How to know if Coder Insert malicious code into your script?

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • lakerslive
    Confirmed User
    • Aug 2012
    • 929

    #1

    How to know if Coder Insert malicious code into your script?

    some kind of backdoor to hack your site? what to look for? thanks. I pay my programmers on time and on their bid. but why would they do such thing? or im just paranoid?
  • edgeprod
    Permanently Gone
    • Mar 2004
    • 10019

    #2
    If you're not proficient in programming, you might consider finding someone who is, and having them look for you. The size of the site/script would determine what someone like that might charge, as well as their general experience level.

    Sometimes, backdoors hide in unlikely places, like the user permissions in MySQL. You have to look under a lot of rocks.

    In my experience, backdoors, etc, are generally pretty rare, and are often only inserted by Freelancer / Rent-a-Coder types.

    Comment

    • bean-aid
      So Fucking Banned
      • Jun 2011
      • 16493

      #3
      If it is malware then your antivirus will tell you.

      If you think something is getting injected into server, first thing I look for is a pattern of date changes.

      And yeah... hire a programmer if you think you need it. Also, great to have a good host who can clean up any injections as well. That right there is worth tons. They can also run scans and look for vulnerabilities.

      Comment

      • lakerslive
        Confirmed User
        • Aug 2012
        • 929

        #4
        I didnt give him access to my sql databse.. only files. Am i safe from that sql permission you mentioned?

        Comment

        • _Richard_
          Too lazy to set a custom title
          • Oct 2006
          • 30991

          #5
          Originally posted by edgeprod
          often only inserted by Freelancer / Rent-a-Coder types.


          bigger the project, more chance there is a killswitch

          Comment

          • AJHall
            Confirmed User
            • Nov 2002
            • 1306

            #6
            Sometimes a disgruntled coder or someone trying to protect their work will do that but 100% of the "backdoor" type stuff we've encountered over the years with coding staff has been accidental or unintentional and often due to lack of care or lack of experience. More often they don't know enough about security and overlook something or they're in a hurry and as a result they write fast and sloppy code that leaves a vulnerability we end up fixing later.

            Unless you have reason to believe they're inserting malicious code I wouldn't worry about it too much.
            Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.

            Comment

            • adulttraffic
              Confirmed User
              • Mar 2006
              • 797

              #7
              Originally posted by AJHall
              Sometimes a disgruntled coder or someone trying to protect their work will do that but 100% of the "backdoor" type stuff we've encountered over the years with coding staff has been accidental or unintentional and often due to lack of care or lack of experience. More often they don't know enough about security and overlook something or they're in a hurry and as a result they write fast and sloppy code that leaves a vulnerability we end up fixing later.

              Unless you have reason to believe they're inserting malicious code I wouldn't worry about it too much.
              bologna! Although a sloppy programmer may leave backdoors open by mistake you should always assume the possibility they have left some sort of "killswitch" or a way for them to access your server in case he dosent get paid, especially if you hire them from an e-lance type of site. The only way to truly know is to have someone competent go through everything he has done on your server.
              Respect My Authoritah!

              Comment

              • AJHall
                Confirmed User
                • Nov 2002
                • 1306

                #8
                Originally posted by adulttraffic
                bologna! Although a sloppy programmer may leave backdoors open by mistake you should always assume the possibility they have left some sort of "killswitch" or a way for them to access your server in case he dosent get paid, especially if you hire them from an e-lance type of site. The only way to truly know is to have someone competent go through everything he has done on your server.
                This is why the very first line of my response says "Sometimes a disgruntled coder or someone trying to protect their work will do that"

                IMO the only way to really know is to run penetration tests and use the same methods that hackers use to find exploits and breaches in software. Even someone "competent" is likely to miss something and no coder out there knows everything or will be able to identify every possible exploit.
                Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.

                Comment

                • adulttraffic
                  Confirmed User
                  • Mar 2006
                  • 797

                  #9
                  Originally posted by AJHall
                  This is why the very first line of my response says "Sometimes a disgruntled coder or someone trying to protect their work will do that"

                  IMO the only way to really know is to run penetration tests and use the same methods that hackers use to find exploits and breaches in software. Even someone "competent" is likely to miss something and no coder out there knows everything or will be able to identify every possible exploit.
                  Very true... I said bologna because you should always assume the worst. And yeah.. Since all coders work on very different skill levels it would be very difficult to find anything or everything all the time. Basically you would have to work on someones "word" that they dident do shit like that. But in business you cant trust anyone.
                  Respect My Authoritah!

