Dreamhost leaks 3,500 FTP passwords

**** Update: After all this Dreamhost mess, I’ve decided to abandon ship and go to Lighthouse Technologies for hosting, since I know the owner, and can vouch that he is solid. His best plan is $16 / mo, but bound to be more reliable and secure. If you want to get hosting with Lighthouse, please consider using my affiliate link! ****

I just received this email from Dreamhost. It seems that they’ve leaked 3500 FTP account passwords somehow.

That explains a lot - about 2 weeks ago, someone used my password to upload tons of spam links to my sites. At the time, I contacted Dreamhost indicating the problem, and they assured me that their servers were secure, and it *must* be my problem. Looks like it wasn’t me.

From: DreamHost Security Team
Subject: URGENT: FTP Account Security Concerns…

Hello -

This email is regarding a potential security concern related to your
‘XXXX’ FTP account.

We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.

We’re still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed -
less than 0.15% of the total accounts that we host - actually had
any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other
accounts that may share the same password. We recommend the use of
passwords containing 8 or more random letters and numbers. You may
change your FTP password from the web panel (“Users” section, “Manage
Users” sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been
uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder
logged in, obtained a directory listing and quickly logged back out)
but to be sure you should carefully review the full contents of your
account.

Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (i.e. ‘index.php’, ‘index.html’, etc. - though we
recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:

http://www.dreamhoststatus.com/

Thank you for your patience. If you have any questions or concerns,
please let us know.
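The review step the email asks for (look at site index documents for data appended after the fact, within the roughly two-week window this post describes) can be partly automated. The script below is an added example, not code from the original post or from DreamHost; the spam markers it looks for, the link threshold, the `example.org` site host and the constructed sample files are all assumptions.

```python
"""Post-incident check for content appended to site index files.

Walks a web root, selects index documents modified after a cut-off
time, and inspects whatever follows the final </html> tag for markers
typical of SEO-spam appends: hidden iframes, display:none blocks,
bursts of links to off-site hosts. Markers and thresholds are assumed.
"""
import os
import re
import tempfile
import time

INDEX_NAMES = {"index.php", "index.html", "index.htm"}

# (label, pattern) pairs; assumed markers for injected content.
SUSPECT_PATTERNS = [
    ("iframe tag", re.compile(r"<iframe[^>]*>", re.I)),
    ("display:none block", re.compile(r"display\s*:\s*none", re.I)),
    ("visibility:hidden block", re.compile(r"visibility\s*:\s*hidden", re.I)),
]
EXTERNAL_LINK = re.compile(r'href\s*=\s*["\']https?://([^/"\'\s]+)', re.I)


def tail_after_close(text):
    """Return everything after the last </html>; appended payloads usually
    land past the legitimate end of the document. With no closing tag,
    fall back to the final 2 KB."""
    idx = text.lower().rfind("</html>")
    return text[idx + len("</html>"):] if idx != -1 else text[-2048:]


def suspicious_markers(text, own_host, link_threshold=5):
    """List the reasons `text` looks like injected content (empty if none)."""
    reasons = [label for label, pat in SUSPECT_PATTERNS if pat.search(text)]
    hosts = {h.lower() for h in EXTERNAL_LINK.findall(text)}
    foreign = {h for h in hosts if h != own_host.lower()}
    if len(foreign) >= link_threshold:
        reasons.append("%d external link hosts" % len(foreign))
    return reasons


def scan_index_files(root, since, own_host):
    """Map relative path -> reasons for index files modified after `since`
    (epoch seconds) whose post-</html> tail shows suspicious markers."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            if os.path.getmtime(path) < since:
                continue  # untouched since the cut-off; skip
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                tail = tail_after_close(fh.read())
            reasons = suspicious_markers(tail, own_host)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


# Constructed samples: a clean page, and the same page with a hidden
# block of off-site links plus a zero-size iframe appended after </html>.
CLEAN = "<html><body><h1>Hello</h1></body></html>\n"
INJECTED = CLEAN + (
    '<div style="display:none">'
    + "".join('<a href="http://spam%d.example/">x</a>' % i for i in range(8))
    + '</div><iframe src="http://bad.example/x" width=0 height=0></iframe>\n'
)


def demo():
    """Build a throwaway web root with one clean and one injected index
    file, then return the scan findings."""
    root = tempfile.mkdtemp(prefix="siteaudit_")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write(CLEAN)
    with open(os.path.join(root, "blog", "index.php"), "w") as fh:
        fh.write(INJECTED)
    cutoff = time.time() - 14 * 86400  # two weeks, per the post
    return scan_index_files(root, cutoff, "example.org")


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", "; ".join(reasons))
```

Run it against a real web root by calling `scan_index_files(root, cutoff, your_host)`; a hit is a prompt to diff the file against a backup, not proof of compromise on its own.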

91 Comments so far

  1. Jonathan Horak @ June 6th, 2007

    In the last 24 hours we have made numerous significant behind-the-
    scenes changes to improve internal security, including the discovery
    and patching to prevent a handful of possible exploits.

    This portion of the email set me off; up until this point I was on DreamHost’s side, even though my account was among the ill-fated 0.15% mentioned earlier.
    I took this statement to mean that they failed to install patches that might’ve helped avoid this incident. Or, just as bad, DreamHost hadn’t updated their systems with patches for other known vulnerabilities.

  2. Simon Jessey @ June 6th, 2007

    The title of your post is inaccurate. Exactly how these FTP accounts were compromised has yet to be determined. It is possible that all 3,500 of us were just careless!

  3. Denis Motova @ June 6th, 2007

    Nice… Is there a day that dreamhoststatus.com doesn’t have something crazy? The forums are starting to refer to dreamhost as dreamhose…

  4. Jeremy @ June 6th, 2007

    Yeah, this is the final straw for dreamhost. It’s not just the sites going down anymore - now their incompetence is actually causing security issues. Fuck that.

  5. Freelance Website Design @ June 6th, 2007

    I’ve heard some things about dreamhost, but this is beyond ridiculous.

  6. Chris Nelson @ June 6th, 2007

    My guess is that it’s going to turn out to be an issue with one of their optional plug-in apps (Wordpress is my best bet at this point).

    We should know more soon. It’s public now, so they’ve gotta rev up their PR machine…

  7. Andrew @ June 6th, 2007

    Suggest an alternative with as much space for a good price……

  8. Simon Jessey @ June 6th, 2007

    I’ve been with DreamHost for over 3 years, and this is the first time I’ve experienced any kind of problem beyond what one would normally expect from a shared hosting environment. Although this is obviously a serious incident, it is highly unusual for what is normally an extremely competent hosting company.

    DreamHost is a very transparent company, and the status blog they operate is an example of this. Most web hosting companies experience the same daily issues that DreamHost does, but keep their customers completely in the dark about it. DreamHost should be applauded for their willingness to keep their customers informed, rather than flamed.

  9. Relax @ June 6th, 2007

    I understand that having your site compromised is a very bad thing for any reason.

    And as a long time Dreamhost customer I can attest that they are far from perfect, but people’s reactions often seem a bit exaggerated.

    The biggest difference between Dreamhost and most hosting companies isn’t that security vulnerabilities exist; it’s that Dreamhost actually tells their customers that something like this happened.

    Trust me, there are quite a few hosting companies which would simply pretend something like this never happened.

    If Dreamhost really did not apply patches or some such then yeah I agree that is shoddy, but it’s still better than a place that doesn’t apply the patch, lets you get exploited, and then pretends nothing happened. Or worse, tells you that you must have made the changes yourself (yes, that actually happened to me).

    So people have every right to be upset, but I’ll take Dreamhost, their human mistakes, and their honesty over the alternatives.

  10. f'in lol @ June 6th, 2007

    @ Simon Jessey

    No, most companies do NOT allow thousands of customer accounts to be stolen at once.

  11. mumbles @ June 6th, 2007

    As a DreamHost customer for 2 years I have yet to have any of these so-called problems hit me, apart from their building losing power in the power outage. So on the few occasions that my site has actually gone down for more than an hour, it’s because of outside influences.

  12. Hannes @ June 6th, 2007

    They just sent a mail to all users who had the password “1234”.

  13. Pete White @ June 6th, 2007

    This seems pretty irresponsible and seemed to have caused huge amounts of damage.

  14. Marcus @ June 6th, 2007

    Let’s get real, people, maybe it’s time to start using a new host that actually knows what they are doing. Dreamhost should change their name to NightmareHost, ’cause it sure is no dream to be a part of their hosting. I mean, just look at their homepage, why the hell would I want to host my business at a site that looks like 5th graders are running it.

  15. Simon Jessey @ June 6th, 2007

    @ f’in lol

    The reason for the problem has yet to be discovered. As I said before, it could’ve been something specific that users were doing for all we know. And I dunno what planet you are on, but I hear about stolen data all the time. How about the personal details for millions of servicemen and women lost on a stolen laptop last year? How about massive security failures with banks and e-commerce sites? How about the PayPal credit card scandal? This is trivial in comparison.

  16. Nate Cavanaugh @ June 6th, 2007

    Let’s just say that this isn’t exactly all that rare.

    At least DH is actually letting us know, which I am not so sure they’re obligated to.

    I once knew of a host, and I won’t say any names, but they got hacked, and somehow the hacker got access to almost everyones credit card data.

    They talked to their lawyer, and their lawyer said they didn’t have to notify the customers, and that they didn’t have to tell them the extent of what happened.

    So, let’s just say that the customers were pretty much kept in the dark.

    And this was quite a large host, and this was about a year and a half ago, and they had 80k sites hosted with them.

    So, in this case, I consider myself fortunate that DH actually informed us, and I consider myself fortunate that they’ll be way more paranoid in the future as well.

  17. Simon Jessey @ June 6th, 2007

    @ Marcus

    why the hell would I want to host my business at a site that looks like 5th graders are running

    Yeah. Much better to go with GoDaddy, because they’ve got a nice picture of Danica Patrick on their 21st-century site!

  18. IT Stuff @ June 6th, 2007

    Dreamhost Leaks 3500 Passwords…

    A number of sites hosted by Dreamhost have been hacked lately. Now we know why: about 3,500 FTP passwords were obtained by “a 3rd party”. [via Digg]……

  19. Doc @ June 6th, 2007

    @Andrew:

    “Suggest an alternative with as much space for a good price……”

    Try 1and1.com. Excellent service for me over the past 5 years (12 domains), and VERY reasonable.

    Their “Business” @ $9.99 is very similar to DH “Crazy Domain Insane” @ $9.95.

    At least worth a look. I killed my Dreamhost account. It was turning into more of a Nightmarehost.

  20. Simon Jessey @ June 6th, 2007

    @Doc

    That’s funny. I moved one of my customers from 1and1 to DreamHost after they attempted Domain Slamming.

  21. Doc @ June 6th, 2007

    Hmmm… Guess all webhosts have some faults. I’ll have to keep an eye on that.

    Thanks, Simon.

  22. Biff Pimple @ June 6th, 2007

    I use dream host and no hacking on my site. Sounds like we have some retards with password = “abc123”.

    I highly recommend dreamhost, goDaddy sucks horse balls. Don’t use them.

    http://www.wallpaperdojo.com

  23. David Bock @ June 6th, 2007

    Who seriously uses FTP these days anyway? It is inherently insecure - I mean, you might be able to do things to shore it up, but with scp available on your dreamhost account, why bother?

    I am a dreamhost user, and while their downtime pisses me off sometimes, we have no idea if this is due to their problems or a bunch of idiots thinking is a secure password. Even so, just don’t use ftp.

  24. metheking @ June 6th, 2007

    Hmmm.
    Dreamhost –> Madhost, or Madhouse if you prefer.

  25. grrr @ June 6th, 2007

    I was one of the people who received this e-mail. My account’s password was 13 characters, mix upper/lower-case, numbers, and punctuation. I always connect to my server via SSH or SFTP, *never* over insecure protocols such as FTP or Telnet.

    None of my sites had content changed, so I guess I was lucky, but it really ticks me off that people are implying that those whose accounts were compromised were lazy or negligent. Myself and at least one other developer I know of both are doing everything right, and still were compromised.

    DreamHost needs to be (publicly!) forthcoming about *exactly* how this has happened and *exactly* what they did to “fix” it. “numerous significant behind-the-scenes changes to improve internal security” just isn’t cutting it with me.

  26. A. Nonny Mouse @ June 6th, 2007

    So… Just for everybody’s info ftp is inherently insecure. Anytime you use it your password goes over the internet in plain text…

  27. Sp0nge @ June 6th, 2007

    @ Marcus

    Marcus, I hope the business website that you alluded to is not in the field of spelling or grammar. Your sentence structure is poor and your spelling is on par with the 5th graders you mentioned. Kudos to you for elevating the discussion to elementary school status. :/

  28. Tim Spangler @ June 6th, 2007

    All I can say is that I’m feeling damn lucky that I didn’t receive “the letter” and am thus, presumably, unaffected.

    Hopefully my sites will outgrow Dreamhost and I’ll be able to buy dedicated hosting with the ad proceeds. :D

  29. Jason Bartholme @ June 6th, 2007

    I am hosted on DreamHost and fortunately I did not receive the same email about the security issues. I am actively looking to move my blog off of DH’s servers because of the frequent downtime, inability to handle traffic surges, and slow support. This is just one more reason for me to not use them.

    Thanks for letting everyone know.

  30. DanielTiecher.com @ June 6th, 2007

    Dreamhost: 3500 FTP Accounts Hacked…

    Dreamhost, the web hosting service I use here on the blog, sent an e-mail to its customers announcing that approximately 3500 FTP accounts had their passwords compromised by an intruder.
    The e-mail was sent to the customers who had…

  31. Jon @ June 6th, 2007

    I’ve used DataFlame for some time and always been very pleased with the service and the price. I’ve never found a cheaper php/asp enabled host.

  32. Mark @ June 6th, 2007

    I have sites on Dreamhost and all files index.php, index.html, login.php are hijacked with this code:

    and that leads to some .cn site and installs a trojan

  33. Mark @ June 6th, 2007

    try to look in your files and find radiodeejay.hr forum lang inexed.htm

  34. Relax @ June 6th, 2007

    I certainly wasn’t implying DH is god’s gift to web development, but I’ve used a bunch of different hosts and I have never found a better one.

    Would I like a host which never had downtime, never had security issues, and I trusted completely?

    Yeah, I would also like a pound of twenties, but I’ll settle for the best thing I can actually get.

    Every time a big host has an announcement like this people go nuts and say they are done for, yet somehow DH seems to remain in business.

    So I sort of wonder how many of these end-of-the-world posts are by people trying to make a dollar on their fly-by-night host start-up.

  35. Beetle B. @ June 6th, 2007

    “No, most companies do NOT allow thousands of customer accounts to be stolen at once.”

    Most companies don’t have thousands of customer accounts to steal.

    I’ve read/heard lots of negative things about Dreamhost. For 2.5 years I’ve never had any problems. Only recently a Wordpress plugin stopped working for a lot of people on Dreamhost. But I found out a few other hosting companies had this problem - it’s most likely something in the plugin that’s incompatible with a newer version of Apache or PHP.

    Dreamhost ain’t perfect, but it’s a deal for this price.

  36. Vaelan @ June 6th, 2007

    I have been with Kattare Hosting for quite some time and I’ve been very satisfied with their service and response.

    I would recommend them always!!!

    V

  37. Deaf Musician @ June 6th, 2007

    Damn that sucks. Any alternative hosting plans?

  38. Eric Shepherd @ June 6th, 2007

    About two weeks ago, DreamHost closed my account and banned me, claiming I had hacked several accounts. Their “proof” was that the hacker had embedded links to one of my web sites into some of the pages.

    Now, I’m pretty sure that I’m not a hacker, so I managed (after several days) to convince DH to reluctantly re-enable my account.

    So now I’m pulling my stuff off their servers and moving somewhere else. I don’t like being called a criminal.

    The increasingly large nature of this problem amuses me immensely due to how they treated me.

  39. Jeff C @ June 6th, 2007

    I’d go with Site5.com…I’ve been with them for years and I recommend them to all of my friends, clients, etc.

  40. InvisiBill @ June 6th, 2007

    Suggest an alternative with as much space for a good price……

    http://www.site5.com/ has a $5 package: 110GB/5TB/110 sites. That’s pretty close to DreamHost’s $7.95 140GB/1.4TB/unlimited package. Slightly better or worse depending on exactly what you’re doing with it. They’ve had some growing pains along the way, but I’ve never had any major issues with them and they have excellent customer service.

    http://www.site5.com/in.php?id=5342 is my affiliate link if you found this helpful.

  41. John @ June 6th, 2007

    I don’t know much about hacking but when you visit the dreamhost panel, it tells you your darn password plain as day, shouldn’t that crap be encrypted?

  42. Adam M @ June 6th, 2007

    What do you expect from a company that uses an animated gif for a signup button.

  43. Dae @ June 6th, 2007

    I ditched DreamHost long, long ago. They grossly oversell, more so than some other hosts. They have more features than most people actually need. I use NearlyFreeSpeech now.

  44. chris @ June 6th, 2007

    A client of mine got compromised. We had an alpha-numeric password..
    This means it was internal.
    There is no other explanation.
    chris

  45. Relax @ June 6th, 2007

    DREAMHOST SUCK, MORE LIKE NIGHT MARE HUST!

    bUY SUPER awesome never hack hosting at www.247superinternetneverhackhosting.com

    it best, awesome price, never get hack, always up, even during rainstorm

    my friend uz nightmarehost and it make his hip break and all his monies got stolenz

    nightmarehost contrul panel have too many options and will make your eyes hurts

    …Seriously

  46. acedanger @ June 6th, 2007

    Every company is going to piss off its fair share of customers and find a way to please 95% of their other customers. This is why it is wonderful to have choices. If you don’t like how a company treats you or acts, or if they f**k up, guess what you could do to show how much you dislike/disagree with them or how they do things?? Choose a different company!

    I use dreamhost for all of my domains but previous to dreamhost, I used hostexcellence. I made the switch to dreamhost over 2 years ago because they offered some options I would take advantage of, as a web developer.

    IMO, both are great hosting companies but because of the lack of what I wanted from a hosting company and an unwillingness to provide new services, I made a choice to go with a different company based on what was important to me.

    On a side note, to the commenter (David Bock, above) who mentioned SCP as an alternative to FTP, I whole-heartedly agree with you! Check out WinSCP3 (http://winscp.net/eng/index.php).

  47. bspiral @ June 6th, 2007

    Sure, 3500 accounts were obtained… that’s like one or two servers’ worth of users.

    And how many of these accounts had passwords like pass123 or password?

  48. sam @ June 6th, 2007

    I thought of switching to dreamhost but now, I have to think twice.

    At least, based on their popularity, they came out clean.

    Thanks for sharing.

  49. bofe @ June 6th, 2007

    I’ve had very good results with HostHD. http://www.hosthd.com

  50. Shawn @ June 6th, 2007

    I like how everyone speaks of their security and site importance while they host it on a 10/mo shared server account or possibly the 9.24 a year deal. If you care that much about your data and security, you wouldn’t be using a cheap shared hosting plan.

  51. שווה קריאה @ June 6th, 2007

    Dreamhost exposed about 3,500 FTP passwords…

    The hosting company accidentally exposed about 3,500 passwords for FTP accounts hosted with it. So if you have a web server hosted at Dreamhost, you should change your passwords…

  52. creaserv @ June 6th, 2007

    This is a serious issue, but as many pointed out, at least they notified people. They are good about being open and honest which, at times, makes them look bad. But overall, in the almost 3 years I have used their services, I am happier with them than any other company out there.

    The only one I know of that compares in size and price is gatorhost who has overseas customer service that is not at all helpful. Comparing the two side by side reveals a lot. I signed up for them both at the same time and dropped gatorhost within a month.

    In the overall scheme of things, nobody tops dreamhost for shared hosting… nobody.

  53. Mikey @ June 6th, 2007

    Another good alternative is geekempirehosting.com, where I’ve had a site for 2 years, and it’s never gone down once…plus 10 bucks a year is nice.

    It’s run by a couple geeks who work at large data centers and they’re always on top of the patches..
    You can tell because they always post in their announcement section on the forums when they do kernel and plesk updates and do reboots in the wee hours of the morning

  54. DinoHorse @ June 6th, 2007

    This incident is not good, but it has nothing to do with the quality of service of DreamHost.. I have many happy customers with them.

  55. Allan @ June 6th, 2007

    Dreamhost => Screamhost!

  56. Bluehost @ June 6th, 2007

    I didn’t get that email; does that mean I am one of the “lucky” ones? Still doubting whether I should just change passwords for safety.

    I have been with dreamhost for more than a year, they have been great for bandwidth hogging files and as a back up host.

    If you really need an alternative I recommend giving BlueHost a try. Just $6.95/mo 300 GB space, 3000GB bandwidth. php, mysql, ssh all included. Also I like their control panel, sorta like cpanel hehe.

    Here is my rep link http://www.bluehost.com/src/js/blueblue/ if you want to sign up.

  57. Aye @ June 6th, 2007

    Umm, you’re certainly not going to avoid this problem at iPower, and probably not at MOST of the shared host providers.

    iPower has had a ton of similar problems where someone’s site will have iframes or javascript embedded to link to exploited content.

    I gave the dreamhost guy a lot of crap before, but people need to realize that shared hosting is a bad idea. If it’s cheap, it’s because it isn’t being run properly. Period.

    If you’re taking a credit card, or just want to maintain a good public standing, you should be paying someone you actually trust to host your site.

    My personal guess is that there’s an encrypted password file that someone got access to (shadow, proftpd’s conf, etc) and was able to find easy passwords. People are dumb for having easy passwords, and hosts are dumb for not keeping software up to date and not keeping staff around with the ability to keep things secure.

  58. KP @ June 6th, 2007

    For what it’s worth, I also received notice that one of my DH accounts was compromised.

    I only use SSH but, in opting for an SSH account through DH, the FTP access is left enabled. It says this in the Panel.

    I hardly think it’s worth countering the comments implying this is a result of poor passwords but, in attempt to stop that nonsense… My account used a password which was 11 characters long, not based on a dictionary word and comprising a mixture of alpha characters and digits.

  59. Ester Beatriz @ June 6th, 2007

    Hi from Brazil!!!

    My blog was hacked by this hacker: HACKED BY SHIT EATER 007 (a.k.a. cc), and I saw your post about the Dreamhost e-mail received, and that explains all my problems….

    Sorry about my bad English :)

    Good luck for us!!! :)

  60. Motorcycle Guy @ June 6th, 2007

    Um, how could you expect all of Dreamhost’s ridiculous promises to come true?

  61. Unofficial DreamHost Blog @ June 6th, 2007

    DreamHost FTP Accounts Hacked…

    Within the last 2 weeks approximately 3,500 DreamHost users have had their FTP account passwords stolen and about 20% of the affected users have had some of their files altered.
    The users were notified of this security breach by DreamHost staff today:…

  62. Mike @ June 6th, 2007

    http://www.surpasshosting.com

    Great cheap hosting and they own the datacenter

  63. wow gold @ June 6th, 2007

    Oh man. I’ve been hosted by these guys for about a year now and have had nothing but trouble with them - they are horrible. The bandwidth given to your site is extremely slow and the administrators seem to not know what they are doing. They accidentally deleted an entire site of mine a few weeks back. I guess you pay for what you get.

  64. Jared Holland @ June 6th, 2007

    I had a url hacked by some German people the other day. I’m on Godaddy shared linux hosting.

  65. Medros @ June 6th, 2007

    I recently moved over to Dreamhost, and even with everything I have seen today, I am not considering switching. All hosts have issues. Any host with as many clients as Dreamhost has would be a pretty juicy target for a hacker. I would say that based on the information on their status blog, and seeing the affected application is their own creation, ‘they should have applied patches sooner’ isn’t a viable excuse. If they made it themselves, there likely wasn’t a patch until this came up today. Should they have better coders? Yeah, but even Microsoft and IBM’s apps have problems.

    Someone mentioned, in fact many did, that unintentional releases of info are not uncommon, but unlike some, DreamHost told everyone affected right away, not a year down the road, or months even. Breaches happen, but it is the quality and speed of the response that makes the biggest impact on me, and from what I am seeing, Dreamhost has been nothing other than awesome in this. My only desire is that they would tell all customers, not only those affected, about the issue.

  66. Zohaib @ June 6th, 2007

    One should leave dream host immediately, if this is happening.

  67. Rick Brewster @ June 6th, 2007

    I left DreamHost last year because the service was pathetic. Uptime was — on good days — 85%. Bandwidth was never able to hit more than 30 KB/sec. Customer service was not responsive. I had some coupon where I got 1 year of service for the price of 1 month and wow, I got what I paid for. I didn’t even bother asking for a refund.

    I’m using HostMySite now and I can’t say enough praise for them.

  68. george @ June 6th, 2007

    Forget shared hosting. Go with a VPS like Slicehost - $20 bucks a month of your own 256MB server. Full root access to make sure crap like this doesn’t happen.

  69. Aye @ June 6th, 2007

    Medros: YES, they SHOULD have been better developers. Comparing them to IBM or Microsoft (ok, Microsoft isn’t known for good development anyway…) is a bad analogy because IBM and Microsoft are developing much more complex software.

    You’re talking about a control panel or billing _script_ written for a specific platform. They probably could’ve taken a million precautions.

    I won’t deny that it’s difficult to develop secure software, but I will stand by my original statement that cheap hosts aren’t paying for top talent and they probably shouldn’t be developing apps that affect hundreds of thousands of accounts — most developers hardly know the fundamentals of security.

    Maybe if people want to call themselves “software engineers” they should take a test to prove that they’re competent in the area, but that’s a different tangent ;-)

  70. Jason @ June 7th, 2007

    I’ve never been with dreamhost, but would never tolerate something like that happening. I’m currently with http://www.ace-host.net/ and have never had an issue.

  71. Medros @ June 7th, 2007

    Any realistic software developer or engineer will tell you that there is no such thing as 100% secure. If a hacker wants in, no matter how good you are, they will get in. All you can do, as the developer, is make the product as good as possible.

    So the owner of this blog is moving to his friend’s company. Does he somehow think his friend will be better? Does he somehow think his friend will be impervious to attacks if he gets big enough to be a target? If so, he’s a fool. Dreamhost has filled every demand I have made, and done everything I would expect of a competent host. They made software to the best of their ability, and it got hacked. They fixed it. Be realistic people, this is an imperfect world, and an even less perfect internet.

    As for saying that because Dreamhost’s prices are low, their staff are less than capable, well, I would say that unless you meet them, you have no basis for this. Microsoft has some of the best programmers, engineers, and developers in the world, and their products get hacked and have holes. It’s the reality of software. You cannot, nor should anyone expect that your products will be impervious to attack.

    Why is Linux secure? Why is the Mac secure? Because they aren’t targets like Microsoft is. Also, Linux has the open source aspect to help it, but the point is still there. If the hacker community went after Linux or Mac, like they do Windows, then we would be seeing a whole different story. Security through Obscurity will work for anyone as long as the first half remains true, but it is never true security, because there is still the holes, even if no one finds them.

    In the end, the baseless FUD spread through this post and others like it around the net is simply hurting the commenters and customers of the company. People need to make their own decision based on FACTS and not rumors, unproven accusations and FUD. I have read several sites, the Dreamhost site, and their status site, and knowing what I do about technology, I find they have taken all steps I would want them to, and will remain with them. Will you? And if you do not, are you basing your decision on facts?

  72. Hank @ June 7th, 2007

    Site5 is SO much better than Dreamhost. I used to use Dreamhost, and I’ve been happy with Site5 for about 3 months now. Get it! It’s so cheap!

    http://ralree.info/2007/5/16/site5-doubles-5-deal

  73. Joseph @ June 7th, 2007

    It is the infamous iframe attack. Basically the hacker runs an automated operation from some remote hosts and inserts the iframe. I believe they have FTP’d into the user accounts through the root pass. If not, they couldn’t have had access to so many accounts. Worse is if dreamhost used the same password on multiple servers. This will increase the exposure of the accounts.

  74. Nick @ June 7th, 2007

    I canceled my account, I just have lost faith. If anyone is interested, I went with the Geeks over at GeekStorage.com.

  75. voipfc @ June 7th, 2007

    Many people do not seem to understand this, but given the amount of access dreamhost offers at the command line level, they are a pretty secure operation in relative terms.

    They must be confident enough of their processes to allow users that level of access.

    The only fault I find with them is allowing passwords to display in the control panel, meaning they must be available in clear text somewhere.

  76. N Hays @ June 7th, 2007

    Personally I use http://www.cihost.com I’ve never had a problem on their Windows shared server plan.

  77. N Lander @ June 7th, 2007

    Yup, I received the email for my accounts with them, was already in the process of moving my sites to my new host crystaltech, just an extra push to get me going.

  78. Coupons @ June 7th, 2007

    I didn’t get that email so hopefully I have no problems, but I’ll doublecheck nonetheless.

    Even so my critical sites aren’t with Dreamhost. It’s because of similar situations that I use 5 webhosters at the same time.

    http://www.coupons.fm

  79. Yujin @ June 7th, 2007

    Hacking can happen to anyone, not just dreamhost. It’s really bad to deal with hacking. The hacked accounts may be using insecure passwords like 123456, password, etc…

  80. webmonster @ June 7th, 2007

    We’ve researched a lot of hosting companies, and are currently using mediacatch.com. They’ve never had a general security breach like this to my knowledge; however, I do know that they also keep busy with individual users who don’t keep their scripts up to date or who use insecure passwords that allow an individual account to be cracked. Seems a lot of the injected crap comes in through free shopping carts or forum software. They warn us about keeping this stuff up to date and secure, but some folks don’t listen or forget, or… What’s unfortunate in this case is that it appears to be a server breach, not just weak accounts.

  81. Michael Bluejay @ June 8th, 2007

    Sure, but I have a *dedicated* server with DH, and my server was hit just the same as all the cheap shared accounts.

    I don’t fault DH for the security breach (mistakes happen) as much as for the fact that they don’t offer an easy control panel interface to restore old files from the backups they automatically make for us. To restore from backups you have to tinker in the .snapshot directory via the command-line — cumbersome, and many users have no idea what a command-line is.

  82. Television Search @ June 8th, 2007

    Time to move away from Dreamhost then; they’ve gotten unusually shady recently.

  83. donna archambault @ June 10th, 2007

    Beware of Dreamhost. Thanks for the info.

  84. Bèrto ëd Sèra @ June 10th, 2007

    Well, I’m not sure whether I’m on Dreamhost or not. Officially not, but from what I see in my stats it might well be a Dreamhost reseller.

    I don’t think I’m going to move because of this. Basically these guys now will become as paranoid about security as one can be to restore their image, so trying my luck with someone that hasn’t got that many reasons to be paranoid doesn’t make much sense.

    As for bad service, sites going down, etc., we all get what we pay for: cheap space. Cheap means cheap; you cannot expect to have the service level that costs $1k/mo for 3 bucks, can you?

  85. Matt Keegan @ June 13th, 2007

    Ugh. How awful. This account reminds me to do something I do not do enough — change my FTP information on a regular basis. Sorry about your misfortune and I hope you have better success with the new host.

  86. Suchmaschinenoptimierung @ June 14th, 2007

    Can somebody tell me where I can get a "realtime" backlink check for free for the SEO results?
    I have the problem that every backlink checker in the search engines gives a different result, sometimes more than 500 + or -.
    Do you also know which is the best backlink checker on the web for an SEO beginner?
    Thank you for your answer and greetings.

  87. driften @ June 20th, 2007

    I never use anything but scp/ssh for maintaining my site. I am hosted on DH and so far everything has been great, but I have not been there long. DH is really one of the few places that have ssh/shell accounts. Like it’s been said above, no site is 100% secure.

  88. Coldfx @ June 27th, 2007

    DreamHost has been like this since the beginning of time. Once, when I entered a brief feud (a misunderstanding, actually) with a very basic script kiddie, he literally downloaded a DoS program, DoS’d me, and in 5 minutes my DreamHost website was down. (Once the misunderstanding had ended, he explained to me how quickly DreamHost went down, and suggested a change to a more secure host.)

  89. Rusty @ July 12th, 2007

    But FTP is always passed in clear text, and this is true on any hub. A packet sniffer on port 21 will always result in access to the password used to log in unless there is a certificate, and most providers don’t give you that. If I’m wrong, someone explain it and show documentation.
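
The claim in this comment can be checked against the protocol itself: the FTP control channel sends `USER` and `PASS` as plain lines, and only an accepted `AUTH TLS` (RFC 4217, the "certificate" case) wraps them. The following is an added example, not the commenter's code or anything from DreamHost: it plays the role of a passive sniffer over three constructed control-channel transcripts (plain FTP, explicit FTPS, and FTPS where the server refuses TLS and the client falls back to cleartext). The transcripts, hostnames and credentials are made up for the example.

```python
# Constructed FTP control-channel transcripts (not real captures). Each line is
# "C: " (client) or "S: " (server), as a sniffer on TCP port 21 would see them.
PLAIN_FTP = """\
S: 220 ftp.example.net FTP server ready.
C: USER alice
S: 331 Password required for alice.
C: PASS hunter2
S: 230 User alice logged in.
C: CWD /home/alice/public_html
S: 250 CWD command successful.
"""

# Same login, but the client upgrades the control channel with AUTH TLS
# (RFC 4217) first. The USER/PASS lines are written out here only to show
# they are not reported; on the wire they would be TLS ciphertext.
FTPS_EXPLICIT = """\
S: 220 ftp.example.net FTP server ready.
C: AUTH TLS
S: 234 Proceed with negotiation.
C: USER alice
C: PASS hunter2
"""

# Server rejects AUTH TLS and the client silently falls back to cleartext,
# a common client default that re-exposes the password.
FTPS_FALLBACK = """\
S: 220 ftp.example.net FTP server ready.
C: AUTH TLS
S: 502 Command not implemented.
C: USER alice
S: 331 Password required for alice.
C: PASS hunter2
S: 230 User alice logged in.
"""


def parse_transcript(text):
    """Turn 'C: ...' / 'S: ...' lines into (direction, line) pairs."""
    session = []
    for raw in text.splitlines():
        if len(raw) > 3 and raw[0] in "CS" and raw[1:3] == ": ":
            session.append((raw[0], raw[3:].rstrip("\r")))
    return session


def sniff_ftp_credentials(session):
    """Return the (user, password) pairs a passive sniffer could read.

    Tracks whether an AUTH TLS/SSL request was accepted (reply 234): once the
    control channel is wrapped in TLS, nothing after that point is readable.
    """
    exposed = []
    user = None
    awaiting_auth_reply = False
    for direction, line in session:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.upper() in ("TLS", "TLS-C", "TLS-P", "SSL"):
                awaiting_auth_reply = True
            elif verb == "USER":
                user = arg
            elif verb == "PASS":
                exposed.append((user, arg))
        else:
            if awaiting_auth_reply:
                awaiting_auth_reply = False
                if line[:3] == "234":
                    break  # TLS handshake follows; sniffer sees ciphertext
    return exposed
```

The fallback case is the one to watch for: a client configured to "use TLS if available" will log in over cleartext the moment a server (or an attacker in the path) answers `AUTH TLS` with an error, so the safe setting is to require TLS, or to use scp/sftp over SSH as the later comment suggests.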

  90. beej @ July 26th, 2007

    I’d been a DH customer since 2001; I am a designer and I do hosting resale through DH. I never had even the slightest problem with their services up until about a year or so ago, when my clients’ sites would intermittently go down for no real reason. The excuse would be some piece of equipment they had been fixing and something went berserk somewhere; then when it happened again, I’d look at their status logs and find them using the same excuse for the SAME piece of equipment they blamed months ago and claimed they had replaced.

    This article is the first I’d heard of the FTP leak issue.

    One of my customers just sent me an email a couple hours ago complaining that their site was hacked.

    Turned out it WAS just an index problem. I went and changed the root FTP user and DB passwords, and thankfully the SQL DB was not touched.

    I think they also oversold, over-crapped, over-promised and under delivered for one year too long.

    I realize they are a shared host and I also know that I’ve outgrown them, so I’m REALLY glad I bought an account with Media Temple a few months ago. It’s $50/mo, and will likely cost me a bit more once I get everyone moved over, but it’s Virtual Dedicated, I have total control of the server, and no one else is on my grid container except ME and MY CLIENTS. I have over 39 domains to host, so I’d started migrating them over little by little, but I’ve only got 4 of them over completely. Guess I’d better pick up the pace! I’m outta here, Dreamhost! It’s been real.

  91. New design for the Emarts blog! | Emarts @ September 9th, 2007

    […] Over the next few days I will be making the final touches to the files and restoring the Radioblog that was destroyed a while ago. […]
