Hi,

I came across this old webmasterworld.com post and it seems like something like this is happening to me now.

[webmasterworld.com...]

I noticed when I made a change to my site that the change immediately effected the other hacker domain that has my website on it.

So this means to tell me that they are mirroring my site, but the strange part is all of my company name text is changed to their new domain they created. But when I look at my *.php files it still shows my company name; so I don't know how they are doing this.

They can't possibly have access to my FTP anymore I changed every single one of my passwords.

How are they able to mirror my site still but have their domain name text show instead of mine showing? But when I make a change to a page on my server it immediately changes on their domain name?

Thank you!

I'm not sure how they're doing it but I know that I'd be looking at my log files to see if I can spot an IP address that's been visiting my site a lot. Then I could do something about it. Another thought is to put in some custom PHP code that checks the server's DN or IP and if it doesn't match yours then redirect the user to the correct one and see if that doesn't cause them some issues. But I'm just flipping ideas so take these with a grain of salt.

Read through that thread a little closer. I hope you're following some of the suggestions posted there.

I would use .htaccess to either block their incoming requests for your content or redirect them, you could do a number of things depending on how much fun you want to have with them.

The first thing to do is get the IP that is grabbing your content. You could tail/watch your access log and make a few page requests at their site and from there it's just a matter of how you want to deal with them.

look around for "redirect by IP" for htaccess rules.

They are definitely mirroring the site and also using a text replacement script to change my company name to theirs.

I downloaded a full copy of the site, and I would like to do a batch compare of the code/files to see what has changed. Does anyone know of a softwre that can do a bulk/batch process comparing code/files in the same directory layout?

I tried using Beyond Compare but I have to go one-by-one into each file which will take forever.

Thank you!

Take some screenshots if you must but why waste time trying to figure out how much is being stolen, my priority would be to stop the theft.

Yes, that's what I'm trying to do by comparing the files I want to find out what vulnerability they used to hack into my site.

After looking at logs, I see they gained access by brute-force attach on my WordPress blog, and they ended up uploading this exact 404.php shell that this guy created.

I ended up securing my site more by applying different security measures, but now I'm in a cat and mouse game with this hacker. I find the site uploaded and I'm going through a DMCA takedown with each hosting company his site is listed on.

He is not using the site the way I built it; he is basically uploading it to different domains and has a "Work For Us" scam page.

I doubt he is going to make any use of what the site does because he does not have the network I have to provide these services, but it just looks bad for my company if his sites start getting scam reviews and people notice that it looks exactly like my site. I'm actually thinking of having my programmer re-design the layout of the site (e.g. graphics, box layouts, design, etc.) so it looks different.

My issue now is how long will I have to keep up this cat and mouse game before this hacker gives up?

If I keep on getting his sites taken down through DMCA, I would think eventually he will just stop doing this; well, at least this is what I hope he does.

Thanks!

[edited by: incrediBILL at 11:19 pm (utc) on Oct 5, 2012]
[edit reason] removed URL, no links to harmful code please [/edit]

Does anyone know of a softwre that can do a bulk/batch process comparing code/files in the same directory layout?

WinDiff can compare directories.

I'd file a police report, especially since they're in the same state, and start the process of sending them to jail for this as it's beyond the pale of just copying your site.

Well finally got most of the sites taken down by using a DMCA take down letter. I guess I just have to monitor the internet now to see if this hacker continues to open new sites up...hopefully they give up soon.

At first I thought that the same state "whois" was real, but now that I see based on the other domains registered they are just using different locations for the domains (e.g. UK, US, Canada, etc...).