Image via Wikipedia
According to DreamHost’s Status and Blog, staff noticed some unusual activity on one of their databases that held user login information for shell accounts. While the passwords were mostly encrypted, hackers “hacker found a legacy pool of unencrypted FTP/shell passwords in a database table that we had not previously deleted,” according to DreamHost CEO Simon Anderson.
As a precaution, ALL shell/FTP account passwords were reset by DreamHost. While it will cause some inconvenience for users trying to access their sites over SSH/FTP, the implications are much more serious. A lot of CMS systems store their database username and passwords in plaintext on configuration files. If whoever gained access to DreamHost’s shell account database and managed to decrypt the information, then they would have unmitigated access to not only sites’ files, but they could potentially (and most likely) gain access to the back-end database driving those sites with all user data. This could be a very major breach of user data from one of the largest web hosts in the United States.
DreamHost is being unusually mum about the technical details about the hack and is angering customers over their negligence regarding out-dated server software. While most front-end software is kept up-to-date, their back-end software is grossly outdated and there appears to be no real effort nor care by DreamHost to keep OS and back-end software updated. What makes things worse is that DreamHost’s official stance on their security solution is to not disclose what technologies they use. Rather than taking a proactive and relatively transparent stance to their own security systems, the company has decided to take-up a reactive and a “security through obscurity” stance.
Related articles
- DreamHost Security Issue Prompts FTP Password Resets (sucuri.net)
- Changing Shell/FTP Passwords due to Security Issue (dreamhoststatus.com)
- Security Update (dreamhost.com)
WordPress founder Matt Mullenweg posted on WordPress.org’s News page today that several popular WordPress plugins had changes committed to them that had been determined to not be from their developers. The commits actually added back doors that would compromise potentially hundreds of thousands of WordPress installations that utilized them. As a precautionary measure, all changes were reverted for these plugins and ALL passwords to WordPress.org, BuddyPress.org, and bbPress.org reset. There aren’t many more details as of yet, but there is sure to be a witch hunt over the integrity of WordPress.org’s security as well as all code that powers the CMS.
