[Toybox] DreamHost Security Alert
Rob Landley
rob at landley.net
Wed Apr 24 11:10:48 PDT 2024
Alas, my website's likely to be down for a bit while I explain to them that "the
compiler that got used to build an exploit" and "the exploit" can share strings
because gnu is incompetent and leaks the path where things got built into the
resulting binaries, but that does not mean that the compiler the strings came
from in the first place is actually infected.
I mean, here's an article from 2018:
https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/
Rob
(I'd point to old blog entries where I went "huh, my compilers got used to build
random russian malware" ten years ago, but my blog was on my site so you
wouldn't see it unless I fish it out of archive.org...)
-------- Forwarded Message --------
Subject: DreamHost Security Alert - Malware on landley.net
Date: Wed, 24 Apr 2024 09:53:09 -0700 (PDT)
From: DreamHost Abuse Team <support at dreamhost.com>
To: rob at landley.net
Hello Rob Landley,
We have received a report of malware at the following location:
hXXps://landley.net/aboriginal/downloads/old/binaries/1.2.6/cross-compiler-armv7l.tar.bz2
This means that your site has likely been compromised. We have taken the site
offline by renaming its directory (appended _DISABLED_BY_DREAMHOST). Please do
not re-enable it until you can address the problem.
In general, the three most common entry points for a compromised website are:
1. Vulnerable, typically out-of-date software (such as blogs, forums, CMS,
associated themes and plugins, etc.)
2. A cracked/brute-forced admin login for a web application like WordPress,
Joomla, Drupal etc.
3. A compromised FTP/SFTP/SSH user password.
1. All software you have installed under your domain should always be kept
up-to-date with the most recent version available from the vendors' website, as
these often contain security patches for known issues. Older versions of
well-known and popular web software (including Wordpress, Drupal, Joomla, etc.)
are known to have vulnerabilities that can allow injection and execution of
arbitrary code.
2. If you utilize a web application with a script-based administrative backend
(like WordPress, Joomla, or Drupal), make sure that you're not using a generic
username like "admin" or "webmaster" for the user with administrative
privileges. Hackers will slowly brute-force common usernames in order to get
access to a script's backend and whatever tools exist there that allow file
uploads, alterations, or execution of code.
3. FTP/SFTP/SSH passwords can be compromised and used to modify files. The most
important part of securing your account in this case is to change your FTP
user's password via the (USERS > MANAGE USERS) -> "Edit" area of the control
panel. Passwords should not contain dictionary words and should be a string of
at least 8 mixed-case alpha characters, numbers, and symbols. It is also
recommended to always use Secure FTP (SFTP) or SSH rather than regular FTP,
which sends passwords over the internet in plaintext. You can disable FTP for
your user(s) within the DreamHost panel (USERS > MANAGE USERS) section.
At this point, we recommend logging into your DreamHost server and removing the
content we listed. (Note: You may first need to reset the permissions). You
should also look for any other files/directories you did not upload yourself and
update all your website components where applicable. As for determining which
entry point is the cause of this incident, for 1 and 2, you can review the
Apache logs for suspicious activity and requests to suspicious files. Keep in
mind that we typically only keep around 5 days worth of Apache logs. For 3, you
can refer to this article to find recent logins to your user:
https://help.dreamhost.com/hc/en-us/articles/214915728-Determining-how-your-site-was-hacked
For further help on this topic, you can refer to our Knowledge Base:
https://help.dreamhost.com/hc/en-us/articles/215604737-Hacked-sites-overview
https://help.dreamhost.com/hc/en-us/sections/203242117-Logs
Lastly, we have scheduled an automated malware scan and if anything is found, we
will send you a separate email with those results.
If you need further assistance, please respond directly to this email.
Thank you for your cooperation!
-DreamHost Abuse Team
More information about the Toybox
mailing list