Peter Marklund


Mon June 16, 2008
Programming

DreamHost Hacked: All My Files Exposed Publicly

An ex-colleague of mine discovered that all my files in my home directory at the hosting company DreamHost were publicly viewable and downloadable on the web. I was quite shocked. I had certainly not intended to share all my private files with the world, especially since they contained some highly sensitive information. I assumed my account at DreamHost had been hacked. However, the response from DreamHost support was that this was not the case. They explained that it was merely a symbolic link to my home directory that had been created:

"if you would like to keep this from happening you can prevent all other users on the server from viewing your account's files by enabling the Enhanced Security feature for your user. Just go to the Users > Manage Users section of your panel, click the "Edit" link next to your user, and then check to enable the Enhanced Security option. Hit the "Save Changes" button and you should be set in about 20 minutes.

The /home/ directory is public and it is not a security breach that the other user was able to create a symbolic link to /home/. Other users on the server have always had the same access, which means that they have been able to view your files but they absolutely cannot make any changes to your files or folders. The Enhanced Security feature takes it a step further and prevents any user from even viewing your files or folders.

So, just to be clear, there is no indication of a server hack or any security intrusion."

I wrote back that I had changed to "Enhanced" security and that my files were still exposed. Here are some excerpts from their second reply:

"Ultimately this was just some funny permissions on your home directory which caused this to be allowed to happen."

"When I changed your home directory's group ownership back to your default group (pg136611) this corrected the insecurity of other users accessing your files via apache"

"The interesting part is it may have been enabling the extra web security which caused this insecurity."

A few days later I found that my files were still exposed and I had to manually change the group of my home directory. Basically, as far as I'm concerned, this means the issue has still not been fixed in a reliable fashion.

I've heard no apology from DreamHost so far. In fact, there is not much in their replies that indicates that they are even taking the issue very seriously. I'm quite disappointed and I am not left with much confidence in DreamHost when it comes to security and privacy.
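
The check the post ends up doing by hand, as an added example that is not part of the original post or any DreamHost tooling: a shell function that reports whether a home directory is open to other accounts or has a group owner other than the account's default group. The function name, its output format and the expected-GID argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit one home directory for
# the two conditions described in the support replies quoted above.
# Uses `stat -c` (GNU coreutils / busybox), as found on Linux shared hosts.

# audit_home DIR EXPECTED_GID
#   prints one finding per line; returns 0 = clean, 1 = findings, 2 = error
audit_home() {
    dir=$1
    want_gid=$2    # assumption: the account's default group, e.g. $(id -g)
    [ -d "$dir" ] || { echo "error not-a-directory"; return 2; }

    mode=$(stat -c '%a' "$dir") || return 2    # octal mode, e.g. 755
    gid=$(stat -c '%g' "$dir") || return 2     # numeric group owner
    while [ "${#mode}" -lt 4 ]; do mode=0$mode; done   # pad: 755 -> 0755
    other=${mode#???}                          # last digit: "other" bits
    group=${mode#??}; group=${group%?}         # third digit: group bits

    status=0
    # Any "other" bit lets every account on the server list, read or
    # traverse the directory, for example through a symlink to it.
    if [ "$other" -ne 0 ]; then
        echo "other-access mode=$mode"
        status=1
    fi
    # A group owner other than the default group, with group bits set,
    # still grants access after the "other" bits have been cleared.
    if [ "$gid" != "$want_gid" ] && [ "$group" -ne 0 ]; then
        echo "foreign-group-access gid=$gid expected=$want_gid mode=$mode"
        status=1
    fi
    return "$status"
}

# Stand-alone use: ./audit_home.sh /home/username [expected_gid]
if [ "$#" -ge 1 ]; then
    audit_home "$1" "${2:-$(id -g)}"
fi
```

Run from cron with the account's own home directory and default GID, a non-zero exit status signals that the permissions have drifted again.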

Comments

Peter Marklund said over 6 years ago:

It's been five days since I reported this issue to DreamHost (12th of June). They have still not been able to resolve the issue and my files are still exposed...

--------------------------------------------------------------------------------

Jun said over 6 years ago:

Hi Peter,

I have noticed some negative feedback about DreamHost. You may want to start shopping around for alternatives.

Jun

--------------------------------------------------------------------------------

James said over 6 years ago:

Oh my god, I can't believe they thought it was a non-issue that other people could read your files.

Reading them is half the battle, and all you need to commit identity theft. What a pathetic response.

If I was you, I'd terminate my business relationship ASAP, and perhaps see if there is any legal redress available.

In the cut-throat world of hosting, I'm afraid you get what you pay for, when it comes to cheap, though.

I'm with MediaTemple, but I've heard good things about SliceHost from other developers.

--------------------------------------------------------------------------------

download games said over 5 years ago:

Good post. My opinion, Dreamhost is good hosting

--------------------------------------------------------------------------------

Gavin said over 4 years ago:

Wow, I am seeing similar devious behavior on my Dreamhost hosted sites. Files are getting modified and the logfiles are empty. They definitely seem to have a security issue.

--------------------------------------------------------------------------------

saad said over 4 years ago:

My experience with dreamhost is awesome. I'm in love with them.

--------------------------------------------------------------------------------