My PR4 site has been breached 4 times with Chinese coder hacks. They add code to my site to: 1. Change the Google SERPs snippet to read gobbledygook 2. Disallow my front page from opening or being accessed in any way. Naturally both the server company and my developer are befuddled and of course not guilty in any way. So that I can bash some ideas at them please share your thinking. 1/ The site is PHP 2/ The server is Linux and running the site, dedicated server. NB - Three weeks ago I had the keystroke virus. It got my PayPal hacked for 7k but did not seem to record any of my other keystrokes. Similarly the password for the server has not been used on this machine, but the password to the back end of the site's CMS has been. Is it likely that the hacker can place code perhaps in the CMS part of the site and thus this whole thing is my fault? Love you Note my junior status... ( like a little teenage junior cheerleader co-ed )
What do you host on your site? Is there a login script? If so then does it record access attempts and block login attempts after X failed attempts? Do you have any nulled scripts on the site? Have you put any scripts onto your site from unofficial sources?
You are pretty much saying "I'm human and I'm ill, what's wrong with me?". You have to provide Apache error and access logs for the hack time; core dumps, if there are any, would also help, as would all your software versions (CMS, Apache, PHP, etc.), even the configuration in php.ini.
Without knowing more specifics, here's what I'd do. Create an HTML-only "holding page" and host it at a different location (temporary, use a cheap cheap host). Change the DNS to point to the temporary holding site. Do a full secure backup of everything on the site. Go through every bit of code with no MySQL or PHP turned on. If you don't know how to do this, get someone who does. Get all vulnerability lists from the maker of your PHP code, PHP, MySQL, etc. Make sure your code isn't doing something stupid (like register_globals on). Have your host completely destroy your old account and set you up a new one. On a different server. Different usernames, passwords, etc. And only on the phone, no email. Only when you are certain that your code is completely clean, database data is clean, etc., upload your cleaned code and move on.
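The "back up, then go through every bit of code" step above is easier with an integrity check. The script below is an added example, not code from anyone in this thread: it hashes a known-clean backup and the live document root, reports every added, removed or modified file, and flags a php.ini that still has register_globals on. The directory layout and file contents it builds are constructed sample data.

```shell
#!/bin/sh
# Integrity check for a PHP web root: compare a known-clean backup against the
# live document root and list what changed. Sample trees below are constructed.
set -eu

# Print "sha256  ./relative/path" for every regular file under $1.
manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# Emit one line per difference between clean tree $1 and live tree $2:
# "ADDED path", "MODIFIED path" or "REMOVED path", sorted.
compare_trees() {
    clean_m=$(mktemp); live_m=$(mktemp)
    manifest "$1" > "$clean_m"
    manifest "$2" > "$live_m"
    awk 'NR==FNR { clean[$2]=$1; next }
         { if (!($2 in clean)) print "ADDED " $2;
           else if (clean[$2] != $1) print "MODIFIED " $2;
           seen[$2]=1 }
         END { for (p in clean) if (!(p in seen)) print "REMOVED " p }' \
        "$clean_m" "$live_m" | sort
    rm -f "$clean_m" "$live_m"
}

# Return 0 (true) if php.ini $1 enables register_globals, else non-zero.
register_globals_on() {
    grep -Eiq '^[[:space:]]*register_globals[[:space:]]*=[[:space:]]*(on|1|true|yes)' "$1"
}

# Build a constructed sample: a clean backup and a live root where index.php
# was tampered with, an unknown inc/x.php appeared and inc/old.php vanished.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/clean/inc" "$d/live/inc"
    printf '<?php echo "home";\n' > "$d/clean/index.php"
    printf '<?php echo "home";\ninclude "inc/x.php";\n' > "$d/live/index.php"
    printf '<?php // helper\n' > "$d/clean/inc/util.php"
    printf '<?php // helper\n' > "$d/live/inc/util.php"
    printf '<?php // retired\n' > "$d/clean/inc/old.php"
    printf '<?php // unknown\n' > "$d/live/inc/x.php"
    printf '[PHP]\nregister_globals = On\n' > "$d/php.ini"
    echo "$d"
}

sample=$(make_sample)
compare_trees "$sample/clean" "$sample/live"
if register_globals_on "$sample/php.ini"; then echo "register_globals is ON"; fi
```

Against a real site, run `compare_trees /path/to/clean-backup /var/www/html` and treat every ADDED or MODIFIED PHP file as suspect until read by hand.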
WOOOOOOOOOW Will do the thanks tomorrow. Talking to the server peeps and the coders, they say it was accessed via an open port or via hacking my password... Seems to be fixed but I want to KNOW whose fault it is... I will send the code reports shortly xxx