PHP Help

[Drakkon]

I created a site using PHP and somehow it came under the radar of a hacking group. So far they havent done anything too malicious just taken down my index page and replaced it with one of their own. I cant figure out how they are getting in though and this is now the third time it has happend.

Heres what they do:
Replace my index.php page with their own modified index.htm page (just 1 line of text)
Upload 1-2 htm files that have the same line in them

I'm assuming it must be some sort of injection attack? I do session and POST/GET but every time i either parse them through an sprintf or match them to a specified variable.
I have the login times for logins on my server so i know they dont have the password - unless they are bypassing that somehow. any ideas would be greatly appreciated.

 

[fs5]

probably not through your .php code but elsewhere on the server.

 

[troytime]

index.php is getting deleted and they're creating an index.htm?

what are the permissions set to on index.php?

 

[Drakkon]

yes index.php deleted...index.htm created

directory permission is set at 644, index.php set at 644

 

[Reel]

Can you link the page publicly or via PM?

 

[LeetestUnleet]

If it's not showing up in server logins, my guess would be that SOMEWHERE you're not sanitizing a user-input field or your sanitizing doesn't catch the exploit they're using.

How large-scale of a PHP project is your site? PM me the link and/or code (if possible) and I'll take a look to see if I can find where they might be getting in.