Dreamhost took down our forum and tried to censor it

Questions and discussion about web design, search engine optimisation and hosting
Santeri
Posts: 287
Joined: 2017-7-5 09:58

Unread post by Santeri » 2019-5-26 23:36

Our forum went dark 2 days ago. We checked the hosting and the server, but there was nothing wrong. Soon after that we received an email from Dreamhost claiming that our forum had been compromised. The reason was "a report of phishing" they had received, and because of that they had taken the forum offline by renaming its directory. The email contained one broken link and 2 other links to instructions for checking logs and figuring out how the website had been hacked.
May 25, 2019, 9:08 PM
Subject: [antasa2 162813610] Message from support.

We have received a report of phishing at the following location:

forum.webseodesigners.com/commercial-ads-and-other-spam-f4/sell-cvv-bank-login-dumps-track-1-2-transfer-wu-pa-t1145.html?sid=27fbb1ee33fc5983641da9d800e925f9#p1261

This means that your site has likely been compromised. We have taken the
site offline by renaming its directory (appended _DISABLED_BY_DREAMHOST).
Please do not re-enable it until you can address the problem.

In general, the three most common entry points for a compromised website
are:

1. Vulnerable, typically out-of-date software (such as blogs, forums,
CMS, associated themes and plugins, etc.)
2. A cracked/brute-forced admin login for a web application like
WordPress, Joomla, Drupal etc.
3. A compromised FTP/SFTP/SSH user password.

1. All software you have installed under your domain should always be
kept up-to-date with the most recent version available from the vendors'
website, as these often contain security patches for known issues. Older
versions of well-known and popular web software (including Wordpress,
Drupal, Joomla, etc.) are known to have vulnerabilities that can allow
injection and execution of arbitrary code.

2. If you utilize a web application with a script-based administrative
backend (like WordPress, Joomla, or Drupal), make sure that you're not
using a generic username like "admin" or "webmaster" for the user with
administrative privileges. Hackers will slowly brute-force common
usernames in order to get access to a script's backend and whatever tools
exist there that allow file uploads, alterations, or execution of code.

3. FTP/SFTP/SSH passwords can be compromised and used to modify files.
The most important part of securing your account in this case is to
change your FTP user's password via the (USERS > MANAGE USERS) -> "Edit"
area of the control panel. Passwords should not contain dictionary words
and should be a string of at least 8 mixed-case alpha characters,
numbers, and symbols. It is also recommended to always use Secure FTP
(SFTP) or SSH rather than regular FTP, which sends passwords over the
internet in plaintext. You can disable FTP for your user(s) within the
DreamHost panel (USERS > MANAGE USERS) section.

At this point, we recommend logging into your DreamHost server and
removing the content we listed. (Note: You may first need to reset the
permissions). You should also look for any other files/directories you
did not upload yourself and update all your website components where
applicable. As for determining which entry point is the cause of this
incident, for 1 and 2, you can review the Apache logs for suspicious
activity and requests to suspicious files. Keep in mind that we typically
only keep around 5 days worth of Apache logs. For 3, you can refer to
this article to find recent logins to your
user: https://help.dreamhost.com/hc/en-us/art ... -your-site -was-hacked

For further help on this topic, you can refer to our Knowledge Base:

https://help.dreamhost.com/hc/en-us/art ... s-overview
https://help.dreamhost.com/hc/en-us/sec ... 42117-Logs

Lastly, we have scheduled an automated malware scan and if anything is
found, we will send you a separate email with those results.

If you need further assistance, please respond directly to this email.

Thank you for your cooperation!
-DreamHost Abuse Team
Dreamhost is more like a Nightmarehost

We replied to them immediately, explaining that the website is in fact a forum, and that checking and/or removing individual forum posts is somewhat challenging without access to the forum.

In the following chat with Dreamhost's technical support, helpful Olgie revealed to us that "for compromised sites you must follow the instructions on the notification you received and reply to the abuse team in case you have anymore doubts" and then refused to help us further because "this is a case that is only handled by the Abuse/Security team" and "that is only to be reached via ticket [by email]".

The next day DreamHost replied stating that their instructions were "clean" and that we must remove the phishing content or the site will not go live. According to them, there are no issues accessing the phishing content via FTP/SFTP/SSH for removing it. Finally, they threatened that if we re-enabled the site without obeying their ultimatum, they would shut us down more permanently.
May 26, 2019, 12:07 AM

Hello,
These were clean instructions, you just need to login via FTP/SFTP/SSH to
access your content. The site will not go live until you have removed
that phishing content. The
exact path for the content is
saturn:~/www/newforum_DISABLED_FOR_PHISHING_CONTENT_DREAMHOST_SUPPORT_dj

You should have no issues accessing the content. If the site is reenabled
we will have to disable it in a more permanent matter. We suggest you
monitor what is being uploaded to your site as that is your
responsibility since it is your site. Please let me know if you continue
to have issues accessing your content.

Regards,
Daniela J

--
DreamHost Support Team + support@dreamhost.com
Make up to $200 for each referral!
https://panel.dreamhost.com/?tree=referrals.dashboard
Find troubleshooting tips and how-tos at https://help.dreamhost.com/
To continue this support case, just reply to this email.
Open a new case at: https://panel.dreamhost.com/?tab=support

In our reply, we asked them to clarify
  1. who reported the page
  2. why was the page reported, and
  3. what exactly is wrong in that page.
After waiting one more day we migrated the forum away from Dreamhost and as you can see, it works again.

From here you can check the compromised "location" that Dreamhost wanted us to remove: SELL CVV/BANK LOGIN/DUMPS Track 1&2/TRANSFER WU/PAYPAL----- ICQ: 710530177. However, this old post criticising Dreamhost is more likely the real reason for taking this forum down.

How can anyone trust a hosting company that pulls this kind of stunt on their customers?
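
The Dreamhost notice above tells the customer to "review the Apache logs for suspicious activity and requests to suspicious files" without saying what to look for. The script below is an added example, not code from the thread or from Dreamhost, showing the three checks a practitioner would actually run on a phpBB-style forum's access log: repeated POSTs to the login endpoint from one address (entry point 2 in the notice), a PHP file being executed out of a directory that should only hold uploads (the usual sign of entry point 1 or 3), and POSTs to paths the application never accepts POSTs on. The log lines are constructed for the example, the path lists assume a phpBB layout (`/ucp.php`, `/posting.php`, `/images/`, `/files/`, `/store/`, `/cache/`), and the addresses are documentation ranges; adjust all three for the application you are actually checking.

```python
import re
from collections import Counter

# Apache "combined" log format (the default on most shared hosts).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed phpBB-style layout (an assumption of this example, not taken from the thread):
# endpoints that legitimately receive POSTs, and directories that should hold only uploads.
LOGIN_PATHS = ("/ucp.php", "/adm/index.php")
ALLOWED_POST_PATHS = {"/ucp.php", "/posting.php", "/adm/index.php", "/search.php", "/mcp.php"}
UPLOAD_DIRS = ("/images/", "/files/", "/store/", "/cache/")
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")

# Constructed sample log: one real visitor, one scripted client that brute-forces the
# login and then drops a script in the avatar upload directory, and one ordinary reply.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2019:22:01:11 +0000] "GET /viewtopic.php?f=4&t=1145 HTTP/1.1" 200 18322 "-" "Mozilla/5.0"
198.51.100.9 - - [24/May/2019:22:02:01 +0000] "POST /ucp.php?mode=login HTTP/1.1" 200 512 "-" "python-requests/2.21"
198.51.100.9 - - [24/May/2019:22:02:02 +0000] "POST /ucp.php?mode=login HTTP/1.1" 200 512 "-" "python-requests/2.21"
198.51.100.9 - - [24/May/2019:22:02:03 +0000] "POST /ucp.php?mode=login HTTP/1.1" 200 512 "-" "python-requests/2.21"
198.51.100.9 - - [24/May/2019:22:02:04 +0000] "POST /ucp.php?mode=login HTTP/1.1" 200 512 "-" "python-requests/2.21"
198.51.100.9 - - [24/May/2019:22:02:05 +0000] "POST /ucp.php?mode=login HTTP/1.1" 302 0 "-" "python-requests/2.21"
198.51.100.9 - - [24/May/2019:22:05:40 +0000] "POST /images/avatars/upload/x.php HTTP/1.1" 200 77 "-" "python-requests/2.21"
203.0.113.7 - - [24/May/2019:22:06:00 +0000] "GET /images/avatars/upload/g123.png HTTP/1.1" 200 4130 "-" "Mozilla/5.0"
192.0.2.33 - - [24/May/2019:22:07:15 +0000] "POST /posting.php?mode=reply&f=4&t=1145 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string (sid=..., mode=...)
    return entry


def find_login_bruteforce(entries, threshold=5):
    """Client addresses with at least `threshold` POSTs to a login endpoint."""
    counts = Counter(e["ip"] for e in entries
                     if e["method"] == "POST" and e["path"].startswith(LOGIN_PATHS))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_scripts_in_upload_dirs(entries):
    """Successful (2xx) requests that executed a script from an upload-only directory."""
    return [(e["ip"], e["path"]) for e in entries
            if e["path"].lower().endswith(SCRIPT_SUFFIXES)
            and e["path"].startswith(UPLOAD_DIRS)
            and 200 <= e["status"] < 300]


def find_unexpected_posts(entries):
    """POSTs to paths the application is not expected to accept POSTs on (deduplicated)."""
    return sorted({(e["ip"], e["path"]) for e in entries
                   if e["method"] == "POST" and e["path"] not in ALLOWED_POST_PATHS})


def triage(log_text):
    """Run all three checks over a log and return the findings."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "login_bruteforce": find_login_bruteforce(entries),
        "scripts_in_upload_dirs": find_scripts_in_upload_dirs(entries),
        "unexpected_posts": find_unexpected_posts(entries),
    }


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Note what the sample does not flag: the reply on `/posting.php` and the `GET /viewtopic.php` view are ordinary forum traffic. A spam thread submitted through the forum's own posting form, which is what the URL in the Dreamhost notice points at, leaves exactly that kind of trace and no sign of file-level compromise, so an access-log review cannot by itself confirm the "your site has likely been compromised" claim. For the file side of the notice ("look for any other files/directories you did not upload yourself"), pair this with a listing of recently modified scripts under the web root on the host, and remember the notice's own caveat that the host keeps only about 5 days of logs, so the review has to happen before the evidence rotates away.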



Santeri
Posts: 287
Joined: 2017-7-5 09:58

Unread post by Santeri » 2019-5-28 14:56

Needless to say, Dreamhost support has not yet replied to our questions. The following advertisement was added to the Dreamhost Web Panel today:

Dreamhost DreamShield Malware Remover Spam

This could also explain the sudden takedown of the forum. Similar incidents have happened before. One and a half years ago, Dreamhost upsold a useless VPS service to one of my customers. They had created an artificial issue by using procwatch to kill PHP processes and triggering email spam advertising VPS as a solution to the problem of PHP processes running out of memory quota. What they forgot to mention was that the VPS would have had exactly the same problem, and the reason was not lack of resources but crappy WordPress PHP code that was so messed up that it could not be updated. They admitted the scam when I confronted them.
Aug 30, 2017, 9:35 PM

Hi XXXXXXXXXX!

Our monitoring systems show that one (or some) of your user accounts may be making your web hosting account operate inefficiently. We took a peek and noticed you’ve frequently hit the memory limits of your shared hosting plan over the last couple weeks. Each time that happens, our automated process watcher system stops the associated process which negatively impacts your website performance.

Here are the FTP/shell users on your account, alongside the number of times they’ve hit their memory limits:

XXXXXXXXXX: 716

If you’re happy with the performance of your site, then we are too! Your site may continue to run into your shared hosting plan’s resource limits, and our automated system will restart your hosting processes as necessary.

If you want to improve the performance of your site, you can try to optimize things with the help of our Knowledge Base, or enlist the help of a skilled webmaster to help you.

If optimization doesn’t get the results you’re looking for - or if you simply need more power - you may want to consider upgrading your hosting to a fully managed Virtual Private Server (VPS). You’ll get instant access to scalable resources tailored to your site’s exact needs.

Learn More about DreamHost VPS!

Our managed Virtual Private Servers are just as easy to use as your current hosting. You’ll interact with the exact same control panel for not much more than what you’re paying now. The difference is your sites will have more resources available to them and will be virtually “walled off” from the actions of other customers.

We’re so confident you’ll love the DreamHost VPS experience that we’re offering you $15 off your managed VPS hosting if you sign up within the next 30 days*. If you’re not thrilled with your VPS performance, one click in the control panel is all it takes to go back to the hosting you’ve got now.

Add a Virtual Private Server Now!

Give it a try! You’ve got nothing to lose, and our award-winning technical support team is standing by to assist.

-The Happy DreamHost Making-Sites-Better Team

*Offer expires on September 28, 2017 @ 11:59 PM.
I wonder how many others have been victims of the DreamShield Malware Remover marketing campaign, if that was the reason for the takedown. Two years ago Facebook did a similar trick in order to sell virus scanners.

Santeri
Posts: 287
Joined: 2017-7-5 09:58

Unread post by Santeri » 2019-5-29 06:19

The saga continues. Dreamhost have had plenty of issues with their emails being eaten by spam filters. Two years ago we tried to convince them to fix their broken email servers with no luck.

As it happens, this time they were themselves the victims of their broken email servers, as the reply from their support went straight into the Gmail spam filter. The reply reveals that the takedown had nothing to do with phishing. It was initiated by a company called RiskIQ claiming to work on behalf of JPMorgan Chase Bank N.A. (“JPMC”), and it was indeed an attempt to try to force us to censor our discussion forum.
26 May 2019, 00:32

Hello,

The exact email so you have for your own records is as follows:

*********BEGIN***********
Event Type: Unlawful Credential Distribution – Financial Data

IP Address: 173.236.183.46 (“Internet Presence Location”)

ASN: DREAMHOST-AS - New Dream Network, LLC, US

Defanged URL(s):

hxxps://forum.webseodesigners[dot]com/commercial-ads-and-other-spam-f4/sell-cvv-bank-login-dumps-track-1-2-transfer-wu-pa-t1145.html?sid=27fbb1ee33fc5983641da9d800e925f9#p1261
(collectively, “Stolen Financial Credentials”)

See formal notice below.

Dear Abuse Team:

We are the authorized agent for JPMorgan Chase Bank N.A. (“JPMC”),
with a website located at https://www.jpmorganchase.com/, in connection
with the above-captioned digital threat incident as described below.

JPMC has discovered that the website to which you are supplying services
at the Internet Presence Location is actively participating in the
distribution of Stolen Financial Credentials and other personally
identifiable information (PII), endangering the public safety by publishing
and attempting to distribute/phishing and/or distributing the Stolen
Financial Credentials and other PII.

Please take appropriate action under your terms of service with a sense of
urgency, as time is of the essence to mitigate this threat. We recommend
that you investigate your customer that is participating in this activity
and remove the Stolen Financial Credentials and other PII immediately.

If you need any support or additional information, please let us know by
reply email at your earliest convenience.

Thank you for your support in safeguarding the public.

Sincerely,

Digital Threat Incident Response Team

RiskIQ, Inc. <https://www.riskiq.com/>

22 Battery St. 10th Floor

San Francisco, CA 94111

Incident 43854111
*********END***********

We take these emails seriously hence the site taken offline. For the site
to be live again you'll need to remove that link.

Daniela J,

--
- DreamHost Abuse/Security Team
- Terms of Service: http://www.dreamhost.com/legal/terms-of-service/
- Anti-Spam Policy: http://www.dreamhost.com/spam.html
- Abuse Center: http://abuse.dreamhost.com/
If nothing else, the request proves that JPMorgan has indeed been hacked, financial credentials have been stolen, and the post on the forum is legitimate.
