Matt K
asked on
Found several dozen files named 'logins-[10-digit-number].txt' on my dreamhost server, of unknown origin. Where are they coming from?
I host several websites with Dreamhost. Today, I shelled into my main user account and found a few dozen .txt files at the top level of my main user account that looked incredibly suspicious. They are named `logins.1234567890.txt` (the numerical portion being uniquely generated, it appears) and contain csv's showing apparent logins under this main username, including IP addresses and (variably) times/dates of the login. Most of them are my IP, but several are not, and some come from locations both near my home and business as well as outside the US (Canada was the only one I've seen so far).
Here's what I've found:
The files are generated at around the same time every week since last June (yeah, this is the first time I've noticed them – I'm not a frequent shell user). They appear to show logins with IP addresses and number of logins, along with dates and/or times. More often than not, it's my IP address, but sometimes it shows others.
Below I peeked inside a few of the files (with ls -l) to find out when they were created, in the order in which they appeared:
...etc. I noted the dates were exactly 1 week apart. I also noted in further poking around that the year was included up until last October, at which point it was no longer shown. At that point, the time of day began to be shown instead when doing a "ls -l" on these files.
Did I mention that this is weird?
Looking deeper into one of the files (posted on Feb 23, 2018), I noted it oddly contained login records dating all the way back to October through the day before (Feb. 22). According to the contents of this file, in that time I had logins from my home neighborhood (not quite my house, but maybe close enough), a neighboring town in WA state, and Chino CA, where I definitely was not on October 25, 2018... among others.
However, I did a grep for logins to this user on DH over the past month, and none of them line up in the slightest with what I'm seeing inside these files. The grep shows only my logins, and what appears to be 00:00 logins from what appears to be Dreamhost itself:
(a google search for the IPV6 (I think?) address 2607:f298:5:100a turns up Dreamhost). See here. I'm not sure if that means it's DH itself, or someone else using DH. Why would this login be for 00:00 duration? I'm in way over my head here.
This all leads me to believe that maybe it's not the Dreamhost account specifically that is seeing these logins, but something else with the same "myuser" username – perhaps a Wordpress install that I lost track of – though I don't see that. Hoping someone here can help me figure this out... perhaps you've seen this naming convention in a similar situation or otherwise have an inkling as to what's happening.
FWIW, Dreamhost performed a scan and found no malware or other issues, and everything seems to be fine with all my sites, but these files and their contents are very unsettling and confusing. I'm sure there's a reasonable explanation, but I have no clue right now what it could be.
I know this is a sticky one. I hope I've explained the issue clearly enough, but obviously feel free to ask questions if anything isn't clear.
Here's what I've found:
The files are generated at around the same time every week since last June (yeah, this is the first time I've noticed them – I'm not a frequent shell user). They appear to show logins with IP addresses and number of logins, along with dates and/or times. More often than not, it's my IP address, but sometimes it shows others.
Below I peeked inside a few of the files (with ls -l) to find out when they were created, in the order in which they appeared:
myuser@my_dreamhost_server:~$ ls -l logins-1554572892.txt
-r-------- 1 myuser pg17700 234 Apr 6 10:55 logins-1554572892.txt
ladot@ds11468:~$ ls -l logins-1553969843.txt
-r-------- 1 myuser pg17700 180 Mar 30 11:24 logins-1553969843.txt
ladot@ds11468:~$ ls -l logins-1553364634.txt
-r-------- 1 myuser pg17700 180 Mar 23 11:17 logins-1553364634.txt
ladot@ds11468:~$ ls -l logins-1552759601.txt
-r-------- 1 myuser pg17700 179 Mar 16 11:12 logins-1552759601.txt
ladot@ds11468:~$ ls -l logins-1551553628.txt
-r-------- 1 myuser pg17700 1093 Mar 2 11:12 logins-1551553628.txt...etc. I noted the dates were exactly 1 week apart. I also noted in further poking around that the year was included up until last October, at which point it was no longer shown. At that point, the time of day began to be shown instead when doing a "ls -l" on these files.
Did I mention that this is weird?
