Preventing pages being hacked

Awestruck

How can I stop hackers from altering my hosted webpages? Around midnight every day, a piece of advertising javascript is added to six of my pages. I have to upload clean pages every day. This started to happen after a lousy host called 123-reg acquired all my websites from supanames. They also doubled the price and provide a dreadful customer help 'service' compared with supanames. The pages being hacked are php. The host does not reply to my support requests.

One of my client's sites is also being hacked regularly, you advice would be most welcome.

Awestruck

laserlight

Change host.

HuHuNL

Or fix the injection-leaks in your webpages.

Awestruck

Thanks lazerlight, but that is not possible yet as some of my client's websites have just been renewed and they would have to pay a big penalty. When the renewal dates are near I will transfer each website to another host.

HUHUNL. Thanks for the reply, but what are injection leaks and how do I fix them?
Regards
Awestruck

laserlight

Well, assuming that your new host is to be trusted... did you write those PHP scripts yourself?

When you say that "a piece of advertising javascript is added to six of my pages", can you trace this Javascript to content stored in a database? It sounds like you cannot, but rather the PHP scripts are being "intelligently" modified... in which case it could be that your account/server could have been compromised.

Awestruck

The pages are mainly HTML or XHTM with a snippet of PHP to operate a page counter.

If on the FTP client I set the CHMOd to 644 would that make them more secure?

Awestruck

laserlight

Awestruck wrote:
The pages are mainly HTML or XHTM with a snippet of PHP to operate a page counter.

So, you are saying that the Javascript is added to the PHP script itself, but in a spot where it does not interfere with the PHP code?

Awestruck wrote:
If on the FTP client I set the CHMOd to 644 would that make them more secure?

You should do that anyway.

Awestruck

Oops! I forgot the other part of your question. The rogue java script sits immediately after the <body> tag and is similar to this <script language='JavaScript' src='http://someurl.be/afile.js'></script>
The url and file differ occasionally.
Regards
Awestruck

laserlight

Right. The problem is that because it is your file itself that being modified, rather than something that depends on user input, it may be the case that the server has been compromised, your account has been compromised, or maybe you allowed write access on shared hosting so some malicious user has been running a script that does this to you.

Besides only allowing read access to your scripts, change your password.

Awestruck

Oh dear! I have just realise that if I make the files 644 the PHP visitor counter won't work.
Now I am puzzled what to suggest next. If I try to change the password the dreadful host will probably wreck the site.
Awestruck

laserlight

You can make that visitor counter file writable. Make sure that you cast the data read from that file to int.

Awestruck

Er... Sorry to be so ignorant but how do I make it writable? The counter code on the pages being hacked is
<div>
<?php include("counthome.php");
?>
</div>
</body>
</html>

And what does int. mean please?
Thank you for your patience
Awestruck

laserlight

The count is stored in a separate file, right? This file is the one that counthome.php opens, reads and updates, right? That file is the one that should be writable.

Awestruck

The .dat file is already set to 777. The counthome.php file is also set as 777 and it writes the new count figure to the page that is being hacked.
If I set the page being hacked to 644, surely the counthome.php will not be allowed to write the incremented figure to that page?
Sorry to be so obtuse.
You might like to see the source code of one of the pages being hacked it is
www.colycomputerhelp.co.uk/index.php

The hacker inserts the javascript immediately after the <body> tag
Regards
Awestruck

laserlight

Awestruck wrote:
The .dat file is already set to 777. The counthome.php file is also set as 777 and it writes the new count figure to the page that is being hacked.
If I set the page being hacked to 644, surely the counthome.php will not be allowed to write the incremented figure to that page?

You can leave the .dat file as 0777 (or rather, 0666), but chmod counthome.php to 0644.

Awestruck

Thank you
I have just checked the CHMOD settings of all the hacked files and they are already at 644. This is suspicious and makes me think that someone within the host organisation is doing the hacking. They had all been infected again a quarter of an hour ago.
Awestruck

laserlight

Awestruck wrote:
This is suspicious and makes me think that someone within the host organisation is doing the hacking. They had all been infected again a quarter of an hour ago.

You are presumably on shared hosting, so even if the host can be trusted, their server configuration might be insecure.

Awestruck

Thank you. I have checked the CHMOD settings of all the hacked files and they are already set to 644. This is supicious and makes me think the host has an internal hackker or has been compromisd as you suggested.

The files had ben hacked again about 20 minutes ago. I have had to replace them once again.
Awestruck

Awestruck

Sorry I repeated myself as I could not see my previous message on the page.

Pikachu2000

It's completely possible that the new hosting company is doing this intentionally. If they won't even answer a tech support request, I'd dump them regardless of the fee (which I'd refuse to pay anyhow).