I checked the files in folders for my other domains stored under this user, and the foreign injected code was there, too.
I checked the domains hosted under over a dozen different users at the same host and thankfully all of them are clean and not affected; the infected user being my primary user account that I first created when registering with the host and under which I built a handful of eight or a dozen of my personal websites before questioning whether it might be beneficial to create each new website under its own user, for security purposes or in the unfortunate event of some breakdown or accident down the road (after deciding that would be wise I still added domains to the user on occasion by accident when hurriedly and carelessly constructing new domains).
I had to take those websites offline, and I have rebuilt most of them. I read of others who have found the same code in their domain folders in the comments on the host’s support blog. [http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-passwords-due-to-security-issue/] I wonder how rampant the invasion spread?
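The check described above, comparing every site folder under one hosting user against a known-good copy, is the kind of thing that is easier to repeat with a small script than by eye. The following is an added example and not the blog author's code or anything from the host: it records a SHA-256 baseline of each site folder and later reports files that were added, changed or removed. The site names, paths and file contents are constructed for illustration; the helper names (`snapshot`, `diff_snapshots`, `check_all_sites`, `demo`) are this example's own.

```python
"""Added example (not the blog author's code): build a per-site file
integrity baseline and report files that were added, changed or removed.
Site names, paths and file contents below are constructed for illustration."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks so a link pointing outside the site folder is not hashed.
        if path.is_file() and not path.is_symlink():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Compare two snapshots; return sorted lists of added, modified and removed paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def check_all_sites(home, baselines):
    """Run the comparison for every site folder under one hosting user's home directory."""
    return {site: diff_snapshots(base, snapshot(Path(home) / site))
            for site, base in baselines.items()}


def demo():
    """Constructed walk-through: two sites under one user, a baseline is taken,
    then tampering is simulated (one file altered, one new file dropped into each site)."""
    with tempfile.TemporaryDirectory() as home:
        sites = {"example-one.test": ["index.php", "inc/config.php"],
                 "example-two.test": ["index.php"]}
        for site, files in sites.items():
            for rel in files:
                p = Path(home) / site / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_text(f"<?php // original {rel}\n")
        baselines = {site: snapshot(Path(home) / site) for site in sites}
        # Simulated tampering (constructed): alter one file, add a new file in both sites.
        (Path(home) / "example-one.test" / "index.php").write_text(
            "<?php // original index.php\n// appended line\n")
        for site in sites:
            (Path(home) / site / "dropped.php").write_text("<?php // constructed new file\n")
        return check_all_sites(home, baselines)


if __name__ == "__main__":
    for site, report in demo().items():
        print(site, report)
```

In real use the baseline would be taken right after a clean deploy and stored outside the web user's reach (otherwise whoever can write the site files can also rewrite the baseline), and the comparison re-run on a schedule; a new file appearing in every site folder under the same user at once is exactly the pattern described in the post.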
As I’m looking and trying to recall, I do recall a separate incident from only days before:
Last night we detected some unauthorized activity within one of our databases. While we don’t have evidence that customer passwords were taken at this time, we’re forcing a change out of caution. [http://www.dreamhoststatus.com/2012/01/20/changing-ftpshell-passwords-due-to-security-issue/]
That was a pain to me in that I had to change all kinds of passwords for the users in my dozens of websites hosted there. Also there is the deeper threat of stolen passwords and personal information alleged to have been perhaps improperly stored in this company’s databases. [http://blog.dreamhost.com/2012/01/21/security-update/]
Since then that same host has gone almost entirely offline (save for a few lucky VPS nodes perhaps) for several hours when it was hit by a ‘dedicated denial of service’ (DDoS) attack. This is a very popular shared hosting and VPS hosting provider with a good reputation (despite obligatory detractors who’ve had the bad luck of bad experience) and decently clean uptime and security history, so while I understand that it might be a big target for such an attack, I must say I’m left feeling a little uncomfortable that it seems to happen so seemingly nonchalantly.
We’ve investigated the cause of the network outage and determined that a distributed denial of service (DDOS) attack severely impaired a network link between our border and core routers. We have DDOS mitigation systems in place, but given the increase in activity in 2012, we’d already been testing new more powerful systems to implement within the next month. We’ll be accelerating this implementation. [http://www.dreamhoststatus.com/2012/01/30/connectivity-issues-in-one-datacenter/#comments]
With all of that it’s no wonder I’m questioning the state of web hosting security. In the same week and still today another host with whom I do business is woefully offline — this one a shared cloud hosting platform, and while the verdict is still out on what has occurred, I have begun looking around and questioning where I might go to be safe from these unreliable hosting environments.
To be fair, I hope I can stay with these web hosting companies. I promote them in the ads on my site and I sometimes even make money when I refer new business to them. Not only that but I promote them because despite the recent difficulties I believe they are a good place to host my websites and those of the people and businesses with whom I work. I know these are difficult outside threats and perhaps malfunctioning or mismanagement of machines or procedures, and that lessons learned are valuable in building strength for better, more secure environments.
But in the middle of the day it’s often the business owner, and not the web contractor, who makes the call to make a change to another provider.