Timber Floor Au

heres the situation.

Index.php file has include to _header.php file.

Some little shit, keeps hacking the site, and changing the code into the header.php file, which sets off a redirect.

Passwords are changed daily. !! Tried from 3 p.c.'s inc brand new clean pc.

Still the prick gets in and hacks the site.

Heres what I want to do, but I dont know how to do it.
We want to track modified pages and capture IP. on the fly.

No point tracking IP of page file access, as the site gets + 1 million hits per day !!!
So we need to instill a tracker of sorts, that immediately notifies us of FTP change, to the particular file.
Obviously the little twat doing this could be going via proxy. We have changed permissions till the cows come home.

I am at my wits end !

Not sure if there are other ways of protection, would changing the site to https make any difference?
Changing htaccess ?
have considered sitting the file on A N Other server, with read only access.. but not sure if that will jeopardise rank.

We have Google involved, also DMCA and a lawyer, as we know who is doing it !!! thats the pisser !!! .... but cannot prevent him doing it !

So any really really good programmers, know any suggestions, would really appreciate your help.

ridds

I'm not experienced enough to help you with this particular issue, but you might want to try posting on www.phpexpertsforum.com - i've had some good help from there.

DrWho

Sorry I can't help, but...

Intriguing...! You know who it is, but can't prevent it...? A competitor...? Send the boys around...!

Timber Floor Au

Have contacted a few friends in the trade, and none really know of a solution. Will look at the phpexperts site, have also posted this on other forums, looking for some assistance... who knows

They are based in USA. We managed to get them banned on Google Adsense, and a few other well known ad publishers... but this issue has been going on for 2 years ! In one form or another !!!

Hutch

Just asked our coder. He said ...

ridds

This is a really interesting issue, particularly when you know who is doing it... I'm going to ask around a couple of php techheads - if i come up with anything I'll let you know!

datamile

Is the server secure as they may be using some other account to get in. Typically its forum or calendar software that has the bug, and allows for file injection. Check you version of each module used, and check apache logs for uploads featuring the file name.

Perhaps have the include file outside of apache space. i.e.

if your directory setup is /home/user/public_html , then bung the include in a directory like /home/user/include so that there is no html access to it.

Timber Floor Au

The issue, as I see it with restricting the file in htaccess is that the file needs to be accessed, sitewide, as its an include?
Now im presuming that since the dickhead has access to the "_header.php" file, he also has full access to the rest of the site.

This is in itself, fact.. cos the dickhead, stole our entire mysql databases, which are literally gigantic.
Im not sure what sftp means?

if the file is .php then, there is not http access to the file anyway is there?
( from php source code view )


The reason we know , who is doing it, because its been a 24 month battle !
We dont actually know physical name and address.

The hosting company, is on MUTE , they just ignore us.
If we were in America it would be adifferent matter, but then we'd probs be being hacked from Oz then lolol

I think in essence my query, is that we need actual proof of catching him hacking, by IP CAPTURE and logs.
We can prove he has our stuff.
We can demonstrate he has copied 15,000 pages of the website, we can even prove the scripts he is using are direct cloned copies right down to watermarked images we use, which still bear our complete logo !

What we cannot do at the moment, is catch him in the act.
Albeit each day, this particular file has been changed, and we are off playing silly buggers again.

The problem is he does it at about 2-2:30 am AEST. Which means we dont actually discover it till about 5am+

So yep, my ideology is to somehow, capture his IP, doing what he does, add this to lawsuit, and then use this to ban his ip range. ( albeit his IP is probably floating !!! )

Ste

Timber Floor Au

The only thing he could have done is to have set up a cron to change the file, on a daily basis? I highly expect that this is possible.

The annoying thing is.... and this is the killer.

One of his hacks, points our site ( top of header file ) to a non existant file on server. So as the site gets re-indexed, then it throws up an incomplete XML sitemap scan. Obviously cannot spider entire site.

Now because he has EXACT clone of our site, his site instantly gets re-indexed in all of our keyword positions !

Imagine that !! How fkn annoying is that huh !

Fortunately, our google rep, was kind enough to do some trackbacks, and look at cached codes etc.. and discovered the issue. They immediately, banned the site ( from adsense ) but cannot ban him from the search engine.

Albeit, for 4 days of the week, his site appears Sandboxed !

My concern is, I think his next move will be to drop a google bomb script on our server !!

Grrrrrr

datamile

Change the php include path, and move the include file to another directory ( unless the dir is hardcoded )

Perhaps you could then track the access to original un-used file

Timber Floor Au

Wouldnt that tho, track every access to that file? which is about 1 to the power 9 per day lol ?

datamile

Strange to have the database as well as they normally have a different user/password unless the root account is hacked.

I guess the hack solution is 5 min cron job that checks the file, if changed replace the original back, alert you.

Has the replaced file got the same owner as the account ? If your app doesn't have any upload modules then it sounds like the server is compromised. Mine was the other day with an irc, and two fake httpd processes mailing spam. ( check /tmp dir for extra code ). Took me ages in the apache logs for all the domains to find where it was being uploaded.

Timber Floor Au

the hack is : <? include ("/dev/shm/_global.php"); ?>

Which does not exist.

However somehow today, when we discovered it, it redirected the site to:
http://webfetti.smileycentral.com/do...r=XXXXXXX=true

The Partner ID I have removed whilst we hear back from Fun Web Products, as to who the owner is, as I have a feeling it could be the hacker !

Sheesh...

Will sit down with eldest a little later when he is back, and go thru all the files we can ( that are possible issues )

Takes us ages too.. we usually work on the rule of thumb, pick the 1st loaded file, and work backwards.

We had a ebay / paypal doobery ( wont swear ) uploaded to a server couple of years ago, and caused no end of problems, fortunately the Police intervened, and was someone in the USA ! so wondering if its one and the same.

Wendy

Secure File Transfer Protocol http://en.wikipedia.org/wiki/SSH_fil...ol#SFTP_client

I had to convert as mine was hacked too

themerlin

You on a linux box, what permissions are the file.

If done correctly apache runs as web or nobody and this user should not be able to edit your files.

changing to https probably won't make a difference.

You can PM me if you like, worked on apache support a while ago, if it's a windows box then you deserve to get hacked lol