                  Comment

                  • AJHall
                    Confirmed User
                    • Nov 2002
                    • 1306

                    #10
                    Originally posted by adulttraffic
                    Very true... I said bologna because you should always assume the worst. And yeah.. Since all coders work on very different skill levels it would be very difficult to find anything or everything all the time. Basically you would have to work on someones "word" that they dident do shit like that. But in business you cant trust anyone.
                    That's a good point. Always better to err on the side of caution and anytime you hire someone to code anything you're putting a lot of trust in them. At least on a site like guru or elance you can read reviews from other customers and if the coder has been around a long time chances are if they did stuff like put in backdoors someone would have noticed and called them out on it.
                    Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.

                    Comment

                    • alcstrategy
                      Confirmed User
                      • May 2012
                      • 124

                      #11
                      Originally posted by AJHall
                      IMO the only way to really know is to run penetration tests and use the same methods that hackers use to find exploits and breaches in software. Even someone "competent" is likely to miss something and no coder out there knows everything or will be able to identify every possible exploit.
                      With all respect this is false. A "competent" person will find faulty code and logic better than any scanner, and that is how vulnerabilities are discovered. The trouble is most people who think they are competent actually aren't, and the scanners people rely on often times miss many things.

                      There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.

                      Comment

                      • AJHall
                        Confirmed User
                        • Nov 2002
                        • 1306

                        #12
                        Originally posted by alcstrategy
                        With all respect this is false. A "competent" person will find faulty code and logic better than any scanner, and that is how vulnerabilities are discovered. The trouble is most people who think they are competent actually aren't, and the scanners people rely on often times miss many things.

                        There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.
                        I would do both. We use scanners and human beings and try to pour over code as well as cover similar scenarios to what we've seen in the numerous hackings we've encountered and continue to encounter over time. Nothing is 100%. Scanners will miss things and so do experts. I would never hire a security expert who was naive enough or enough of an egomaniac to tell me otherwise but I totally agree with you that if someone can afford it they're far far better off hiring someone who specializes in security than relying on a developer for this.
                        Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.

                        Comment

                        • alcstrategy
                          Confirmed User
                          • May 2012
                          • 124

                          #13
                          Originally posted by AJHall
                          I would do both. We use scanners and human beings and try to pour over code as well as cover similar scenarios to what we've seen in the numerous hackings we've encountered and continue to encounter over time. Nothing is 100%. Scanners will miss things and so do experts. I would never hire a security expert who was naive enough or enough of an egomaniac to tell me otherwise but I totally agree with you that if someone can afford it they're far far better off hiring someone who specializes in security than relying on a developer for this.
                          Naturally nothing is 100%, and I'm not sure if you were calling my statement naive, but my main point was that the majority rely on them.

                          Comment

                          • AJHall
                            Confirmed User
                            • Nov 2002
                            • 1306

                            #14
                            Originally posted by alcstrategy
                            Naturally nothing is 100%, and I'm not sure if you were calling my statement naive, but my main point was that the majority rely on them.
                            No, not referring to you and yes, the majority do or are not doing anything at all.
                            Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.

                            Comment

                            • pstation
                              Confirmed User
                              • Jul 2003
                              • 1135

                              #15
                              it should always just be assumed that your software/servers/etc are insecure because if someone wants to get in hard enough eventually they'll definitely get in. keep backup and have a plan on what to do when shit hits the fan

                              Comment

                              • _Richard_
                                Too lazy to set a custom title
                                • Oct 2006
                                • 30991

                                #16
                                Originally posted by AJHall
                                That's a good point. Always better to err on the side of caution and anytime you hire someone to code anything you're putting a lot of trust in them. At least on a site like guru or elance you can read reviews from other customers and if the coder has been around a long time chances are if they did stuff like put in backdoors someone would have noticed and called them out on it.
                                the scam i heard was the freelance is hired, does the work, gets paid, and extorts for more

                                Comment

                                • HomerSimpson
                                  Too lazy to set a custom title
                                  • Sep 2005
                                  • 13826

                                  #17


                                  if you're not better coder than him - you can't check it...
                                  so trust is something that's crucial...
                                  Make a bank with Chaturbate - the best selling webcam program
                                  Ads that can't be block with AdBlockers !!! /// Best paying popup program (Bitcoin payouts) !!!

