I've noticed over the past several days that Dreamhost has been having a problem with crap links being injected into the index.php file. It affected a few of my directories I have over there as well. They are also installing backdoor .php files (1.php in the attachment) on the hosting, so I would advise anyone else who has a couple of websites hosted by Dreamhost to check on them ASAP.
I had a couple of WordPress sites on DH injected. The header.php was targeted. I posted some details on my site's blog: http://blog.song-list.net/2008/06/26/wordpress-hack/
I think it's DreamHost not the script that seems to be vulnerable. I remember last time all my sites' index files were changed, including a static php site, a directory (front end is static html generated by a cgi script), and a wordpress site. Added: For your information, I found this post http://www.dreamhoststatus.com/2007/06/06/security-breach/ describing the same problem I encountered last time. It's suggested to disable FTP and use only SFTP/SSH.
It could be that a vulnerability in one of your scripts allowed a hacker to upload a backdoor to your web server. In that case it would be your own fault (and the script developer's) and not Dreamhost's fault.
There is of course such a possibility. But when this happens to more than one user at the same time, I don't think we should focus on this possibility. And you'd better check the link I posted above, it had affected many users that time.
I had this problem with one of my blogs back in April, I thought it could be a WP vulnerability, who knows.
I work for a popular webhost and I have seen first hand the giant influx of compromised websites. These have all been traced to clients using scripts and modules that are poorly coded and scripts that are out of date. Most of these scripts need mod_security off or register_globals turned on. Therefore, how can you blame the host? This is your fault for using scripts that are so easily vulnerable. If most people took the time to understand some of the coding in their scripts, they would have a clue. The injection can easily be removed by writing a simple script. We have been able to restore most files this way. The second thing is you should be making backups via cPanel or other in case anything ever happens. The hosts make backups for complete server hardware failure only. These should NEVER EVER be relied on regardless how good the backup system is, or the host claims is. A good webmaster will always understand this and keep a daily or weekly archive of their backups. If anyone has been injected with a redirect, or malicious coding, you can contact me and I can see if I have a script I can dig up for you. If you're on shared hosting you can have your host run it on your account to remove the code. If you're on a VPS or dedicated, you can run this yourself via SSH. I don't know or work with Dreamhost so I cannot confirm what's going on there. It all sounds too common from what we see on our end. This has happened all at once for one of the following reasons possibly: 1.) The hacker just recently found the exploit and targeted by script or host. This often happens with clients using crappy passwords using words from the English dictionary. 2.) Why wouldn't the hack do the damage all at once? If they're hijacking people to an affiliate program of some sorts, they will hack their cattle and wait for an opportunity to come around. Why hack people and do the damage one by one without a plan? 3.) Dreamhost is big from my previous research.
I'm sure they will find out what is common and take actions or send out notifications why this has happened. Most hosts are on top of security and kernel patches like white on rice. They don't like doing extra work restoring clients' data when a simple kernel update or patch could have been applied. I highly doubt it's global security that was compromised. 4.) If the compromises were designed for DoS attacks, of course you wouldn't notice anything until the hacker was ready to deploy his attacks. This would affect multiple shared users at one time. This doesn't seem to be the motive with the information given above. I would think twice before blaming the host. It's a very stupid thing to do when you use scripts that are outside your "sand box" so to say in regards to security. The best thing you can do is learn from the experience and find the exploit.
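Added example (not part of the thread and not any poster's script): comparing a live web root against a clean backup surfaces both symptoms reported here, modified index.php/header.php files and unexpected files such as 1.php, without needing to know the injected pattern. The function names, directory layout and sample file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

WEB_SUFFIXES = (".php", ".html", ".htm", ".js", ".htaccess")

def digests(root):
    """Map relative path -> SHA-256 for every web-served file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    found[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return found

def compare_to_backup(live_root, backup_root):
    """Report files changed, added or missing in live_root versus a clean backup."""
    live, good = digests(live_root), digests(backup_root)
    return {
        "modified": sorted(p for p in live if p in good and live[p] != good[p]),
        "added": sorted(p for p in live if p not in good),
        "missing": sorted(p for p in good if p not in live),
    }

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def build_demo(base):
    """Constructed sample data: a clean backup and a live tree with the thread's symptoms."""
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    header = os.path.join("wp-content", "themes", "default", "header.php")
    clean = {"index.php": "<?php require 'wp-blog-header.php';\n",
             header: "<html><head><title>Blog</title></head>\n",
             "about.html": "<p>About</p>\n"}
    for rel, text in clean.items():
        write(backup, rel, text)
        write(live, rel, text)
    hidden = '<div style="display:none"><a href="http://example.invalid/">x</a></div>\n'
    write(live, "index.php", clean["index.php"] + hidden)   # constructed injected links
    write(live, header, clean[header] + hidden)             # constructed injected links
    write(live, "1.php", "<?php /* placeholder for an unexpected upload */\n")
    return live, backup

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_to_backup(*build_demo(tmp)).items():
            print(kind, paths)
```

Files listed under "added" are the ones to inspect before deleting; files under "modified" can be restored from the backup copy once the entry point has been closed.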
Dude, I'm not saying you're right or wrong, but I can tell ya that back a few months they charged people's credit cards ahead of time, then had to send apology notices for their mistake, which I overlooked. Then a few weeks later the same issue we are chatting about happened, and now it has happened again. Why doesn't this happen with Hostgator? Why doesn't it happen to SEOhosting? I pulled my sites out because the time was near for another yearly payment and had no use for the hosting as we have a reseller account now and no need to pay 2 places when they can all be regulated from one panel, so... Regardless, I wish them success in future and appreciate the hosting when they provided it. PS.... I will give them an A+ for uptime as sites were never down in the 2 years with them. thx malcolm
Oh I'm sure it has happened or it will in due time. We were hit about 2-3 weeks ago. About 5% of the accounts were affected and through our research we were able to find that the hacker used 2 major exploits. 1.) Brute force on clients who used weak passwords. 2.) Coppermine Gallery (mostly) and other common scripts were exploited due to how out of date their versions were. Most of these clients assumed because they installed through Fantastico years ago that they were safe. Needless to say, we put a warning on the Fantastico page in cPanel to prevent this kind of misinformation in the future. We also caught this event exactly when it happened. We immediately changed all cPanel passwords and chmoded their old scripts 000 using some of the server logs: FTP, Apache, and others. We then sent out emails with the new passwords and reverted most of the damage with scripts. Some damage wasn't reversed until those clients submitted tickets. Took us about a week to get everything back to normal. It looks like the same thing happened to Dreamhost but they didn't catch it before most of the clients who were affected did. It happens but it looks like they are doing their best to get things back to normal. I see too many times of hosts being blamed for something that is not inadvertently their fault. This compelled me to tell the entire story how it is in most cases. There is always the exception and I cannot say 100% what happened because I am not affiliated with them in any way, nor do I have any contacts with Dreamhost, Hostgator, 1and1, or others.
Also, the hacker's IP and details were forwarded to the FBI. This was the first time the FBI has made first contact to us regarding an issue like this. I forgot to mention that this is a very BIG deal if what happened to Dreamhost and (us) were related in any way.
Shady.. An0n - long time no speak heh, are they using styles to hide the links? I wouldn't say you've been targeted personally, just looks like the usual BH crap.. this is on your PHPLD sites yeah? Or is it on all DH accounts..
Perhaps Dreamhost is more vulnerable as they have their own customized control panel which may have more security bugs than other well-known ones such as cPanel, etc.
I am a Dreamhost user and I have experienced some problems lately myself... It all started with my CPU Usage Limit being exceeded on my PHP-heavy WordPress sites... It happened about 10-15 times not even a week ago.... Due to that Dreamhost suspended my account until I got in contact with them... Once I had a Dreamhost Rep on the phone we went over some things.. First I changed the folder name for my plugins... Thinking maybe it was something being caused by one of the plugins I had installed.... So after I did that they turned the site back on and with the first few loads the site was taking up all the resources and using all the CPU Usage I was allowed... So they turned it back off... I then went and changed the name of my theme, so WordPress would resort to using the default theme... Thinking maybe it was something in my theme files that was causing the problem.... They turned the site back on and once again within the first few loads it was taking up all the resources and going over the CPU limit.... After that I was sort of stumped.... And BlueHost couldn't tell me what the problem was, besides for the fact it was something on the index.php page causing the problem... So I went and reinstalled all the default WordPress folders and files... After doing that I had them turn the site back on and ever since then I haven't had a problem...
We had that issue with Hostgator before and it was due to sitemaps being indexed or bots sucking up the juice. laterz malcolm