Found several dozen files named 'logins-[10-digit-number].txt' on my dreamhost server, of unknown origin. Where are they coming from?

Matt K
I host several websites with Dreamhost. Today, I shelled into my main user account and found a few dozen .txt files at the top level of my main user account that looked incredibly suspicious. They are named `logins.1234567890.txt` (the numerical portion being uniquely generated, it appears) and contain CSVs showing apparent logins under this main username, including IP addresses and (variably) times/dates of the login. Most of them are my IP, but several are not, and some come from locations both near my home and business as well as outside the US (Canada was the only one I've seen so far).

Here's what I've found:

The files are generated at around the same time every week since last June (yeah, this is the first time I've noticed them – I'm not a frequent shell user). They appear to show logins with IP addresses and number of logins, along with dates and/or times. More often than not, it's my IP address, but sometimes it shows others.

Below I peeked inside a few of the files (with ls -l) to find out when they were created, in the order in which they appeared:

myuser@my_dreamhost_server:~$ ls -l logins-1554572892.txt
-r-------- 1 myuser pg17700 234 Apr  6 10:55 logins-1554572892.txt
ladot@ds11468:~$ ls -l logins-1553969843.txt
-r-------- 1 myuser pg17700 180 Mar 30 11:24 logins-1553969843.txt
ladot@ds11468:~$ ls -l logins-1553364634.txt
-r-------- 1 myuser pg17700 180 Mar 23 11:17 logins-1553364634.txt
ladot@ds11468:~$ ls -l logins-1552759601.txt
-r-------- 1 myuser pg17700 179 Mar 16 11:12 logins-1552759601.txt
ladot@ds11468:~$ ls -l logins-1551553628.txt
-r-------- 1 myuser pg17700 1093 Mar  2 11:12 logins-1551553628.txt

...etc. I noted the dates were exactly 1 week apart. I also noted in further poking around that the year was included up until last October, at which point it was no longer shown. At that point, the time of day began to be shown instead when doing a "ls -l" on these files.

Did I mention that this is weird?

Looking deeper into one of the files (posted on Feb 23, 2018), I noted it oddly contained login records dating all the way back to October through the day before (Feb. 22). According to the contents of this file, in that time I had logins from my home neighborhood (not quite my house, but maybe close enough), a neighboring town in WA state, and Chino CA, where I definitely was not on October 25, 2018... among others.

However, I did a grep for logins to this user on DH over the past month, and none of them line up in the slightest with what I'm seeing inside these files. The grep shows only my logins, and what appears to be 00:00 logins from what appears to be Dreamhost itself:

myuser    ftpd29085    2607:f298:5:100a Fri Mar 22 14:29 - 14:29  (00:00)

(A Google search for the IPv6 (I think?) address 2607:f298:5:100a turns up Dreamhost. See here.) I'm not sure if that means it's DH itself, or someone else using DH. Why would this login be for 00:00 duration? I'm in way over my head here.

This all leads me to believe that maybe it's not the Dreamhost account specifically that is seeing these logins, but something else with the same "myuser" username – perhaps a Wordpress install that I lost track of – though I don't see that. Hoping someone here can help me figure this out... perhaps you've seen this naming convention in a similar situation or otherwise have an inkling as to what's happening.

FWIW, Dreamhost performed a scan and found no malware or other issues, and everything seems to be fine with all my sites, but these files and their contents are very unsettling and confusing. I'm sure there's a reasonable explanation, but I have no clue right now what it could be.

I know this is a sticky one. I hope I've explained the issue clearly enough, but obviously feel free to ask questions if anything isn't clear.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Likely what's happened is this...

1) You've logged into Dreamhost using a plain text protocol...

So HTTP rather than HTTPS, or FTP rather than SFTP.

2) If you access your site in any way using a clear text protocol, so HTTP/FTP/SQL/IMAP/POP/anything, stop now + immediately change to secured protocols.

3) If you access your site in any way using a clear text protocol, likely you've been hacked.

4) The ftpd29085 process ID is the clue.

Close all your security holes (plain text protocols), then check your system + scrub any hacked files.

5) WiFi is hackable. No way around this. A problem with the protocol. Any kid in your neighborhood can download a copy of aircrack + hack your WiFi as soon as roughly 85K worth of packets flow.

The only way to guard against neighbors hacking your logins is to only use secure protocols, never any clear text protocols.
Matt K, Web Designer

Author

Commented:
Thanks for the help, David.

I learned from Dreamhost today that these .txt files were placed there by them as part of a purchase I made last June of DreamShield, which is a service meant to protect from malicious content. These .txt files are scan results. Perhaps ironically, I received no notice or warning of suspicious logins (Foreign country login didn't set off any alarms, evidently). I only found and examined these files by pure accident.

"The ftpd29085 process ID is the clue."

Can you elucidate on this? In what specific way?

"scrub any hacked files"

Is there a recommendation to follow in this case? I don't see anything overtly wrong – everything actually seems in order, and so far from what I've seen the logins have a duration of 00:00, and seem to be coming from Dreamhost's Abuse Team (Google that address and you get the whois for them). It looks like this:

myuser    ftpd17075    2607:f298:5:100a Fri Apr  5 15:00 - 15:00  (00:00)    
myuser    pts/2        [my.ip.address]   Wed Apr  3 14:04 - 18:18  (04:13)    
myuser    ftpd28909    2607:f298:5:100a Tue Apr  2 14:21 - 14:21  (00:00)    
myuser    ftpd27834    2607:f298:5:100a Wed Mar 27 14:43 - 14:43  (00:00)    
myuser    ftpd10285    2607:f298:5:100a Mon Mar 25 13:10 - 13:11  (00:00)    
myuser    ftpd9645     2607:f298:5:100a Mon Mar 25 12:52 - 12:52  (00:00)    
myuser    ftpd9597     2607:f298:5:100a Mon Mar 25 12:50 - 12:50  (00:00)    
myuser    ftpd30298    2607:f298:5:100a Fri Mar 22 14:49 - 14:49  (00:00)    
myuser    pts/2        [my.ip.address]   Fri Mar 22 14:39 - 16:52  (02:13)    
myuser    ftpd29085    2607:f298:5:100a Fri Mar 22 14:29 - 14:29  (00:00)    
myuser    pts/2        [my.ip.address]  Fri Mar 22 13:55 - 14:29  (00:34)    
myuser    ftpd22674    2607:f298:5:100a Fri Mar 22 11:11 - 11:11  (00:00)    
myuser    ftpd20628    2607:f298:5:100a Thu Mar 21 15:46 - 15:46  (00:00)

So I've asked them to confirm whether this is their team logging into my user for 00:00 as part of their security process (waiting for response). The site passed their latest scan for malicious content, but apart from that I'm unsure what else to look for. Again, nothing seems out of order. Any guidance here would be appreciated.

So to clarify, by hacking WiFi, these young miscreants get your passwords?

Duly noted to never, ever use an insecure protocol. It's been some time since I've logged on to anything with an insecure protocol (lot of FTP applications are nagware about this now), but also some time since I changed my pass for this user.  As God is my witness, I will never again use plain text. In the meantime, hoping to get back to business as usual.

Thanks again for the advice, David
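Added example (my own, not code from the thread or from Dreamhost) that puts the two artefacts above side by side: it decodes the 10-digit epoch in each `logins-<epoch>.txt` name to check the weekly spacing Matt noticed, and parses `last`-style lines to separate ftpd sessions from shell sessions and flag any source address outside a set you have decided to trust. The sample lines, the addresses 203.0.113.10 and 198.51.100.7, and the contents of the trusted set are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `last` output, modelled on the thread's lines.
# 203.0.113.10 stands in for the author's own IP; 198.51.100.7 is an invented outlier.
SAMPLE_LAST = """\
myuser    ftpd17075    2607:f298:5:100a Fri Apr  5 15:00 - 15:00  (00:00)
myuser    pts/2        203.0.113.10     Wed Apr  3 14:04 - 18:18  (04:13)
myuser    ftpd28909    2607:f298:5:100a Tue Apr  2 14:21 - 14:21  (00:00)
myuser    ftpd10285    2607:f298:5:100a Mon Mar 25 13:10 - 13:11  (00:00)
myuser    pts/2        203.0.113.10     Fri Mar 22 14:39 - 16:52  (02:13)
myuser    ftpd9999     198.51.100.7     Thu Mar 21 03:12 - 03:40  (00:28)
"""
# Addresses the operator chooses to trust (assumed here: own IP plus the provider
# scanner address that the thread's whois lookup attributes to Dreamhost).
TRUSTED = {"203.0.113.10", "2607:f298:5:100a"}
# File names as listed in the question (10-digit Unix epoch after "logins-").
SAMPLE_FILES = ["logins-1554572892.txt", "logins-1553969843.txt", "logins-1553364634.txt",
                "logins-1552759601.txt", "logins-1551553628.txt"]

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<src>\S+)\s+(?P<start>\w{3} \w{3}\s+\d+ \d\d:\d\d)"
    r" - \S+\s+\((?:(?P<days>\d+)\+)?(?P<hh>\d+):(?P<mm>\d\d)\)")
FILE_RE = re.compile(r"^logins-(\d{10})\.txt$")

def parse_last(text):
    """Turn `last` lines into dicts; tty 'ftpdNNN' is an FTP-daemon session, 'pts/N' a shell."""
    out = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue  # 'wtmp begins' trailer, blank lines, sessions still open
        mins = int(m["days"] or 0) * 1440 + int(m["hh"]) * 60 + int(m["mm"])
        out.append({"user": m["user"], "kind": "ftp" if m["tty"].startswith("ftpd") else "shell",
                    "src": m["src"], "start": m["start"], "minutes": mins})
    return out

def triage(sessions, trusted):
    """Sessions from any address outside the trusted set, regardless of duration."""
    return [s for s in sessions if s["src"] not in trusted]

def filename_dates(names):
    """Decode each logins-<epoch>.txt name to a UTC datetime, oldest first."""
    stamps = sorted(int(m[1]) for m in map(FILE_RE.match, names) if m)
    return [datetime.fromtimestamp(t, tz=timezone.utc) for t in stamps]

def gaps_in_days(dates):
    """Spacing between consecutive files; 7.0 confirms the weekly cadence noted in the thread."""
    return [round((b - a).total_seconds() / 86400, 1) for a, b in zip(dates, dates[1:])]
```

Feed `parse_last` the real output of `last myuser` and `filename_dates` the result of `ls logins-*.txt`; the 14.0 gap in the sample only reflects that the question's listing skipped one week's file.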
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
ftpd29085 - This suggests an FTP connection, rather than an SFTP connection, which suggests a plain text protocol is running.

Only you, or whoever set up your server, can determine if this is true.

Or you can post your site (host or domain) name for scanning.

Scrub any hacked files - Depends on code you're running on your site.

Might be a CMS like WordPress or custom code.

Each code base has a particular structure.

For example with WordPress, you can see if all core files match pristine files out of the related WordPress archive file. If any core file is hacked, that likely means other files are hacked + also database is hacked.

Hackers - So to clarify, by hacking WiFi, these young miscreants get your passwords?

Yes. Using clear text logins is the primary way hackers access sites.

Also... shudder... if same user/pass is used for both FTP + WordPress admin login... this is even worse.

Tip: Use a 16-32 byte unique alpha-numeric string for every single password. Period. No exceptions. In other words, never duplicate using the same password twice.

Note: Miscreants can scrape any clear text protocol. So if your site runs HTTP, rather than HTTPS, same problem will occur.

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You're welcome!

Hang in there!
Matt K, Web Designer

Author

Commented:
Thanks again for the response, David.

"This suggests an FTP connection, rather than an SFTP connection, which suggests a plain text protocol is running."

Does this mean the user associated with that specific 00:00 duration login used plaintext? My logins were not, it looks like.

As I mentioned, a scan from Dreamhost showed nothing out of order. There is a single Wordpress-containing directory (admin protected by super-password, and I've been on pure SFTP since before that install), but apart from that it's static html, css and js. What can I do? Where do I even begin? Is there any sort of tool I can use?

I'm a little freaked out. This is not unlike when my car was broken into the other day. I couldn't remember if I'd had anything of any value in there, and I could tell someone had rifled through it. They didn't take a dump on the dashboard (malware), but they left evidence of their presence. That's about all I had to go on.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
You've already mentioned the *.txt files are owned by something called DreamShield which you purchased.

Likely the short durations are DreamShield probing your system for some data.

Just a guess.

Take a look at the DreamShield docs. It appears DreamShield does an SFTP login + does a scan, so likely all's well.
