Kill Switch for Websites? Is it possible?

[TripleXPrint]

A guy who designed a couple websites for me is having some health issues so he provided all my website files and databases. I uploaded them perfectly fine with the help of a a new developer. The new developer pointed out a file buried deep in a folder called self_destruct.php. We can't open or delete it, says we don't have permission. When you visit the link directly, you're prompted for a user/pass.

I called the original developer and he said it's a kill switch he puts into every one of his websites. If the client doesn't pay or they try to resell the website, he runs that script and it deletes the database and some key config files. WTF!?!? I mean he's cool, we never had a problem. But knowing some dude could have gotten fucked up one night and totally destroy my website was pretty scary.

GFY webheads...is this even possible or is he bullshitting me? Is it a common practice? It makes sense.

[DVTimes]

it sounds like it could be done.

mabe its an off the shelf thing all programers use.

[KickAssJesse]

Sounds like a real developer to me

[DangerX !!!]

I would never host any shit I don't know. You do? LOL

[signupdamnit]

It's possible but the client would have to be either stupid or not very technically inclined to be sure it would work. Depending on how he coded things it would be trivial to remove or block access to it so it could not be executed. Regardless, I don't think I'd allow someone to do that. It's dangerous.

[DangerX !!!]

BTW it sounds kinda noobish solution to me I think I could defuse this mine in various ways, the question is what else he has hidden there that you don't know about it.

[Klen]

Bullshit how it cant be deleted,maybe over ftp cant but over ssh with root access you can.

[signupdamnit]

One other thing. You'd think he would have more sense than to name it self_destruct.php.

[CaptainWolfy]

lool interesting thing to screw the costumers :D he can blackmail you now!

your webhost could remove it.
But yeah, very possible, we used to call them "theif bombs" if someone tried to not pay, activate it and booom, site is corrupt!!
Never heard of anyone having to use one though and i dont use them myself!!

[signupdamnit]

Quote:

Originally Posted by Altwebdesign

Never heard of anyone having to use one though and i dont use them myself!!

I bet they are more common than people think. Here's a recent case of a guy doing something somewhat similar in arcade games in order to ensure he kept getting business. http://www.wftv.com/news/26986709/detail.html After so many power cycles the games were programmed to fail.

[brassmonkey]

hahahaha!!!! sorry 4 laughing thats funny

[machinegunkelly]

I've never used one, but know of programmers that use measures like this.

[georgeyw]

you will be able to delete the file or chmod the file etc - easy enough to put an end to that one.

[BJ]

had a programmer once who put quotes from the bible in the comment tags

[yabate]

Quote:

Originally Posted by BJ

had a programmer once who put quotes from the bible in the comment tags

LOL

@TripleXPrint,
get a new developer and make completely new site.
You don't know when he (or any other experienced user) will use script.

[plsureking]

Quote:

Originally Posted by signupdamnit

It's possible but the client would have to be either stupid or not very technically inclined to be sure it would work. Depending on how he coded things it would be trivial to remove or block access to it so it could not be executed. Regardless, I don't think I'd allow someone to do that. It's dangerous.

its definitely possible and i've added kill files myself. there's a lot of shady scumbags in online adult. mine dont delete everything - as that is stupid - it just puts the site into maintenance mode.

ya as signupdamnit said, just block access to the file thru htaccess if u cant delete it. and if u cant delete it you should figure out why you dont have root access to your own servers.

[Trend]

What does your agreement with him/them state?

If this is not disclosed or if there is no contract then you have the federal courts on your side. In 2004, on a mainstream project we had this happen. The developer used this "feature" to demand additional payment.

Our attorney went to the federal court and asked for an emergency hearing which was granted. He was found to be in violation of numerous federal codes. The judge additionally considered this to be a potential extortion scheme and a cyber terrorism threat. I accompanied the federal marshals to his place of business and his home ( on the same day as the hearing). He was arrested and everything he owned that could have potentially been used to create or store code was confiscated. I mean everything down to Zip drives ( remember those? )

Ultimately he was forced by the federal courts to provide us a clean copy of the code and pay for an independent examination of the code to ensure there were no other instances of this or any other back doors or nefarious code.

[martinsc]

Quote:

Originally Posted by signupdamnit

One other thing. You'd think he would have more sense than to name it self_destruct.php.

