Very Very experienced PHP programmer, HELP needed
#16
Secure File Transfer Protocol http://en.wikipedia.org/wiki/SSH_fil...ol#SFTP_client
I had to convert as mine was hacked too

You on a Linux box? What permissions are on the files?
If done correctly apache runs as web or nobody and this user should not be able to edit your files.
changing to https probably won't make a difference.
You can PM me if you like, worked on apache support a while ago, if it's a windows box then you deserve to get hacked lol
#17
If you make sure only root can write to the files it should be sorted.
Yer, it's Linux. Running Apache.
I can't see how this person has access, it's baffling us. Unless there's a backdoor route in.
Son is the coding whizzkid.. so will ask him when he gets in, and see what the go is. I'm pretty sure, somehow and somewhere there is some security compromise, within our own code... it's like finding a needle in a haystack.
Will report back, cheers mate
#18
Putty *is* an ssh implementation. IIRC sftp is a separate application from Putty or Unix-based ssh applications.
You might get better answers if you post this in The Lab, where all the geeks hang out. Including me.
#19

Do ya mean file permissions, as in 644 777 etc?
#21
The header.php file is actually set to 644!
Then each day, it's back to 777! (Yet after doing initial permission changes, we check and 644 it is.)
Go figure... someone's being very very norty!
#22
Who owns the file? And who does Apache run as?
#26
not sure
Basically, when you start Apache it forks child processes that actually process the requests from the outside world. There is a setting in your httpd.conf file that sets the user to fork the processes as; it's normally nobody.
Nobody should not be able to do anything other than read files. That way if there is a hole in Apache the hacker could only be in as nobody and not be able to do much damage.
I don't think they have your root password or they would do more than change the header.

#27

Will check httpd files!!
#28
Restart Apache, and make sure that all httpd processes have the new/later start time and that they are running as nobody.
Do netstat -a and see what comms is there in case there is a perm comms backdoor into the box.
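
The checks asked for in this part of the thread (which account Apache runs as, who owns the files, what changed recently), written out as a script. This is an added example, not something posted in the thread; the function names and output tags are made up here, and the config and web-root paths are whatever you pass in.

```shell
#!/bin/sh
# Added example: audit a web root for the conditions discussed in the thread.
# Nothing here is site-specific; both paths are supplied by the caller.

# Print the account named by the last "User" directive in an Apache config.
# (Some distros set it through a variable such as ${APACHE_RUN_USER};
# that is printed as-is.)
apache_user() {
    awk 'tolower($1) == "user" { u = $2 } END { if (u != "") print u }' "$1"
}

# audit_docroot DOCROOT WEBUSER
# Emits one line per finding: "<TAG> <path>".
audit_docroot() {
    root=$1
    webuser=$2

    # Anything with the "other" write bit set (e.g. mode 777) can be modified
    # by any local account, including the one the httpd children run as.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/WORLD_WRITABLE /'

    # Files owned by the web server account: that account can chmod and
    # rewrite them no matter what mode was set by hand earlier.
    find "$root" -user "$webuser" -print | sed 's/^/WEB_OWNED /'

    # ctime is updated by chmod/chown as well as by writes, so this lists
    # files whose mode or content changed in the last 24 hours; compare the
    # timestamps (ls -lc) against the access log for the same window.
    find "$root" -type f -ctime -1 -print | sed 's/^/CHANGED_24H /'
}

# Usage: sh audit.sh /path/to/docroot /path/to/httpd.conf
if [ "$#" -eq 2 ]; then
    audit_docroot "$1" "$(apache_user "$2")"
fi
```

A file that shows up as both WEB_OWNED and CHANGED_24H after you set it to 644 was most likely changed through the web server account itself, which points at the site's own scripts rather than a stolen login.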
#29
Respect! ^5 to both of yas (well, everyone, thanks)
#30
Any joy with your problem? Had some advice from a mate which is below...
Do you have root access to the server? If so you could install
mod_security for apache, as that should be able to detect any intrusions
and block/alert you about them.
If you keep changing the password then it is unlikely he is getting in
that way, he's probably exploiting some weakness in a script to do a
code or sql injection.
- Check that all your sql queries that use user data are being escaped
with mysql_escape_string().
- Check if you are using any exec() functions in the PHP code, and if so
that there is no possibility for a user to insert a string into these
functions.
You could pay someone like security metrics
https://www.securitymetrics.com/ about $100 to do a regular automated
security sweep of your server. They will look for vulnerabilities and
alert you of them.
HTH
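
The two code checks listed in the post above, turned into a triage script for the "needle in a haystack" problem. This is an added example, not part of the thread; the function names are made up here and the patterns are line-based heuristics that give you a list to review by hand.

```shell
#!/bin/sh
# Added example: triage a PHP tree for the two checks listed in the post.
# Line-based heuristics: they produce a review list, not a verdict.

# php_grep DIR PATTERN: file:line:text for each match in *.php under DIR.
php_grep() {
    # /dev/null forces grep to print the file name even for a single file;
    # "|| :" because grep exits 1 when nothing matches, which is not an error.
    find "$1" -type f -name '*.php' -exec grep -nE "$2" /dev/null {} + || :
}

# Calls to PHP functions that run an operating-system command. The leading
# character class skips look-alikes such as curl_exec() and $pdo->exec().
list_exec_calls() {
    php_grep "$1" '(^|[^A-Za-z0-9_>])(exec|shell_exec|system|passthru|popen|proc_open)[[:space:]]*\('
}

# Lines where a request variable appears in the same statement as SQL text,
# i.e. user data concatenated or interpolated into a query string.
list_sql_with_request_data() {
    php_grep "$1" '\$_(GET|POST|REQUEST|COOKIE)' |
        grep -iE '(select|insert|update|delete)[[:space:]]' || :
}

# Usage: sh triage.sh /path/to/docroot
if [ "$#" -eq 1 ]; then
    echo '== command execution call sites =='; list_exec_calls "$1"
    echo '== request data in SQL strings ==';  list_sql_with_request_data "$1"
fi
```

On current PHP, the fix for anything the second list turns up is a parameterized query (PDO or mysqli prepared statements); mysql_escape_string() was removed in PHP 7.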






