October 31, 2009
A bad experience with Dreamhost
Posted by: roberb7 : Category: Hosting
I spent an afternoon completely away from computers, and when I got back, I received this email from the Dreamhost Security Bot:
-----
We have noticed your myacct user causing a large amount of load on the webserver. We also noticed that domains under this user are running outdated web software that may be hackable. Often times when domains get hacked the hackers will launch malicious processes that use a great deal of CPU time and thus increase the load on the machine caused by your user. This does not necessarily mean that your sites are hacked, but they could be. To ensure that your user is not compromised and contributing to server load unnecessarily (and, also not engaging in illegal activity typically associated with these types of hacks) we ask that you review the following and act accordingly.
Comment: so far, so good
Most commonly hacking exploits of this nature occur through known vulnerabilities in outdated copies of web software (blogs, galleries, carts, wikis, forums, CMS scripts, etc.) running under your domains. To secure your sites you should:
1) Update all pre-packaged web software to the most recent versions available from the vendor. The following site can help you determine if you're running a vulnerable version:
http://secunia.com/advisories/search/
Joomla (v1.5.8) : /home/myacct/disabled site.net/ (OUTDATED!)
I disabled this site six months ago.
Joomla (v1.5.12) : /home/myacct/joomla1512site.com/ (OUTDATED!)
There were three of these.
WordPress (v2.8.4) : /home/myacct/wp284site.org/ (OUTDATED!)
There were six of these.
- WordPress installations need to be updated to the current release of 2.8.5.
- Joomla installations need to be updated to the respective current secure release: 1.0.15 or 1.5.14.
- Any old/outdated/archive installations that you do not intend to maintain need to be deleted from the server.
The (OUTDATED!) domains above have been disabled by renaming the domain directory to end in "_DISABLED_FOR_POSSIBLE_EXPLOIT__CONTACT_DREAMHOST". Please do not reinstate them until you are ready to immediately upgrade them, or until you have already upgraded them.
-----
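The notice above amounts to an inventory check: walk each domain directory, read the CMS's own version file, and compare the version found against the current release. The following is an added example of such a check written for this post, not Dreamhost's scanner and not code from WordPress or Joomla. It assumes the version files of the era (`wp-includes/version.php` with `$wp_version`, and Joomla's `libraries/joomla/version.php` or `includes/version.php` with `$RELEASE` and `$DEV_LEVEL`), uses the "current secure release" numbers quoted in the notice, and builds a constructed sample home directory so it runs stand-alone. The domain names and paths in the sample are invented.

```python
"""Inventory WordPress/Joomla installs under a home directory and flag
the ones behind the current release (added example, not Dreamhost's bot)."""
import os
import re
import tempfile

# Current releases as stated in the notice (October 2009).
CURRENT_RELEASES = {
    "WordPress": ["2.8.5"],
    "Joomla": ["1.0.15", "1.5.14"],
}

# Assumed layout of the version files of that era.
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([0-9.]+)'")
JOOMLA_RELEASE_RE = re.compile(r"\$RELEASE\s*=\s*'([0-9.]+)'")
JOOMLA_LEVEL_RE = re.compile(r"\$DEV_LEVEL\s*=\s*'([0-9]+)'")


def parse_version(text):
    """'1.5.12' -> (1, 5, 12) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def branch(text):
    """'1.5.12' -> '1.5' (the maintenance branch an install belongs to)."""
    return ".".join(text.split(".")[:2])


def read(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def detect_install(site_dir):
    """Return (product, version) for one domain directory, or None."""
    wp = os.path.join(site_dir, "wp-includes", "version.php")
    if os.path.isfile(wp):
        m = WP_VERSION_RE.search(read(wp))
        if m:
            return "WordPress", m.group(1)
    # Joomla 1.5 keeps JVersion in libraries/joomla/, Joomla 1.0 in includes/.
    for rel in ("libraries/joomla/version.php", "includes/version.php"):
        jv = os.path.join(site_dir, *rel.split("/"))
        if os.path.isfile(jv):
            text = read(jv)
            rel_m = JOOMLA_RELEASE_RE.search(text)
            lvl_m = JOOMLA_LEVEL_RE.search(text)
            if rel_m and lvl_m:
                return "Joomla", f"{rel_m.group(1)}.{lvl_m.group(1)}"
    return None


def is_outdated(product, version):
    """Outdated if behind the newest release of its branch, or on a branch
    that has no current release at all (e.g. an abandoned 1.x line)."""
    same_branch = [v for v in CURRENT_RELEASES[product] if branch(v) == branch(version)]
    if not same_branch:
        return True
    return parse_version(version) < max(parse_version(v) for v in same_branch)


def scan_home(home):
    """Return [(domain_dir, product, version, outdated), ...] sorted by name."""
    findings = []
    for name in sorted(os.listdir(home)):
        site = os.path.join(home, name)
        if not os.path.isdir(site):
            continue
        found = detect_install(site)
        if found is None:
            continue
        product, version = found
        findings.append((name, product, version, is_outdated(product, version)))
    return findings


def build_sample_home():
    """Constructed sample tree standing in for /home/myacct (invented names)."""
    home = tempfile.mkdtemp(prefix="home_myacct_")

    def write(rel, body):
        path = os.path.join(home, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

    write("wp284site.org/wp-includes/version.php", "<?php\n$wp_version = '2.8.4';\n")
    write("joomla1512site.com/libraries/joomla/version.php",
          "<?php\nclass JVersion {\n\tvar $RELEASE = '1.5';\n\tvar $DEV_LEVEL = '12';\n}\n")
    write("current.example/wp-includes/version.php", "<?php\n$wp_version = '2.8.5';\n")
    write("static.example/index.html", "<html></html>\n")  # no CMS, skipped
    return home


def demo():
    return scan_home(build_sample_home())


if __name__ == "__main__":
    for name, product, version, outdated in demo():
        flag = " (OUTDATED!)" if outdated else ""
        print(f"{product} (v{version}) : {name}/{flag}")
```

Running the scan yourself, on a schedule, is the cheap way to avoid being surprised by a host's bot: the version files are plain text, so the check costs nothing and gives you the list of sites to update or delete before anyone else disables them for you.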
So, nine of my sites were disabled, for a period of four hours, with NO ADVANCE WARNING from Dreamhost.
I sent them a response, pointing out that:
1. I run a tripwire program, integrit, on a daily basis. It showed no evidence that any of these sites had been hacked.
2. My access logs showed no increase in activity on this date.
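A tripwire-style tool such as integrit works by recording a cryptographic hash of every file under the site and reporting anything added, removed or changed since that baseline, which is the evidence the post relies on. The following is an added, minimal illustration of that idea, written for this post and not integrit's own code or output format; it constructs a small sample site in a temporary directory, takes a baseline, then simulates an edit, an addition and a deletion and reports the difference.

```python
"""Minimal file-integrity baseline and comparison, in the style of a tripwire
tool (added example, not integrit's code)."""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare_manifests(baseline, current):
    """Report files added, removed, or whose content changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed sample site: baseline it, then simulate three kinds of change."""
    root = tempfile.mkdtemp(prefix="site_")

    def write(rel, body):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

    write("index.php", "<?php echo 'hello';\n")
    write("wp-includes/version.php", "<?php\n$wp_version = '2.8.4';\n")
    write("wp-content/uploads/photo.txt", "photo placeholder\n")

    # Keep the baseline outside the web root; in practice it should live on
    # another host or read-only medium so a compromise cannot rewrite it too.
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="baseline_"), "baseline.json")
    save_manifest(build_manifest(root), manifest_path)

    write("index.php", "<?php echo 'hello'; // edited\n")      # modified
    write("wp-content/uploads/new.txt", "new file\n")            # added
    os.remove(os.path.join(root, "wp-content", "uploads", "photo.txt"))  # removed

    return compare_manifests(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

A clean daily report from a check like this is exactly what the post cites as evidence; its weak spot is the baseline itself, which must be updated deliberately after every legitimate upgrade (otherwise every WordPress update shows up as hundreds of "changed" files) and must be stored where the web user cannot write to it.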
They wrote, "We have noticed your myacct user causing a large amount of load on the webserver." Well, I certainly would like some details on this, but I haven't received any.
Here's part of the response I got:
-----
In the case of some of the domains that were disabled your softwares were years out-of-date.
-----
Uh, no. WordPress 2.8.4 was released August 12, 2009. Joomla 1.5.12 was released July 1, 2009. The only software that was "years" out of date was on two sites that had been disabled by me six months ago.
It's clear that these people are making things up as they go along. All they really had to do was send me a note saying, "Hey, Bob, could you update these WordPress and Joomla sites sometime in the next few days?"
