Evil client = Evil code

planetney's picture

So it has been a year almost and this client will NOT PAY ME!

SO, he changed the FTP accounts and now is ignoring my calls and probably making money off the site, BUT he left the USER1 acct unchanged...

Any ideas???

PS: Keep in mind he can always ask the hosting company for a copy of the previous day's MySQL, but I think they only back up for up to 5 days.


If you want to toy with him

jessehs's picture

Try installing this Misery: https://drupal.org/project/misery

See how long it will take him to figure out why the site is periodically messing things up… :-)


planetney's picture

Thank you!

If you can get in to user 1,

Garrett Albright's picture

If you can get in to user 1, you can execute PHP. If you can execute PHP, you still pwn the server.

The host backs up the database, but do they back up the files? Is there a repo elsewhere the client has access to?

Don't joke with a client that won't pay. Ruin their site to the greatest extent possible and ransom it back to them. Your contract did say that you own the code until it's paid off, right?


planetney's picture

The guy owns a mining company so he definitely has the money. We never signed a contract because I actually met the guy and we just shook on it, never thought he would do me like this.
I have all the emails from him and his staff though, I even had to pay a guy to help me with OpenLayers and Google Maps integration. They are based in PERU. What could I do in terms of PHP? I do have access to user 1. Hosting company probably backs up data as well. I do not have FTP access anymore. Thank you guys!

Berne Convention

As If's picture

Actually, in the US and in any other country party to the Berne Convention, your original work remains your own until you have explicitly transferred copyright ownership to another party. In this sense, getting a signed contract is more important for the client than it is for the developer.

The right way

fuzzy76's picture

Contact their hosting provider and notify them that the website is considered stolen code. Some providers (if given reasonable proof) might close the site down.

Hypothetically speaking...

griz's picture

I think the first thing you should could do is create several backup users with the permission to administer permissions. Then when you are inevitably hypothetically locked out you can get back in. You might want to let the users sit unused for the five days it takes to get them into every last backup they have.

use the power of the php module!

bircher's picture

Hello, so basically if you are still in control of uid 1 you can be evil and take the site offline so that only hacking the db will get it back. That will either mean to pay you or to hire someone with enough knowledge to fix it.

steps to site domination:

  • enable php.
  • create a new block or edit an existing one.
  • set the input filter to php
  • write:
    if (time() >= 6daysfromnow) {
    "beware! the developer was not paid for creating this site!");
  • place the block somewhere
  • wait for the backups to incorporate the block of doom

of course you could add
&& $_GET['allow'] != "thesecretkey"
so that you will have easy access to the page to disable the block once you get your money...

this does not take a lot of creativity, but you see the general line of thought.
oh and yes I am happy PHP is not part of Drupal 8 any more...
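
From the site owner's side, what this thread describes (the PHP module enabled, a block using the PHP input format, extra accounts that can administer permissions) is all visible in the database. The audit below is an added example, not code from any poster in the thread; it assumes Drupal 7 table and column names with no table prefix, and runs against constructed sample data in SQLite.

```python
import sqlite3

# Assumption: Drupal 7 table and column names (system, block_custom,
# role_permission, users, users_roles); adjust for a table prefix.
AUDIT_QUERIES = {
    "php_module_enabled":
        "SELECT name FROM system"
        " WHERE type = 'module' AND name = 'php' AND status = 1",
    "php_format_blocks":
        "SELECT info FROM block_custom WHERE format = 'php_code'",
    "permission_admins":
        "SELECT u.name FROM users u"
        " JOIN users_roles ur ON ur.uid = u.uid"
        " JOIN role_permission rp ON rp.rid = ur.rid"
        " WHERE rp.permission = 'administer permissions' AND u.uid > 1"
        " ORDER BY u.uid",
}

def audit(conn):
    """Run each query and return {check name: list of first-column values}."""
    return {name: [row[0] for row in conn.execute(sql)]
            for name, sql in AUDIT_QUERIES.items()}

def sample_db():
    """Constructed in-memory data standing in for a real site database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE system (name TEXT, type TEXT, status INTEGER);
        CREATE TABLE block_custom (bid INTEGER, info TEXT, body TEXT, format TEXT);
        CREATE TABLE users (uid INTEGER, name TEXT, created INTEGER);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
        CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
        INSERT INTO system VALUES ('php', 'module', 1), ('views', 'module', 1);
        INSERT INTO block_custom VALUES
            (1, 'Footer', '(constructed body)', 'filtered_html'),
            (2, 'Notice', '(constructed body)', 'php_code');
        INSERT INTO users VALUES (1, 'admin', 0), (7, 'editor', 100), (9, 'backup1', 200);
        INSERT INTO users_roles VALUES (7, 4), (9, 3);
        INSERT INTO role_permission VALUES
            (3, 'administer permissions', 'user'),
            (4, 'create article content', 'node');
    """)
    return conn

if __name__ == "__main__":
    for check, hits in audit(sample_db()).items():
        print(check, hits)
```

The `block_custom` query only covers custom blocks; content in other tables that uses the same text format needs its own query.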