Looking deeper into one of the files (posted on Feb 23, 2018), I noted it oddly contained login records dating all the way back to October through the day before (Feb. 22). According to the contents of this file, in that time I had logins from my home neighborhood (not quite my house, but maybe close enough), a neighboring town in WA state, and Chino CA, where I definitely was not on October 25, 2018... among others.
However, I did a grep for logins to this user on DH over the past month, and none of them line up in the slightest with what I'm seeing inside these files. The grep shows only my logins, and what appears to be 00:00 logins from what appears to be Dreamhost itself:
myuser ftpd29085 2607:f298:5:100a Fri Mar 22 14:29 - 14:29 (00:00)(a google search for the IPV6 (I think?) address 2607:f298:5:100a turns up Dreamhost). See here. I'm not sure if that means it's DH itself, or someone else using DH. Why would this login be for 00:00 duration? I'm in way over my head here.
This all leads me to believe that maybe it's not the Dreamhost account specifically that is seeing these logins, but something else with the same "myuser" username – perhaps a Wordpress install that I lost track of – though I don't see that. Hoping someone here can help me figure this out... perhaps you've seen this naming convention in a similar situation or otherwise have an inkling as to what's happening.
FWIW, Dreamhost performed a scan and found no malware or other issues, and everything seems to be fine with all my sites, but these files and their contents are very unsettling and confusing. I'm sure there's a reasonable explanation, but I have no clue right now what it could be.
I know this is a sticky one. I hope I've explained the issue clearly enough, but obviously feel free to ask questions if anything isn't clear.
ASKER
Thanks for the help, David.
I learned from Dreamhost today that these .txt files were placed there by them as part of a purchase I made last June of DreamShield, which is a service meant to protect from malicious content. These .txt files are scan results. Perhaps ironically, I received no notice or warning of suspicious logins (Foreign country login didn't set off any alarms, evidently). I only found and examined these files by pure accident.
"The ftpd29085 process ID is the clue."
Can you elucidate on this? In what specific way?
"scrub any hacked files"
Is there a recommendation to follow in this case? I don't see anything overtly wrong – everything actually seems in order, and so far from what I've seen the logins have a duration of 00:00, and seem to be coming from Dreamhost's Abuse Team (google that address and you get the whois for them). It looks like this:
So I've asked them to confirm if this is their team login into my user for 00:00 as part of their security process (waiting for response). The site passed their latest scan for malicious content, but apart from that I'm unsure what else to look for. Again, nothing seems out of order. Any guidance here would be appreciated.
So to clarify, by hacking WiFi, these young miscreants get your passwords?
Duly noted to never, ever use an insecure protocol. It's been some time since I've logged on to anything with an insecure protocol (lot of FTP applications are nagware about this now), but also some time since I changed my pass for this user. As God is my witness, I will never again use plain text. In the meantime, hoping to get back to business as usual.
Thanks again for the advice, David
I learned from Dreamhost today that these .txt files were placed there by them as part of a purchase I made last June of DreamShield, which is a service meant to protect from malicious content. These .txt files are scan results. Perhaps ironically, I received no notice or warning of suspicious logins (Foreign country login didn't set off any alarms, evidently). I only found and examined these files by pure accident.
"The ftpd29085 process ID is the clue."
Can you elucidate on this? In what specific way?
