DreamHost Web Hosting: Abuse Center
Section: Spam & UBE
Section: Copyright Infringement
Section: Trademark Infringement
Section: Cracking, Intrusion & DOS
Section: Fraud, Phishing & 419 Scams
Section: Libel & Defamation
Section: Child Pornography
Cracking, Intrusion & DOS

As you can imagine, as a web host we do periodically encounter situations where individuals utilize our servers to negatively impact the servers of others. This can entail unauthorized access to 3rd party systems, hosting of trojans/viruses, denial of service attacks, etc. All such activities are prohibited by our Terms of Service.

Note: If you believe that a DreamHost customer is engaging in such activities, feel free to skip here.
We prohibit a number of activities related to illegal computer intrusion. Some of the more common ones follow:
Anyone attempting to exploit technical weaknesses in the security of 3rd party systems/services or procure sensitive information (including passwords) using social engineering or deception will have their account permanently disabled without refund.
Denial of service
Similarly, anyone using any means to intentionally disrupt or overload 3rd party systems/services (aka engage in "denial of service" attacks) will have their account permanently disabled without refund.
Tools, trojans, etc.
Notwithstanding the above, the hosting or storage of tools primarily used for cracking/intrusion or denial of service attacks is also prohibited, and will result in the account being permanently disabled without refund.
DreamHost reserves the right to terminate any account found to be engaging in any of the above activities at any time, with or without prior notice. Depending on the circumstances, DreamHost may also contact relevant law enforcement officials and cooperate in full with any resulting investigation.
Handling exploits
From time to time we receive a complaint that, upon investigation, indicates to us that a DreamHost customer's account has been exploited and is being used without their knowledge or consent to engage in prohibited activities (typically spamming or phishing). When this occurs, we may take a number of actions to secure the account and prevent ongoing abuse, including the temporary disablement of related sites or accounts. We will then contact our customer to let them know what has happened and give them an opportunity to secure their account.

Note that while we understand that as a DreamHost customer you did not intend for your account to be abused by someone in this way, you are ultimately responsible for ensuring the security of any 3rd party software hosted under your account (including that installed using our One-Click Installer feature). If we notice anything obviously awry we will certainly let you know, but unfortunately DreamHost will be unable to perform a full security audit of the contents of customer accounts or perform upgrades for you.

By following the following steps you can secure your account:
Step 1: Change all passwords
While in our experience it's actually pretty uncommon for customer account passwords to be leaked out into the open, you should still immediately change all passwords associated with the exploited account. This not only includes shell/FTP passwords, but also MySQL passwords that could have been obtained from script configuration files or elsewhere.
Step 3: Remove suspicious files/directories
Often, intruders will leave behind tools or scripts for use later. In securing your account, it is important to look for and remove any such items before they can be used again. You should go through each and every directory under your account and remove any suspicious files that you did not upload yourself or otherwise do not belong. Be sure to look for hidden files and directories as well (use the "ls -alh" command from the shell or turn on hidden file viewing from within your FTP client to view them).
Step 4: Upgrade or replace software
Simply removing the product of the intrusion (phishing sites or web-based shell access scripts, for example) is not enough - you must also remove the exploit that the intruder used to get into your account in the first place. This means upgrading all software or scripts hosted under your account with the latest secure versions or - if the software is no longer maintained - replacing it with secure alternatives. Popular scripts such as Wordpress, Gallery, etc. are regularly updated to plug holes found by developers. If you use such software, please be sure to check often for security updates and patches.

Note that in the event of a confirmed defacement/exploit, we recommend replacing all files entirely if at all possible, as intruders may have added their own exploit code to otherwise secure files.
General recommendations
Don't let your guard down! Even after resolving the exploitation of your account, it's important to remain vigilant to ensure that your computing and web hosting experience is kept safe. To avoid further exploits, you need to practice "safe computing" at all times.

In practice, this means:
  • Regularly scan your personal computer(s) for malware, using tools such as Adaware and Spybot.
  • Do not follow links sent to you via email unless you trust the sender. Never follow links purporting to be from your bank, eBay, Paypal, etc.
  • Avoid opening email attachments unless you are absolutely sure they are safe - especially those sent in chain letters, "greeting cards", etc.
  • Choose secure passwords at least 8 characters in length, comprised of random letters and numbers. Do not base them on words or names.
  • Actively check for updates of 3rd party scripts/software installed under your web site. Install updates when they are available.
  • Avoid historically insecure software, prefering safer alternatives (ie. use the Firefox web browser instead of Internet Explorer, Thunderbird instead of Outlook, etc).
  • In general, avoid running 3rd party software unless you trust its source.
Reporting cracking/intrusion/DOS activity to DreamHost
If you believe that a DreamHost customer is engaging in any of the above activities, we ask that you contact us as soon as possible so that we may look into the matter further.
"What do you need to track down the offender?"
The first thing we need is for you to contact us as soon as possible, ideally while the activity is in progress. The closer to the time the abuse is occurring the more likely it is that we can catch the offender (in the act, even!). Aside from that, we need as much relevant information as you can provide. The IP address associated with the originating server(s) as well as the destination IP are helpful, as is a sampling of any log files you can provide that show what is happening. If the abuse is occurring over a span of time, some idea as to the duration and length of the abuse is also of great help to us.
"Okay, so where do I send cracking/intrusion/DOS complaints?"
You may contact us at the following email address: