Very Very experienced PHP programmer , HELP needed
#1
Very Very experienced PHP programmer , HELP needed
Here's the situation.
Index.php file has include to _header.php file.
Some little shit keeps hacking the site and changing the code into the header.php file, which sets off a redirect.
Passwords are changed daily!! Tried from 3 PCs, inc. a brand new clean PC.
Still the prick gets in and hacks the site.
Here's what I want to do, but I don't know how to do it.
We want to track modified pages and capture IP on the fly.
No point tracking IP of page file access, as the site gets +1 million hits per day!!!
So we need to install a tracker of sorts that immediately notifies us of FTP change to the particular file.
Obviously the little twat doing this could be going via proxy. We have changed permissions till the cows come home.
I am at my wits' end!
Not sure if there are other ways of protection; would changing the site to https make any difference?
Changing htaccess?
Have considered sitting the file on A N Other server, with read-only access... but not sure if that will jeopardise rank.
We have Google involved, also DMCA and a lawyer, as we know who is doing it!!! That's the pisser!!! ... but cannot prevent him doing it!
So any really really good programmers, know any suggestions, would really appreciate your help.
#2
Re: Very Very experienced PHP programmer , HELP needed
I'm not experienced enough to help you with this particular issue, but you might want to try posting on www.phpexpertsforum.com - I've had some good help from there.
#3
Re: Very Very experienced PHP programmer , HELP needed
Sorry I can't help, but...
Intriguing...! You know who it is, but can't prevent it...? A competitor...? Send the boys around...!
#4
Re: Very Very experienced PHP programmer , HELP needed
I'm not experienced enough to help you with this particular issue, but you might want to try posting on www.phpexpertsforum.com - I've had some good help from there.
They are based in USA. We managed to get them banned on Google Adsense, and a few other well known ad publishers... but this issue has been going on for 2 years! In one form or another!!!
#5
Australia's Doorman
Joined: Jan 2005
Location: The Shoalhaven, New South Wales, Australia
Posts: 11,056
Re: Very Very experienced PHP programmer , HELP needed
Just asked our coder. He said ...
FTP access means that when you log in, the username and password are being sent in the clear, so changing to SFTP is probably a good idea. I'm pretty sure that Google's rank would not be affected by the site being moved. You could also try restricting access with an htaccess.
#6
Re: Very Very experienced PHP programmer , HELP needed
This is a really interesting issue, particularly when you know who is doing it... I'm going to ask around a couple of PHP techheads - if I come up with anything I'll let you know!
#7
Re: Very Very experienced PHP programmer , HELP needed
Is the server secure? They may be using some other account to get in. Typically it's forum or calendar software that has the bug and allows for file injection. Check your version of each module used, and check the Apache logs for uploads featuring the file name.
Perhaps have the include file outside of Apache space, i.e. if your directory setup is /home/user/public_html, then bung the include in a directory like /home/user/include so that there is no html access to it.
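One way to do the log check suggested above, as an added example that is not from the thread: it pulls POST/PUT requests, and any request that names the include file, out of an Apache combined-format access log, optionally limited to a time window. The log lines, addresses and the /forum/upload.php path are constructed.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Apache common/combined format: client identd user [time] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
WRITE_METHODS = {"POST", "PUT"}  # methods that can carry an uploaded body


def suspicious_requests(lines, filename, start=None, end=None):
    """Return requests that could be uploads or that mention `filename`."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of guessing
        when = datetime.strptime(m.group("ts"), TS_FORMAT)
        if (start and when < start) or (end and when > end):
            continue
        # Decode %xx escapes so an encoded file name is still recognised.
        names_file = filename.lower() in unquote(m.group("url")).lower()
        if m.group("method") in WRITE_METHODS or names_file:
            hits.append({
                "ip": m.group("ip"),
                "time": when,
                "method": m.group("method"),
                "url": m.group("url"),
                "status": int(m.group("status")),
                "names_file": names_file,
            })
    return hits


# Constructed sample lines; the addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2008:02:10:01 +1100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Feb/2008:02:14:33 +1100] "POST /forum/upload.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [05/Feb/2008:02:15:02 +1100] "GET /%5Fheader.php HTTP/1.1" 200 88 "-" "-"',
    '192.0.2.44 - - [05/Feb/2008:09:30:00 +1100] "POST /contact.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG, "_header.php"):
        print(hit["time"].isoformat(), hit["ip"], hit["method"], hit["url"], hit["status"])
```

A 200 response to a direct request for the include file means it is still reachable over the web, which is what moving it out of public_html prevents.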
#8
Re: Very Very experienced PHP programmer , HELP needed
Just asked our coder. He said ...
FTP access means that when you log in, the username and password are being sent in the clear, so changing to SFTP is probably a good idea. I'm pretty sure that Google's rank would not be affected by the site being moved. You could also try restricting access with an htaccess.
Now I'm presuming that since the dickhead has access to the "_header.php" file, he also has full access to the rest of the site.
This is in itself fact... cos the dickhead stole our entire MySQL databases, which are literally gigantic.
I'm not sure what SFTP means?
Is the server secure? They may be using some other account to get in. Typically it's forum or calendar software that has the bug and allows for file injection. Check your version of each module used, and check the Apache logs for uploads featuring the file name.
Perhaps have the include file outside of Apache space, i.e. if your directory setup is /home/user/public_html, then bung the include in a directory like /home/user/include so that there is no html access to it.
( from php source code view )
The reason we know who is doing it is because it's been a 24 month battle!
We don't actually know physical name and address.
The hosting company is on MUTE, they just ignore us.
If we were in America it would be a different matter, but then we'd probs be being hacked from Oz then lolol
I think in essence my query, is that we need actual proof of catching him hacking, by IP CAPTURE and logs.
We can prove he has our stuff.
We can demonstrate he has copied 15,000 pages of the website, we can even prove the scripts he is using are direct cloned copies right down to watermarked images we use, which still bear our complete logo !
What we cannot do at the moment, is catch him in the act.
Albeit each day, this particular file has been changed, and we are off playing silly buggers again.
The problem is he does it at about 2-2:30 am AEST. Which means we don't actually discover it till about 5am+
So yep, my ideology is to somehow, capture his IP, doing what he does, add this to lawsuit, and then use this to ban his ip range. ( albeit his IP is probably floating !!! )
Ste
#9
Re: Very Very experienced PHP programmer , HELP needed
The only thing he could have done is to have set up a cron to change the file, on a daily basis? I highly expect that this is possible.
The annoying thing is.... and this is the killer.
One of his hacks points our site (top of header file) to a non-existent file on server. So as the site gets re-indexed, it throws up an incomplete XML sitemap scan. Obviously cannot spider entire site.
Now because he has an EXACT clone of our site, his site instantly gets re-indexed in all of our keyword positions!
Imagine that!! How fkn annoying is that huh!
Fortunately, our Google rep was kind enough to do some trackbacks, and look at cached codes etc... and discovered the issue. They immediately banned the site (from Adsense) but cannot ban him from the search engine.
Albeit, for 4 days of the week, his site appears Sandboxed !
My concern is, I think his next move will be to drop a google bomb script on our server !!
Grrrrrr
#10
Re: Very Very experienced PHP programmer , HELP needed
Change the PHP include path, and move the include file to another directory (unless the dir is hardcoded).
Perhaps you could then track the access to the original unused file.
#12
Re: Very Very experienced PHP programmer , HELP needed
Strange to have the database as well, as they normally have a different user/password unless the root account is hacked.
I guess the hack solution is a 5 min cron job that checks the file, if changed replaces the original back, alerts you.
Has the replaced file got the same owner as the account? If your app doesn't have any upload modules then it sounds like the server is compromised. Mine was the other day with an IRC, and two fake httpd processes mailing spam (check /tmp dir for extra code). Took me ages in the Apache logs for all the domains to find where it was being uploaded.
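The five-minute cron check suggested above could look like this. It is an added example, not code from the thread: the paths are placeholders, the known-good copy and the evidence directory are assumed to sit outside the web root, and it also records the owner of the modified file, which the post asks about.

```python
import hashlib
import os
import shutil
import time


def sha256_of(path):
    """Hash the file in chunks so its size does not matter."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_and_restore(target, baseline, evidence_dir, expected_uid=None):
    """Return None if target matches baseline, otherwise a report dict."""
    exists = os.path.exists(target)
    if exists and sha256_of(target) == sha256_of(baseline):
        return None
    report = {"target": target, "evidence": None, "detected": time.ctime()}
    if exists:  # edited rather than deleted: keep a copy as evidence
        st = os.stat(target)
        os.makedirs(evidence_dir, exist_ok=True)
        name = "%s.%d" % (os.path.basename(target), int(st.st_mtime))
        kept = os.path.join(evidence_dir, name)
        shutil.copy2(target, kept)  # copy2 preserves the modification time
        report.update(
            evidence=kept,
            modified=time.ctime(st.st_mtime),  # line this up with the logs
            tampered_sha256=sha256_of(kept),
            owner_uid=st.st_uid,
            owner_changed=expected_uid is not None and st.st_uid != expected_uid,
        )
    tmp = target + ".restore.tmp"
    shutil.copyfile(baseline, tmp)
    os.replace(tmp, target)  # atomic when tmp and target share a filesystem
    return report


if __name__ == "__main__":
    # Placeholder paths (assumptions). Cron mails whatever a job prints.
    result = check_and_restore("/home/user/public_html/_header.php",
                               "/home/user/baseline/_header.php",
                               "/home/user/evidence")
    if result:
        print("ALERT: _header.php was modified and has been restored")
        for key in sorted(result):
            print("  %s: %s" % (key, result[key]))
```

Putting the file back does not close whatever hole is being used; the preserved copy and its modification time are what to line up against the FTP and Apache logs.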
#13
Re: Very Very experienced PHP programmer , HELP needed
Strange to have the database as well, as they normally have a different user/password unless the root account is hacked.
I guess the hack solution is a 5 min cron job that checks the file, if changed replaces the original back, alerts you.
Has the replaced file got the same owner as the account? If your app doesn't have any upload modules then it sounds like the server is compromised. Mine was the other day with an IRC, and two fake httpd processes mailing spam (check /tmp dir for extra code). Took me ages in the Apache logs for all the domains to find where it was being uploaded.
Which does not exist.
However somehow today, when we discovered it, it redirected the site to:
http://webfetti.smileycentral.com/do...r=XXXXXXX=true
The Partner ID I have removed whilst we hear back from Fun Web Products, as to who the owner is, as I have a feeling it could be the hacker !
Sheesh...
Will sit down with eldest a little later when he is back, and go thru all the files we can ( that are possible issues )
Takes us ages too.. we usually work on the rule of thumb, pick the 1st loaded file, and work backwards.
We had an eBay / PayPal doobery (won't swear) uploaded to a server a couple of years ago, and it caused no end of problems. Fortunately the Police intervened, and it was someone in the USA! So wondering if it's one and the same.
Last edited by Timber Floor Au; Feb 5th 2008 at 5:34 am.
#14
Re: Very Very experienced PHP programmer , HELP needed
I had to convert as mine was hacked too
#15
Re: Very Very experienced PHP programmer , HELP needed
You on a Linux box? What permissions are on the file?
If done correctly Apache runs as web or nobody and this user should not be able to edit your files.
Changing to https probably won't make a difference.
You can PM me if you like, worked on Apache support a while ago. If it's a Windows box then you deserve to get hacked lol
Here's the situation.
Index.php file has include to _header.php file.
Some little shit keeps hacking the site and changing the code into the header.php file, which sets off a redirect.
Passwords are changed daily!! Tried from 3 PCs, inc. a brand new clean PC.
Still the prick gets in and hacks the site.
Here's what I want to do, but I don't know how to do it.
We want to track modified pages and capture IP on the fly.
No point tracking IP of page file access, as the site gets +1 million hits per day!!!
So we need to install a tracker of sorts that immediately notifies us of FTP change to the particular file.
Obviously the little twat doing this could be going via proxy. We have changed permissions till the cows come home.
I am at my wits' end!
Not sure if there are other ways of protection; would changing the site to https make any difference?
Changing htaccess?
Have considered sitting the file on A N Other server, with read-only access... but not sure if that will jeopardise rank.
We have Google involved, also DMCA and a lawyer, as we know who is doing it!!! That's the pisser!!! ... but cannot prevent him doing it!
So any really really good programmers, know any suggestions, would really appreciate your help.