The Entrepreneur Forum | Financial Freedom | Starting a Business | Motivation | Money | Success

My web developer keeps messing with my site... advice please

theBiz

So I hired a cheap guy to do some small project for me. He now keeps trying to scam me and tell me I owe him money; I guess this is a new trick they're doing. This morning the site was all messed up. He does not have access to the server but to the admin section which he developed. I changed the admin section password but he somehow got into it.

I told him to put things back and I will pay tomorrow, which I obviously will not. In the meantime everything is on the server operating correctly.

What should I do? Is there a way to copy everything in working order? How can I block him out of the admin section that he developed?

I never dealt with this before, but I should have known better when outsourcing; it seemed too cheap to be true. I would really appreciate help; I know little of security.
 

Russ H

theBiz said:
So I hired a cheap guy to do some small project for me. He now keeps trying to scam me and tell me I owe him money; I guess this is a new trick they're doing. This morning the site was all messed up. He does not have access to the server but to the admin section which he developed. I changed the admin section password but he somehow got into it.

I told him to put things back and I will pay tomorrow, which I obviously will not. In the meantime everything is on the server operating correctly.

What should I do? Is there a way to copy everything in working order? How can I block him out of the admin section that he developed?

I never dealt with this before, but I should have known better when outsourcing; it seemed too cheap to be true. I would really appreciate help; I know little of security.

Like any good developer, he made a back door.

He says you owe him money-- and you've just agreed to pay.

Either pay him the money or plan on getting a new website.

Next time, don't promise to pay if you don't intend to. VERY BAD. Your word needs to be good. On a purely mercurial scale, you will get hammered on this in court (promising to pay and then not paying).

-Russ H.
 

MJ DeMarco

Control, control, control ... those with the keys to your car can drive you into a wall. This is an experience you need to learn from...

As for advice, if the amount is marginal, pay it and then begin to IMMEDIATELY move your site into a structure that YOU CONTROL.
 

theBiz

I did not agree to pay. He was paid in full; this is 5 months later. It's a scam.


"pay it and then begin to IMMEDIATELY move your site into a structure that YOU CONTROL."

I am going to research, but again I'm not sure how I would be able to move a website that was designed by someone else into a structure I control.

They are locked out of the server but this does not matter; they can get in the admin section on whatever server, which they did.

I feel so scammed. A developer should not have access once paid, IMO. It's my fault for not educating myself on it; I am just not sure where to go from here.

Everything is back on the server for now, but again I have no idea how he gets in, so for me to block it is so foreign to me. Thank you everyone, this is obviously a bad situation I'm in.
 

Russ H

theBiz said:
I did not agree to pay. He was paid in full; this is 5 months later. It's a scam.

I understand that. He's blackmailing you (must be some spiffy net word for what he's doing)

But you originally said:

theBiz said:
I told him to put things back and I will pay tomorrow, which I obviously will not. In the meantime everything is on the server operating correctly.

So you bought yourself a day by lying to him.

This just means you're hosed tomorrow, or the day after.

But it also means you said you would pay him-- unless I misread your post.

THAT was my point. Doesn't make any difference if he is due the money or not. HE THINKS YOU OWE HIM THE MONEY.

You don't think you do, but you told him you would pay.

Are you sure you didn't sign some boilerplate at the beginning of the job that had hidden maintenance fees?

Why is he claiming you owe him?

-Russ H.
 

Alexishost

You may have to be honest, tell him the situation, and tell him what you really want him to do.

Furthermore, you can ask your host about the password and everything that you might want to know about.


Cheers.

 

FDJustin

Always have a reasonably recent backup, huh?

I guess you could get server logs and present them to someone who knows a thing or two about website security so they can find the hole for you. It'll cost, but it's better than being extorted every XYZ timeframe.

You probably can move it, but you might just have to pay someone else to accomplish that in a reasonable timeframe depending on the complexity of your site. (I'm going to assume it's more than a css template and information site?)
 

biophase

He is getting to the admin section which is browser based on the site? If it's browser based through the admin, moving to a new server wouldn't help because all the code is the same, the backdoor would still be there. I think you need someone to look at the code and logs to figure out how he's getting in there.

I had this same worry with my ebiz software a year ago. Things went bad with my developer from India and I always thought one day he could screw up my store somehow. I eventually migrated my store to completely different software, but not just because of that reason.
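
Added example, not part of the thread and not any poster's code: one way to start the log review suggested above is to list admin-area requests that succeeded for a client that never passed the login form, which is how a bypass that survives a password change shows up. The `/admin/` prefix, the `/admin/login.php` path, the redirect-on-success behaviour and the sample log lines are all assumptions constructed for illustration.

```python
import re

# Assumptions (hypothetical, adjust to the real site): the admin area lives
# under /admin/, the login form posts to /admin/login.php, and a successful
# login is answered with a redirect (3xx).
ADMIN_PREFIX = "/admin/"
LOGIN_PATH = "/admin/login.php"

# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2011:03:14:22 +0000] "POST /admin/pages_edit.php?id=1 HTTP/1.1" 200 311 "-" "curl/7.21"
198.51.100.7 - - [12/Mar/2011:03:14:30 +0000] "GET /admin/index.php HTTP/1.1" 302 0 "-" "curl/7.21"
192.0.2.10 - - [12/Mar/2011:09:00:01 +0000] "GET /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2011:09:00:05 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2011:09:00:06 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

def find_unauthenticated_admin_hits(lines):
    """Return admin requests that succeeded for a client with no earlier login."""
    logged_in = set()   # client IPs whose login POST was accepted
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue    # not a combined-format line
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]   # match on the path, not the query
        if path == LOGIN_PATH:
            if method == "POST" and 300 <= status < 400:
                logged_in.add(ip)
            continue
        # A 2xx answer inside the admin area with no earlier login suggests
        # the page was served without going through the password check.
        if path.startswith(ADMIN_PREFIX) and 200 <= status < 300 and ip not in logged_in:
            findings.append((m["time"], ip, method, m["path"]))
    return findings

if __name__ == "__main__":
    for hit in find_unauthenticated_admin_hits(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Grouping by client IP is a heuristic: a login that happened before the log window starts will look unauthenticated, so treat each hit as a pointer to the specific admin file whose access check should be read first.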
 

Russ H

biophase said:
If it's browser based through the admin, moving to a new server wouldn't help because all the code is the same, the backdoor would still be there. I think you need someone to look at the code and logs to figure out how he's getting in there.

Yes-- perhaps I didn't say that correctly.

When I said "plan on getting a new website", I meant, literally, start from scratch-- new code/new design.

Not just move the site.

This is one of those things you will laugh about years from now-- and will consider a great learning experience.

I realize it sucks right now. What has he said to justify the extra $$ he's asking?

-Russ H.
 

CoMp1eX

Sorry you have to go through this.

I'm looking to hire someone to redesign a blog to test out a new product, but I also have no idea how to keep all my sites safe. Plus, they're all on the same hosting account. Would be a good thread topic in the near future...

Anyway, I agree with others, I'd take the loss, scrap the site, and hire someone with great feedback. BTW, did you hire the developer off a site like elance?
 

theBiz

Yes, the admin section is browser based, so even if I move it won't help. This sucks. I'll just deal with the $ for now, but what am I supposed to do next time I hire someone? I mean, is a developer always going to have some back entry to my site I paid them to do? This seems misleading. How can I secure myself that I am the only one with access? Thank you.
 

longview

As has been said above, the effort of looking through all the code would be best spent starting with a new developer. You can save a lot of time given you already have the site built, so design/workflow docs can be easily passed on to the new dev.
Without the ability to review the code yourself, you will need to place your trust in them (again). See if you can get a referral or something.

Regarding your current site, to give you some appreciation of the problem, if it uses a back end database, they could be updating that directly, and bypassing the admin web page altogether. There could be many deliberate things the developer has done; they may have even deliberately exposed a bug in the software to gain entry (e.g. SQL injection attacks in input fields).

To secure the site (aside from the hosting company, eg: backups/support) you would need to review the code and the installation on the server (regarding open ports etc), and without the technical knowledge it would be easy to miss something. Developers can also obfuscate the code or make it overly complex to hide the real function.

That all may sound pretty horrible, but a developer may always have a way in. If your current one wasn't vandalizing your site, you would never have known about your potential (customer?) data loss.

The other thing is to see if there is already site software out there that can be easily customized to your needs.

All the best.
 


Davidla

What happened in the end?

A programmer I interviewed actually granted me access to 4 of his former clients' websites' control panels because I asked to get a feel of the CMS he was suggesting.

It made me feel very confident about his integrity.

I should probably contact his clients to let them know about him, and that they should change their passwords (3 out of 4 were still admin).
This was some sort of custom CMS.

Do WP, Joomla etc. contain the same potential back-doors?
 

Darkside

Davidla said:
What happened in the end?

A programmer I interviewed actually granted me access to 4 of his former clients' websites' control panels because I asked to get a feel of the CMS he was suggesting.

It made me feel very confident about his integrity.

I should probably contact his clients to let them know about him, and that they should change their passwords (3 out of 4 were still admin).
This was some sort of custom CMS.

Do WP, Joomla etc. contain the same potential back-doors?


Those aren't backdoors but rather the standard admin login. Those clients of his just never changed the password once he handed control over their sites to them.
 

Davidla

Darkside said:
Those aren't backdoors but rather the standard admin login. Those clients of his just never changed the password once he handed control over their sites to them.

I didn't explain myself correctly.

TheBiz mentioned his platform was some kind of custom CMS - and when a developer builds a new CMS I'm sure it's not hard for him to leave backdoors.

But if a developer is using WP or Joomla - I wonder if it is still risky.
I'm sure it's possible - but I guess it's much harder?
 

Darkside

Davidla said:
I didn't explain myself correctly.

TheBiz mentioned his platform was some kind of custom CMS - and when a developer builds a new CMS I'm sure it's not hard for him to leave backdoors.

But if a developer is using WP or Joomla - I wonder if it is still risky.
I'm sure it's possible - but I guess it's much harder?


Yeah, it's still possible to create a backdoor with Joomla and other open source CMS. The solution in my opinion is to never allow them access in the first place. Everything that they need to test out can be done on their own using their own Joomla site; then when they are done, they can send you the files and you can upload them yourself.
 