                                  PHP, MySql, Smarty, CodeIgniter, Laravel, WordPress, NATS... fixing stuff, server migrations & optimizations... My ICQ: 27429884 | Email:

                                  Comment

                                  • jwerd
                                    Confirmed User
                                    • Jun 2003
                                    • 1953

                                    #18
                                    Originally posted by lakerslive
                                    I didnt give him access to my sql databse.. only files. Am i safe from that sql permission you mentioned?
                                    Unfortunately, if he had access to a database settings file he might be able to dump the database or alter something by uploading his own version of say phpmyadmin or some other db tool and plugin those settings. It's pretty unlikely that he'd go thru that much trouble, though.
                                    Yii Framework Guru - Seasoned PHP vet - Partner @ XXXCoupon.com

                                    Comment

                                    • lakerslive
                                      Confirmed User
                                      • Aug 2012
                                      • 929

                                      #19
                                      Originally posted by jwerd
                                      Unfortunately, if he had access to a database settings file he might be able to dump the database or alter something by uploading his own version of say phpmyadmin or some other db tool and plugin those settings. It's pretty unlikely that he'd go thru that much trouble, though.
                                      1. I didnt give him access to SQL/PHP admin database
                                      2. main site is located on a different server with different passwords and username.
                                      3. He was working on a demo site..and I didn't include all the files in the demo site.

                                      he has no idea where my main site is.. he doesnt know the domain name.

                                      Comment

                                      • adulttraffic
                                        Confirmed User
                                        • Mar 2006
                                        • 797

                                        #20
                                        Originally posted by alcstrategy
                                        With all respect this is false. A "competent" person will find faulty code and logic better than any scanner, and that is how vulnerabilities are discovered. The trouble is most people who think they are competent actually aren't, and the scanners people rely on often times miss many things.

                                        There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.
                                        Perfectly stated, just because someone can code by no means they know shit about security. Always assume the worst has happened cause feedback means shit. It just means they probably haven't been caught yet.
                                        Respect My Authoritah!

                                        Comment

                                        • adulttraffic
                                          Confirmed User
                                          • Mar 2006
                                          • 797

                                          #21
                                          Originally posted by pstation
                                          it should always just be assumed that your software/servers/etc are insecure because if someone wants to get in hard enough eventually they'll definitely get in. keep backup and have a plan on what to do when shit hits the fan
                                          Funny you mentioned this.. I've been in the business for 15 years now. Both Whitehat and blackhat. It was fucking hilarious when NATS denied their hack to try and save face. While the people who did it were messaging me daily asking if I wanted to buy NATS email dumps.
                                          Last edited by adulttraffic; 03-12-2013, 05:58 PM.
                                          Respect My Authoritah!

                                          Comment

                                          • blackmonsters
                                            Making PHP work
                                            • Nov 2002
                                            • 20966

                                            #22
                                            Originally posted by lakerslive
                                            1. I didnt give him access to SQL/PHP admin database
                                            2. main site is located on a different server with different passwords and username.
                                            3. He was working on a demo site..and I didn't include all the files in the demo site.

                                            he has no idea where my main site is.. he doesnt know the domain name.
                                            One thing for sure; it's not good to have this feeling eating at you.

                                            I think you are probably safe but for some reason the programmer is not making
                                            you feel confident.


                                            Free Open Source Live Aggregated Cams Script (FOSLACS)

                                            Comment

                                            • sarettah
                                              see you later, I'm gone
                                              • Oct 2002
                                              • 14298

                                              #23
                                              Originally posted by alcstrategy
                                              There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.
                                              QFT

                                              .
                                              All cookies cleared!

                                              Comment

                                              • AJHall
                                                Confirmed User
                                                • Nov 2002
                                                • 1306

                                                #24
                                                Originally posted by _Richard_
                                                the scam i heard was the freelance is hired, does the work, gets paid, and extorts for more
                                                Even on a public site with reviews? I would think anyone who hired them would go back after the fact and post about it if they were being scammed.
                                                Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.

                                                Comment

                                                • _Richard_
                                                  Too lazy to set a custom title
                                                  • Oct 2006
                                                  • 30991

                                                  #25
                                                  Originally posted by AJHall
                                                  Even on a public site with reviews? I would think anyone who hired them would go back after the fact and post about it if they were being scammed.
                                                  i was speaking generally.. who knows if the person goes backs and 'reports it'

                                                  generally cost of doing business, no?

                                                  Comment

                                                  • My Fucking Traffic
                                                    So Fucking Banned
                                                    • Jun 2004
                                                    • 996

                                                    #26
                                                    Many people have resorted to putting kill switches into their code. I've done it a few times, but only on clients who seem to be problematic and sketchy on paying... Once full payment is made, the kill switch is removed completely.

                                                    Most programmers who do this do it because the code is on the clients servers and could risk being shut out without pay when the work is done. It's a security measure.

                                                    If you had paid all agreed prices and feel a kill switch is still in place, I suggest getting a programmer to check it out for you.

                                                    If you want, I can look at the code for you, free of charge.

                                                    Comment

                                                    Working...