Overview
As a major web host provider, DreamHost periodically encounters situations where individuals utilize its servers to negatively impact the servers of others. This can entail unauthorized access to third-party systems, hosting of Trojans/viruses, denial of service (DOS) attacks, and so on. All such activities are prohibited by DreamHost's Terms of Service.
If you believe that a DreamHost customer is engaging in such activities, feel free to skip to the Reporting cracking/intrusion/DOS to DreamHost section below.
Rules
DreamHost prohibits a number of activities related to illegal computer intrusion. The following describes the most common ones.
Cracking/intrusion
Anyone attempting to exploit technical weaknesses in the security of third-party systems/services or procure sensitive information (including passwords) using social engineering or deception will have their account permanently disabled without refund.
Denial of service (DOS)
Similarly, anyone using any means to intentionally disrupt or overload third-party systems/services (aka engage in "denial of service" attacks) will have their account permanently disabled without refund.
Tools, Trojan horses, and so on
Notwithstanding the above, the hosting or storage of tools primarily used for cracking/intrusion or denial of service attacks is also prohibited, and will result in an account being permanently disabled without refund.
Termination
DreamHost reserves the right to terminate any account found to be engaging in any of the above activities at any time, with or without prior notice. Depending on the circumstances, DreamHost may also contact relevant law enforcement officials and cooperate fully with any resulting investigation.
Handling exploits
Occasionally DreamHost receives a complaint that, upon further investigation, indicates that a customer's account has been exploited and is being used without their knowledge or consent to engage in prohibited activities (typically spamming or phishing). When this occurs, DreamHost may take a number of actions to secure the account and prevent ongoing abuse, including the temporary disablement of related sites or accounts. DreamHost will then contact the customer to let them know what has happened and give them an opportunity to secure their account.
While DreamHost understands that as a customer you did not intend for your account to be abused by someone in this way, you are still ultimately responsible for ensuring the security of any third-party software hosted under your account. If DreamHost notices anything obviously awry, you will be contacted. However, DreamHost is unable to perform a full security audit of the contents of your account(s) or perform any upgrades for you.
By performing the following steps you can secure your account.
Step 1 — Change all passwords
Even though it's fairly uncommon for customer account passwords to be leaked out into the open, you should still immediately change all passwords associated with the exploited account. This includes both Shell/FTP passwords and database user passwords.
Step 2 — Check for spyware, keyloggers, and other malware
You should check your local computer to ensure that there is no spyware, keyloggers, or other malicious software installed. Such malicious software could have been installed without your knowledge in any number of ways—even by simply visiting the wrong website.
You will have to check online for the most current and recommended products for your operating system. The following link provides a good overview of such products.
If any such malware is found, remove it immediately and change your passwords again (your recently changed/new passwords could have been intercepted as well).
Step 3 — Remove suspicious files/directories
Often, intruders leave behind tools or scripts for later use. In securing your account, it is important to look for and remove any such items before they can be used again. You should go through each and every directory under your account and remove any suspicious files you did not upload yourself or otherwise do not belong. Be sure to look for hidden files and directories as well (use the ls -alh command from the shell or turn on hidden file viewing from within your FTP client to view them).
Step 4 — Upgrade or replace software
Simply removing the product of the intrusion (phishing sites or web-based shell access scripts, for example) is not enough—you must also remove the exploit that the intruder used to get into your account in the first place.
This means upgrading all software or scripts hosted under your account to the latest secure versions or, if the software is no longer maintained, replacing it with secure alternatives.
Popular website software such as WordPress, Joomla, and Drupal is regularly updated to plug holes found by developers. If you use these types of software, make sure to check often for security updates and patches.
Note that in the event of a confirmed defacement/exploit, DreamHost recommends replacing all files entirely if at all possible, as intruders may have added their own exploit code to otherwise secure files.
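The review described in Step 3 can be scripted. The following is an added example, not DreamHost's own tooling: it lists hidden items, recently modified files, and script files in upload directories so that you can inspect them by hand. The function names, the "uploads" directory name, and the list of script extensions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not DreamHost's tooling): list files under a hosting account
# that deserve manual review after a compromise. Nothing is deleted.
# Assumptions: paths contain no newlines; "uploads" is the upload directory
# name (as in WordPress); the script extensions below are illustrative.

tag() { awk -v r="$1" '{ print r "\t" $0 }'; }   # prefix each path with a reason

# audit_account DIR [DAYS]  ->  "REASON<TAB>PATH" lines on stdout
audit_account() {
    dir=$1
    days=${2:-7}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Hidden files and directories, which a plain `ls` would not show.
    find "$dir" -name '.*' ! -path "$dir" -print | tag hidden

    # Regular files changed in the last DAYS days (for example, since the incident).
    find "$dir" -type f -mtime -"$days" -print | tag recent

    # Script file types sitting in upload directories, where only
    # media files are normally expected.
    find "$dir" -type f -path '*/uploads/*' \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.cgi' -o -name '*.pl' \) \
        -print | tag upload-exec
}

# Run against a directory when one is given, e.g.: sh audit.sh ~/example.com 14
if [ $# -gt 0 ]; then audit_account "$@"; fi
```

Modification times can be changed by an intruder, so treat the "recent" list as a starting point for the directory-by-directory review rather than a replacement for it.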
General recommendations
Don't let your guard down! Even after resolving the exploitation of your account, it's important to remain vigilant to ensure that your computing and web hosting experience is kept safe. To avoid further exploits, you need to practice "safe computing" at all times.
In practice, this means:
- Regularly scan your personal computer(s) for malware with reputable malware tools.
- Do not click links sent to you via email unless you trust the sender. Never click links claiming to be from your bank, eBay, PayPal, etc.
- Avoid opening email attachments unless you are absolutely sure they are safe—especially those sent in chain letters, "greeting cards", etc.
- Choose secure passwords at least 8 characters in length, comprised of random letters and numbers. Do not base them on words or names.
- Actively check for updates of third-party scripts/software installed under your website. Install updates when they are available.
- In general, avoid running third-party software unless you trust its source.
Reporting cracking/intrusion/DOS to DreamHost
If you believe that a customer is engaging in any of the above activities, DreamHost asks that you contact a support rep as soon as possible so the matter may be looked into further.
What does DreamHost need in order to track down the offender?
- Contact DreamHost as soon as possible, ideally while the activity is in progress. The closer your report is to the time the abuse is occurring, the more likely it is that DreamHost can catch the offender.
- Aside from that, DreamHost needs as much relevant information as you can provide. The IP address associated with the originating server(s) as well as the destination IP are helpful, as is a sampling of any log files you can provide that show what is happening.
- If the abuse is occurring over a span of time, some idea as to the duration and length of the abuse is also of great help to DreamHost.
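The items above (source IP, destination IP, a sampling of log lines, and the time span) can be pulled from a web server access log in one pass. The following is an added example, not part of DreamHost's process: it assumes an Apache/nginx "combined" format log in chronological order, and the function names, sample log, and addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise one source IP's activity in an access log
# ("combined" format, chronological order assumed) for an abuse report.

# Constructed sample log; all addresses are from documentation ranges.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1811 "-" "curl/8.0"
198.51.100.20 - - [12/Mar/2024:02:14:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1811 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2024:02:31:47 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
EOF
}

# report_source SRC_IP DEST_IP [SAMPLES] < access.log
# Prints the request count, first/last timestamps and up to SAMPLES raw lines.
# Returns non-zero when the source IP does not appear in the log.
report_source() {
    awk -v src="$1" -v dst="$2" -v max="${3:-5}" '
        $1 == src {
            n++
            # $4 is "[date:time" and $5 is "zone]"; strip the brackets.
            ts = substr($4, 2) " " substr($5, 1, length($5) - 1)
            if (n == 1) first = ts
            last = ts
            if (n <= max) sample[n] = $0
        }
        END {
            if (n == 0) { print "no requests from " src; exit 1 }
            print "Source IP:      " src
            print "Destination IP: " dst
            print "Requests:       " n
            print "First seen:     " first
            print "Last seen:      " last
            print "Sample log lines:"
            for (i = 1; i <= n && i <= max; i++) print "  " sample[i]
        }'
}

# With arguments, read a real log on stdin; otherwise run on the sample.
if [ $# -ge 2 ]; then report_source "$@"
else sample_log | report_source 203.0.113.7 192.0.2.10 2; fi
```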
Where do I send cracking/intrusion/DOS complaints?
You can contact DreamHost at the following email address:
- abuse@dreamhost.com