DreamHost Security Bot Alerts User on Suspicious Script Discovery

February 10th, 2012

Most web hosting companies do little when your website gets compromised. They will simply tell you to leave once your hosting space is infected, and you alone are responsible for your data. Open source software can contain vulnerabilities in its scripts, which hackers can use to bypass the security measures implemented by you and your web host and access your website's information. Hackers can inject scripts into your website directory and use those scripts to access your files and edit or delete them if they want. I used a good web host in the recent past, and they told me to leave, take my data and find another web host. Only a few web hosts will actually protect you by helping you eliminate dangerous scripts if your website has any. DreamHost is the web hosting company I have been using for my websites, and it feels like home with them. They alert customers if a vulnerability is found in their web space.

Recently I received an email with the subject “site compromised” from the DreamHost Security Bot. They pointed out a few files to which they had disabled public access. They told me that those files were suspicious and must be eliminated.

During a recent security scan we have identified that one or more of your hosted sites have been compromised with known malicious web-based backdoors. Specifically the following file which has been accessed by likely malicious parties has been found on your site and is known to be connected with sending unsolicited bulk email

They listed the files and disabled the page(s) in question (by adjusting permissions on the files, e.g. chmod, or backing up the file first and renaming it to INFECTED.php and cleaning up the injected code).

They further recommended the following steps:

  • Update 3rd party software under the account
  • Update plugins and/or themes on your sites (Recent attacks against websites have targeted vulnerable software such as timthumb.php which is included in some WordPress themes, separate from the core files)
  • Check website(s) files for any signs of tampering
  • Check website(s) files for any 777 directories (e.g. a directory that allows anyone on the server to write or edit the files in the directory; these permissions will look like rwxrwxrwx via the command line)
  • Change FTP password(s)
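The file-level checks in this list can be run from the shell on the hosting account. The function below is an added example, not code from DreamHost or from the original post: the function name, the output tags, the 7-day window for "recently modified" and the assumption that quarantined files carry INFECTED in their name or have all permission bits removed are illustrative choices.

```shell
#!/bin/sh
# Added example: audit a web root for items from the checklist above.
# Usage: audit_webroot /path/to/site [days]
# Prints one tagged finding per line; returns 0 if clean, 1 if there
# are findings, 2 if the path is not a directory.
audit_webroot() {
    aw_root=$1
    aw_days=${2:-7}   # assumed default window for "recently modified"
    [ -d "$aw_root" ] || { echo "not a directory: $aw_root" >&2; return 2; }

    aw_findings=$(
        # Directories any user on the server can write to; this covers
        # mode 777 (rwxrwxrwx) and other world-writable modes such as 757.
        find "$aw_root" -type d -perm -0002 -print |
            sed 's/^/WORLD_WRITABLE_DIR /'

        # Copies of timthumb.php bundled with themes: confirm each one
        # is updated or remove it.
        find "$aw_root" -type f -iname 'timthumb.php' -print |
            sed 's/^/TIMTHUMB_COPY /'

        # Files the host appears to have quarantined (assumption: name
        # contains INFECTED, or every permission bit was removed).
        find "$aw_root" -type f \( -name '*INFECTED*' -o -perm 0000 \) -print |
            sed 's/^/QUARANTINED /'

        # PHP files changed within the window: compare against your own
        # deployments to spot tampering.
        find "$aw_root" -type f -name '*.php' -mtime -"$aw_days" -print |
            sed 's/^/RECENTLY_MODIFIED /'
    )

    [ -z "$aw_findings" ] && return 0
    printf '%s\n' "$aw_findings"
    return 1
}
```

A RECENTLY_MODIFIED line is only a prompt to compare the file with a known-good copy; legitimate updates show up there too.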

On the DreamHost blog, the post “About DreamHost Security Notifications” addresses questions about the security notifications that users receive if DreamHost finds any vulnerability in the user’s account or hosted files.

DreamHost runs multiple levels of services for all customers at no extra cost (web application firewalls, server/network firewalls, jailed environments, secure server configurations, password generators and a highly skilled security and admin team to manage all of these services).

They describe these security notices as follows:

Don’t be afraid of these emails, they’re just notices to let you know we’ve found something you should probably know about. These emails are sent to the account owner, as needed when one or more of their sites may be threatened by criminals! This isn’t to say we will email everyone immediately when their site’s software has an update, only when our security team has identified their hosted sites may be vulnerable to an imminent attack (sort of a warning before the storm). These email notifications will be sent from a DreamHost.com email address and will show up in your panel’s support history page.

They perform a completely non-invasive review of each site’s web activity. This scan reviews somewhere around 1,000,000 sites hosted across 20,000 or so servers, in only 30-45 minutes without sites being affected by this scan. If your site is detected as in danger they will keep it up and let you know of the danger (and what to do to prevent an attack). If your site has already been compromised they will quarantine the problem and let you know what to do next.

This is a great security feature at DreamHost. DreamHost actually assists users by informing them about suspicious scripts found in their files. They disable access to those files and notify the user by email. The user can then check those backdoors, find the security holes and patch them to avoid any risk. We are very satisfied with this feature and congratulate DreamHost on their effort in helping users prevent the loss of data or of a web hosting account.