If you are interested in real hackers and real hosting and the reality of how the internet works, you will read through all this ranting and raving and discover that DREAMHOST is the WORST PLACE TO EVER HOST ANYTHING.
I’m now fed up with Dreamhost enough that I’m not going to keep silent. In fact, I will expose a “dirty little secret” that they have had a hard time dealing with. And the only reason I am going to expose it is because they now deserve to be on everyone’s list of a place to NEVER EVER HOST ANYTHING WITH. This company does NOT deserve your money and I will explain to you why. I will not just explain it to you once, not twice, but at least three times.
It all starts with the e-mail I just received. And you know what, I don’t care much about e-mail I receive after 9pm because by then I’m watching a movie or doing something non-technical to “wind down” from the day. Today, however, it is a different matter because the e-mail I received from Dreamhost is totally unacceptable. And I am going to tell you, who might not be as “expert” about things, why you should avoid this company like a plague.
Let’s start with the e-mail I got…
Hello,
During a recent security scan we have identified that one or more of your hosted sites show signs of being compromised as they are hosting known, malicious web-based backdoors. Specifically, the following file(s) have been accessed by intruders and have been associated with unsolicited bulk email, denial of service or other abusive activity:
We have identified the following known backdoors under your account:
/home/stefandidak/etc. etc.
During a security scan, eh? And this so-called infection got there how exactly? Care to actually explain that if you dare? I bet you don’t because your service has been known as the WORST POSSIBLE when it comes to having sites infected over and over again. And not because of your customers. Not because they didn’t update their WordPress installation or plugins. I understand that it is CONVENIENT for YOU to blame your customers for not keeping up but you can only pull that shit on customers who don’t know any better or actually have some sort of completely misguided belief that YOU are some sort of “authority” of knowledge when it comes to these things.
Well, let me tell you, publicly, that I think you are a bunch of total LIARS who deserve to have NO customers AT ALL. And no, I will not just rant and say that, I will damn well provide you with the details. Something YOU have completely failed at and certainly would never do. Especially because if you did provide the actual details it would show exactly what I just said, that your hosting system is the WORST POSSIBLE for anyone who wants to host a website.
Thank you Dreamhost and your completely incompetent system administrators for the many years of frustration you’ve caused me. It is no surprise that any time hosting comes up I immediately, as a first thing on my mind, tell people to NEVER HOST WITH DREAMHOST. However, today I am canceling the last services I have running with you because frankly, my hourly rate costs more than 2 years of your SLOPPY INCOMPETENT HOSTING and you’ve now cost me another 2 hours to deal with the crap as a result of YOUR PERSISTENT NETWORK INTRUSIONS of which you happily seem to imply your customers are to blame. It’s not worth it.
Let me just move these few leftover unimportant domains and sites over to one of the VPS’s I’ve got that I completely control and clearly do a damn lot better at managing and securing, which is more than clear based on YOUR track record!
I know that whatever I pay you every year is not going to matter SHIT to you but that’s ok. It doesn’t matter to me either. However, the 2500+ visitors to my website might actually have something to say about it and while they may not tell you that to your face like I will, at any opportunity, they will say so with their credit cards and checkbooks and decide not to make the mistake of hosting ANYTHING with Dreamhost, ever. Which would be entirely to their benefit.
But let’s not get into any historical aspects of why you’re known to me as the LOUSIEST HOST on the planet. Let’s focus on the kind of DRIVEL you send your paying customers…
We have disabled the page(s) in question (via adjusting permissions on the files, e.g. chmod, or backing up the file first renaming it to “filename.INFECTED” and cleaning up the injected code) until you are able to address this matter.
WONDERFUL! What an amazing help you folks are. But then you go on and ACCUSE ME… and probably many more of your PAYING CUSTOMERS. Which is great if you can get away with that sort of crap, especially since probably most of your paying customers don’t know shit about computers, websites, internet, or anything. Except it doesn’t fly with me one bit and it won’t fly for one bit with anyone who understands just a bit more than what you think your customers are capable of understanding.
The existence of these pages on your website(s) is likely a sign you have been compromised.
I have been compromised? Really? Sorry guys, you damn incompetent fools over there at Dreamhost, you are the ones who have ONCE AGAIN been compromised.
Nice choice of words, though. Tell me, and I promise not to tell, how much did you have to spend on the spin doctor or the PR person to come up with those words to imply it is the fault of your paying customers? Was it more than the average hourly rate of a PR person? Was it less? Did you perhaps hire them through odesk or some other low-wage bottom-feeder bottom-barrel system because that would be the kind of value I think you would put on it? Just guessing here based on the overall quality of your network, your systems, and the kind of business you think you are running. Call me biased but I’ve got a long list of things in which you have completely and utterly FAILED to provide even basic services that you listed for a price that you got people sold on.
Let me tell YOU that YOU are the ones who ONCE AGAIN have been compromised.
And this is not the first time that I am telling you that, is it?????????
Do you want me to go back into my mail archives? Do you? Well, I can… and I will show the entire world the e-mail thread between your support folks and me from way back in the day when I first got an account at Dreamhost. Well, you know what, the way you accuse, by implied language, that your paying customers are compromised because of something they did or didn’t do pisses me off so much that I’m just going to tell it anyway. And yes, you know what, you feel the need to combat this, go ahead and hire the best lawyers you can find because I can back up EVERY SINGLE WORD I AM GOING TO SAY. Don’t think I can, then go ahead and try your best because boy, that will create quite a lot of really cool media coverage for you guys, don’t you think?
I first signed up with Dreamhost sometime early December 5th in 2006.
On December 28th in 2006 I had to contact their support department with the following:
Hi guys,
Sorry for using the OMG! EXTREME CRITICAL etc. tag but the others didn’t quite seem to fit.
I have, quite accidentally, stumbled upon a way that people with malicious intentions could use to intercept mail from other DH hosted domains. It would take me a long time to write it down in detail so if you can provide me with a direct phone number of someone who would like to hear about this then please let me know (and let me know what a good time to call would be -relative to whatever timezone you’re in-). I’m in The Netherlands (GMT+1), I’ll call on my dime, no problem.
— Stefan.
Yes, note that I was more than willing to call them ON MY COST because this was an issue that really went beyond the regular stuff I had seen at hosting companies in the past. This was BAD. I got a reply from “Jeff” saying…
Thanks for writing. I’m afraid that we don’t have a number to call for this sort of thing, but if you can give me a brief explanation via email it’d be appreciated (also, in case this method is a technical nature, I’d like to have it written down so that I can explain the specifics to administrators if necessary).
Oh, great, so instead of being efficient about it, on my cost even, Dreamhost rather had me write it all down. Well, you know what THIS SECURITY ISSUE OF EPIC PROPORTIONS was serious enough that I actually did spend the time writing it all down. And because I don’t want to burden you, my valued readers, with more crap than you can handle in a day (mentioning Dreamhost more than once is enough to ruin anyone’s day, I’m sure) I will give you the short version.
- My Fiancee (Sallie) was pondering moving her domains.
- I said, I got this “code monster” account at Dreamhost I can easily host all your domains too.
- I went ahead and CREATED THE DOMAINS
- I created the e-mail address for her domains and the appropriate MX records
- Sallie decided a few weeks later she was going to host it at some other place
Note that I CONFIGURED the domains at Dreamhost but those were just internal domain ASSIGNMENTS. These domains already EXISTED and had their DNS running ELSEWHERE and were fully functional ELSEWHERE. At no point did any A or MX record EVER point to Dreamhost.
A few weeks passed and I forgot to take those domains I created at Dreamhost down. Well, they weren’t real domains, they were just configurations in their system. No harm done, right?
WRONG!
Anyone who has any understanding of DNS knows that a domain is only active and live once the proper A records and MX records (for mail) are pointed at servers that are told to accept incoming connections (web, mail, whatever). So I never thought that pre-configuring the domains would cause an issue of any kind. I would just remove them but I was just a little lazy and slow in doing so.
Much to my surprise between signing up on the 5th of December and the 27th of the same month I noticed that one of the e-mail accounts I created for Sallie had an actual size of more than 0. How could that be? More than 0? There’s no mail that could EVER arrive there, right? The MX records and everything else was pointing to a completely different host. A welcome message maybe? No….
It was a message from an acquaintance of Sallie, Tee Morris. Tee Morris had his domain and mail through Dreamhost as well at the time (http://teemorris.com). What was it doing there on a domain that could never be live and how?
Well, as I said, Tee Morris had his mail and website run through Dreamhost as well. It didn’t take me long to figure out what happened. I resolved the teemorris.com domain and instantly I knew what had happened. Of course, a few years prior I was headline news in The Netherlands and labeled (by the media) as a “cable internet expert” because I exposed a massive scandal involving the leaking of private information of subscribers whose data packets were broadcast over the entire VLAN segment of the cable modems in my district.
I wasn’t a network “expert” and never claimed to be but I guess I knew more about it than most people (and of course I was using packet sniffers and analysis after seeing ghost packets arrive on my computers on the cable network system). I had already learned all about DNS, TCP/IP, etc. and had already been a developer who programmed TCP/IP protocols. So yeah, seriously, sorry to get all arrogant here but I knew EXACTLY what was going on. Have you already guessed it? Good for you and welcome to my world and you may be eligible for an account on http://arealdeveloper.com. If you haven’t…
Dreamhost’s internal DNS resolution included all domains configured by their customers REGARDLESS of whether the domain actually EXISTED or was even pointing anything at Dreamhost.
In other words, the people who configured the Dreamhost network were a bunch of incompetent fools that didn’t know what they were doing. And I believe most of Dreamhost is still in the same frame of expertise these days. Instead of resolving an external MX record they used local DNS (cached perhaps, I don’t know, but certainly fully internal in a way it should have NEVER BEEN IN THE FIRST PLACE) and mail would go to any domain that was perceived to be local whether it was TRUE OR NOT.
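The routing decision described above, modelled as an added example (not code from the original post or from Dreamhost): the first function treats any panel-configured domain as local, the second also requires the domain's public primary MX to point at the host, and the audit lists configured domains that fail that check. All domain names, account ids, MX hostnames and the `lookup_mx` stand-in resolver are constructed assumptions.

```python
"""Local-table mail routing versus MX-verified routing (added example).

All domains, accounts and MX hosts below are constructed sample data.
"""

# Domains that customers have configured in the shared host's panel.
LOCAL_DOMAINS = {
    "hosted-customer.example": "acct-1001",
    # Configured in the panel, but its real DNS and mail live elsewhere.
    "parked-elsewhere.example": "acct-2002",
}

# Constructed stand-in for public DNS: domain -> [(preference, mx_host)].
PUBLIC_MX = {
    "hosted-customer.example": [(10, "mx1.sharedhost.example."),
                                (20, "mx2.sharedhost.example.")],
    "parked-elsewhere.example": [(10, "mail.otherprovider.example.")],
}

# MX hostnames that belong to the shared host (assumed names).
OUR_MX_HOSTS = {"mx1.sharedhost.example", "mx2.sharedhost.example"}


def lookup_mx(domain):
    """Stand-in for a real resolver query; returns [(preference, host)]."""
    return PUBLIC_MX.get(domain.lower(), [])


def primary_mx_hosts(records):
    """Return the set of hosts sharing the lowest (most preferred) MX value."""
    if not records:
        return set()
    best = min(pref for pref, _ in records)
    return {host.rstrip(".").lower() for pref, host in records if pref == best}


def recipient_domain(rcpt):
    """Extract the lower-cased domain part of an address like user@domain."""
    return rcpt.rsplit("@", 1)[1].lower()


def route_trusting_local_table(rcpt, local_domains):
    """Behaviour described in the post: a configured domain is 'local'."""
    domain = recipient_domain(rcpt)
    if domain in local_domains:
        return ("local", local_domains[domain])
    return ("remote", domain)


def route_verifying_mx(rcpt, local_domains, mx_lookup, our_mx_hosts):
    """Deliver locally only if public DNS also says this host takes the mail."""
    domain = recipient_domain(rcpt)
    if domain in local_domains:
        if primary_mx_hosts(mx_lookup(domain)) & our_mx_hosts:
            return ("local", local_domains[domain])
    # Not verified: hand off to normal remote delivery via public DNS.
    return ("remote", domain)


def audit_local_domains(local_domains, mx_lookup, our_mx_hosts):
    """List configured domains whose primary public MX is not one of ours."""
    findings = []
    for domain, account in sorted(local_domains.items()):
        primary = primary_mx_hosts(mx_lookup(domain))
        if not primary & our_mx_hosts:
            findings.append((domain, account, sorted(primary)))
    return findings


if __name__ == "__main__":
    rcpt = "user@parked-elsewhere.example"
    print(route_trusting_local_table(rcpt, LOCAL_DOMAINS))
    print(route_verifying_mx(rcpt, LOCAL_DOMAINS, lookup_mx, OUR_MX_HOSTS))
    for finding in audit_local_domains(LOCAL_DOMAINS, lookup_mx, OUR_MX_HOSTS):
        print("mismatch:", finding)
```

Run periodically against the real domain table, the audit turns the "configured here but served elsewhere" condition into a list an operator can act on before any mail is misdelivered.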
I outlined everything in detail, my findings, my repeated tests, and the full proof in the e-mail to them (because they couldn’t be bothered to take a call for which I offered to pay myself) and the response I got was that they COULD NOT FIX IT. In fact, let me just dig this up for the record because Dreamhost deserves some public shaming for this. “Jeff” responded back to me on January 5th 2007 saying…
I’m sorry for the slow response on this – I wanted to run it past another one of our technicians before responding, and things have been pretty busy these last few days.
Basically, the answer in this case is that what you describe does pose a potential threat of malicious activity, but it’s not something we can really ‘fix’ as this is normal/intended behavior for mail servers.
When sending mail locally, our system (and most/all others) does not actually consult DNS. If it appears to be local, we deliver it locally. There’s no way for us to anticipate what domains could fall victim to this sort of thing, though we do disallow the attempted addition of major domains such as yahoo.com, bankofamerica.com, etc. that may be common targets for such extraction.
Jeff,
So there you have it. Incompetent from the start and incompetent today. Acknowledging that what I DISCOVERED within my first month of being a PAYING CUSTOMER and saying they can’t really “fix” it.
I’m sorry but even in 2006 and 2007 I consider that a SEVERE ACT OF NEGLIGENCE AND INCOMPETENCE to the point where I think that YOU SHOULD NOT BE IN THE HOSTING BUSINESS AT ALL.
Shame on you Dreamhost. Shame on me for not going PUBLIC with it when I perhaps should have. I gave you the chance to fix it and I am historically the kind of “hacker” who doesn’t believe in exposing things until a fix is in place (yeah yeah, call me crazy or misguided but back in 2007 I adhered to the official values that all of us hackers “grew up” with).
I continued to ask Dreamhost… “what if I created a bankofamerica.com domain”. Because I could DO THAT because bankofamerica was not hosted or run through Dreamhost. What if I create that and what will happen to the e-mail from ALL YOUR OTHER CUSTOMERS?
The response I got was basically “we would have noticed that and taken action”.
Really? And how many of YOUR CUSTOMERS would I have been able to get into serious trouble before you noticed? How much money would YOUR CUSTOMERS have lost if I was an evil f*ck who went after their personal details and abused it every way I could? How many of YOUR PAYING CUSTOMERS would already be in serious trouble before you “noticed” and “took action”? I never got an answer to that question. It shows you the kind of really incompetent and irresponsible company Dreamhost was.. and as far as I am concerned with the recent crap, still IS.
I never believed for a moment that Dreamhost would be monitoring things like that because:
- if you monitor for those things it means your system is worthless crap
- If you monitor for those things you don’t trust your own configuration
I’ve been developing software and large scale systems since 1985 and you know what…. if you don’t TRUST your own code because you have a reason for it then YOUR SHIT SUCKS. It’s that simple and in the case of Dreamhost that certainly seems to be the case.
OK, sorry dear fans and readers of my blog that I bored you with a little bit of history but I had to write it and I had to say it. I don’t care what legal crap Dreamhost networks wants to try and pull to get this OFF the internet (lucky for me, it does not appear to be hosted on any of THEIR servers ha!) but it will not be removed and it will not be removed ever. It’s called having proof, facts, and having a backbone… something more people and companies should have if you ask me. This is not your average “Dreamhost Sucks” blog post of which there are countless. This one is actually written by someone who knows his stuff and has decided that Dreamhost needs to suffer the consequences of their recent “activities”. If you happen to be a very happy Dreamhost Customer and reading this, that’s ok, more power to you, just don’t come complaining to me when shit hits the fan and if it does while you were still with them, please don’t say I didn’t warn you!
Anyway, that’s a little detour into some of the dirty laundry that Dreamhost never informed you about. I’m sorry that I never informed you about it but I do believe in giving people a chance to fix their errors. I still believe that but not when it comes to Dreamhost because they’ve clearly used up all their chances already and there’s no way back from that at this point. So let’s continue on to their crappy bullshit e-mail…
We completely empathize with your problem — having a site hacked can be a frustrating and stressful experience but we hope that this notification helps prevent this matter from being a serious one.
Boy, are you people thick in the head or what? Really? A stressful experience? Frankly, my stressful experience with your services and your lousy dreamhost hosting, which really should be branded “nightmare”-host, has nothing to do with websites and the ones I still had running with you for the past several years (because I was too lazy to do something about it and the cost was so low I wouldn’t even notice it). The stressful experience with Dreamhost is because the company is too incompetent to get their crap sorted and clearly has at least several unqualified people that are part of the entire operation.
You know what’s frustrating and infuriating? THIS IS…
http://www.stefandidak.com/2008/08/redditing-my-site-can-crash-servers-at-dreamhost/
Yes, remember that? Tens of thousands of people an hour trying to see pictures of my world famous home office. You couldn’t handle it. Your service was not ready for that level of traffic. Yet I never exceeded the bandwidth allowance on the “monster plan” that I was paying something like almost $300 a year for, nor did I exceed anything else that was listed in your crappy terms of service. But yet, because of the nature of shared hosting and my traffic pulling down your servers and hundreds of other sites you decided to YANK MY ENTIRE SITE. Leaving all the visitors to a nice 404 and 500 error. Thank you very much for that, guys. Well, I actually THANKED YOU properly for that by moving that particular site over to MediaTemple and guess what happened…
http://www.stefandidak.com/2009/01/bye-bye-dreamhost-hello-media-temple/
Yes, poor little lying Dreamhost, eat that… MediaTemple at $20 a month had no trouble giving me over 600.000 hits in just a few hours. No problem WHAT SO EVER. I was really happy moving there because you know what, it was just one day before that traffic spike hit. I bet you would have pulled my domain again, wouldn’t you?
I came to the conclusion that you were basically a bunch of lying a-holes with a worthless “terms of service”. In fact, I pretty much openly accused you (and will likely do so in perpetuity over it) of being completely incompetent because anyone who knows servers, Apache, load balancing, etc. would have put a rate limitation on the number of hits instead of yanking a site. But then again, you guys are called Dreamhost and that means you don’t understand anything about anything and will do whatever makes sense even if it looks completely foolish and incompetent to the rest of the world, especially the world of those who KNOW BETTER because they have more experience in matters concerning websites, servers, and how to properly configure and run them.
Sorry to rehash some old history here but I think my 40% of new daily visitors deserve a bit of background story on why I already took my important sites away from Dreamhost because I 1) couldn’t trust you in any technical facing and 2) couldn’t trust you as far as I could throw you.
We’re here to help but we need your assistance first as there are some actions we’re not able to take on your behalf as they involve changes to software versions and files under your account. To that end, we highly recommend that you take the following steps:
Please, on my behalf, don’t be there to “HELP” because I’ve seen what your concept of “HELP” actually means. Instead I’ve just decided to spend a few of my “expensive” (at least to Californian and Western standards since it exceeds many times what I pay you each year) hours to move everything else I’ve still got on your servers away from you. In other words, I prefer to help myself. Because I can. And because I know how. And because I’ve been very lazy about not doing it sooner. However, now I have and that’s the end of it and the end of me having to deal with your incompetent crap ever again.
The people I feel sorry for are your current customers who haven’t yet moved away from you because you are accusing them, which is implied in the e-mail statement I received the other day, of not having taken enough steps to guard against hackers and infectious malware. I will tell you publicly that you are FULL OF SHIT if you think you can get away with that. Sure enough, you WILL get away with that with a lot of your customers but not with me and there’s a reason for that. One I will get to in a moment once I’m done ripping you the new a-hole you deserve to receive in the light of all this.
Your so-called “helpful” e-mail says…
Update any 3rd party software under the account, including content management systems, gallery software, weblogging tools, etc. Be sure to use current, secure versions and keep them up-to-date.
Update any plugins and/or themes on your sites (Recent attacks against websites have targeted vulnerable software such as timthumb.php which is included in some wordpress themes, separate from the core files)
Check your website(s) files for any signs of tampering (file timestamps show recent editing) or files you did not upload yourself and remove them. Looking at the reported files above should give you a good starting point.
Check your website(s) files for any 777 directories, (e.g. a directory that allows anyone on the server to write or edit the files in the directory; these permissions will look like rwxrwxrwx via the command line)
Change your FTP password(s). Be sure they are at least 8 characters in length and do not contain English words. Random numbers and letters work best.
Consider enabling the StopTheHacker service in your panel. Specifically consider signing up for StopTheHacker’s Comprehensive Malware Scanning. More info: http://wiki.dreamhost.com/StopTheHacker
If you have any questions, please feel free to reply to this email and we will be more than happy to assist you with securing your sites.
Wow. What am I going to say to all that? Maybe a stern and technical “go F yourself Dreamhost”? Well, that certainly will fit the situation. However, that’s not going to cut it because just saying “avoid Dreamhost” or “Dreamhost is bad” or “Dreamhost is crap” will not satisfy my intelligent readership. I would want some kind of evidence or proof if such a thing is said. Well, ok, then here we go… JUST THE FACTS….
Two of the domains I was still hosting websites for at Dreamhost (which aren’t mine, actually) have been INFECTED WITH MALWARE for MONTHS. For the past several months those sites have been infected. I knew it, the domain owner knew it, but you know stuff happens and you don’t get to deal with it (not my problems, for sure).
Was there EVER a notice from Dreamhost about the infection? NO!
I’m not going to even try asking them why there never was because I don’t believe a single word these LIARS at Dreamhost say anyway. It’s a moot point. Those sites are backed up and are moving elsewhere and will be clean from any malware infections when they do.
Instead, the incompetent jerks at Dreamhost decided to notify me of an infection on another site. OK, let’s see just what that means. You’ve seen what they sent out (above) right?
- The WordPress installation was updated 2 weeks ago.
- The plugins and everything else was 100% up to date (also 2 weeks ago).
- The user and password stuff would stand any regular attack.
Don’t ask me what I mean by “regular attack” because I don’t want to sound like someone who understands these things and is capable of such “attacks”. You’ll just have to trust me and I think 99% of my readership will. 🙂
I wanted to move several unimportant sites away from Dreamhost for a while but I have been lazy. I decided to move them away 2 weeks ago which is why I made backups and updated things and made sure things were fine for a transfer away from Dreamhost.
So this infection occurred just how?
Not because of anything I failed to do.
The 90 days of logs I just analyzed for the infected site show no unusual data either. Oh, yeah, sorry you poor incompetent and misguided PR people at Dreamhost, there are people out there who are PAYING CUSTOMERS who *can* actually read logs and may have hundreds of dollars of log analysis tools available to them. I’m so sorry that I just happen to be the kind of customer you prefer to not have because I can actually TELL that you are lying through your teeth or at least having your spin doctors imply to the lesser capable customers that it’s possibly their fault. Is this the way you communicate to your customers? Shame on you! Make sure you only sign up customers who are less capable. You could perhaps have a form online prior to potential customers putting in their credit card numbers that does some kind of technical Q&A test at which point you filter out everyone like me?
So, nothing in the logs and nothing else to explain why certain WordPress PHP files were “suddenly infected”.
For many years real professionals have said to NEVER EVER host your sites at Dreamhost because they are more vulnerable to infections. They’re right because clearly that’s the case. No matter what you do, sites WILL get infected on Dreamhost. For “no reason”. Funny that over 4 DOZEN of my other domains in at least 4 “elsewhere” locations are not suffering the same fate. Must be a Dreamhost thing, then. I must concur that if you have a site at Dreamhost you ARE and WILL BE more likely to get infected.
This holds up how? You do the same updates, security, etc. and yet your sites at Dreamhost get infected with malware PHP crap. The only technical and logical answer is that “Dreamhost sucks” and they don’t have enough in place to defend their customers’ websites and for not having such they will make you think it is YOUR FAILING.
This is disgusting and despicable. Then again, those are two words I would immediately associate with Dreamhost any day at any time because that’s the truth for anyone who’s had any length of experience with them. Which I have given the 2006 sign up. Just saying that it’s been almost 7 years now even though all my heavy traffic and cool and important sites have long since been removed from Dreamhost.
It is clear to me that once again many sites got infected with malware at Dreamhost except at this particular time I can say it may not be the fault of customers because neither the logs nor the pattern makes any sense. My guess is that the rotten and totally INCOMPETENT configuration of servers at Dreamhost is at fault here. Clearly as you can read in my little “dirty little secret” about Dreamhost such a thing may not come as a surprise to folks like me who’ve been around and been around the block more times than Dreamhost has been in business.
So FWIW, I don’t really care any more how Dreamhost is going to LIE to their customers by implying it was their fault instead of their host. I’m done with them and gone from there and bye bye. As in, really bye bye. I can only hope this blog post scores as high as the previous two on Dreamhost related searches because the more people don’t host there the better off they will be.
The only thing I have to say to Dreamhost is something I’d prefer to do privately but then again I’m writing all this publicly which is a bit of a conundrum. Let’s just say that my final words to Dreamhost are “FU”. As in really F-U. Totally F-U and your incompetent fools along with you. F-U now and F-U forever. You shouldn’t be in the web hosting business at all because you totally suck at it and you’ve PROVEN yourself to suck at it since at least late 2006.
The only technical conclusion to be reached from all this is that Dreamhost has been compromised by hackers again. And I say AGAIN because this is not the first time, not the second time, but the “countless” time. My wife who is a WordPress consultant encounters more malware infected websites of clients who host with Dreamhost more than any other host. Based on the evidence I’ve gathered and solidified today I can say that whatever Dreamhost says they are full of sh*t and are passing on “the blame” when every shred of evidence and proof shows that they are just the worst place to host your site. I can substantiate all of it but prefer to save it for a future post because this has been going on too long already!
And if you wish to contact me, you know where to reach me. If you wish to stick a group of angry lawyers at me saying that I am defaming you… PLEASE PLEASE PLEASE be my guest because I’ve crushed larger and more worthy opponents when it comes to that. And I will guarantee you that you will get a fair enough exposure online and in the tech media for doing so. So, please keep in mind that all I have to say to you is “F U” with a cherry on top! Sayonara you complete imbecilic spin-doctoring incompetent liars!
Happened to me 5 times now. Fuckin god awful. I update all my shit. Believed them at first, but shit. Never had one issue w host gator. I’m w u bro. Dreamhost aka nightmare host blows dick