Msg#: 4294909 posted 10:09 am on Apr 10, 2011 (gmt 0)
I have a bunch of websites - around 20 - and we are affiliates of a major player in our industry. Traffic is tracked via a ClientID string number and sales made are tracked and paid monthly.
Recently I discovered what I perceived to be a wrong ClientID reference string on one of our websites and to cut a long story short, I went on to discover that the number was the affiliate number of an ex-employee who had set up a number of very similar websites to mine and had registered as an affiliate of the same major player. Using his ClientID on my websites in order to claim OUR sales commissions as his. Customers booking on our websites were credited to HIS affiliate ID. Using the Wayback Machine Internet archive, I went on to discover this had been going on for 2 years over most of our websites.
My question is, what is a clever way to detect/police this activity for the future? ClientID's are sprinkled throughout the websites and it would take a huge amount of time to check each website daily. Of course, doing all the coding myself and not relying on staff would do the job, but it's not practical because of the size of the websites. I need to use labour. Trust and verify but how to verify in the most effective manner. Any ideas please how to lock the door after the horse ... etc...?
-keevill-
Msg#: 4294909 posted 11:29 am on Apr 10, 2011 (gmt 0)
Search using what? At the moment, the only way I can do it is to "view source" and then search for ClientID but that's on hundreds of pages! Not really practical. Obviously, Google doesn't index source code. The devilment isn't done on my local network and then sent up via FTP - it's done on the hosting server so the search has to be done online somehow. Not easy! If indeed it can be done!
-keevill-
am i missing the point? why haven't you just informed the police - i should think this is a serious criminal offense in any country.
... then inform the company you are an affiliate of and tell them what has happened and include the crime report reference.
>>it's done on the hosting server so the search has to be done online somehow.
first you must at the very least change all passwords and also inform your host of what has happened, if they have any security questions that they ask to retrieve 'forgotten' passwords, then change them.
if your site is database driven, just write a query to search for the wrong id's in the database.
if it is hard coded the easiest way would be to download the entire site and then use one of the many available programs that can search through text files en masse - your current text editor may be able to.
if the server is a linux server and you can run commands, then using grep will enable you to search for the unwanted id's without downloading any files at all.
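An added example, not part of the original thread: the grep idea from the reply above, turned into an allowlist check that reports every ClientID in a site tree that is not one of your own, so it can run unattended against each site. It assumes the ID appears as `ClientID=<digits>` in links; the IDs, the `partner.example` URL and the sample pages are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the affiliate ID appears as ClientID=<digits> (any letter case),
# e.g. in a booking link's query string. Adjust the pattern to the real format.
CLIENT_ID_RE = re.compile(r"clientid\s*[=:]\s*[\"']?(\d+)", re.IGNORECASE)

def find_foreign_ids(text, allowed):
    """Return [(line_no, client_id)] for each ClientID in text not in allowed."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CLIENT_ID_RE.finditer(line):
            if match.group(1) not in allowed:
                hits.append((line_no, match.group(1)))
    return hits

def scan_tree(root, allowed, suffixes=(".html", ".htm", ".php", ".js", ".tpl")):
    """Walk root; return {relative_path: hits} for files holding foreign IDs."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_foreign_ids(path.read_text(errors="replace"), allowed)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed two-page site in which one link was swapped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = '<a href="https://partner.example/book?ClientID=100200">Book</a>\n'
        (root / "index.html").write_text(good)
        (root / "deals").mkdir()
        (root / "deals" / "offer.php").write_text(
            good
            + '<a href="https://partner.example/book?clientid=999888">Book</a>\n')
        return scan_tree(root, allowed={"100200"})

if __name__ == "__main__":
    for name, hits in demo().items():
        for line_no, client_id in hits:
            print(f"{name}:{line_no}: unexpected ClientID {client_id}")
```

Run it from a scheduled job on the server or against a fresh download of each site, and alert on any non-empty report.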
Msg#: 4294909 posted 1:21 am on Apr 11, 2011 (gmt 0)
The punishment (police) is another matter. I am trying to avoid any repeat - not from the same person but from future employees who see a very easy way to make money dishonestly. The websites are all database driven and it's easy to check on the local server but someone with FTP access could easily change the affiliate ID on one or more of the high traffic sites to an affiliate ID of their own. Even temporarily would hurt. I am beginning to think that this is the responsibility of the Affiliate Host. They should be able to marry the affiliate ID to the website and track if another affiliate ID is offered from one of my websites. And yes! I have changed all passwords and even the host.
-keevill-
>>but from future employees who see a very easy way to make money dishonestly.
in which case why have employees got ftp access? this is a MAJOR hole in your security. only appropriate employees should have that kind of access, not all of them; you should also set appropriate permissions on the server to prevent changing files.