Fred Jones wrote:
>> I take it back, they have hacked the file system ...
>>
>
> I used to host with HostRocket. Then someone hacked into their servers
> and edited our files, adding a virus for visitors. They corrected the
> situation but I started hosting elsewhere. A colleague of mine
> remained with them and his site was then hacked, the same way!
>
> Then another person I know on MaximumASP was hacked the same way.
>
> This is simply a sign of a bad host. The only thing which can be done
> is to switch to a host with better security.
>
> Fred
>

Well perhaps a little more than that.

* First thing I would do with a support request is try to find out how it happened. (hacked into their server here)
* The other thing that would be really good to know, which I can't imagine the hosting company sharing willingly, is whether or not other accounts were hacked at either the same time or at all.

-->> I would like to know if the root cause is poor security or bad bad me

Your control panel password, shell access, ftp should not be stored in plain text anywhere that can be cruised. For programs that I create I keep mysql password above webroot (as php). CMS, eCommerce programs, etc. usually place it in a php config file within the directory structure. If this is deemed a risk you can always change the config file to reference an include file above webroot.

It is slightly more work for you, but wise to make the passwords different. For that matter make it more difficult by using different passwords for your domain management provider.

Also, depending on provider, file permissions (at least with Linux, Apache) should be 644 for regular files and 755 for directories.

-->> I'm no security expert and I'm sure there is more, but these are relatively painless simple steps to improve security.

One other thing - unless you have inside information that your hosting provider has a very good, very regular, backup routine, don't rely on them.

You can write a simple backup script, cron job that can be used to restore the database and file system in minutes as opposed to aggravating hours of hopeful anticipation. Your backup process should include not only yesterday but also the ability to retrieve backup files from a week, a month ago, etc.

--
Bob Meetin
www.dottedi.biz
303-926-0167

Hook up with me on Twitter, Facebook, LinkedIn, Plaxo Pulse and Bebo or catch my blog at www.dottedi.biz/blog.php

Standards - you gotta love em - there are so many to choose from!
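
The backup routine described in the reply above, as an added example that is not part of the original message: a cron-driven script that archives the webroot and database and keeps daily, weekly and monthly copies. The paths, the `--run` switch, the retention counts and the function names are all assumptions, and database credentials are assumed to live in `~/.my.cnf` with mode 600.

```shell
#!/usr/bin/env bash
# Added example: site backup with daily / weekly / monthly retention.
# Every path, name and retention count here is an assumption; adjust for your host.
# Assumed cron entry:  15 3 * * * $HOME/bin/site-backup.sh --run

WEBROOT="${WEBROOT:-$HOME/public_html}"    # assumed site directory
BACKUP_DIR="${BACKUP_DIR:-$HOME/backups}"  # above the webroot, never web-readable
DB_NAME="${DB_NAME:-}"                     # empty = skip the database dump
KEEP_DAILY=7; KEEP_WEEKLY=5; KEEP_MONTHLY=12

# 1st of the month -> monthly, Sunday -> weekly, any other day -> daily.
backup_tier() {   # args: day of month (01-31), day of week (1-7, 7 = Sunday)
    if [ "$1" = "01" ]; then echo monthly
    elif [ "$2" = "7" ]; then echo weekly
    else echo daily
    fi
}

# Keep the newest N dated directories of one tier, delete the rest.
prune_tier() {    # args: tier, keep-count
    ls -1 "$BACKUP_DIR/$1" 2>/dev/null | sort -r | tail -n +"$(( $2 + 1 ))" |
        while IFS= read -r old; do rm -rf -- "${BACKUP_DIR:?}/$1/$old"; done
}

run_backup() {
    set -- $(date '+%Y-%m-%d %d %u')   # one clock read: stamp, day of month, weekday
    stamp="$1"
    tier="$(backup_tier "$2" "$3")"
    dest="$BACKUP_DIR/$tier/$stamp"
    umask 077     # archives contain config files and passwords: owner-only
    mkdir -p "$dest" || return 1
    tar -czf "$dest/files.tar.gz" -C "$(dirname "$WEBROOT")" "$(basename "$WEBROOT")" || return 1
    if [ -n "$DB_NAME" ]; then
        # mysqldump reads credentials from ~/.my.cnf, so none appear in the process list
        mysqldump --single-transaction "$DB_NAME" > "$dest/db.sql" || return 1
        gzip -f "$dest/db.sql" || return 1
    fi
    case "$tier" in
        monthly) keep=$KEEP_MONTHLY ;;
        weekly)  keep=$KEEP_WEEKLY ;;
        *)       keep=$KEEP_DAILY ;;
    esac
    prune_tier "$tier" "$keep"
    echo "$dest"  # print where today's backup landed
}

if [ "${1:-}" = "--run" ]; then run_backup; fi
```

Copy the backup directory off the host as well, since an intruder who can edit site files can usually delete archives stored in the same account.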