How to know if Coder Insert malicious code into your script?
 

some kind of backdoor to hack your site? what to look for? thanks. I pay my programmers on time and on their bid. but why would they do such thing? or im just paranoid?

If you're not proficient in programming, you might consider finding someone who is, and having them look for you. The size of the site/script would determine what someone like that might charge, as well as their general experience level.

Sometimes, backdoors hide in unlikely places, like the user permissions in MySQL. You have to look under a lot of rocks.

In my experience, backdoors, etc, are generally pretty rare, and are often only inserted by Freelancer / Rent-a-Coder types.

If it is malware then your antivirus will tell you.

If you think something is getting injected into server, first thing I look for is a pattern of date changes.

And yeah... hire a programmer if you think you need it. Also, great to have a good host who can clean up any injections as well. That right there is worth tons. They can also run scans and look for vulnerabilities.

I didnt give him access to my sql databse.. only files. Am i safe from that sql permission you mentioned?

:2 cents::2 cents:

bigger the project, more chance there is a killswitch

Sometimes a disgruntled coder or someone trying to protect their work will do that but 100% of the "backdoor" type stuff we've encountered over the years with coding staff has been accidental or unintentional and often due to lack of care or lack of experience. More often they don't know enough about security and overlook something or they're in a hurry and as a result they write fast and sloppy code that leaves a vulnerability we end up fixing later.

Unless you have reason to believe they're inserting malicious code I wouldn't worry about it too much.

bologna! Although a sloppy programmer may leave backdoors open by mistake you should always assume the possibility they have left some sort of "killswitch" or a way for them to access your server in case he dosent get paid, especially if you hire them from an e-lance type of site. The only way to truly know is to have someone competent go through everything he has done on your server.

This is why the very first line of my response says "Sometimes a disgruntled coder or someone trying to protect their work will do that" :winkwink:

IMO the only way to really know is to run penetration tests and use the same methods that hackers use to find exploits and breaches in software. Even someone "competent" is likely to miss something and no coder out there knows everything or will be able to identify every possible exploit. :2 cents:

Very true... I said bologna because you should always assume the worst. And yeah.. Since all coders work on very different skill levels it would be very difficult to find anything or everything all the time. Basically you would have to work on someones "word" that they dident do shit like that. But in business you cant trust anyone.

That's a good point. Always better to err on the side of caution and anytime you hire someone to code anything you're putting a lot of trust in them. At least on a site like guru or elance you can read reviews from other customers and if the coder has been around a long time chances are if they did stuff like put in backdoors someone would have noticed and called them out on it.

With all respect this is false. A "competent" person will find faulty code and logic better than any scanner, and that is how vulnerabilities are discovered. The trouble is most people who think they are competent actually aren't, and the scanners people rely on often times miss many things.

There's a big difference between just a developer and someone specializing in security, and the big problem is few realize there's a difference.

I would do both. We use scanners and human beings and try to pour over code as well as cover similar scenarios to what we've seen in the numerous hackings we've encountered and continue to encounter over time. Nothing is 100%. Scanners will miss things and so do experts. I would never hire a security expert who was naive enough or enough of an egomaniac to tell me otherwise but I totally agree with you that if someone can afford it they're far far better off hiring someone who specializes in security than relying on a developer for this.

Naturally nothing is 100%, and I'm not sure if you were calling my statement naive, but my main point was that the majority rely on them.

No, not referring to you and yes, the majority do or are not doing anything at all.

it should always just be assumed that your software/servers/etc are insecure because if someone wants to get in hard enough eventually they'll definitely get in. keep backup and have a plan on what to do when shit hits the fan

the scam i heard was the freelance is hired, does the work, gets paid, and extorts for more

http://geektnt.com/static/2013/03/is...ofessional.png

if you're not better coder than him - you can't check it...
so trust is something that's crucial...

Unfortunately, if he had access to a database settings file he might be able to dump the database or alter something by uploading his own version of say phpmyadmin or some other db tool and plugin those settings. It's pretty unlikely that he'd go thru that much trouble, though.

1. I didnt give him access to SQL/PHP admin database
2. main site is located on a different server with different passwords and username.
3. He was working on a demo site..and I didn't include all the files in the demo site.

he has no idea where my main site is.. he doesnt know the domain name.

Perfectly stated, just because someone can code by no means they know shit about security. Always assume the worst has happened cause feedback means shit. It just means they probably haven't been caught yet.

Funny you mentioned this.. I've been in the business for 15 years now. Both Whitehat and blackhat. It was fucking hilarious when NATS denied their hack to try and save face. While the people who did it were messaging me daily asking if I wanted to buy NATS email dumps.

One thing for sure; it's not good to have this feeling eating at you.

I think you are probably safe but for some reason the programmer is not making
you feel confident.


:thumbsup

QFT :thumbsup

.

Even on a public site with reviews? I would think anyone who hired them would go back after the fact and post about it if they were being scammed.

i was speaking generally.. who knows if the person goes backs and 'reports it'

generally cost of doing business, no?

Many people have resorted to putting kill switches into their code. I've done it a few times, but only on clients who seem to be problematic and sketchy on paying... Once full payment is made, the kill switch is removed completely.

Most programmers who do this do it because the code is on the clients servers and could risk being shut out without pay when the work is done. It's a security measure.

If you had paid all agreed prices and feel a kill switch is still in place, I suggest getting a programmer to check it out for you.

If you want, I can look at the code for you, free of charge.