A few months back, I wrote about a WordPress attack that affected a friend of mine. The hack was aimed at WordPress installs, and planted very subtle modifications to core WordPress files that redirected users to spam pharmacy sites.

At first, I thought the attack was aimed at unpatched WordPress sites, though my friend's site was fully patched and updated. As I investigated, I started noticing that a highly disproportionate number of the hacked sites were hosted on the same Web hosting provider my friend's site lived on: namely, Dreamhost.

Dreamhost, as I observed later, seemed to be hosting quite a number of these hacked sites. More worrying, the sites were generally fully patched, suggesting some sort of zero-day exploit against Dreamhost's Web hosting servers.

I made note of it, fired off some emails to Dreamhost's abuse team, and forgot about it.

Fast forward to today.

Today, I received a number of spam emails that used redirectors planted on hacked sites to redirect to a spam pharmacy page selling fake Viagra. More concerning, the site appeared to be attempting an exploit to download malware. It's an exploit I've seen before, often used to distribute the W32/ZeuS banking Trojan.

In the spam messages I received, the redirect file had the same name, "jbggle.html". So, curious, I did a Google search for sites with this filename in the URL and discovered quite a large number of hacked sites that redirect to the same spam pharmacy page:

http://cottinghamhuntingclub.com/images/fbfiles/avatars/gallery/jbggle.html
http://www.hesslerdesign.com/clients/alkarsteel.com/images/navigation/jbggle.html
http://theaquilareport.com/images/fbfiles/avatars/gallery/jbggle.html
http://view.ghava.org/cache/Inspiration/Moving_imagery/Stop_frame_animation/Kristofer_Strom/jbggle.html
http://ketchup-mustard.com/sketchbooks/jbggle.html
http://irenderer.com/photo/data/seasonal/1171063984/jbggle.html
http://hisdoulos.com/media/wpmu/uploads/blogs.dir/3/files/jbggle.html
http://bahiarestaurant.net/administrator/components/jbggle.html
http://www.mcc-studio.org/components/com_flexicontent/librairies/phpthumb/cache/source/jbggle.html

*** WARNING *** WARNING *** WARNING ***

All these URLs are live as of the time of this writing. All of them will redirect you to a spam pharmacy Web site which may also attempt to download malware on your server.

And interestingly, ALL of these Web sites are hosted by Dreamhost. Every. Single. One.

I strongly recommend that people steer well clear of Dreamhost. I have not seen this level of compromised Web sites on a single server since the zero-day exploit against iPower Web several years ago.

Dreamhost's security team seems unwilling or unable to deal with this problem, which is quite disappointing for a large, mainstream Web hosting company.

Edited to add: Within minutes of this blog post going live, I received an email from Dreamhost's security team that they had started examining the sites on their servers to remove these redirectors. It is not clear from the email whether or not they have identified the exploit being used to plant them, or indeed intend to do so.

Comments

( 15 comments — Leave a comment )
sylphon
Feb. 23rd, 2012 07:54 pm (UTC)
I've been with dreamhost for years now, but I really have to find somewhere else I think. They're nice folks, but their servers seem to be ridiculously vulnerable these past two years or so. Blech. I used to just host stuff out of my home servers but I have so many business sites I host for other people I couldn't rely on my comcast business internet to stay up fully and had to find an outside host.
apestyle
Feb. 23rd, 2012 07:57 pm (UTC)
Do you have a suggestion for a hosting company that is diligent? I'm about to start a charity auction site and I'd rather not have to deal with that kind of difficulty. :/
tacit
Feb. 24th, 2012 09:24 am (UTC)
When I first started considering pulling my Sprawling Web Empire off GoDaddy, I spent a couple of months researching Web hosting providers. I made a list of providers, placing a premium on reliability, bandwidth, speed (I was experiencing severe MySQL latency issues with GoDaddy), and uptime. I wanted the ability to host multiple sites on one hosting account, share databases between sites and subdomains, and run complex software like content management systems.

After I'd looked at the hosting providers out there, I narrowed the list down to Bluehost, Dreamhost (ironically), Hostgator, A2 Hosting, and Hostmonster. I specifically excluded 1&1 hosting (I've worked with them in the past and I have clients who host with them, and I've experienced a number of problems with them), Above.net (they are, in my experience, highly tolerant of spam on their networks, and do not take action quickly against phish reports), and The Planet (for reasons similar to Above.net).

I read all the hosting plans, conditions, and bandwidth and disk space policies, and narrowed the list down to 3: A2, Bluehost, and Hostgator. I then read all the policies and Terms & Conditions for all three--which was a hell of a slog through mountains of legalese, let me tell you--and discovered that the content of my site at xeromag.com probably runs afoul of Bluehost's Ts & Cs. That narrowed it down to two, A2 and Hostgator.

A2 was my preferred choice, but its Terms & Conditions are entirely ambiguous about what they qualify as "adult" Web sites, so I emailed them with the URL for xeromag.com and asked them if it violated their policies. They got back to me a day later and said that they were not willing to host it. That left Hostgator.

I've set up all my sites on Hostgator and I've been very happy with them so far. I was able to set up my sites without difficulty (Xeromag.com is more complex than it looks; it's a database-driven CMS and the same database on the same hosting server also powers thinkbeyond.us and morethantwo.com -- that was a pain in the ass to set up, and I sincerely do not want to move again). They provide a free SSL certificate for business class hosting and nominally provide unlimited bandwidth, though I have so much traffic across all my sites that I can't realistically serve them all from one shared hosting acocunt (I have two). I've found their abuse team to be quite responsive.

I actually have a reseller affiliate link for Hostgator, which will pay for a month's hosting should you choose to go with them, but any of the ones on my top 5 list (with the possible exception of Dreamhost, given their apparent security issues) will likely work well.
zotmeister
Feb. 24th, 2012 02:37 pm (UTC)
I just wanted to say that "acocunt" may be the most amusing typo I've ever seen anyone make :) I should try adding it to the Urban Dictionary. - ZM

EDIT: Well, I'll be: it's already there!

Edited at 2012-02-24 02:41 pm (UTC)
(Anonymous)
Feb. 23rd, 2012 10:10 pm (UTC)
DreamHost abuse team responds.
The full story here is that you sent us 5 email notifications this morning between 10 and 11am Pacific time. At 11:02 PST (just before your post here) I sent you this response:

"As always the notifications are appreciated, and these pages are being taken down. We have a sufficient number of filenames to go off of so I will start on digging out all of these spam pages by hand now so hopefully this will mitigate the issue before you receive these spam emails."

I am not sure how this qualifies that our abuse team was being unwilling to address these issues. We promptly addressed your issues, thanked you for the assistance and used the information you provided to perform further scans against our entire network to continue tracking down and removing these files based on the information you provided.

The central cause of these compromises has been identified and has been confirmed as a basic security consideration these customers overlooked in regards to managing their files. Each reported affected customer has been notified about the matter and the attack vector secured.

If you are a Dreamhost customer and concerned your sites may be affected by this or any other compromise please write our support team and we will be glad to perform a security scan against your site(s).
tacit
Feb. 24th, 2012 09:37 am (UTC)
Re: DreamHost abuse team responds.
If this had been the only situation, I would not be nearly so frustrated.

However, it seems to me that there is some kind of ongoing, endemic security issue at Dreamhost which you are simply writing off as one-off attacks against vulnerable software without investigating closely. I have observed--and notified you about--a number of attacks against WordPress and Joomla hosted sites on your servers which can't easily be blamed on your customers' failure to patch correctly, as they seem to be affecting fully patched and updated copies of this software.

Worse, your automated software updating system seems cunningly designed to introduce numerous security vulnerabilities in your customers' sites. When a customer uses your tools to, for example, update WordPress, your updater copies the outdated files into a .old directory, where it remains live and accessible to the Internet...so your customers who are security savvy and who attempt to do the right thing to secure their sites still have these old vulnerabilities present and exploitable.

By way of one real-world example, this security vulnerability affected a customer you were hosting at

http://sourcearchives.com/wings2/sites.old/all/jbggle.html

and it took some time for you to fix the problem after you were notified of it.

The attack I notified you of last night, and which prompted this blog post, began last month; I first notified you that redirectors named "jbggle.html" were appearing on many sites on your servers on January 29, but it was only after I blogged about it on February 23 that you began searching for sites compromised in this way. One of those sites,

http://cmdanigeria.net/administrator/components/com_categories/jbggle.html

remained active on your servers for some days even after I had repeatedly notified you that it was being used in spam emails.

Edited at 2012-02-24 09:39 am (UTC)
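The two conditions described in this thread, a stale copy of an old install left in a web-accessible directory ending in ".old", and a planted HTML redirector with a known filename, can both be found with a filesystem sweep of the web root. The script below is an added example, not tacit's or Dreamhost's code. Only the "sites.old" directory name and the "jbggle.html" filename come from the page; the ".bak" suffix, the redirect-content patterns, and the sample tree it builds are constructed for the demo.

```python
"""Sweep a web root for stale ".old" install copies and HTML redirectors.

Added example (not the original poster's or Dreamhost's code). It assumes
the layout described in the comment above: an updater that leaves the
previous install in a directory ending in ".old", which stays web-served.
"""
from __future__ import annotations
import os
import re
import tempfile
from dataclasses import dataclass

REDIRECTOR_NAMES = {"jbggle.html"}        # filename reported on this page
STALE_DIR_SUFFIXES = (".old", ".bak")     # ".old" from the comment; ".bak" is an assumption

# Constructed patterns: what a planted HTML redirector usually contains
REDIRECT_PATTERNS = [
    re.compile(rb'<meta[^>]+http-equiv=["\']?refresh', re.I),
    re.compile(rb'(window\.)?location(\.href)?\s*=', re.I),
]


@dataclass
class Finding:
    kind: str   # "stale_dir", "known_redirector" or "redirect_content"
    path: str


def scan_webroot(root: str) -> list[Finding]:
    """Walk the tree and report stale install copies and redirector files."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.endswith(STALE_DIR_SUFFIXES):
                findings.append(Finding("stale_dir", os.path.join(dirpath, d)))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if f in REDIRECTOR_NAMES:
                findings.append(Finding("known_redirector", full))
                continue
            if f.lower().endswith((".html", ".htm")):
                try:
                    with open(full, "rb") as fh:
                        head = fh.read(4096)   # redirectors are tiny; the head is enough
                except OSError:
                    continue
                if any(p.search(head) for p in REDIRECT_PATTERNS):
                    findings.append(Finding("redirect_content", full))
    return sorted(findings, key=lambda x: (x.kind, x.path))


def build_sample_tree() -> str:
    """Construct a throwaway web root mirroring the cases in the thread."""
    root = tempfile.mkdtemp(prefix="webroot_")

    def write(rel: str, data: bytes) -> None:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)

    write("wings2/sites/all/index.html", b"<html><body>legit page</body></html>")
    # stale copy left by the updater, with a redirector planted inside it
    write("wings2/sites.old/all/jbggle.html",
          b'<html><head><meta http-equiv="refresh" '
          b'content="0;url=http://example.invalid/"></head></html>')
    # redirector under a different name, caught by content rather than filename
    write("images/gallery/promo.html",
          b"<script>window.location='http://example.invalid/pharm';</script>")
    return root


if __name__ == "__main__":
    for fnd in scan_webroot(build_sample_tree()):
        print(f"{fnd.kind:17} {fnd.path}")
```

The content check is a triage heuristic: legitimate pages also set `window.location`, so treat "redirect_content" hits as a list to review, while a "stale_dir" hit is worth acting on regardless, since the old files inside are reachable by any visitor.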
polylizzy
Feb. 23rd, 2012 11:52 pm (UTC)
I frequent a couple of forums that I now know are hosted on dreamhost. They are now suffering total and widespread outages.

Dreamhost is saying "it's a hardware problem".

So do you have a list of virus, and bot destroyers that are cheap or better yet free, for those of us who are concerned about having picked up anything?
tacit
Feb. 24th, 2012 09:46 am (UTC)
I like Kaspersky's antivirus software for Windows machines, but it's not free. Trend Micro's free version appears to work quite well. For malware and spyware, Ad-Aware and Malwarebytes seem to work well.
polylizzy
Feb. 24th, 2012 01:42 pm (UTC)
Thanks!
I used to have a list, given to me by a friend's code-geek hubby, but in a few computer shifts I can't find it now.

I will be looking into the free ones today and possibly the not-free ones in the foreseeable future.

Thanks again for the heads up.
feedle
Feb. 24th, 2012 12:29 am (UTC)
As others have pointed out, Dreamhost seems to have a real problem. And they seem really incapable of figuring it out. I don't know who they pissed off, or if it is just their size now makes them a target.. but they are one.

I've seen a modest uptick in bogus traffic over the past few months. Fortunately, I'm pretty good at keeping my Wordpress installs secure.. but I'm not 100% certain I'm doing everything right. And, given the nature of shared hosting, even IF I do everything right all it may take is some butthead on my shared server to screw up and I'm potentially compromised.

I've been slowly moving to a dedicated virtual server hosted by another company (Linode), and just hosting static content on Dreamhost.. and that's only because my Dreamhost account is essentially free. It is getting increasingly hard to recommend Dreamhost.
tacit
Feb. 24th, 2012 09:52 am (UTC)
I've long suspected that some of Dreamhost's security issues may be related to a shared hosting vulnerability that gives an attacker who can access one site on a shared hosting server access to other sites on the same server, though of course I can't prove it.
edwardmartiniii
Feb. 27th, 2012 12:13 am (UTC)
"...but I'm not 100% certain I'm doing everything right."

This may help:

Log into your WP install.
You are, of course, running Akismet
Go to your list of posts
Note that Akismet reports it has trapped some number of spam posts.
Tell it to delete all that shit right now.
Log into your database admin console via your DH panel.
Dump that specific database to a text file -- every table.
Save that text file on your desktop (or wherever)
Open that file using Notepad or whatever your favorite text editor is.
Look through all of it. Do searches for "pharm" or "cell" or other tidbits.
If you find such junk in there, then that junk is in your DATABASE, and not categorized as spam.
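The manual dump-and-search procedure above can be automated so that every INSERT line in the dump is checked, and so that comments Akismet has already flagged are separated from spam that is live in the database. The script below is an added example, not edwardmartiniii's. The search terms "pharm" and "cell" come from the comment; the remaining terms, the hidden-link markers and the dump fragment are constructed for the demo. It relies on the standard WordPress schema, where Akismet-flagged comments carry comment_approved = 'spam'.

```python
"""Search a WordPress SQL dump for spam content Akismet did not catch.

Added example, not the commenter's script. The dump fragment is constructed;
table names and the 'spam' value of comment_approved follow standard WordPress.
"""
from __future__ import annotations
import re

# "pharm" and "cell" are from the comment; the rest are constructed additions
SPAM_TERMS = ("pharm", "cell", "viagra", "cialis", "casino")

# Constructed markers for a hidden link injected into a post body
HIDDEN_MARKERS = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"<a\s[^>]*href=", re.I),
)

INSERT_RE = re.compile(r"INSERT INTO `?(\w+)`?", re.I)


def scan_dump(dump_text: str) -> list[dict]:
    """Return one record per INSERT line that carries spam terms or a hidden link."""
    hits = []
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        m = INSERT_RE.match(line)
        if not m:
            continue                       # comments, CREATE TABLE, etc.
        table = m.group(1)
        low = line.lower()
        terms = [t for t in SPAM_TERMS if t in low]
        hidden = all(p.search(line) for p in HIDDEN_MARKERS)
        if not terms and not hidden:
            continue
        # Akismet marks a caught comment with comment_approved = 'spam'; a hit
        # in any other row is content that is live on the site.
        already_flagged = table == "wp_comments" and "'spam'" in low
        hits.append({"line": lineno, "table": table, "terms": terms,
                     "hidden_link": hidden, "already_flagged": already_flagged})
    return hits


def live_spam(dump_text: str) -> list[dict]:
    """The subset of hits that are not already quarantined as spam."""
    return [h for h in scan_dump(dump_text) if not h["already_flagged"]]


# Constructed dump fragment: one clean option row, two posts (one with a
# hidden pharmacy link), three comments (one caught by Akismet, one not).
SAMPLE_DUMP = """\
-- constructed WordPress dump fragment for the demo
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.invalid','yes');
INSERT INTO `wp_posts` VALUES (10,1,'2012-02-23','Hello world','<p>Welcome to the site.</p>','publish');
INSERT INTO `wp_posts` VALUES (11,1,'2012-02-23','Tips','<p>Great tips.</p><div style="display:none"><a href="http://example.invalid/pharm">cheap pharmacy</a></div>','publish');
INSERT INTO `wp_comments` VALUES (5,10,'Nice post',0,'1');
INSERT INTO `wp_comments` VALUES (6,10,'buy cialis online',0,'spam');
INSERT INTO `wp_comments` VALUES (7,11,'viagra deals here',0,'1');
"""

if __name__ == "__main__":
    for h in scan_dump(SAMPLE_DUMP):
        status = "already flagged" if h["already_flagged"] else "LIVE"
        print(f"line {h['line']:3} {h['table']:12} {status:16} "
              f"terms={h['terms']} hidden_link={h['hidden_link']}")
```

Run it against a real dump with `scan_dump(open("site.sql").read())`. Short terms such as "cell" will also match innocent words ("cancel", "excellent"), so the output is a review list, not a verdict; the hidden-link check is the stronger signal for injected post content.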
(Anonymous)
Mar. 11th, 2012 01:45 am (UTC)
Dreamhost again!
If memory serves, you traced similar activity to Dreamhost already several years back. It was the case with URL redirection to malicious sites but only if you follow google links to the intended site.

P
tacit
Mar. 11th, 2012 02:44 am (UTC)
Re: Dreamhost again!
The large attack I documented several years ago was against iPower Web rather than Dreamhost. Dreamhost isn't quite as insecure as iPower was, though there does seem to be a similarity in that, like iPower, they seem unwilling to acknowledge that they may have an ongoing security issue.
pickledginger
Mar. 31st, 2012 01:50 pm (UTC)
I quite like zero-day-focused Threatfire, which plays well with other security ware. And Avast is painless and has passed the "Mom's computer" test of hardiness and self-maintenance.