I wish you all the best,
John

I find it even more alarming that eBay contains your changed password in the confirmation e-mail. I’m dealing with those idiots to get that practice stopped. I’m just stating that if something like this happens again (and it probably won’t considering they probably handled the aftermath properly) I will have to go somewhere else for my hosting. I’m as happy as I can be with Dreamhost; it’s just that this security breach was nothing but a headache for me (and apparently for them, too).

Some people got their panel hacked into as well as FTP and I was one of them. They got a list of FTP accounts and passwords along with a short list of panel accounts and passwords before Dreamhost caught it. I have the e-mail to prove it urging me to change my password immediately. Before I knew it they gained access to my FTP account, downloaded everything off of my server then got into the panel and gained all my information from there as well including adding in some MySQL databases (I didn’t have any prior to their hacking). My panel uses and has used a different password since I’ve started being hosted here. From there they gained access to my e-mail account, altered my postmaster e-mail account, and had all my e-mail from my e-mail account forwarded also to that one. During all of this I changed my passwords across the board and eBay has the bright idea of including your changed password in the confirmation e-mail. From there they gained access to my eBay account and then started trying to sell things on eBay.

This all started from that security hole.

If something like this happens again I swear I will cancel my account. If you cannot secure FTP passwords you need to close doors. Since the hacking they gained access to my e-mail accounts and from there gained access to my eBay account by reading e-mails I received through eBay.

And your inability to pick a different password for email than for FTP is DH’s fault how? That’s what I thought.

By reading the comments here you’ve already lost customers as a result of this stupid oversight.

Yes, sending plaintext passwords across the internet is not especially secure, but only if one of the bad guys has access to and has subverted one of the intermediate nodes. Do a traceroute between your machine and DreamHost. It would have to be one of those machines that was subverted (or a machine on the same subnet). In my case:

traceroute to http://ftp.bannister.us (208.97.130.244), 30 hops max, 40 byte packets
1 gateway.bannister.home (192.168.1.1) 7.496 ms 0.267 ms 0.188 ms
2 ip70-181-68-1.oc.oc.cox.net (70.181.68.1) 9.654 ms 8.961 ms 8.765 ms
3 ip68-4-14-141.oc.oc.cox.net (68.4.14.141) 8.688 ms 9.195 ms 7.867 ms
4 rsmtdsrj02-ge600.0.rd.oc.cox.net (68.4.14.213) 21.449 ms 9.425 ms 7.846 ms
5 langbbr01-as0.r2.la.cox.net (68.1.0.230) 11.677 ms 11.681 ms 13.279 ms
6 68.105.30.190 (68.105.30.190) 24.827 ms 24.014 ms 25.927 ms
7 core1.lax.inappnet-12.cr1.lax009.internap.net (66.79.149.130) 17.736 ms 15.801 ms 15.967 ms
8 border1.po2-bbnet2.ext1a.lax.pnap.net (216.52.255.95) 12.592 ms 12.024 ms 11.789 ms
9 newdream-1.border1.ext1a.lax.pnap.net (216.52.220.78) 12.599 ms 12.646 ms 12.655 ms
10 apache2-argon.rexford.dreamhost.com (208.97.130.244) 12.499 ms 11.665 ms 11.065 ms

My FTP password was taken. Were all the DreamHost customers caught in the breach also Cox customers? I doubt this. Did the bad guys subvert a node on the backbone? Very unlikely (then this would be a lot more than just a DreamHost problem). That leaves machines on the DreamHost network. Was a machine managed by DreamHost subverted? Possible – but my guess is the methods to avoid and detect subversion of machines at a hosting service are well known even to the DreamHost folks.

That really leaves two most-likely possibilities. First, the DreamHost software was written by young, enthusiastic guys who more than likely did not know what could cause them trouble, and thus were vulnerable to one of the more common attacks. The next most likely possibility is a “social engineering” attack. Someone working at DreamHost either intentionally or unintentionally gave the bad guys access.

My guess is that SFTP versus FTP would have made no difference, in this instance.

For example, how many users use FTP at work or at public access points? It happens. The larger your user community, the more likely at least one host will be compromised at some point.

I was hacked, fixed it, reported it, changed my password and was hacked again before Dreamhost even seemed to be aware of the situation. I’m still not happy with the story being presented by dreamhost, I *only* ever use SFTP to access my sites (WinSCP is just so much nicer to user than any FTP client would be anyway!), and I ran exhaustive scans for viruses, malware, keyloggers on both my machines and found nothing.

In short, I’m still not happy with the official story about what happened.

I’ve since done a bit of research and moved 90% of my sites over to a managed dedicated server, sure – it costs a fair bit more. But if you’re doing anything professional I’ve now come to realise it’s necessary. I wasted nearly a whole week dealing with the fallout of this event, and time is money.

Dreamhost is a bargain, there’s no debating it. But I think this event has shown that perhaps it’s got a bit _too_ big to handle situations like this with the required amount of customer care.

I’ll still be using my Dreamhost account until it expires for file storage, but I’ve now moved on to a smaller and better things.