
Dreamhost leaks 3,500 FTP passwords


Justin Ewing


http://www.caydel.com/dreamhost-leaks-3500-ftp-passwords/

Just received this email from Dreamhost. It seems that they've leaked 3500 FTP account passwords somehow.

That explains a lot - about 2 weeks ago, someone used my password to upload tons of spam links to my sites. At the time, I contacted Dreamhost indicating the problem, and they assured me that their servers were secure, and it *must* be my problem. Looks like it wasn't me.


It is FTP. Do they even need to steal the passwords? How lame...

I'll bite. So they're running an FTP. How would you get your hands on those passwords?

And please be specific. Particularly about the part where you explain how you're going to sniff the traffic in a hosting center that should take more than a smile to get into in the first place.

If you read the post it would seem Dreamhost was lax in their security. They fell behind a few patch levels, and someone presumably bit them in the ass with it. The only thing lame about this whole deal is that some scammer tried to use his newfound access to apply a little link farming of sorts.


Guest requiemnoise

First, the concept of pen testing isn't all about looking for errors in patching. Subscribing to various mailing lists to look for vulnerabilities in services isn't what security is about. Only relying on the source and not the destination credential by using a not very restricted password scheme was never a good solution. The concept of FTP service is flawed. It is only good for an anonymous login. Even in the past, it had issues with gaining higher privilege even when it was only using anonymous, because of how it handles the protocol. Notice, MS has issues patching their applications. It has to be constantly re-patched? If there are flaws in the original ideas or code, the idea has to be abandoned. Also, the concept of examining an unencrypted network is more than looking for user names and passwords. It is gathering more information for bigger ideas. Also, even certain encryption schemes are very unreliable. Sniffing the network isn't hacking. That's just an examination. I don't know the details of this incident, but finding weaknesses in FTP has been around for decades now. It isn't reliable.


It is FTP. Do they even need to steal the passwords? How lame...

I'll bite. So they're running an FTP. How would you get your hands on those passwords?

And please be specific. Particularly about the part where you explain how you're going to sniff the traffic in a hosting center that should take more than a smile to get into in the first place.

If you read the post it would seem Dreamhost was lax in their security. They fell behind a few patch levels, and someone presumably bit them in the ass with it. The only thing lame about this whole deal is that some scammer tried to use his newfound access to apply a little link farming of sorts.

Am I the only one who thinks that if you acquire this information you don't (ab)use it? Unless you need to?

The concept of FTP service is flawed. It is only good for an anonymous login. [...] finding weaknesses in FTP has been around for decades now. It isn't reliable.

And yet *everybody* uses it. It's the de facto standard for file transportation between users and hosting providers the world over. And the only reason for that is because, flawed as it may be, it *works*.

The two flaws that can actually be attributed to the FTP protocol are the unencrypted connection and using separate connections for the actual file transfer.

The latter point is actually mostly annoying for firewall operators, and by allowing the FXPing of files it is seen as quite a cool feature by a lot of people as well.

All other flaws are from the shoddy implementation. And with servers like vsftpd around even that part seems to be improving sharply. Plus, vsftpd (as I'm sure by now several others) integrates with PAM, so using FTP says absolutely _nothing_ about how the passwords are kept. The article doesn't specify either, so I'm sticking with the assumption that this asshole hacker got into a box, installed a sniffer, watched some 3500 passwords fly by in the clear and took it from there...
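As an added illustration of the two protocol-level flaws named above (credentials cross the wire in the clear unless AUTH TLS is negotiated first, and file transfers use a separate data connection), here is an audit helper written for this page, not code from the thread or from any FTP server. It walks a constructed control-channel transcript and reports which accounts authenticated before TLS was in place, so an operator can size a cleartext-exposure problem without ever retaining the password values themselves.

```python
"""Audit one FTP control-channel transcript for credentials sent in the clear.
Added example, not code from the forum post. Input is a constructed transcript
of (direction, line) tuples: "C" client-to-server, "S" server-to-client.
Only exposed usernames are kept; password values are discarded."""
from dataclasses import dataclass, field

@dataclass
class SessionAudit:
    cleartext_users: list = field(default_factory=list)  # PASS sent before TLS
    tls_negotiated: bool = False                          # AUTH TLS answered 234
    data_channel_cmds: int = 0                            # PORT/EPRT/PASV/EPSV seen

def audit_session(transcript):
    """Walk the session; classify credential exposure and data-channel use."""
    result, pending_user, awaiting_auth_reply = SessionAudit(), None, False
    for direction, line in transcript:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if direction == "S":
            # 234 to AUTH TLS: later bytes are encrypted, a sniffer sees ciphertext.
            if awaiting_auth_reply:
                result.tls_negotiated = line.startswith("234")
                awaiting_auth_reply = False
            continue
        if verb == "AUTH" and not result.tls_negotiated:
            awaiting_auth_reply = True            # any non-234 reply leaves us in cleartext
        elif verb == "USER":
            pending_user = arg.strip()
        elif verb == "PASS":
            if not result.tls_negotiated and pending_user is not None:
                result.cleartext_users.append(pending_user)  # password itself discarded
            pending_user = None
        elif verb in ("PORT", "EPRT", "PASV", "EPSV"):
            result.data_channel_cmds += 1         # second connection for the transfer
    return result

# Constructed sample sessions (not real captures).
PLAINTEXT_SESSION = [
    ("S", "220 ftp.example.net FTP server ready"),
    ("C", "USER alice"), ("S", "331 Password required for alice"),
    ("C", "PASS hunter2"), ("S", "230 User alice logged in"),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
    ("C", "STOR index.html"),
]
TLS_SESSION = [
    ("S", "220 ftp.example.net FTP server ready"),
    ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation"),
    # Everything after 234 travels inside TLS; listed here only to model the flow.
    ("C", "USER bob"), ("C", "PASS secret"),
]
```

Run over the control streams of a capture, the audit answers the question the thread is arguing about: how many accounts a passive sniffer on the segment could actually have collected.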

