some kind of backdoor to hack your site? what to look for? thanks. I pay my programmers on time and on their bid. but why would they do such thing? or im just paranoid?
How to know if Coder Insert malicious code into your script?
Collapse
X
-
Tags: None
-
If you're not proficient in programming, you might consider finding someone who is, and having them look for you. The size of the site/script would determine what someone like that might charge, as well as their general experience level.
Sometimes, backdoors hide in unlikely places, like the user permissions in MySQL. You have to look under a lot of rocks.
In my experience, backdoors, etc, are generally pretty rare, and are often only inserted by Freelancer / Rent-a-Coder types. -
If it is malware then your antivirus will tell you.
If you think something is getting injected into server, first thing I look for is a pattern of date changes.
And yeah... hire a programmer if you think you need it. Also, great to have a good host who can clean up any injections as well. That right there is worth tons. They can also run scans and look for vulnerabilities.Comment
-
I didnt give him access to my sql databse.. only files. Am i safe from that sql permission you mentioned?Comment
-
Sometimes a disgruntled coder or someone trying to protect their work will do that but 100% of the "backdoor" type stuff we've encountered over the years with coding staff has been accidental or unintentional and often due to lack of care or lack of experience. More often they don't know enough about security and overlook something or they're in a hurry and as a result they write fast and sloppy code that leaves a vulnerability we end up fixing later.
Unless you have reason to believe they're inserting malicious code I wouldn't worry about it too much.Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.Comment
-
bologna! Although a sloppy programmer may leave backdoors open by mistake you should always assume the possibility they have left some sort of "killswitch" or a way for them to access your server in case he dosent get paid, especially if you hire them from an e-lance type of site. The only way to truly know is to have someone competent go through everything he has done on your server.Sometimes a disgruntled coder or someone trying to protect their work will do that but 100% of the "backdoor" type stuff we've encountered over the years with coding staff has been accidental or unintentional and often due to lack of care or lack of experience. More often they don't know enough about security and overlook something or they're in a hurry and as a result they write fast and sloppy code that leaves a vulnerability we end up fixing later.
Unless you have reason to believe they're inserting malicious code I wouldn't worry about it too much.Respect My Authoritah!Comment
-
This is why the very first line of my response says "Sometimes a disgruntled coder or someone trying to protect their work will do that"bologna! Although a sloppy programmer may leave backdoors open by mistake you should always assume the possibility they have left some sort of "killswitch" or a way for them to access your server in case he dosent get paid, especially if you hire them from an e-lance type of site. The only way to truly know is to have someone competent go through everything he has done on your server.
IMO the only way to really know is to run penetration tests and use the same methods that hackers use to find exploits and breaches in software. Even someone "competent" is likely to miss something and no coder out there knows everything or will be able to identify every possible exploit.
Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.Comment
-
Very true... I said bologna because you should always assume the worst. And yeah.. Since all coders work on very different skill levels it would be very difficult to find anything or everything all the time. Basically you would have to work on someones "word" that they dident do shit like that. But in business you cant trust anyone.This is why the very first line of my response says "Sometimes a disgruntled coder or someone trying to protect their work will do that"
IMO the only way to really know is to run penetration tests and use the same methods that hackers use to find exploits and breaches in software. Even someone "competent" is likely to miss something and no coder out there knows everything or will be able to identify every possible exploit.
Respect My Authoritah!Comment
-
That's a good point. Always better to err on the side of caution and anytime you hire someone to code anything you're putting a lot of trust in them. At least on a site like guru or elance you can read reviews from other customers and if the coder has been around a long time chances are if they did stuff like put in backdoors someone would have noticed and called them out on it.Very true... I said bologna because you should always assume the worst. And yeah.. Since all coders work on very different skill levels it would be very difficult to find anything or everything all the time. Basically you would have to work on someones "word" that they dident do shit like that. But in business you cant trust anyone.Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.Comment
-
With all respect this is false. A "competent" person will find faulty code and logic better than any scanner, and that is how vulnerabilities are discovered. The trouble is most people who think they are competent actually aren't, and the scanners people rely on often times miss many things.IMO the only way to really know is to run penetration tests and use the same methods that hackers use to find exploits and breaches in software. Even someone "competent" is likely to miss something and no coder out there knows everything or will be able to identify every possible exploit.
