Use Dreamhost? Check Your Websites for Malicious Code!

March 1, 2012

If you are using Dreamhost, you should check your website for malicious php code and redirects!

There is currently a prevalent hack going around that affects many websites on Dreamhost.

The most common hack seems to be the basic search bot redirect, so anytime Google bot, or other search bots, visit the website, they get served different content. Most likely it will be links to spam pharma sites, as well as links to other hacked websites.

From reading, a lot of folks seem to be waiting/expecting support to fix their website, but this is not something you should wait on!

Table of Contents

Who is Affected?

From searching twitter and Dreamhost’s forum, where a 12 page and counting thread of those affected is present, you can see that many people at dreamhost are affected.

While the default response from support is, of course, “you had outdated software or a bad plugin,” this does not wash.

For one, some people, including myself, had websites that were updated and running no plugins or only minimal plugins that were affected. Some even report having no CMS at all and still being hacked.

Further, in my case, I had the same web-shell dropped across multiple users accounts and websites. Only one of which was in sore need of updating, although it was running a 3.1+ wordpress install and had been updated within the month.

Given this, it seems much more likely that something much bigger is wrong with Dreamhost’s hosting platform. Short of a Zero Day on wordpress, in which case the hacks would probably be much more distributed, this seems like the more logical solution.

Return to Top of Page

How did this Happen?

The official response from Dreamhost support seems to be “you were using vulnerable code and it is your responsibility to keep it secure.”

However, given the reports, which include those who claim that they were not running a CMS or running an up-to-date CMS and were still infected, I think there is a bigger issue at play. My anecdotal evidence, which included several reasonably updated websites, as well as finding the same web-shell dropped onto a number of unrelated websites/user accounts, seems to confirm this suspicion.

Dreamhost has had a number of issues with down-time, as well as a serious hack that exposed many user’s shell passwords, so it is not a leap to assume that their hosting platform systems were heavily compromised.

In my case, I changed my shell passwords twice, once immediately after the report and again shortly after that. I think, as I mentioned above, a zero day in WordPress might also be responsible, but this is not likely and would probably be more common across web hosts.

Return to Top of Page

Is This Specific to Dreamhost?

No, if anything it is an issue that highlights problems with Shared Hosting.

I have cleaned up similar attacks on Media Temple, as well as other hosts, where, apparently, the issue was not specific to the user, but rather drive-by maleware.

Return to Top of Page

Support Not Doing Anything? Or Overwhelmed?

While they do reply with a standard form letter, as well as checking your account for web-shells, they appear to be in damage control mode.

I sent them a list of 5+ other Dreamhost websites that I found that were also hacked and as of 48 hours later, I have not received a response from support, nor have these websites been fixed or disabled. Depending on the scope of the problems with Dreamhost’s platform, this may mean they are affecting other user accounts too.

With that said, I understand that Dreamhost’s support, which has always been pretty great in the past, is probably getting slammed right now.

Many people, from reading the forums, are not competent to fix the problem themselves and are instead waiting for Dreamhost to fix it. Again, depending on the scope of the problem, this might only make it worse.

Personally, if it were my server, I would be actively going in and finding/disabling web-shells and trying to clean it up, without waiting for user’s to notice their website was hacked. Maybe they are, but this does not seem likely.

Update: 72+ hours in, they responded by saying they were running scans on 2 domains that I provided. I sent over 5+, so it is unclear whether they scanned these too…

Return to Top of Page

What to Look For

There are a few things you can check for.

If you have shell access, you can probably see by checking out the web-root and/or htaccess files, that something is amiss. You may see random files/folders that you know are not correct. However, it is possible that they may be hidden within other folders, so you will probably need to do some checking. Reviewing the logs can also help, as you may see the hidden files/folders in there.

You can also visit your website with a Googlebot User Agent. If it has been hacked, you will likely see a much different website than you are used to.

Since it is possible the hack might attempt to install maleware on your computer, you should disable javascript before you visit it. Or, use wget like so:

wget --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +" http://www.your_website_url

wget will download the file, saving it as index.html and then you can view it in a text editor to compare it against the main website.

Even if the website is not hacked, you should still check all folders, delete and reinstall plugins/cms, and check any remaining theme files. In my case, I had several web-shells hidden in multiple websites, which appear to have not been activated yet.

Return to Top of Page

How to Clean Up

Realistically, before cleaning up, you should investigate the files/folders/logs. Try to determine when the site was hacked, identify IP addresses, and check for any world-writeable files/folders.

TLDR: Backup, Delete and reinstall all software/plugins, Manually check any remaining files/databases, Ensure permissions are correct

This is a process for cleaning up wordpress, but similar concepts can be applied to other websites:

  1. Make a backup of your website and database
  2. Download the latest version of WordPress:
  3. Check for malicious logins to your shell account*:

    This Checks the most recent logins:

    last -i | grep user_name

    This checks for less recent logins.
    last -if /var/log/wtmp.1 | grep username

    Both of these may take awhile to run. If you see an IP address that you do not recognize, you should be concerned!

