Read this before signing up for Dreamhost

As Dreamhost picks up more and more users in Taiwan, more and more people here are complaining about it too. Lifetype was shut down by Dreamhost without warning, and Mark looks to be still fuming over it. Separately, a helpful reader, 喬, wrote in with a Dreamhost security problem:

Logging in, I found that Dreamhost has a bug that lets anyone easily get into other users' site directories.

Each user's domains are created under that user's home directory. Other people have no way of knowing which user owns which domain,
but every user has a logs directory, and the domain names are right there in it.
So anyone who wants to can get a user's site directory name from logs, change into that site directory,
and if the user's files are not encrypted and no file permissions have been set, read them with commands like cat.

When I found this I immediately changed my blog's PHP files to mode 400, but the site went down at once because Apache could not open the PHP files.
So I wrote to Dreamhost asking for a solution. They later made an adjustment so that PHP files with o-r set also run normally.
But they replied that beyond setting correct file permissions there is no way to stop other people from peeking at file contents.
And I don't think Dreamhost can remove the logs directory from users' home directories any time soon so that people can't get domain names out of it.
So if you host a site on Dreamhost, it's best to set your files to o-r, or encrypt them.

I'm telling you this partly so you can be on guard and avoid having your MySQL account and password found this way and your site broken into,
and partly to ask you to post this warning on your blog so others hosting on Dreamhost are alerted to it.
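What 喬 describes comes down to plain Unix permissions on a shared host: every other customer is a local user on the same machine, so anything world-readable under your home directory is readable by all of them, database password included. The script below is an added example, not code from the original post or from DreamHost. It audits a site tree for PHP files that any other local user could read and strips the world-read bit from them, which is the `o-r` fix the letter recommends. The directory layout (`example.com/`, `logs/`), the file names and the `hunter2` password in `demo()` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from DreamHost.
# On a shared host every other customer is a local Unix user, so the only
# thing between them and your wp-config.php is the "other" permission bits.
# This script audits a site tree for *.php files any other user can read and
# strips that bit, as the letter recommends. Paths, file names and the
# password string in demo() are constructed for the demo.

# Print every *.php under $1 whose "other" read bit (octal 004) is set.
find_world_readable_php() {
    find "$1" -type f -name '*.php' -perm -004
}

# Same, but as a bare count suitable for a test or a cron report.
count_world_readable_php() {
    find_world_readable_php "$1" | wc -l | tr -d ' '
}

# True if the single file $1 is readable by "other".
other_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# Harden the tree under $1:
#  - *.php files lose every "other" bit, so `cat ~victim/site/wp-config.php`
#    fails for other tenants;
#  - directories lose the "other" read bit so they cannot be listed, but keep
#    execute so a web server running as a different uid can still reach
#    static files (css, images) by exact path. Those static files are left
#    world-readable on purpose; strip them too only if your host serves
#    them as your own uid.
# Caveat from the letter: if PHP itself runs as the web server's user rather
# than yours, o-r on .php files takes the site down (the mode 400 incident).
# The host has to run PHP under your uid, as DreamHost later did, for this
# to be safe.
harden_php_tree() {
    find "$1" -type f -name '*.php' -exec chmod o-rwx {} +
    find "$1" -type d -exec chmod o-r {} +
}

# Build a throwaway tree in the shape the letter describes, harden it, and
# return 0 only if every PHP file stopped being world-readable while the
# static asset stayed readable.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/example.com/wp-content" "$root/logs/example.com"
    printf '<?php $db_pass = "hunter2";\n' > "$root/example.com/wp-config.php"
    printf '<?php echo "hi";\n' > "$root/example.com/wp-content/index.php"
    printf 'body{}\n' > "$root/example.com/style.css"
    chmod 644 "$root/example.com/wp-config.php" \
              "$root/example.com/wp-content/index.php" \
              "$root/example.com/style.css"
    chmod 755 "$root/example.com" "$root/example.com/wp-content"

    before=$(count_world_readable_php "$root")
    harden_php_tree "$root"
    after=$(count_world_readable_php "$root")
    if other_readable "$root/example.com/style.css"; then css=yes; else css=no; fi
    rm -rf "$root"
    [ "$before" = 2 ] && [ "$after" = 0 ] && [ "$css" = yes ]
}

# Usage: sh audit.sh --demo   (or source it and run: harden_php_tree ~/example.com)
if [ "${1:-}" = "--demo" ]; then
    demo && echo "demo: PHP files hardened, static asset still readable"
fi
```

Run `find_world_readable_php ~/example.com` first to see what is exposed before changing anything. The reason the script only touches `*.php` is the failure mode in the letter: static assets served by Apache under its own uid still need `o+r`, whereas PHP files only need to be readable by whatever uid executes PHP, and the letter's mode 400 outage is exactly what happens when that uid is not yours.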

Besides the problem 喬 reports, Dreamhost has another serious PHP security vulnerability, which I reported to them when I signed up; Dreamhost said they would deal with it, but in practice never have. It looks like Dreamhost's promotions have gotten out of hand: with the surge in users, service quality has been on a steady decline. If you really want to rent from Dreamhost, think it over first. If you don't run scripts and just want a server for downloads, it is a decent choice.

12 comments on Read this before signing up for Dreamhost

  • I've been thinking about switching to shared hosting lately, and from this it sounds like a lot of people don't understand these problems.

    A question for neo: between godaddy and bluehost, whose standard shared hosting plan is better?

  • ivan:
    Sorry, I haven't used either of them. I'd suggest having a look at TWFTP:
    http://www.twftp.org

  • I've also been planning to move my company's site back to a Taiwanese host. Currently considering
    http://www.dollarhosts.com.tw
    http://www.hotels.com.tw
    Moving has become routine by now.

  • I have a question for neo and everyone:
    how can I find out the grade of my shared host, meaning the machine's speed?

    I don't really trust what the advertising says,
    especially since a site with xoop on it
    gets really slow if the machine isn't fast.
    For example, I don't dare put my xoop site on 戰xx.
    dollarhosts probably has tiers too.

  • 南庄民宿網:

    Try phpsysinfo:
    http://phpsysinfo.sourceforge.net/

  • As the saying goes: cheap goods aren't good, and good goods aren't cheap.
    I use dreamhost too and I'm frustrated to death right now, but it hasn't been 97 days yet; I don't know whether the refund will be a problem.

  • CARE!! Dreamhost is stealing domain names!!!
    See my experience:
    ————————————————————
    On Tue, 19 Jun 2007, you wrote:

    > Hello, I am trying to transfer my domain name XXXX.com to another
    > registrar, it requests the authorization code provided by
    > Dreamhost.com, but I can not find it in my account, please advise,
    > thank you.
    >

    This account was closed for suspected fraud. We will not be able to
    release the domain registration.

    Karl

    – DreamHost Abuse/Security Team
    – Terms of Service: http://www.dreamhost.com/tos.html
    – Anti-Spam Policy: http://www.dreamhost.com/spam.html

    ———————————————————–
    On Tue, 19 Jun 2007, you wrote:

    > Hello, I know my account was closed for some reason, but I don't know
    > what "suspected fraud" means, anyway if you feel uncomfortable
    > providing me service it's fine, I just want my domain name back, I NEED
    > MY DOMAIN NAME BACK, why do you hold my domain name??? It's not
    > reasonable, the domain name was registered under my name and now you
    > just steal it from me??? Furthermore I did not find any information
    > about "service termination" in your terms and conditions that states
    > you will hold my domain name in such a situation, otherwise I wouldn't
    > even have registered with you guys. I really need to talk to someone
    > who can take care of this matter, and I can not find a phone number on
    > your website, please advise, thank you for all your help.
    >
    >

    "Suspected fraud" means we suspect your account was signed up using a
    stolen credit card.

    If you would like to contest this, please fax me US state photo ID,
    plus another form of ID, both displaying the name and address
    information you signed up with:

    Jerry XXX
    84372-2 XXX XXXXX
    Killeen, TX 76544, US

    Write "ATTN: KARL" at the top of the fax.

    The fax number is: 213-624-1143

    Karl

    – DreamHost Abuse/Security Team
    – Terms of Service: http://www.dreamhost.com/tos.html
    – Anti-Spam Policy: http://www.dreamhost.com/spam.html

    ————————————————————
    On Tue, 19 Jun 2007, you wrote:

    > Hello, thanks for your reply, I am not a US resident, I am Chinese, I
    > registered with my US address because I was studying in the US when I
    > hosted my website on dreamhost, but the credit card has no problem, I
    > can fax you a copy of both sides of the credit card, the monthly
    > statement and my Chinese ID card, does this help? I need the last four
    > digits of the card number to help me remember which card I used to sign
    > up, but I promise I never used a fraudulent card, and I do need my
    > domain name back, please help, thank you!!
    >
    >

    No. We will need to see your US ID in the name of "Jerry Smith" with
    the address you gave us when signing up. If this information is false,
    you committed fraud, which simply supports the reason your account was
    disabled in the first place.

    Karl

    – DreamHost Abuse/Security Team
    – Terms of Service: http://www.dreamhost.com/tos.html
    – Anti-Spam Policy: http://www.dreamhost.com/spam.html
    ———————————————————–
    Hello, but you said it's about my credit card, right? So now I can prove that I am the card holder, then what's the matter, what fraud is this? And what does this have to do with getting my domain name back?? I have used my English name to register several domains and never had a problem, I am not a US resident, I don't have a US ID card, you never asked that I have to use the name on my ID card to sign up, but all my credit card info is correct, including the holder's name and billing address, and I don't think this can be the excuse for you to steal my domain name from me, it's not logical. I pay you guys to register the domain name, not to check all my privacy, the credit card payment via google checkout has no problem, I did not commit any fraud, you refunded my money on your own and now I lose ownership of my domain name, what the hell is this?? Is there a phone number I can call to talk to some supervisor please, I want to resolve this problem as soon as possible, thank you.

    Then they NEVER REPLIED.......... I just feel my domain name will never come back, is it fair????

  • Impressive, each one tougher than the last.

  • Can anyone recommend some hosts suitable for running a blog or forum?
    I don't want to use Dreamhost anymore either. Two static sites I had for clients
    got shut down once traffic picked up a little (Alexa rank 330,000), with spam as the excuse.

  • Can anyone recommend a better US shared host?
    Ideally one that lets you bind lots of domains, like dreamhost does.

  • Just signed up. No problems found so far; I'll just have to use it and see.