"scrub any hacked files"
Is there a recommendation to follow in this case? I don't see anything overtly wrong – everything actually seems in order, and so far from what I've seen the logins have a duration of 00:00, and seem to be coming from Dreamhost's Abuse Team (google that address and you get the whois for them). It looks like this:
myuser ftpd17075 2607:f298:5:100a Fri Apr 5 15:00 - 15:00 (00:00)
myuser pts/2 [my.ip.address] Wed Apr 3 14:04 - 18:18 (04:13)
myuser ftpd28909 2607:f298:5:100a Tue Apr 2 14:21 - 14:21 (00:00)
myuser ftpd27834 2607:f298:5:100a Wed Mar 27 14:43 - 14:43 (00:00)
myuser ftpd10285 2607:f298:5:100a Mon Mar 25 13:10 - 13:11 (00:00)
myuser ftpd9645 2607:f298:5:100a Mon Mar 25 12:52 - 12:52 (00:00)
myuser ftpd9597 2607:f298:5:100a Mon Mar 25 12:50 - 12:50 (00:00)
myuser ftpd30298 2607:f298:5:100a Fri Mar 22 14:49 - 14:49 (00:00)
myuser pts/2 [my.ip.address] Fri Mar 22 14:39 - 16:52 (02:13)
myuser ftpd29085 2607:f298:5:100a Fri Mar 22 14:29 - 14:29 (00:00)
myuser pts/2 [my.ip.address] Fri Mar 22 13:55 - 14:29 (00:34)
myuser ftpd22674 2607:f298:5:100a Fri Mar 22 11:11 - 11:11 (00:00)
myuser ftpd20628 2607:f298:5:100a Thu Mar 21 15:46 - 15:46 (00:00)So I've asked them to confirm if this is their team login into my user for 00:00 as part of their security process (waiting for response). The site passed their latest scan for malicious content, but apart from that I'm unsure what else to look for. Again, nothing seems out of order. Any guidance here would be appreciated.
So to clarify, by hacking WiFi, these young miscreants get your passwords?
Duly noted to never, ever use an insecure protocol. It's been some time since I've logged on to anything with an insecure protocol (lot of FTP applications are nagware about this now), but also some time since I changed my pass for this user. As God is my witness, I will never again use plain text. In the meantime, hoping to get back to business as usual.
Thanks again for the advice, David
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You're welcome!
Hang in there!
Hang in there!
ASKER
Thanks again for the response, David.
"This suggests an FTP connection, rather than an SFTP connection, which suggests a plain text protocol is running."
Does this mean the user associated with that specific 00:00 duration login used plaintext? My logins were not, it looks like.
As I mentioned, a scan from Dreamhost showed nothing out of order. There is a single Wordpress-containing directory (admin protected by super-password, and I've been on pure SFTP since before that install), but apart from that it's static html, css and js. What can I do? Where do I even begin? Is there any sort of tool I can use?
I'm a little freaked out. This is not unlike when my car was broken into the other day. I couldn't remember if I'd had anything of any value in there, and I could tell someone had rifled through it. They didn't take a dump on the dashboard (malware), but they left evidence of their presence. That's about all I had to go on.
"This suggests an FTP connection, rather than an SFTP connection, which suggests a plain text protocol is running."
Does this mean the user associated with that specific 00:00 duration login used plaintext? My logins were not, it looks like.
As I mentioned, a scan from Dreamhost showed nothing out of order. There is a single Wordpress-containing directory (admin protected by super-password, and I've been on pure SFTP since before that install), but apart from that it's static html, css and js. What can I do? Where do I even begin? Is there any sort of tool I can use?
I'm a little freaked out. This is not unlike when my car was broken into the other day. I couldn't remember if I'd had anything of any value in there, and I could tell someone had rifled through it. They didn't take a dump on the dashboard (malware), but they left evidence of their presence. That's about all I had to go on.
You've already mentioned the *.txt files are owned by something called DreamShield which you purchased.
Likely the short durations are DreamShield probing your system for some data.
Just a guess.
Take a look at the DreamShield docs. It appears DreamShield does an SFTP login + does a scan, so likely all's well.
Likely the short durations are DreamShield probing your system for some data.
Just a guess.
Take a look at the DreamShield docs. It appears DreamShield does an SFTP login + does a scan, so likely all's well.
1) You've logged into Dreamhost using a plain text protocol...
So HTTP, rather than HTTPS or FTP, rather than SFTP.
2) If you access your site in any way using a clear text protocol, so HTTP/FTP/SQL/IMAP/POP/anyt
3) If you access your site in any way using a clear text protocol, likely you've been hacked.
4) The ftpd29085 process ID is the clue.
Close all your security holes (plain text protocols), then check your system + scrub any hacked files.
5) WiFi is hackable. No way around this. A problem with the protocol. Any kid in your neighborhood can download a copy of aircrack + hack your WiFi soon as roughly 85K work of packets flow.
The only way to guard against neighbors hacking your logins, is to only use secure protocols, never any clear text protocols.