[Jakez]

Doesn't sound too fucked up IMO, as long as it is removed after payment is sent?

Speaking of hidden things in scripts, if anyone is using babelogger trying going to yoursite.com/msgs.php?msg=beatles (in IE)

http://www.13scripts.com/demos/babel...hp?msg=beatles

[adp]

Try uploading everything onto a different server without the self destruct file to make sure it all functions right. If it were me I'd probably pay another developer to go through everything else to ensure that "self_destruct.php" isn't just a decoy and the real one is still there hidden under a different name. Sounds like some shady shit and I don't understand why you wouldn't have looked at the files in the first place and already seen it?

[k0nr4d]

there is so much wrong with that I don't know where to start. Another big concern is the fact there is now a huge backdoor that ANYONE can use to crash your whole site, and most people have at least weekly backups anyways so what the hell good does it do him when people will just restore from backup and still have the site anyways?

[plsureking]

Quote:

Originally Posted by k0nr4d

there is so much wrong with that I don't know where to start. Another big concern is the fact there is now a huge backdoor that ANYONE can use to crash your whole site, and most people have at least weekly backups anyways so what the hell good does it do him when people will just restore from backup and still have the site anyways?

thats why i use encrypted license files. expired is expired even from the backup

[icymelon]

good thing you have files to upload. and the site should be transferable

[vdbucks]

Quote:

Originally Posted by TripleXPrint

A guy who designed a couple websites for me is having some health issues so he provided all my website files and databases. I uploaded them perfectly fine with the help of a a new developer. The new developer pointed out a file buried deep in a folder called self_destruct.php. We can't open or delete it, says we don't have permission. When you visit the link directly, you're prompted for a user/pass.

I called the original developer and he said it's a kill switch he puts into every one of his websites. If the client doesn't pay or they try to resell the website, he runs that script and it deletes the database and some key config files. WTF!?!? I mean he's cool, we never had a problem. But knowing some dude could have gotten fucked up one night and totally destroy my website was pretty scary.

GFY webheads...is this even possible or is he bullshitting me? Is it a common practice? It makes sense.

It's called insurance. If this guy is a real developer then chances are he wants to be paid... and chances are he's gotten screwed over enough times, which led him to such measures.

Quote:

Originally Posted by KlenTelaris

Bullshit how it cant be deleted,maybe over ftp cant but over ssh with root access you can.

This. root trumps all

Quote:

Originally Posted by plsureking

its definitely possible and i've added kill files myself. there's a lot of shady scumbags in online adult. mine dont delete everything - as that is stupid - it just puts the site into maintenance mode.

ya as signupdamnit said, just block access to the file thru htaccess if u cant delete it. and if u cant delete it you should figure out why you dont have root access to your own servers.

exactly.

Quote:

Originally Posted by adp

Try uploading everything onto a different server without the self destruct file to make sure it all functions right. If it were me I'd probably pay another developer to go through everything else to ensure that "self_destruct.php" isn't just a decoy and the real one is still there hidden under a different name. Sounds like some shady shit and I don't understand why you wouldn't have looked at the files in the first place and already seen it?

Quote:

Originally Posted by k0nr4d

there is so much wrong with that I don't know where to start. Another big concern is the fact there is now a huge backdoor that ANYONE can use to crash your whole site, and most people have at least weekly backups anyways so what the hell good does it do him when people will just restore from backup and still have the site anyways?

He's probably not expecting his average customers to go through and inspect all of the files. I'm pretty sure 99% of them don't. It's an easy to remember file for him to wreck havoc on scumbags.

And, what is wrong with this exactly? If he has a reputation and wants to keep it, he'd never do something to intentionally harm a client. And instead of blaming the developer, why not blame all the scumbag fucking crooks out there that make such measures necessary?

Personally, when I take on a 3rd party client, I find it easier to keep all work hosted and in my control until completed. Show the client a fully working demo and let him play around inside the backend with a non super user account. Then once in agreement regarding the end product, I receive payment first then transfer files. I also tell clients this up front so as not to give some loser a way to try and sue me because he's a dirtbag.

Anyway, don't blame the dev, especially if he's legit and has a good reputation in his field. Blame your scum peers in this industry (and others) for making such things necessary.

