Solved

Is there a way to delete a PHP file currently in use?

Posted on 2004-11-16
Last Modified: 2006-11-17
Hello, I was thinking about selling a PHP script and building in a security feature that I could use to check to see if anybody else had sold it. If I found the script online without my copyrights in place, I could simply send some info to it and have it delete itself off of their server? Or possibly re-write itself?

Any chances this could be done? (I am aware that if the person selling or giving it away knows what they are doing, they could remove the security feature, but I'm banking that most wouldn't think to look.)

So, one of two options, could the script delete itself, or could you have it re-write itself?

Regards...
0
Question by:ziffgone
13 Comments
 
LVL 11

Expert Comment

by:neester
ID: 12600364
Hmm...
Yeah you could I guess.
Something I would do would be simply APPEND to the .htaccess file (if it exists) or create the .htaccess file.
Then just whenever someone runs that PHP script, it will redirect them to an image on your webserver!
The person with the script will have no idea, since the .htaccess files are usually a mystery to the people running the website.

something simple like this:

if ($_GET['_ss_'] == 1)
{
   $myFile= fopen('.htaccess','a');
   $string = "ReWriteEngine On\n\nReWriteRule ^yourscriptname.php\S+ http://www.yourserver.com/stolenimage.jpg";
   fputs($myFile, $string);
}


Then you just load the stolen page, but add this to the URL: ?_ss_=1
And then it SHOULD disable the page from loading, and load your IMAGE instead :)
0
 
LVL 11

Accepted Solution

by:
neester earned 800 total points
ID: 12600381
Ahh sorry, forgot this:

fclose($myFile);


if ($_GET['_ss_'] == 1)
{
   $myFile= fopen('.htaccess','a');
   $string = "ReWriteEngine On\n\nReWriteRule ^yourscriptname.php\S+ http://www.yourserver.com/stolenimage.jpg";
   fputs($myFile, $string);
   fclose($myFile);
}
0
 
LVL 14

Author Comment

by:ziffgone
ID: 12600719
Hi neester,

The php page in question is being displayed in an iFrame within a parent page, this is the way it would likely be displayed everywhere, would this make a difference on the outcome?

The script works well in that it writes the .htaccess file to the directory, but when I call the parent page and it calls the php script, it is not redirecting to the "stolenimage.jpg" file.

Any ideas?

Regards...
0
 
LVL 11

Expert Comment

by:neester
ID: 12601071
Ahhh ok.
Well add that script to the PARENT PHP file...
I think that would work...

If that doesn't work, I need some more info on what your script actually does??
0
 
LVL 9

Assisted Solution

by:_GeG_
_GeG_ earned 600 total points
ID: 12601747
and you can rewrite/delete your own script. PHP loads the script before it is executed, so you could use this code:
<?php
if ($_GET['_ss_'] == 1){
    $myfile=file_get_contents('myfile.php');
    $fp=fopen('myfile.php', 'w');
    fwrite($fp, <<<EOS
<?php
header('Location:  http://www.yourserver.com/stolenimage.jpg');
exit;
?>
EOS
        );
    fclose($fp);
}
?>
You will have to add code to check file system permissions before doing that...
0
 
LVL 11

Expert Comment

by:neester
ID: 12602179
>> _GeG_

yeah but see, the person running that script will EASILY be able to see what's wrong.
With my method - it hopefully will fool them into thinking there is some external validation...
0
 
LVL 9

Expert Comment

by:_GeG_
ID: 12602427
@neester
yes, but ;)
with your version, the person can look in the script to find out what happened and reverse it
with my version, there is no code left to analyze

@ziffgone
do you know of the ioncube php encoder?
0
 
LVL 11

Expert Comment

by:neester
ID: 12602957
_GeG_

Yeah, but, if they have the code uploaded.
They would have it locally anyway.
The PHP Encoders are pretty good, but I don't know of a free one??
0
 
LVL 10

Expert Comment

by:frugle
ID: 12604500
The best way to protect your script is to build in license-key checking and encrypt it with zend.

Any scripts I download and use I personally check for "bad things" before I put them anywhere near my server. It is a reasonably simple task to find and remove any instructions, or to see what the "input" required is, then wipe out the site of anyone else using your script. This will reflect badly on you.

A non-destructive way to mess with someone's site and/or server is to exec(`chmod -R 0 /`); and hope the webserver user hasn't been given elevated privs... it basically renders every file on the server that is changeable by the webserver (usually any files it has created itself) unreadable. It's fairly simple for a sysadmin to repair the damage as nothing is actually deleted or corrupted.

Mike
0
 
LVL 9

Expert Comment

by:_GeG_
ID: 12606183
@frugle
I agree that encoding is the best way to protect a script. But ioncube is cheaper than zend ;)

To prevent misuse of your own file deletion script, you can easily use md5, something like
if (md5($_GET['_ss_']) == '43afbdd58e3e32d2f27ea0fcb2c8d401'){
...
0
 
LVL 10

Assisted Solution

by:frugle
frugle earned 600 total points
ID: 12606357
From that I take it the script would look like...

if (md5($_GET['_ss_']) == '43afbdd58e3e32d2f27ea0fcb2c8d401'){
    unlink($_SERVER['SCRIPT_FILENAME']);
}

If I remember rightly, on linux servers, the physical file is loaded into memory then executed. It can therefore be unlinked prior to termination as the file is not locked open.

However, seeing this [unlink] line in an application will cause me to replace it with:

mail("me@mydomain.com", "ALERT!!!", "{$_SERVER['REMOTE_ADDR']} just tried to unlink file {$_SERVER['SCRIPT_FILENAME']} with command: {$_SERVER['QUERY_STRING']}");

I'd then be looking for REMOTE_ADDR with a large spoon.

Mike
0
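Added example, not code from any poster in this thread: a small Python pre-deployment check in the spirit of frugle's habit of reading downloaded scripts for "bad things". It flags the request-triggered, self-delete and rewrite patterns posted above; the rule names, regexes and sample input are constructed for illustration, and the matching is a line-based heuristic, not a PHP parser.

```python
import re
from typing import List, NamedTuple

class Finding(NamedTuple):
    line: int
    rule: str
    text: str

# Hypothetical rule set: each pattern mirrors one snippet posted in the thread.
RULES = [
    ("hashed-request-trigger",   # md5($_GET[...]) == '<32 hex chars>'
     re.compile(r"md5\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b[^)]*\)\s*={2,3}\s*['\"][0-9a-fA-F]{32}['\"]")),
    ("self-delete",              # unlink() aimed at the running script
     re.compile(r"\bunlink\s*\(\s*(\$_SERVER\s*\[\s*['\"]SCRIPT_FILENAME['\"]\s*\]|__FILE__)")),
    ("code-or-config-write",     # .php or .htaccess opened in a writable mode
     re.compile(r"\bfopen\s*\(\s*['\"][^'\"]*\.(htaccess|php)['\"]\s*,\s*['\"]([awxc]|r\+)")),
    ("shell-exec",               # shell commands run from PHP
     re.compile(r"\b(exec|system|shell_exec|passthru)\s*\(")),
]

def audit_php(source: str) -> List[Finding]:
    """Return one Finding per (line, rule) match, ignoring comment-only lines."""
    findings = []
    for number, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(("//", "#", "*", "/*")):
            continue  # commented-out code does not execute
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(number, rule, line))
    return findings

# Constructed sample input assembled from the snippets quoted in this thread.
SAMPLE = r"""<?php
// constructed test input
$page = fopen('template.php', 'r');
if (md5($_GET['_ss_']) == '43afbdd58e3e32d2f27ea0fcb2c8d401') {
    unlink($_SERVER['SCRIPT_FILENAME']);
}
if ($_GET['_ss_'] == 1) {
    $f = fopen('.htaccess', 'a');
}
// unlink(__FILE__);
?>"""

if __name__ == "__main__":
    for f in audit_php(SAMPLE):
        print(f"line {f.line}: {f.rule}: {f.text}")
```

A hit only means the line deserves a manual read; encoded or obfuscated scripts will not match these patterns.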
 
LVL 9

Expert Comment

by:_GeG_
ID: 12606510
If you had bought the script, the spoon might be the right instrument ;)
... but if not...
0
 
LVL 14

Author Comment

by:ziffgone
ID: 12611207
Thank you all for your input, this has been an excellent lesson for me. I have decided to go with a mixture of most of what was said here.

_GeG_, your first post is essentially the solution I came to myself, so you get some points.

frugle, I have decided to go with your suggestion of md5, so you also get points.

And neester, you sent me in the right direction from the start, so the majority of the points are yours.

Thanks all. :)

Regards...
0

Question has a verified solution.