I host several websites with Dreamhost. Today, I shelled into my main user account and found a few dozen .txt files at the top level of my main user account that looked incredibly suspicious. They are named `logins.1234567890.txt` (the numerical portion being uniquely generated, it appears) and contain CSVs showing apparent logins under this main username, including IP addresses and (variably) times/dates of the login. Most of them are my IP, but several are not, and some come from locations both near my home and business as well as outside the US (Canada was the only one I've seen so far).
Here's what I've found:
The files are generated at around the same time every week since last June (yeah, this is the first time I've noticed them – I'm not a frequent shell user). They appear to show logins with IP addresses and number of logins, along with dates and/or times. More often than not, it's my IP address, but sometimes it shows others.
Below I peeked inside a few of the files (with ls -l) to find out when they were created, in the order in which they appeared:
myuser@my_dreamhost_server:~$ ls -l logins-1554572892.txt
-r-------- 1 myuser pg17700 234 Apr 6 10:55 logins-1554572892.txt
ladot@ds11468:~$ ls -l logins-1553969843.txt
-r-------- 1 myuser pg17700 180 Mar 30 11:24 logins-1553969843.txt
ladot@ds11468:~$ ls -l logins-1553364634.txt
-r-------- 1 myuser pg17700 180 Mar 23 11:17 logins-1553364634.txt
ladot@ds11468:~$ ls -l logins-1552759601.txt
-r-------- 1 myuser pg17700 179 Mar 16 11:12 logins-1552759601.txt
ladot@ds11468:~$ ls -l logins-1551553628.txt
-r-------- 1 myuser pg17700 1093 Mar 2 11:12 logins-1551553628.txt
...etc. I noted the dates were exactly 1 week apart. I also noted in further poking around that the year was included up until last October, at which point it was no longer shown. At that point, the time of day began to be shown instead when doing a "ls -l" on these files.
Did I mention that this is weird?
Looking deeper into one of the files (posted on Feb 23, 2018), I noted it oddly contained login records dating all the way back to October through the day before (Feb. 22). According to the contents of this file, in that time I had logins from my home neighborhood (not quite my house, but maybe close enough), a neighboring town in WA state, and Chino CA, where I definitely was not on October 25, 2018... among others.
However, I did a grep for logins to this user on DH over the past month, and none of them line up in the slightest with what I'm seeing inside these files. The grep shows only my logins, and what appears to be 00:00 logins from what appears to be Dreamhost itself:
myuser ftpd29085 2607:f298:5:100a Fri Mar 22 14:29 - 14:29 (00:00)
(a Google search for the IPv6 (I think?) address 2607:f298:5:100a turns up Dreamhost). See here.
I'm not sure if that means it's DH itself, or someone else using DH. Why would this login be for 00:00 duration? I'm in way over my head here.
This all leads me to believe that maybe it's not the Dreamhost account specifically that is seeing these logins, but something else with the same "myuser" username – perhaps a WordPress install that I lost track of – though I don't see that. Hoping someone here can help me figure this out... perhaps you've seen this naming convention in a similar situation or otherwise have an inkling as to what's happening.
FWIW, Dreamhost performed a scan and found no malware or other issues, and everything seems to be fine with all my sites, but these files and their contents are very unsettling and confusing. I'm sure there's a reasonable explanation, but I have no clue right now what it could be.
I know this is a sticky one. I hope I've explained the issue clearly enough, but obviously feel free to ask questions if anything isn't clear.
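One concrete check worth running on the files described above, added here as an example and not part of the original post: the number in each `logins-<N>.txt` name decodes as a Unix epoch timestamp (1554572892 is 2019-04-06 17:48:12 UTC, i.e. 10:48 PDT, a few minutes before the 10:55 mtime that `ls -l` showed for that file). The script below decodes the name epoch for every file, compares it with the file's mtime, and reports the spacing between consecutive files in days, so a weekly scheduled job shows up as a row of 7s and a skipped week as a 14. It assumes GNU coreutils (`date -d`, `stat -c`, `touch -d`), and the sample directory it builds is constructed from the five filename epochs in the post with mtimes set 7 minutes after each name epoch; the real files' CSV contents are not modelled because the post does not show their exact format.

```bash
#!/bin/bash
# Added example, not code from the original post. Treats the number in each
# logins-<N>.txt filename as a Unix epoch timestamp, converts it to UTC,
# compares it with the file's mtime, and reports the spacing between
# consecutive files in days. Assumes GNU coreutils (date -d, stat -c, touch -d).
set -u

# Epoch embedded in a filename such as logins-1554572892.txt (empty if no match).
name_epoch() {
    base=${1##*/}
    e=${base#logins-}
    e=${e%.txt}
    case "$e" in
        *[!0-9]*|'') printf '\n' ;;
        *) printf '%s\n' "$e" ;;
    esac
}

# Unix epoch -> "YYYY-MM-DD HH:MM:SS" in UTC (GNU date).
epoch_to_utc() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S'
}

# Gap between two epochs, rounded to the nearest whole day.
gap_days() {
    printf '%s\n' $(( ($2 - $1 + 43200) / 86400 ))
}

# One line per file: name epoch (UTC), mtime (UTC), and how far the mtime is
# past the name. A small positive drift is what you expect when a job stamps
# the name as it starts and closes the file a few minutes later.
name_vs_mtime() {
    for f in "$1"/logins-*.txt; do
        e=$(name_epoch "$f"); [ -n "$e" ] || continue
        m=$(stat -c %Y "$f")
        printf '%s name=%s mtime=%s drift=%ss\n' \
            "${f##*/}" "$(epoch_to_utc "$e")" "$(epoch_to_utc "$m")" $((m - e))
    done
}

# Gap in days between consecutive files ordered by name epoch; anything other
# than 7 is flagged, which is how a skipped or extra run shows up.
weekly_gaps() {
    prev=
    for e in $(for f in "$1"/logins-*.txt; do name_epoch "$f"; done | sort -n); do
        if [ -n "$prev" ]; then
            g=$(gap_days "$prev" "$e")
            flag=
            [ "$g" -eq 7 ] || flag=' <-- not weekly'
            printf '%s -> %s: %s day(s)%s\n' "$prev" "$e" "$g" "$flag"
        fi
        prev=$e
    done
}

# Constructed sample directory (assumption, not real data): the five filename
# epochs from the post, each with an mtime 7 minutes after its name epoch,
# roughly what the post's ls -l output shows (10:48 PDT in the name, 10:55 on disk).
make_samples() {
    d=$(mktemp -d)
    for e in 1554572892 1553969843 1553364634 1552759601 1551553628; do
        : > "$d/logins-$e.txt"
        touch -d "@$((e + 420))" "$d/logins-$e.txt"
    done
    printf '%s\n' "$d"
}

# Run against the constructed samples; point name_vs_mtime/weekly_gaps at the
# real home directory instead to check the actual files.
dir=$(make_samples)
name_vs_mtime "$dir"
weekly_gaps "$dir"
rm -rf "$dir"
```

On the constructed samples the gap report flags the 1551553628 -> 1552759601 step as 14 days (no file for the week in between) and every other step as 7; on the real directory the same output tells you at a glance whether the files are on a cron-like cadence and whether any run happened off-schedule, which is the first thing to establish before worrying about what is inside them.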