[cooldude7]

i would decode that php and/delete it, i dont like the idea of hosting something which isnt in my control.

or u could try brute-forcing that self-destruct.php after making backup, then ask him for his client list and boom, u delete every others site.,,

[SimonScans]

Quote:

Originally Posted by plsureking

thats why i use encrypted license files. expired is expired even from the backup

And you wonder why I never went with your CMS.

Beer in one hand, excitable lady in the other and location setting under your avatar set to "beyond reach"

You aren't exactly inspiring confidence or exuding professionalism with that look.

As a client, encrypted code and/or kill switches are a deal breaker. I'll tolerate it from billers and TMM, because they come under their own category - when I use their products I'm buying their reputation to pass on to third parties - surfers and affiliates. - Surfers and affs hopefully get it that for better or for worse, I can't fuck with those systems, so they can trust them, even if they think I might be a scumbag.

[plsureking]

Quote:

Originally Posted by SimonScans

And you wonder why I never went with your CMS.

Beer in one hand, excitable lady in the other and location setting under your avatar set to "beyond reach"

You aren't exactly inspiring confidence or exuding professionalism with that look.

As a client, encrypted code and/or kill switches are a deal breaker. I'll tolerate it from billers and TMM, because they come under their own category - when I use their products I'm buying their reputation to pass on to third parties - surfers and affiliates. - Surfers and affs hopefully get it that for better or for worse, I can't fuck with those systems, so they can trust them, even if they think I might be a scumbag.

do you want me to quote the emails of why you didn't go with my cms? it wasn't my gfy avatar or that i PROTECT my software from thiefs and non-payers with an encrypted license file. your reasons were ridiculous and rare. you wanted a VISUAL cms navigation. words were too confusing to follow while managing your website. i let it go and didn't pursue you because my software didn't fit your needs and/or personality. so why attack me here? you have a lack of self-confidence?

there's no reason to attack my avatar here either. this is gfy and i get plenty of sales regardless of my avatar. your one sale was not needed last year, and you were a pain in the ass during PRESALE. we even had a ridiculous phone convo about how my cms was all wrong and you wanted it completely customized. thanks but no thanks..

by the way, does your brand new tour using your brand new cms still take 10 seconds to load?? it must be so much better than my fast, cheap and easy to use cms (-easy for hundreds of normal people-).

note - a new cms sale just came in as i was typing this plus 2 sales for one of the sites i manage. thanks for playing tho Simon.


^^ simon's "professional" avatar ^^

[pornguy]

First thing I would do is out his name and any URLs that he uses so no one else gets this shit.

[Klen]

Quote:

Originally Posted by Jakez

Doesn't sound too fucked up IMO, as long as it is removed after payment is sent?

Speaking of hidden things in scripts, if anyone is using babelogger trying going to yoursite.com/msgs.php?msg=beatles (in IE)

http://www.13scripts.com/demos/babel...hp?msg=beatles

It loaded beatles image and tried to open windows media player.

[Chris]

Ive seent his done in software programs
but i think they need to let you know ahead of time they are putting stuff like this in

[fatfoo]

Quote:

Originally Posted by TripleXPrint

If the client doesn't pay

I think that's fair. If the client doesn't pay, he/she doesn't get the product. The self destruct file is interesting. It's like saying, "you have 5 seconds to terminate this tape."

[acctman]

I have a back door file I install on sites when I take side jobs (i.e. craigslist admin jobs) till the client pays then I remove it. I've only had to use it once. Was setting up a webhosting WHM server for a client and the guy was a total a-hole and kept delaying payment so I went back in and removed everything and crippled his server. needless to say the next day he was willing to pay. i alway remove the extra password or script once paid. i have zero desire to go back into someone's system once my job is complete.

anyway personally i wouldn't name the file self_destruct.php probably something like site_function.inc and the have anything site_proc.php reference that file. But anyway all dev's should have a way back in. its nothing personal, its just that a lot of people are a-holes and look to rip people off.

Quote:

Originally Posted by fatfoo

I think that's fair. If the client doesn't pay, he/she doesn't get the product. The self destruct file is interesting. It's like saying, "you have 5 seconds to terminate this tape."

Developers generally take a percentage upfront. what some people forget is that as a freelance developer if your client doesnt pay, you dont get paid, it's not like working for a company where you generally get paid no matter what.
A developer can spend, hours, weeks, hell even months programming and for someone to recieve the work and not pay is a huge kick in the teeth, i guess it's this guys way of saying, ok you screwed me, now i screw you and getting satisfaction that the site isnt online. It's awful when this happens as nobody will pay the freelancer for all his hours spent on that paticular project.

