
I just got the email from Dreamhost at about 3:30AM EST. I checked out their status blog and found something interesting: over the past month a good number of people have had malicious .htaccess files and scripts inserted into their WordPress installs. That would include me.

About a month ago one of my Dreamhost sites was hacked. An .htaccess file was modified to insert some PHP scripts that provided a backdoor to the site and that also embedded ads. I see now that I'm not the only one who has had this problem. When I reported this at the time I submitted as much information as possible but only got a canned, autogenerated response. Dreamhost ran an automatic scan on my site and IIRC it did pick up the offending file, but by the time that had been done I had already found it. The particular backdoor was c99shell.I. As I've read more comments, people have had .htaccess files modified who weren't using WordPress, so it's not a WordPress problem.

This leads me to ask: Is this compromise related to the hacks that I and other users have experienced? If so, how long has the password database been compromised?

Thankfully I use GMail for email, so at least that level of personal information wasn't stored on their servers. But this makes me wonder just how long someone has had free rein to access many Dreamhost accounts.

Needless to say, I will be switching hosts and will never recommend Dreamhost again. I guess you get what you pay for, and if I had been able to speak with an actual human being about my site being hacked maybe they could have connected the dots. Furthermore, they've had this weak password system since 1999?

Edit: Here's a link to the status blog post: http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-...

Edit2: I just remembered that I got a strange call from a friend a few months ago who said that when he tried to access my site his corporate firewall had blocked it because of the presence of pornography. This is a church's web site we're talking about, so of course there was no porn on it. This is the same site that was later more overtly hacked in December. Apparently the initial hack only inserted text when a crawler hit the site, so it was an SEO hack. In December, the text became visible to regular users of the site. This post has more detail: http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-...



After a few emails with DH support, I discovered that there was a file created by another user in two of my accounts. Somehow the permissions for two directories had been set to 777, and a compromised user put a trojan in them. I think that I jumped into conspiracy theory territory above, and misrepresented Dreamhost's security and response as a result of that. The combination of my emotions and my inexperience with dealing with hacking on web hosts led to an incorrect judgment.
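
The two conditions named in the follow-up above, directories left at 777 and a file created by another user, can be checked from the account's own shell. The following is an added example, not part of the original comments or any Dreamhost tooling; `audit_tree`, `demo` and the constructed sample tree are hypothetical names, and it assumes the owner of the web root is the account owner.

```python
import os
import stat
import tempfile

def audit_tree(root, expected_uid=None):
    """Return sorted (finding, relative_path) pairs for one account's web root."""
    if expected_uid is None:
        expected_uid = os.stat(root).st_uid  # assumption: the root's owner is the account owner
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself, then every file directly inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append(("world-writable-" + kind, rel))
            if st.st_uid != expected_uid:
                findings.append(("foreign-owner", rel))
    return sorted(findings)

def demo():
    """Build a constructed tree with one 777 directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("uploads", 0o777), ("cache", 0o755)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        for rel, mode in ((".htaccess", 0o644), (os.path.join("uploads", "note.txt"), 0o666)):
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit_tree(root)

if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:22} {rel}")
```

On a shared host, a `foreign-owner` hit inside a `world-writable-dir` is the combination described in the follow-up; the constructed demo can only show the permission findings because creating a file as a second user needs another account.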



