You can now disable FTP for users in the DreamHost panel – see the DreamHost blog entry on this subject. This comes hot on the heels of the security issue with FTP accounts being compromised. From what I’ve seen around the web, this issue was not limited to DreamHost, but they seem to be the biggest (or most public) host affected at the moment.
Interesting to see that MovableType beta 4 is released. This came the day after I spent some time looking around to see how to get a static page built into MT for an “about me” page for this website. I want to be able to edit this file from within MT (for ease of use) and then publish the updated contents. Apparently that is only really possible by pulling in another blog until version 4 comes out, so I might be upgrading to the 4 beta soon. Alternatively, if I have to go through the pain of migrating again, it may be worth upgrading to WordPress instead (which seems to be where most of the development is taking place now).
I received the following email from DreamHost this morning, which is not good news. Although I was one of the accounts affected, I’ve been able to log in OK and it looks like everything was untouched on my account.
This email is regarding a potential security concern related to your ‘xxxxxxx’ FTP account.
We have detected what appears to be the exploit of a number of accounts belonging to DreamHost customers, and it appears that your account was one of those affected.
We’re still working to determine how this occurred, but it appears that a 3rd party found a way to obtain the password information associated with approximately 3,500 separate FTP accounts and has used that information to append data to the index files of customer sites using automated scripts (primarily for search engine optimization purposes).
Our records indicate that only roughly 20% of the accounts accessed – less than 0.15% of the total accounts that we host – actually had any changes made to them. Most accounts were untouched.
We ask that you do the following as soon as possible:
1. Immediately change your FTP password, as well as that of any other accounts that may share the same password. We recommend the use of passwords containing 8 or more random letters and numbers. You may change your FTP password from the web panel (“Users” section, “Manage Users” sub-section).
2. Review your hosted accounts/sites and ensure that nothing has been uploaded or changed that you did not do yourself. Many of the unauthorized logins did not result in changes at all (the intruder logged in, obtained a directory listing and quickly logged back out) but to be sure you should carefully review the full contents of your account.
Again, only about 20% of the exploited accounts showed any modifications, and of those the only known changes have been to site index documents (i.e. ‘index.php’, ‘index.html’, etc. – though we recommend looking for other changes as well).
It appears that the same intruder also attempted to gain direct access to our internal customer information database, but this was thwarted by protections we have in place to prevent such access. Similarly, we have seen no indication that the intruder accessed other customer account services such as email or MySQL databases. In the last 24 hours we have made numerous significant behind-the-scenes changes to improve internal security, including the discovery and patching to prevent a handful of possible exploits.
We will, of course, continue to investigate the source of this particular security breach and keep customers apprised of what we find. Once we learn more, we will be sure to post updates as they become available to our status weblog: http://www.dreamhoststatus.com/
Thank you for your patience. If you have any questions or concerns, please let us know.
– DreamHost Security Team
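As an added example (not part of the post or the DreamHost notice), here is a PowerShell script that does the review the notice asks for on a local copy of the site: it builds a SHA-256 baseline of every file, and on later runs lists new, missing and changed files, with index.* files and files that only grew listed first. The paths are assumptions.

```powershell
# Added example, not from the post or DreamHost: hash a local copy of the site
# (e.g. downloaded over FTP) into a baseline, then rerun to list files that are
# new, missing or changed, sorting index.* files first. Paths below are assumptions.
param(
    [string]$SitePath = 'C:\sites\mysite',               # local copy of the web root
    [string]$Baseline = 'C:\sites\mysite-baseline.csv',  # where the manifest is kept
    [switch]$Update                                        # rewrite the baseline after a clean review
)

function Get-SiteManifest([string]$Root) {
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName.Substring($Root.Length).TrimStart('\')
            Length = $_.Length
            Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function New-Finding([string]$Status, [string]$Path) {
    [pscustomobject]@{ Status = $Status; Path = $Path
                       IsIndex = ([IO.Path]::GetFileName($Path) -like 'index.*') }
}

$current = @(Get-SiteManifest -Root (Resolve-Path $SitePath).Path)
if ($Update -or -not (Test-Path $Baseline)) {
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "Baseline written to $Baseline ($($current.Count) files)"
    return
}

$old = @{}
Import-Csv -Path $Baseline | ForEach-Object { $old[$_.Path] = $_ }

$findings = New-Object System.Collections.Generic.List[object]
foreach ($f in $current) {
    $prev = $old[$f.Path]
    if (-not $prev) { $findings.Add((New-Finding 'NEW' $f.Path)); continue }
    $old.Remove($f.Path)
    if ($prev.Hash -ne $f.Hash) {
        # hash changed and size grew: the "data appended to index files" pattern in the notice
        $status = if ([long]$prev.Length -lt $f.Length) { 'MODIFIED (grew)' } else { 'MODIFIED' }
        $findings.Add((New-Finding $status $f.Path))
    }
}
foreach ($p in $old.Keys) { $findings.Add((New-Finding 'MISSING' $p)) }  # in baseline, gone now

if ($findings.Count -eq 0) { Write-Host 'No differences from baseline.'; return }
$findings | Sort-Object @{Expression='IsIndex'; Descending=$true}, Status, Path | Format-Table -AutoSize
```

Run it once to write the baseline, then again after each FTP download of the site; pass -Update only after you have reviewed the listed differences and confirmed they are your own.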
It’s going to be a long day for sysadmins who use AutoIT on their production LAN, as Symantec has detected the product as MSN.flooder in their dat files – the last time this happened was Jan 2006. Fortunately I only have it on a couple of PCs, but it is going to be a real pain for someone who uses it on every desktop or in login scripts. This follows about a week after they crippled thousands of Chinese PCs by detecting Windows files as viruses. I sure wouldn’t want to be a Chinese sysadmin running AutoIT! Home users can log a report at the Symantec false positive report site, but enterprise Gold or Platinum users need to contact support or submit a false positive report after updating the dats. To report using the antivirus application, right-click the file in quarantine and choose “Submit to Symantec Security Response”. Unfortunately on my work PC I don’t have rights to do this!
Update: Downloading the latest (May 31st) definitions, releasing the files from quarantine and then rescanning did not quarantine the files again.
Update 2: It looks like the same definition patterns also triggered a false positive in Search & Destroy, according to SANS.
Update 3: HTML corrected to ensure the updates appear properly.
My $10 copy of Visual Studio Standard 2005 came in the post today. I took the two required webcasts ages ago, and when I went to check the status of my registration I couldn’t find any documentation, but the funny thing is that the next day I got an email to say the product was on the way. I’m quite eager to get started on the programming – it will be interesting to see how much has changed. The last serious programming I did was with VB6 (I started off with VB3), though I did a bit of programming 2 years ago whilst looking for a job, so getting a full copy of Visual Studio for free (plus $10 shipping) and two hours of my time was a bargain. There is still time to register for this offer yourself at the VB upgrade labcast webpage. I know you can already download the Express versions of the software, but this is more complete for the home programmer; a feature comparison chart should help you decide if you want to go for this product (the list price is $249 at Amazon).
I started my Square Foot Garden blog this weekend – there are some photos at flickr to go with the project too. So far I’ve just got the soil down – seeds to go in later today.
I did a short (2 min) audio clip for In The Trenches on keeping up to date with Microsoft downloads. It was fun to do – took me a couple of times to get right and I actually wrote most of the script out first to make it easier. A couple of edits to remove some annoying deep breaths and I sent it to George and Kevin to post. Let me know what you think – podcasting is harder than it sounds.
I’m in the middle of a Swing Migration and received the message “this server has a trust relationship with domain.local” after continuing the standard setup (after I’d done most of the hard work migrating the existing settings). It took me a while to hunt down, but this is solved by editing a registry value and rebooting, as per the details on Jared Griego’s SBS blog and at event id. I’m posting the details in the extended entry for safe keeping. Not sure why it happened; I guess there was a stage missed in editing AD or DNS, but it all looked OK after double and triple checking.
Today is May 25th and therefore Towel Day, a tribute to the late Douglas Adams. Unfortunately I don’t have a Don’t Panic towel and I can’t find my Steelers Terrible Towel, so I’ll have to make do with carrying a plain towel around instead.
I noticed that client machines hadn’t been checking into some of the WSUS servers since the server was upgraded to version 3. Checking the log files on the desktop PCs showed errors such as “Reporter failed to upload events with hr = 80244016”.
After a bit of digging and looking at the IIS console, I noticed that the WSUS directories were now listening on port 8530 instead of the normal port 80. To fix this I changed the Group Policy settings “Set the intranet update service for detecting updates” and “Set the intranet statistics server” to read http://servername:8530 instead of http://servername, ran gpupdate on the desktop, restarted the Automatic Updates service, dropped to a command prompt and ran “wuauclt /detectnow” to ensure the desktop checked in *now* rather than later on.
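The check and fix from this post as an added PowerShell example (not the post’s own code): it reads the client-side registry values that the intranet update service policy writes, confirms they match the expected URL with the :8530 port and that the port actually answers, looks for the 80244016 error in the client’s WindowsUpdate.log, and with -Apply runs the post’s steps (gpupdate, restart Automatic Updates, force a detection). The server URL is an assumption.

```powershell
# Added example, not from the post: audit a desktop's Windows Update client policy for
# the WSUS 3 port change described above and optionally run the post's fix steps.
# $Expected is an assumption: your WSUS server URL including the port.
param([string]$Expected = 'http://servername:8530', [switch]$Apply)

# values written by the "Specify intranet Microsoft update service location" policy
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer        # detection/download URL
        WUStatusServer = $p.WUStatusServer  # statistics/reporting URL
        UseWUServer    = $a.UseWUServer     # 1 = use the intranet server at all
    }
}

function Test-WsusPort([string]$Url) {
    # a stale http://servername entry means port 80, which WSUS 3 no longer serves,
    # so probe the port in the policy URL instead of just reading the string
    $u = [uri]$Url
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($u.Host, $u.Port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}

$cfg = Get-WsusClientPolicy
$problems = @()
if ($cfg.UseWUServer -ne 1) { $problems += 'UseWUServer is not 1: intranet server not in use' }
foreach ($name in 'WUServer', 'WUStatusServer') {
    $val = [string]$cfg.$name
    if ($val.TrimEnd('/') -ne $Expected.TrimEnd('/')) { $problems += "$name is '$val', expected '$Expected'" }
    elseif (-not (Test-WsusPort $val)) { $problems += "$name port $(([uri]$val).Port) is not answering" }
}

# the symptom from the post, in the client's own log (classic WindowsUpdate.log location)
$log  = Join-Path $env:windir 'WindowsUpdate.log'
$hits = @(Select-String -Path $log -Pattern '80244016' -ErrorAction SilentlyContinue)
if ($hits.Count) { $problems += "$($hits.Count) line(s) with hr = 80244016 in $log" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Client policy matches $Expected and the port answers." }
if ($Apply) {
    # the steps from the post: refresh policy, restart Automatic Updates, force a detection
    gpupdate /force
    Restart-Service -Name wuauserv
    wuauclt /detectnow
}
```

Run it without -Apply first on a desktop that has stopped reporting; if the only warning is the stale URL, fix the Group Policy setting and rerun with -Apply.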