HACKED!

by John Pasden

in personal

08 Jun 2007

My web hosting provider, DreamHost, got hacked recently. In an e-mail to me, they wrote:

> We have detected what appears to be the exploit of a number of accounts belonging to DreamHost customers, and it appears that your account was one of those affected.

> We’re still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine optimization purposes).

> Our records indicate that only roughly 20% of the accounts accessed – less than 0.15% of the total accounts that we host – actually had any changes made to them. Most accounts were untouched.

So yes, I was affected. So was Brendan at Bokane.org. Apparently what the hackers did on my websites was replace every index.php file with their own copy, which just linked to all kinds of ad sites, and apparently even contained some viruses (probably only an issue for IE users). Anyway, the whole thing is very annoying, but easy enough to undo. (Luckily I do have backups of those files.)

The blog and main page are back to normal, and other pages should be returning to normal in the next few days.

P.S. Has anyone else noticed that a lot of Flickr’s image servers are all of a sudden being blocked in China? Not all Flickr images are blocked, but many are now. For instance, I can no longer see the Chinese doughnut image from my last entry.

John Pasden

John is a Shanghai-based linguist and entrepreneur, founder of AllSet Learning.

Comments

jpv206 Says: June 8, 2007 at 12:56 am

Another of the other blogs I read (i.e., seattlest.com) was having flickr issues, not on the site itself, but when it showed up in my reader. Maybe it’s not China…

Dan Says: June 8, 2007 at 1:06 am

John

When I logged into your site this morning from work I immediately received a note from my company’s internal IT boffins saying that a Trojan virus had been detected on my computer. It may be unrelated but seems remarkably coincidental.

May be something that others should be aware of.

Dan

Global Voices Online » China: Flickr filtered Says: June 8, 2007 at 2:18 am

[…] top of Bullog being gone for the moment and Flickr photos showing up empty boxes, service was temporarily disrupted on June 7 at several English-language China-based blogs hosted by DreamHost—Bokane, Sinosplice […]

laolao Says: June 8, 2007 at 8:26 am

Well, at least you’re not blocked…. 🙁

Micah Says: June 8, 2007 at 8:36 am

There’s a discussion of the Flickr block on the Flickr forums, but my connection gets reset by the GFW keyword filters when I try to view it.

http://msittig.blogspot.com/2007/06/riku-on-wappblog-introduced-me-to-new.html

kmm Says: June 8, 2007 at 9:15 am

Dude, you have to find out who they were and hax0r them back.

ana Says: June 8, 2007 at 9:20 am

having the same issues with flickr as well, i think only the photos that were in my cache are showing – all new photos are being blocked. bummer.

kastner Says: June 8, 2007 at 10:28 am

Firefox user, me was safe here.

dd Says: June 8, 2007 at 4:49 pm

Speaking of the GFW, the Shandong Provincial government’s website is blocked on my service provider, but accessible through a proxy. I find it amusing that the GFW is being used on a state site…accidental that it may be.

doom Says: June 8, 2007 at 9:25 pm

John,

I was hacked too. And then I saw you were hacked. So I waited. Something is still wrong with my admin page though.

Rick Says: June 9, 2007 at 3:15 pm

Danwei seems to think it might be because of the Chemical plant protests in Xiamen, which were heavily covered on Flickr.

kastner Says: June 10, 2007 at 10:18 am

oh, i read the news somewhere else, now all clear why Flickr being blocked.

see

kastner Says: June 10, 2007 at 10:20 am

click me

(sorry, fault again)

Gareth Says: June 11, 2007 at 9:17 am

I think its probably because of the xiamen incident, flickr has a lot of pics of that

Kevin S. Says: June 14, 2007 at 11:52 am

John, I’m seeing some very strange behavior on my machine at the moment, which seems related to the Dreamhost hack. I run Polipo, which is a local web proxy similar to Privoxy, to tie my browser and Tor together. As it runs, Polipo outputs data in a shell. Whenever I open a new webpage in Firefox I get the following output

Couldn’t create directory /opt/local/var/cache/polipo/www.bokane.org/: Permission denied.

Now, the reason permission is denied is because Polipo does not have permission to write to /opt/local/var/cache/, and there’s nothing worrying about that. What’s worrying is the http://www.bokane.org bit, as I’m not trying to connect to http://www.bokane.org. I know that Brendan’s site got hacked and, while I can’t remember if I visited the site in my browser or not at the time, my RSS reader certainly did, http://bokane.org/feed/. I’m only seeing these results when I run Firefox through Polipo and try to connect to a webpage, and not other browsers, like Camino or Safari.

What’s really worrying is that sometimes the “bokane.org/: Permission denied” message simply disappears in the shell if refresh the screen by bring a new window over and then moving out of the way or by scrolling up and down in the terminal window. It’s as if it is trying to hide the fact that it is trying to connect to bokane.org

Of note, netstat is not showing any connection to bokane.org.

I’m running Firefox 2.0 on Mac OS X 10.4.9 with all the latest security and system patches.

I’m not asking for your technical help, I’m just letting you know. I will be getting in touch with Dreamhost and Brendan about this too.

Kevin S. Says: June 14, 2007 at 2:57 pm

http://www.chinabloglist.org/csl/ hacked?

No Longer Happy with DreamHost | Sinosplice: Life Says: November 3, 2009 at 1:53 pm

[…] site was hacked while at DreamHost once. (One time is […]