  4. In your web-root, delete the wp-admin, wp-includes folders
  5. In your web-root, rename wp-config.php to .temp.config
  6. verify that you do not have any custom php files in your root web directory
  7. delete all *.php files in your root web directory
  8. delete remaining files in your root web directory, except for .temp.config and any other custom files you might have.
  9. rename .temp.config -> wp-config.php
  10. View wp-config.php for any malicious code or anything out of the ordinary. You can compare it to wp-config-sample.php from the clean wordpress version in step #2 above.
  11. At this point, the only thing remaining in your webroot should be the folder “wp-content”, as well as wp-config.php, unless you have custom non-wordpress files/folders in your web-root.
  12. View your .htaccess file for any malicious content, including redirects and allowing php to be run on different types of files
  13. Search your wp-content folder for malicious php files

    You can start by using the find command to locate php files that might be within your uploads folder. From your web root directory, use the following command:

    find . -wholename '*wp-content/uploads/*.php'

    The above command searches the uploads folder for any php files. There should not, typically be any.

    You can automatically delete them by using this command:

    find . -wholename '*wp-content/uploads/*.php' -exec rm -rf {} \;

    If you have a gallery folder, or any other folder, aside from plugins or themes, do the same sort of check for malicious folders/files. Make sure to check for hidden files/folders, which start with a “.”

  14. Grep can be very useful too. Once you identify a hacked file, you can search your entire directory like so:

    grep -lnR "Some Bad Phrase" /home/user_name/

    A big part of it is finding patterns and it is common to see some “base64” encoded values, as well as a php “eval”, so both of those would probably be good greps to start with.

    If you end up with a ton of files, output the results to a text file, for easy searching/processing:

    grep -lnR "Some Bad Phrase" /home/user_name/ > output.txt

  15. Goto your plugins folder, wp-content/plugins.

    Assuming you are NOT using a paid or custom plugin, delete and download your plugins from wordpress’s website one at a time.

    If you have a custom plugin or one that you paid for, check each file/folder for malicious code.

  16. Goto your themes folder, wp-content/themes.

    Delete any unused themes. Inspect remaining themes, checking each file for malicous code, as well as checking for any hidden files/folders.

  17. Using PHP My Admin, or the Mysql Command Line, inspect the database. You will want to check for any added users, malicious javascript or links added to posts, as well as comments. Also, check the wp_options table for anything out of the ordinary.

    Using PHP My Admin may be easier for most folks, as it lets you visualize the database. You could also download the Mysql Workbench, but might have to configure a local Mysql Server and/or temporarily allow access remotely to the Dreamhost servers.

  18. Change your Mysql Password via the Dreamhost Panel and Update your wp-config.php file
  19. Extract new version of wordpress from step #2 and copy into web-root.
  20. Reset File Permissions, per WordPress’s recommendations. You can change this to be a little more strict if you want:

    Change Directories to 755.

    find ~/your_web_root/ -type d -exec chmod 755 {} \;

    Change Files to 644.

    find ~/your_web_root/ -type f -exec chmod 644 {} \;

  21. Your website should now work and you can be reasonably sure that it is free of malicious code. When in doubt, check EACH file/folder within your wp-content folder, as this should be the only remaining source of possible infection.

* If when checking for other logins, you find an IP you do not recognize, your entire account may be compromised

Return to Top of Page

My Website is Not Hacked, Should I Still Check?


In my case, I found the same web-shell dropped onto several websites that were on different user accounts.

Even if you do not think you have been compromised, you should still check to be sure!

Return to Top of Page

Going Forward

Under Users -> Manage Users -> Edit: enable enhanced user account security( and disable FTP.

Under Domains -> Manage Domains -> Edit: Make sure the most recent version of PHP is selected, as well as “Extra Web Security”

Routinely check for errors / suspicious activity within your websites/user accounts.

Routinely Backup Your Website: Dreamhost offers the one click backup, which you can download automatically via wget by using the following command

wget -r --user=provided_username --password=provide_password http://provided_url

Just replace “provided_” with the information sent via the confirmation email.

Return to Top of Page

Thoughts on Dreamhost

I have been using dreamhost for some time now, and overall have been very happy with them. Their support is always friendly and responsive, aside from right now that is, and there is a lot of things I like about them.

With that said, these past few months with dreamhost have been a little rough. They have had several major outages, as well as at least one major security breach and probably bigger issues, as evidenced by this post.

While these sorts of hacks happen all over, it certainly does seem to be fairly wide-spread across dreamhost accounts.

Return to Top of Page

You Are Speaking Gibberish! Please Help!

If feel comfortable making the above changes, you should be able to reverse the effects of the hack. Just make sure to backup files/database FIRST!!!

However, if you don’t feel comfortable, Dreamhost Support does seem to be helping, although in some cases not right away, so you can wait for them.

Otherwise, you can contact me and I can help you get back on track with an affordable fix.

Return to Top of Page


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s