homepage Welcome to WebmasterWorld Guest from 54.196.189.229
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Visit PubCon.com
Home / Forums Index / WebmasterWorld / Ecommerce
Forum Library, Charter, Moderators: buckworks

Ecommerce Forum

    
Source Code Stolen - What To Do?
olimits7




msg:4503226
 11:23 pm on Oct 2, 2012 (gmt 0)

Hi,

An outsourced company I use contacted me the other day to tell me to change all my website passwords; which I did, because they said that their computers could have been hacked into.

Now today, I have a "live chat" option on my site and I notice a site with my exact website but they just changed the logo and I guess some links still redirect to my site so this is why I noticed it.

I don't know what to do now; fortunately I did a whois on the person and they are in the same US state as I'm in.

Is there anything I can do? How can I get their site shut down for stolen source code?

Thank you!

 

olimits7




msg:4503268
 2:16 am on Oct 3, 2012 (gmt 0)

Hi,

I came across this old webmasterworld.com post and it seems like something like this is happening to me now.

[webmasterworld.com...]

I noticed when I made a change to my site that the change immediately effected the other hacker domain that has my website on it.

So this means to tell me that they are mirroring my site, but the strange part is all of my company name text is changed to their new domain they created. But when I look at my *.php files it still shows my company name; so I don't know how they are doing this.

They can't possibly have access to my FTP anymore I changed every single one of my passwords.

How are they able to mirror my site still but have their domain name text show instead of mine showing? But when I make a change to a page on my server it immediately changes on their domain name?

Thank you!

lorax




msg:4503426
 11:57 am on Oct 3, 2012 (gmt 0)

I'm not sure how they're doing it but I know that I'd be looking at my log files to see if I can spot an IP address that's been visiting my site a lot. Then I could do something about it. Another thought is to put in some custom PHP code that checks the server's DN or IP and if it doesn't match yours then redirect the user to the correct one and see if that doesn't cause them some issues. But I'm just flipping ideas so take these with a grain of salt.

lorax




msg:4503427
 11:59 am on Oct 3, 2012 (gmt 0)

Read through that thread a little closer. I hope you're following some of the suggestions posted there.

TypicalSurfer




msg:4503445
 1:35 pm on Oct 3, 2012 (gmt 0)

I would use .htaccess to either block their incoming requests for your content or redirect them, you could do a number of things depending on how much fun you want to have with them.

The first thing to do is get the IP that is grabbing your content. You could tail/watch your access log and make a few page requests at their site and from there it's just a matter of how you want to deal with them.

look around for "redirect by IP" for htaccess rules.

olimits7




msg:4503453
 1:48 pm on Oct 3, 2012 (gmt 0)

They are definitely mirroring the site and also using a text replacement script to change my company name to theirs.

I downloaded a full copy of the site, and I would like to do a batch compare of the code/files to see what has changed. Does anyone know of a softwre that can do a bulk/batch process comparing code/files in the same directory layout?

I tried using Beyond Compare but I have to go one-by-one into each file which will take forever.

Thank you!

TypicalSurfer




msg:4503519
 3:50 pm on Oct 3, 2012 (gmt 0)

Take some screenshots if you must but why waste time trying to figure out how much is being stolen, my priority would be to stop the theft.

olimits7




msg:4504517
 3:10 pm on Oct 5, 2012 (gmt 0)

Yes, that's what I'm trying to do by comparing the files I want to find out what vulnerability they used to hack into my site.

After looking at logs, I see they gained access by brute-force attach on my WordPress blog, and they ended up uploading this exact 404.php shell that this guy created.

I ended up securing my site more by applying different security measures, but now I'm in a cat and mouse game with this hacker. I find the site uploaded and I'm going through a DMCA takedown with each hosting company his site is listed on.

He is not using the site the way I built it; he is basically uploading it to different domains and has a "Work For Us" scam page.

I doubt he is going to make any use of what the site does because he does not have the network I have to provide these services, but it just looks bad for my company if his sites start getting scam reviews and people notice that it looks exactly like my site. I'm actually thinking of having my programmer re-design the layout of the site (e.g. graphics, box layouts, design, etc.) so it looks different.

My issue now is how long will I have to keep up this cat and mouse game before this hacker gives up?

If I keep on getting his sites taken down through DMCA, I would think eventually he will just stop doing this; well, at least this is what I hope he does.

Thanks!

[edited by: incrediBILL at 11:19 pm (utc) on Oct 5, 2012]
[edit reason] removed URL, no links to harmful code please [/edit]

Gibble




msg:4504520
 3:14 pm on Oct 5, 2012 (gmt 0)

Does anyone know of a softwre that can do a bulk/batch process comparing code/files in the same directory layout?


WinDiff can compare directories.

incrediBILL




msg:4504667
 10:57 pm on Oct 5, 2012 (gmt 0)

I'd file a police report, especially since they're in the same state, and start the process of sending them to jail for this as it's beyond the pale of just copying your site.

olimits7




msg:4505957
 3:04 pm on Oct 9, 2012 (gmt 0)

Well finally got most of the sites taken down by using a DMCA take down letter. I guess I just have to monitor the internet now to see if this hacker continues to open new sites up...hopefully they give up soon.

At first I thought that the same state "whois" was real, but now that I see based on the other domains registered they are just using different locations for the domains (e.g. UK, US, Canada, etc...).

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Ecommerce
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved