has always been hosted on pair Networks, where I host my email and other personal things which I don’t ever want to go down. In 2005 I also signed up for a Dreamhost account to host a couple of less important things. I knew Dreamhost to be less reliable than pair, but I figured that for what I was paying ($9.99/mo), I could tolerate a little bit of downtime.

Enter 2007. Dreamhost’s service seems to be getting more and more flaky. This year the following happened:

1) Mass power outages, with both primary and backup power failure
2) Complete DNS breakdown affecting all their customers, which Dreamhost classified as a “medium” severity problem

Enter May 2007. People’s sites start getting hacked into (by hackers compromising Dreamhost’s servers, not through client side hacks). Dreamhost doesn’t notify people until 6 June 2007 (!!!). I was one of the people notified of the breach, as my account had also been hacked into (and my files tampered with):

Hello –

This email is regarding a potential security concern related to your
‘XXXXXXX’ FTP account.

We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.

We’re still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed –
less than 0.15% of the total accounts that we host – actually had
any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other
accounts that may share the same password. We recommend the use of
passwords containing 8 or more random letters and numbers. You may
change your FTP password from the web panel (“Users” section, “Manage
Users” sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been
uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder
logged in, obtained a directory listing and quickly logged back out)
but to be sure you should carefully review the full contents of your
account.

Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (ie. ‘index.php’, ‘index.html’, etc – though we
recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:

http://www.dreamhoststatus.com/

Thank you for your patience. If you have any questions or concerns,
please let us know.

– DreamHost Security Team

I dutifully changed all my passwords and fixed all the damage. Next day my account was compromised again and my files tampered with again. At this point I decided to jump ship and move all my sites to pair. I’ve totally lost confidence in Dreamhost.

A couple of other things to note:

1) Dreamhost was storing all user passwords in plaintext.
2) They had the audacity to blame users for the compromise.
3) Rather than fixing the broken FTP daemon through which accounts were compromised they have just added an option to disable plaintext FTP for user accounts.
4) They still haven’t notified me that my site was compromised a second time.
5) A lot of people I know have had their sites compromised and files changed. I’m rather sceptical of their claim that only 0.15% of their sites had files changed. Here is but a small sample.

I’m willing to tolerate some inconvenience to save a few bucks but seriously no savings is worth this kind of hassle.

So that’s it. Goodbye Dreamhost.

Leave a Reply