Justin Ewing Posted June 6, 2007
http://www.caydel.com/dreamhost-leaks-3500-ftp-passwords/ Just received this email from Dreamhost. It seems that they've leaked 3500 FTP account passwords somehow. That explains a lot - about 2 weeks ago, someone used my password to upload tons of spam links to my sites. At the time, I contacted Dreamhost indicating the problem, and they assured me that their servers were secure, and it *must* be my problem. Looks like it wasn't me.
Sparda Posted June 6, 2007
Shouldn't this be in News?
Justin Ewing Posted June 6, 2007
Put it here because more people look at this thread than at News.
Guest requiemnoise Posted June 6, 2007
It is FTP. Do they even need to steal the passwords? How lame...
cooper Posted June 6, 2007
> It is FTP. Do they even need to steal the passwords? How lame...

I'll bite. So they're running an FTP. How would you get your hands on those passwords? And please be specific. Particularly about the part where you explain how you're going to sniff the traffic in a hosting center that should take more than a smile to get into in the first place. If you read the post it would seem Dreamhost was lax in their security. They fell behind a few patch levels, and someone presumably bit them in the ass with it. The only thing lame about this whole deal is that some scammer tried to use his newfound access to apply a little link farming of sorts.
Guest requiemnoise Posted June 6, 2007
First, the concept of pen testing isn't all about looking for errors in patching. Subscribing to various mailing lists to look for vulnerabilities in services isn't what security is about. Relying only on the source and not the destination credential, using a not very restricted password scheme, was never a good solution. The concept of FTP service is flawed. It is only good for an anonymous login. Even in the past, it had issues with gaining higher privilege even when it was only using anonymous, because of how it handles the protocol. Notice, MS has issues patching their applications. It has to be constantly re-patched? If there are flaws in the original ideas or code, the idea has to be abandoned. Also, the concept of examining an unencrypted network is more than looking for user names and passwords. It is gathering more information for bigger ideas. Also, even certain encryption schemes are very unreliable. Sniffing the network isn't hacking. That's just an examination. I don't know the details of this incident, but finding weaknesses in FTP has been around for decades now. It isn't reliable.
SomeoneE1se Posted June 7, 2007
> It is FTP. Do they even need to steal the passwords? How lame...
>
> I'll bite. So they're running an FTP. How would you get your hands on those passwords? And please be specific. Particularly about the part where you explain how you're going to sniff the traffic in a hosting center that should take more than a smile to get into in the first place. If you read the post it would seem Dreamhost was lax in their security. They fell behind a few patch levels, and someone presumably bit them in the ass with it. The only thing lame about this whole deal is that some scammer tried to use his newfound access to apply a little link farming of sorts.

Am I the only one who thinks that if you acquire this information you don't (ab)use it? Unless you need to?
cooper Posted June 7, 2007
> The concept of FTP service is flawed. It is only good for an anonymous login. [...] finding weaknesses in FTP has been around for decades now. It isn't reliable.

And yet *everybody* uses it. It's the de facto standard for file transportation between users and hosting providers the world over. And the only reason for that is because, flawed as it may be, it *works*. The two flaws that can actually be attributed to the FTP protocol are the unencrypted connection and using separate connections for the actual file transfer. The latter point is actually mostly annoying for firewall operators, and by allowing the FXPing of files it is seen as quite a cool feature by a lot of people as well. All other flaws are from the shoddy implementation. And with servers like vsftpd around even that part seems to be improving sharply. Plus, vsftpd (as I'm sure by now several others do) integrates with PAM, so using FTP says absolutely _nothing_ about how the passwords are kept. The article doesn't specify either, so I'm sticking with the assumption that this asshole hacker got into a box, installed a sniffer, watched some 3500 passwords fly by in the clear and took it from there...
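The protocol-level flaw cooper names, credentials crossing the control channel in the clear, is something a hosting operator can audit from the server side rather than guess at. The following is an added example, not code from this thread or from the vsftpd project: it walks a constructed control-channel log and flags every session that sent PASS before a successful AUTH TLS upgrade (the RFC 4217 mechanism vsftpd supports), redacting the credential itself. The log format (session id, direction, line) is an assumption made for the demo; the FTP commands and reply codes are the real ones.

```python
"""Flag FTP sessions that authenticated over an unencrypted control channel.

Added example, not from the thread or from any FTP server. Assumed log format
(constructed for this demo): "<session-id> <C|S> <line>", where C is a client
command and S a server reply, as a server-side control-channel log would record
them. AUTH TLS, USER, PASS and the 234/230 reply codes are real FTP (RFC 959 /
RFC 4217); everything else here is the demo's own convention.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: s1 upgrades to TLS before logging in, s2 never asks for
# TLS, s3 asks but the server refuses (502) and the client logs in anyway.
SAMPLE_LOG = """\
s1 S 220 vsFTPd ready
s1 C AUTH TLS
s1 S 234 Proceed with negotiation.
s1 C USER alice
s1 S 331 Please specify the password.
s1 C PASS hunter2
s1 S 230 Login successful.
s2 S 220 vsFTPd ready
s2 C USER bob
s2 S 331 Please specify the password.
s2 C PASS swordfish
s2 S 230 Login successful.
s3 S 220 vsFTPd ready
s3 C AUTH TLS
s3 S 502 Command not implemented.
s3 C USER carol
s3 S 331 Please specify the password.
s3 C PASS letmein
s3 S 530 Login incorrect.
"""

LINE_RE = re.compile(r"^(?P<sid>\S+) (?P<dir>[CS]) (?P<text>.*)$")


@dataclass
class Session:
    sid: str
    awaiting_auth_reply: bool = False  # AUTH sent, reply not yet seen
    tls_active: bool = False           # server answered AUTH with 234
    user: Optional[str] = None
    cleartext_pass_seen: bool = False  # PASS sent while tls_active is False
    login_ok: bool = False             # server answered 230


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Replay the log and track the TLS/login state of each session."""
    sessions: Dict[str, Session] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # tolerate malformed lines instead of aborting the audit
        s = sessions.setdefault(m["sid"], Session(m["sid"]))
        if m["dir"] == "C":
            cmd, _, arg = m["text"].partition(" ")
            cmd = cmd.upper()
            if cmd == "AUTH" and arg.upper() in ("TLS", "SSL", "TLS-C", "TLS-P"):
                s.awaiting_auth_reply = True
            elif cmd == "USER":
                s.user = arg
            elif cmd == "PASS" and not s.tls_active:
                s.cleartext_pass_seen = True  # the password is NOT recorded
        else:
            code = m["text"][:3]
            if s.awaiting_auth_reply:
                # Only the reply that directly answers AUTH decides the upgrade.
                s.tls_active = code == "234"
                s.awaiting_auth_reply = False
            elif code == "230":
                s.login_ok = True
    return sessions


def cleartext_logins(log_text: str) -> List[dict]:
    """Return one finding per session whose password crossed the wire unencrypted."""
    findings = []
    for s in parse_sessions(log_text).values():
        if s.cleartext_pass_seen:
            findings.append({
                "session": s.sid,
                "user": s.user,
                "accepted": s.login_ok,   # True: server honoured the cleartext login
                "password": "<redacted>",  # never surface the credential in a report
            })
    return findings


if __name__ == "__main__":
    for f in cleartext_logins(SAMPLE_LOG):
        print(f)
```

A finding with `accepted` set is the case the thread is worried about: a password that travelled in the clear and that the server also honoured. On vsftpd the matching fix is to enable TLS and require it for local users (`ssl_enable=YES` together with `force_local_logins_ssl=YES` and `force_local_data_ssl=YES`); a session like s3, where the server refused AUTH TLS, points at a server that is not configured for it at all.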