There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.Comment
-
I would do both. We use scanners and human beings and try to pour over code as well as cover similar scenarios to what we've seen in the numerous hackings we've encountered and continue to encounter over time. Nothing is 100%. Scanners will miss things and so do experts. I would never hire a security expert who was naive enough or enough of an egomaniac to tell me otherwise but I totally agree with you that if someone can afford it they're far far better off hiring someone who specializes in security than relying on a developer for this.With all respect this is false. A "competent" person will find faulty code and logic better than any scanner, and that is how vulnerabilities are discovered. The trouble is most people who think they are competent actually aren't, and the scanners people rely on often times miss many things.
There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.Comment
-
Naturally nothing is 100%, and I'm not sure if you were calling my statement naive, but my main point was that the majority rely on them.I would do both. We use scanners and human beings and try to pour over code as well as cover similar scenarios to what we've seen in the numerous hackings we've encountered and continue to encounter over time. Nothing is 100%. Scanners will miss things and so do experts. I would never hire a security expert who was naive enough or enough of an egomaniac to tell me otherwise but I totally agree with you that if someone can afford it they're far far better off hiring someone who specializes in security than relying on a developer for this.Comment
-
Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.Comment
-
the scam i heard was the freelance is hired, does the work, gets paid, and extorts for moreThat's a good point. Always better to err on the side of caution and anytime you hire someone to code anything you're putting a lot of trust in them. At least on a site like guru or elance you can read reviews from other customers and if the coder has been around a long time chances are if they did stuff like put in backdoors someone would have noticed and called them out on it.Comment
-

if you're not better coder than him - you can't check it...
so trust is something that's crucial...Make a bank with Chaturbate - the best selling webcam program
Ads that can't be block with AdBlockers !!! /// Best paying popup program (Bitcoin payouts) !!!
PHP, MySql, Smarty, CodeIgniter, Laravel, WordPress, NATS... fixing stuff, server migrations & optimizations... My ICQ: 27429884 | Email:
Comment
-
Unfortunately, if he had access to a database settings file he might be able to dump the database or alter something by uploading his own version of say phpmyadmin or some other db tool and plugin those settings. It's pretty unlikely that he'd go thru that much trouble, though.Yii Framework Guru - Seasoned PHP vet - Partner @ XXXCoupon.comComment
-
1. I didnt give him access to SQL/PHP admin databaseUnfortunately, if he had access to a database settings file he might be able to dump the database or alter something by uploading his own version of say phpmyadmin or some other db tool and plugin those settings. It's pretty unlikely that he'd go thru that much trouble, though.
2. main site is located on a different server with different passwords and username.
3. He was working on a demo site..and I didn't include all the files in the demo site.
he has no idea where my main site is.. he doesnt know the domain name.Comment
-
Perfectly stated, just because someone can code by no means they know shit about security. Always assume the worst has happened cause feedback means shit. It just means they probably haven't been caught yet.With all respect this is false. A "competent" person will find faulty code and logic better than any scanner, and that is how vulnerabilities are discovered. The trouble is most people who think they are competent actually aren't, and the scanners people rely on often times miss many things.
There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.Respect My Authoritah!Comment
-
Funny you mentioned this.. I've been in the business for 15 years now. Both Whitehat and blackhat. It was fucking hilarious when NATS denied their hack to try and save face. While the people who did it were messaging me daily asking if I wanted to buy NATS email dumps.Last edited by adulttraffic; 03-12-2013, 05:58 PM.Respect My Authoritah!Comment
-
One thing for sure; it's not good to have this feeling eating at you.1. I didnt give him access to SQL/PHP admin database
2. main site is located on a different server with different passwords and username.
3. He was working on a demo site..and I didn't include all the files in the demo site.
he has no idea where my main site is.. he doesnt know the domain name.
I think you are probably safe but for some reason the programmer is not making
you feel confident.
Comment
-
Owner, Elevated X - The 4 Time Award Winning Adult CMS Software Company Used by More Than 2000 Adult Sites.Comment
-
Comment
-
Many people have resorted to putting kill switches into their code. I've done it a few times, but only on clients who seem to be problematic and sketchy on paying... Once full payment is made, the kill switch is removed completely.
Most programmers who do this do it because the code is on the clients servers and could risk being shut out without pay when the work is done. It's a security measure.
If you had paid all agreed prices and feel a kill switch is still in place, I suggest getting a programmer to check it out for you.
If you want, I can look at the code for you, free of charge.Comment

Comment