How do I check our website structure / phpMyAdmin code for any bugs?

mallony
I have this advice from a PHP web designer saying that we have a security issue. Please read his message below and advise:

Unfortunately, I have also noticed a number of other issues, which I have listed below:
 
- My Anti-Virus programme found a trojan when I downloaded the website (it’s the file /scripts/upload/upload/tmp.php, you can find more information provided by my anti-virus programme on https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~PhpShel-R.aspx)
I am not a specialist in terms of security issues like this, but I would recommend deleting this file as soon as possible and checking whether any damage has been done.
 
- You provide the option to deposit resumes, but it seems that the uploaded files are not checked for possible harmfulness (caused the issue above)
 
- The uploaded resumes are public for everyone with access (e.g. http://www.risingtide.ch/scripts/upload/upload/NiranjanSambhus_CurriculumVitae.pdf). This can be seen as a quite considerable privacy issue for your applicants.
 
- Other parts of the code are also not checking the quality of the requests by the users. The code that is used there is, in my opinion, a bit of a mess, and probably not sufficient for your company’s future needs.
 
These points just briefly sum up the main issues I noticed when looking at your homepage.
 
I would highly recommend bringing your website to the “up-to-date” web and security standards, which both you and the visitors of the website would benefit from.
 
If you have any further questions, please feel free to contact me.


Please let me know what I should do in this case to check our website for any malware, viruses or bugs.

Kind regards,
Eduardo.
Marco Gasi, Freelancer
Top Expert 2010
Commented:
A question: how did Eduardo download your site without your permission? The email seems to be an attempt to get a new client by alerting you about security issues (which we can never ignore, of course). If this is the case, that is, if Mr. Eduardo has not been hired by you to check your site, then it's AFAIK impossible that he downloaded your PHP scripts.

Here are my 2 cents:
- if you didn't hire Eduardo to check your website, then this email is just spam
- any antivirus program can give you false positives when scanning scripts, which can look like viruses but aren't
- without login credentials, nobody can download your PHP files: software like HTTrack, which downloads whole websites to your computer, downloads just the published files, like HTML files, JavaScript, images, stylesheets... that is, everything that is accessible by any browser. Your server-side scripts are not downloadable at all.

So, if you are sure that you do some security check on uploaded resumes and that uploaded resumes are accessible just to authorized persons (the author and the site admin), I think you can just put that email in the spam folder.
Marco Gasi, Freelancer
Top Expert 2010
Commented:
Oh, I forgot.
phpMyAdmin is just a piece of software (a wonderful one) that you can use to administer your database. I don't know anything about your database, but the issues mentioned in the email don't refer to the database but to the way you manage uploaded files and the way you allow users to see those files.
But I don't find the page to upload resumes: I just see an email link. Where does the link http://www.risingtide.ch/scripts/upload/upload/NiranjanSambhus_CurriculumVitae.pdf come from? Do you have a script which manages uploads?
Most Valuable Expert 2011
Top Expert 2016
Commented:
If this is an unsolicited message from Eduardo, delete it and do not reply. If you don't know what it means and implies, you've got a lot of learning ahead of you. Information Technology Security is a full-time, four-year college major at the University of Maryland, and as we have seen from the recent government data breaches, it's knowledge that is unevenly applied.

You might want to join OWASP and become involved in their learning programs.
https://www.owasp.org/index.php/Main_Page

PHP has security guidance right in the PHP.net web site.
http://php.net/manual/en/security.php

Make sure your version of PHP is up-to-date. PHP 5.5 is obsolete. You want to be at PHP 5.6+ even if it means programming changes to get up-to-date.
OWASP Proactive Controls

Learn the most important controls and control categories that every architect and developer should include in their projects.

mallony, IT Specialist
Author
Commented:
In this case Eduardo has my credentials and he said that I have some Trojans on the site. I think he wants me to pay for more hours for him to work on it.

But is this possible that I have a trojan in my website?

Please advise.
Marco Gasi, Freelancer
Top Expert 2010
Commented:
Yes, it is possible for sure.
The problem here seems to be that you don't trust your web developer, and you should think about this: you need to work with someone you can trust or just trust who you're working with. :-)
Most Valuable Expert 2011
Top Expert 2016
Commented:
... is this possible that I have a trojan in my website?
Yes.  Have you joined OWASP yet?  If not, what's stopping you?  That is where you will find the security experts whose help you might need.
There have been many, many, many changes in Linux, Apache, PHP, MySQL and others over the years to help in maintaining a functional and secure web site, but all of these additions for security have made security considerations and knowledge very difficult, and usually complex, even if you only consider ONE part of your server setup, such as "uploaded files are not checked for possible harmfulness". You may want to get knowledgeable and experienced assistance with your site's overall setup and security.
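For readers who want to see what "checking uploaded files" and "not leaving resumes public" look like in practice, here is an upload handler written for this thread. It is an added example, not code from the risingtide.ch site or from any poster; the form field name, the RESUME_DIR location and the isAuthorised() stub are assumptions standing in for the site's own setup.

```php
<?php
// Assumed storage directory OUTSIDE the web root: nothing in it has a URL, so a
// file that is really PHP (like the tmp.php shell found) can never be executed.
const RESUME_DIR = '/var/www/private/resumes';
const MAX_BYTES  = 5 * 1024 * 1024;

// Placeholder for the site's own login check (an assumption, not the site's code).
function isAuthorised(): bool
{
    return isset($_SESSION['admin_id']);
}

// Validate and store one entry of $_FILES, e.g. storeResume($_FILES['resume']); returns the server-chosen id.
function storeResume(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Check content, not the client-supplied name or MIME type: a PDF starts with "%PDF-".
    if (file_get_contents($file['tmp_name'], false, null, 0, 5) !== '%PDF-') {
        throw new RuntimeException('Only PDF resumes are accepted');
    }
    // Random server-side name: the client cannot choose "tmp.php", and nobody can
    // guess another applicant's "Surname_CurriculumVitae.pdf".
    $id   = bin2hex(random_bytes(16));
    $dest = RESUME_DIR . '/' . $id . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the web server user, never executable
    return $id;
}

// Download side: only an authorised user may fetch a stored resume, by id.
function sendResume(string $id): void
{
    if (!isAuthorised() || !preg_match('/^[0-9a-f]{32}$/', $id)) {
        http_response_code(403);
        return;
    }
    $path = RESUME_DIR . '/' . $id . '.pdf';
    if (!is_file($path)) { http_response_code(404); return; }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="resume.pdf"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Because files never land in a web-served folder and are only streamed back through sendResume(), a listing like /scripts/upload/upload/ cannot exist, and a stray .php file in the storage directory is inert data rather than a script.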
mallony, IT Specialist
Author
Commented:
Excellent!
