A previous developer I used has got upset and started compromising the files of my website on a daily basis (such as replacing the site's index with weird messages, deleting the .htaccess, renaming folders, modifying DB tables). I suspect that while he was working on the site, he placed something somewhere in the files that gives him remote access to the website's files?!

Because of this I have:

changed the FTP user/pass and the DB pass
blocked access from his country's IP range using .htaccess
backed up the entire DB and the FTP files
chmodded the file permissions to 644 and 755 (as required)*

This morning when I woke up and tried to access my site, I was shocked to find that access to my site was denied... lol. When I checked the files I discovered that he had modified the .htaccess and placed "allow from" his IP and "deny from" my IP.

Any suggestions on how to solve this hassle would be greatly appreciated.

* I can search with grepwin for any malicious scripts/files/lines/words in the backup files I have, if I know what to look for.

3 Answers


Sounds like he has a PHP backdoor, as you suspected. There is very little you can do to be sure that you have completely removed all traces of the attacker's presence. He might have multiple backdoors, he might have scripts that email him new FTP passwords, he might even have a Windows rootkit installed. The only real solution is to reformat the machine and revert to a backup.

However, if we are working on the assumption that you do not have a backup, and that your attacker is lazy and is just relying on a PHP backdoor, then you would want to grep your entire docroot for things like:

system exec passthru shell_exec proc_open popen fopen fwrite

Of course, your attacker might be using a backdoor written in something other than PHP, which is yet another reason this whole process is fairly meaningless. Nevertheless, you might just be able to kick him out.

A more comprehensive PHP function blacklist (although in the case of PHP you can never be sure): https://github.com/v-p-b/DangerousPHPFunctions/blob/master/php_dangerous.txt – buherator Aug 14 '13 at 13:35

File a complaint with the police and reinstall the site to start with. To find the files you will have to go through all files manually and find all custom files compared to a clean WordPress install (check the md5 sums). Best would be to restart from scratch though.

Out of curiosity why is he upset?

Lucas Kauffman
  • He got upset because he couldn't do the WordPress migration on my kids' store. He couldn't complete the task so I had to release the project to another FL from Ukraine, who completed the project and got paid. This is the main reason the Indian guy got upset and started compromising the files on a daily basis, as stated above. – user2681779 Aug 14 '13 at 10:17

You have to find the backdoor, otherwise you'll always be fighting a losing battle.

If you're hosting the site on a VPS, please look into turning on the Linux accounting features so the OS records everything that gets touched in your parent folder (acct, auditd, auditctl, ausearch).

Ensure that files haven't been tampered with to include a backdoor, using file integrity checker tools like "aide" (compare the non-compromised original backup version of the site with the existing one).

Filter your apache2 logs for any requests that have a lot of query parameters or unusual file names.

Look for executable files (.php, other) that have very long lines of code. Standard PHP backdoors usually insert one very long line of obfuscated code, so looking for the file with the longest line can help you find the compromised file.

Look at "administrator accounts" on your hosting account, he might have added a new one for himself. Do the same for FTP, MySQL, and other doors into your account.

Or, try to use some political/social skills to pacify him. People become like this when you vex them, or when they get into "defensive" mode because of something you say. Try to backtrack, and turn him into an ally instead of an enemy. Remember that what you have on the other end is a non-professional developer who has lots of time to spare and apparently lots of emotions too. If you can do human damage control, it might prove easier for you.

Otherwise, I'd suggest looking into hiring a security expert from the same website where you hired the other two.

Good luck...

Wadih M.