
wowheaded
Index.php keeps getting hacked. Please help
Comments
| wowheaded (positive) | 414 days ago |

I've just added the code `if (isset($_REQUEST['dir'])) die ('Hacking attempt');` to the files Sammie suggested in another post. I'm hoping this will help some. Is there anything else I should do?
| wowheaded | 414 days ago |

Just to let you know, this is the hacker's name: Arianom De HackeR. This is the IP it came from: 193.67.33.2. You might want to block it. Also, what's with the /ray/crossdomain.xml file? Could this be a potential security issue?
| sammie | 414 days ago |

That fix will stop them. The crossdomain file is just a file to allow Flash to be used from one domain to another; without it you can't see Flash from other sites. Get hosted on safer servers.
| AndreyP | 413 days ago |

Again and again: `php_flag register_globals Off` :-) Better if not just via .htaccess but at host level. Second, disable all possible script or Flash includes (better, any HTML). Third, this was a good solution too:

```apache
#RewriteCond %{QUERY_STRING} ^http [OR]
#RewriteCond %{QUERY_STRING} ^.+www\. [OR]
#RewriteCond %{QUERY_STRING} ^.+https [OR]
#RewriteCond %{QUERY_STRING} ^.+ftp
#RewriteRule .* - [L,F]
#RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
#RewriteCond %{HTTP_USER_AGENT} ^Wget
#RewriteRule .* - [F]
#RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
#RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
#RewriteRule ^(.*) - [F]
```

and even `php_value allow_url_fopen 0` :-)
| wowheaded | 413 days ago |

Thanks for the feedback. I seem to have a lot of trouble with my hosting at the moment, which is bad since it is linked to a number of other sites I own. Being evasive about what and why, but as nothing seems to be safe right now, it's best to say little. I'm actually considering adding sites to an additional hosting company, even though the one we currently use is listed on the boonex server page here. I noticed today that a number of functions over all the websites are messed up from the cPanel access, and according to the company, it's a corruption at their end.
| wowheaded | 413 days ago |

Also, with `php_flag register_globals Off`: where do I change this specifically? This is my first major dabble with PHP and MySQL, so I'm not sure. CSS/XHTML/XML, I'm fine... PHP... you've lost me :D
| sammie | 413 days ago |

If you are on shared hosting and register_globals is on by default at the server level, and your PHP is 4.3.2 or later, then your hosting provider has broken php.net's recommended setting of register_globals off and has even changed the default setting to On. This allows any site on that server to be exploited and gain full access to all sites and accounts on that server. This is your hosting company's fault, and their blatant abuse of their customers' trust in not providing safe, secure hosting by following php.net's recommended settings for register_globals.
| Tallyplayer | 413 days ago |

Also wowhead, look in your cache and backup directories specifically. All this security you are setting up may be locking the door after the thief is already in the store. When my sites were hacked they did pretty much what you described, I guess to stop me from looking deeper. If they were in, then they probably already have set up the scripts somewhere to let them keep coming back. Although DosDawg helped me lock the door on my old hosting, they already had a key to the back door. End solution: I had to completely move off my poor hosting environment, moved in with Dos and Sammie, and they keep all the door-to-door salesmen away!
| wowheaded | 413 days ago |

Hi both, I've just looked at my cache and backup directories. Both of those are absolutely fine, from what I can see. They both seem to have the relevant files included and no abnormalities in there. That's one big relief. Right now, I'm going through all the files and folders in my hosting and comparing them to the dolphin/ray/orc unzipped files. I'll post if I find something odd that I just can't figure out :). With regards to my hosting, I actually have a reseller account with this company listed within the boonex site. I'll email them again today and ask them what the deal is with the register_globals issue. I noticed that even though we're supposed to have access to a number of additional features with them to control our hosting plan, we actually don't.
| gameutopia | 411 days ago |

As AndreyP mentions, these are good ideas; however, the commands to add to .htaccess he specifies will do absolutely no good because they are commented out with the #. Basically, if you add a # to your .htaccess, each line with the # means to ignore it, and it does no good. So I don't know why this was even posted or why it wasn't clarified that you need to remove the # to do any good and to take effect. Guess everyone is supposed to know that by default.

```apache
#RewriteCond %{QUERY_STRING} ^http [OR]
#RewriteCond %{QUERY_STRING} ^.+www\. [OR]
#RewriteCond %{QUERY_STRING} ^.+https [OR]
#RewriteCond %{QUERY_STRING} ^.+ftp
#RewriteRule .* - [L,F]
#RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
#RewriteCond %{HTTP_USER_AGENT} ^Wget
#RewriteRule .* - [F]
#RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
#RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
#RewriteRule ^(.*) - [F]
```

and even `php_value allow_url_fopen 0` :-)

I haven't tested it fully. You will have to remove the "and even php_value allow_url_fopen 0 :-)" and all #'s for it to work at all. If you were to use this command in .htaccess it would be more like:

```apache
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
RewriteRule ^(.*) - [F]
```

All your other dolphin .htaccess code would follow here!!

I wouldn't be surprised if some of this made certain things not work, specifically your share files in your media locations, such as when you click on your share link in the photo, music, and video gallery in the actions menu. The above code will block it. Is this all bad? I don't know. But it will piss some off. Either that, or if you use the above code you will have to remove the share link to do away with it.

The code I use is similar to the boonex guys' except mine already has the #'s removed so they do work:

```apache
Options -MultiViews
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+\.txt [OR]
# [OR] added on the next line: as posted it carried no flag, so it was ANDed with the condition below instead of being an alternative
RewriteCond %{QUERY_STRING} ^.+ftp [OR]
# [OR] dropped on the next line: as posted it was the last condition before the rule and still carried [OR]; a failing [OR] condition just moves on to the next one, and with no next one the rule applies to every request
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
# closing tag added; it was missing from the post
</IfModule>
```

I also block a number of things such as .htaccess, so you can't view my .htaccess files. I also block certain countries. I do block periodic file. I also block file types that can be uploaded to audio/video like php, txt, vbs, cgi, pl, etc., you name it. Anything that is out of the ordinary can't even be uploaded to dolphin/ray folders to begin with. Good luck. Gameutopia. I will post my boonex profile until I am told not to? Seems legit to me since it is hosted on boonex, right? http://www.boonex.com/unity/gameutopia
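The rewrite conditions from the posts above, run over a few constructed access-log lines to check what they refuse and to show the share-link side effect gameutopia describes. This is an added example, not code from the thread or from Dolphin; the log lines are constructed and the rule names are my own labels, and the `=http` / `urlx=` lines come from AndreyP's list rather than gameutopia's.

```python
import re
from urllib.parse import urlsplit

# Query-string conditions from the .htaccess blocks above (gameutopia's list plus
# AndreyP's "=http" and "urlx=" lines), as Python regexes. Apache runs them as an
# OR chain, so the RewriteRule answers 403 as soon as any one of them matches.
QUERY_RULES = {
    "query starts with http": re.compile(r"^http"),
    "www. anywhere": re.compile(r"^.+www\."),
    "https anywhere": re.compile(r"^.+https"),
    ".txt anywhere": re.compile(r"^.+\.txt"),
    "ftp anywhere": re.compile(r"^.+ftp"),
    "parameter value is a URL": re.compile(r"(.*)=http(.*)", re.IGNORECASE),
    "urlx parameter": re.compile(r"(.*)urlx=(.*)", re.IGNORECASE),
    "SQL keyword after a metachar": re.compile(
        r"^.*(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
        r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*",
        re.IGNORECASE),
}
AGENT_RULES = {
    "libwww agent": re.compile(r"^libwww"),
    "scanner/client agent": re.compile(
        r"^.*(libwww-perl|curl|wget|python|nikto|scan).*", re.IGNORECASE),
    "Wget agent": re.compile(r"^Wget"),
}

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /index.php?dir=http://203.0.113.9/x HTTP/1.1" 200 1234 "-" "libwww-perl/5.805"
203.0.113.6 - - [10/Oct/2009:13:55:40 +0000] "GET /profile.php?ID=1 HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2009:13:55:44 +0000] "GET /photos/share.php?url=http://www.example.com/photo/1 HTTP/1.1" 200 910 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2009:13:55:48 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 222 "-" "Wget/1.11"
"""
LOG_RX = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "(?P<agent>[^"]*)"')

def matching_rules(target, agent):
    """Names of every condition the rewrite rules would match for one request."""
    query = urlsplit(target).query  # RewriteCond sees the raw, undecoded query string
    hits = [name for name, rx in QUERY_RULES.items() if rx.search(query)]
    hits += [name for name, rx in AGENT_RULES.items() if rx.search(agent)]
    return hits

def triage_log(text):
    """Map each request target to the rule names that would have refused it (403)."""
    result = {}
    for m in LOG_RX.finditer(text):
        result[m.group("target")] = matching_rules(m.group("target"), m.group("agent"))
    return result
```

The third sample line is the gallery share link gameutopia warns about: it is ordinary traffic, yet both the `www.` and the `=http` conditions refuse it, so those two lines are the ones to relax or scope to specific scripts if the share feature must keep working.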
| billabongrob | 359 days ago |

Sammie, you do realize that you can turn off register_globals in the .htaccess file, right?