[Barry-xlovecam]

Quote:

Originally Posted by KlenTelaris

Bullshit how it cant be deleted,maybe over ftp cant but over ssh with root access you can.

Quoted for truth ... server@root POOF!

.

[SimonScans]

Quote:

Originally Posted by plsureking

do you want me to quote the emails of why you didn't go with my cms? it wasn't my gfy avatar or that i PROTECT my software from thiefs and non-payers with an encrypted license file. your reasons were ridiculous and rare. you wanted a VISUAL cms navigation. words were too confusing to follow while managing your website. i let it go and didn't pursue you because my software didn't fit your needs and/or personality. so why attack me here? you have a lack of self-confidence?

there's no reason to attack my avatar here either. this is gfy and i get plenty of sales regardless of my avatar. your one sale was not needed last year, and you were a pain in the ass during PRESALE. we even had a ridiculous phone convo about how my cms was all wrong and you wanted it completely customized. thanks but no thanks..

by the way, does your brand new tour using your brand new cms still take 10 seconds to load?? it must be so much better than my fast, cheap and easy to use cms (-easy for hundreds of normal people-).

note - a new cms sale just came in as i was typing this plus 2 sales for one of the sites i manage. thanks for playing tho Simon.


^^ simon's "professional" avatar ^^

Lets take this down a notch or two. I am a total pain in the ass, I try my very hardest at that, but sadly that's just how it is, and it won't be changing any time soon. Given that that is who am I and how fast I got the ranty response from you, would you, in my shoes, be happy with leaving anyone with a kill switch?

My CMS is old, broken and nasty, but yes, I like images - I have somewhere in the region of 800 models, but because I shot them they all have both real names and model names. So I think in pictures. That's just how it is. I'm not a webmaster, I'm a photographer who shoots porn.

Funnily enough I recommended pornCMS yesterday as one to look at. You might have thought my pre-sale questions were annoying, but you hid it well at the time. Moving from an existing platform to another when you have shitloads of stuff is a big commitment and the time to work stuff out is before the sale. No point buying a car when you need a truck.

I am not attacking you, I am pointing out if you want people to put their entire business in your hands you have to realise you are in the big league and how you look online matters.

FYI, my Avatar is Randy from "My name is Earl", chosen entirely because he's an idiot, just scrapping by in life, but then I don't have my finger on anyone's kill switch.

[plsureking]

Quote:

Originally Posted by SimonScans

Lets take this down a notch or two. I am a total pain in the ass, I try my very hardest at that, but sadly that's just how it is, and it won't be changing any time soon. Given that that is who am I and how fast I got the ranty response from you, would you, in my shoes, be happy with leaving anyone with a kill switch?

My CMS is old, broken and nasty, but yes, I like images - I have somewhere in the region of 800 models, but because I shot them they all have both real names and model names. So I think in pictures. That's just how it is. I'm not a webmaster, I'm a photographer who shoots porn.

Funnily enough I recommended pornCMS yesterday as one to look at. You might have thought my pre-sale questions were annoying, but you hid it well at the time. Moving from an existing platform to another when you have shitloads of stuff is a big commitment and the time to work stuff out is before the sale. No point buying a car when you need a truck.

I am not attacking you, I am pointing out if you want people to put their entire business in your hands you have to realise you are in the big league and how you look online matters.

FYI, my Avatar is Randy from "My name is Earl", chosen entirely because he's an idiot, just scrapping by in life, but then I don't have my finger on anyone's kill switch.

I've been in the big leagues for a decade since being a webmaster for Ford Motor Company and then Hegre. Both are higher up the food chain than SimonScans. There is nothing amateur about my work or my image. This is gfy and my avatar and signature is good marketing for this platform. I receive inquiries every day from this board to prove it.

Porn CMS does not have a "kill switch" similar to the one posted by the OP and I never claimed it did. You don't like to read so I will forgive you for misquoting me. There is no file on Porn CMS that will erase an entire website. In fact, when I remove a site I do it manually using the command line. I have a 20-second install script but I am overly cautious on removal.

What I DID say is that Porn CMS has an encrypted license file, which is similar to every other reputable software on the market -- including NATS. The only people afraid of that are the ones that don't pay their bills.