The Dreamhost security breach - could ProFTPD be involved?

Hello,

As some of you might have heard, Dreamhost has gotten itself into a mess of 3500 FTP logins being on the loose. [link]

This security breach seems to be from an XSS vulnerability in their control panel, however Dreamhost are hinting that something else might be at play here. So, my concern is now if there’s an issue with proftpd, which Dreamhost runs and which is also included with Interworx?!

Could this be a possible 0-day exploit?

Hi Henrik,

From what I’ve read, it sounds like a list of FTP accounts and passwords was obtained somehow. This means that clear-text FTP passwords must have been stored somewhere, and they were located by the attacker(s). Clear-text passwords aren’t stored by default with proftpd, so it doesn’t seem likely at this time that there is cause for concern with all proftpd installs at this point.

We will continue to monitor the situation for more details, which are still pretty light at this point. So far it seems like it probably isn’t a 0-day proftpd exploit.

Paul
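
The point above about where passwords are stored can be checked on your own server. This is an added example, not part of the original thread and not ProFTPD or Interworx code: a Python audit of a passwd(5)-format file, such as one referenced by ProFTPD's `AuthUserFile` directive, that flags password fields which do not look like crypt(3) hashes. The sample entries and function names are constructed for illustration, and the 13-character DES check is only a heuristic.

```python
import re

# Constructed sample in passwd(5) layout: name:password:uid:gid:gecos:home:shell
SAMPLE_AUTH_FILE = """\
# constructed sample entries, not real accounts
alice:$6$Zx0examplesalt$Q1w2e3r4t5y6u7i8o9p0aAbBcCdDeEfFgGhHiIjJkK:2001:2001::/home/alice:/bin/false
bob:$1$abcdefgh$0123456789abcdefghijkl:2002:2002::/home/bob:/bin/false
carol:Summer2012!:2003:2003::/home/carol:/bin/false
dave:*:2004:2004::/home/dave:/bin/false
erin:rl0uE0e3WcPWw:2005:2005::/home/erin:/bin/false
broken-line-without-fields
"""

# Modular crypt format: $id$salt$hash (for example $1$ MD5, $5$/$6$ SHA-2)
MODULAR = re.compile(r"^\$[0-9a-z-]+\$[^:]+$")
# Traditional DES crypt: exactly 13 characters from the crypt alphabet
DES = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(field):
    """Classify one password field by its shape only; nothing is cracked."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    if MODULAR.match(field):
        return "hashed"
    if DES.match(field):
        return "legacy-des"  # hashed, but weak enough to plan a migration
    return "suspect-cleartext"

def audit(text):
    """Return (line number, user, verdict) for every non-comment line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((lineno, parts[0], "malformed"))
            continue
        findings.append((lineno, parts[0], classify(parts[1])))
    return findings

if __name__ == "__main__":
    for lineno, user, verdict in audit(SAMPLE_AUTH_FILE):
        print(f"line {lineno}: {user}: {verdict}")
```

Any `suspect-cleartext` or `empty` result is an account whose password would be readable by anyone who obtains the file; the same shape check can be applied to a password column in a control panel's database.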

Hello Paul,

Yes, that’s my impression also. There are rumours that the attacker gained root-access to the afflicted box(es), though I am leaning more towards the XSS-flaw in Dreamhost’s control panel and the passwords not being hashed/salted down.

Was it possible to exploit the earlier weakness in proftpd in a way to gain access to privileged users and to harvest user-information btw?

And to end up; I don’t know why they are hinting that other hosting providers have been subjected to the same kind of attack if it’s only related to their own coded control panel.

Marketing and spin basically I would assume. If you get reporters looking at someone else they aren’t looking at you.

That could be, though Dreamhost updated their status blog yet again on this issue [link], where they more blatantly hint that something similar happened to other webhosts.