The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. View our webinar recording to learn how to best defend against these attacks!
how do I check our web site structure PHPMyadmin code for any bugs?
I have this advice from a PHP web designer saying that we have a Security issue. Please read his message below and advice:
Unfortunately, I have also noticed a number of other issues, which I have listed below:
- My Anti-Virus programme found a trojan when I downloaded the website (it’s the file /scripts/upload/upload/tmp
I am not a specialist in terms of security issues like this, but I would recommend deleting this file as soon as possible and check if any damage has been done.
- You provide the option to deposit resumes, but it seems that the uploaded files are not checked for possible harmfulness (caused the issue above)
- The uploaded resumes are public for everyone with access (eg. http://www.risingtide.ch/scripts/upload/upload/NiranjanSambhus_CurriculumVitae.pdf). This can be seen as a quite considerable privacy issue for your applicants.
- Other parts of the code are also not checking the quality of the requests by the users. The code that is used there is, in my opinion, a bit of a mess, and probably not sufficient for your company’s future needs.
These points just briefly sum up the main issues I noticed when looking at your homepage.
I would highly recommend bringing your website to the “up-to-date” web and security standards, which both you and the visitors of the website would benefit from.
If you have any further questions, please feel free to contact me.
Please let me know what should I do in this case to check our web site for any malware, virus or bugs.
kind regards,
Eduardo.
Unfortunately, I have also noticed a number of other issues, which I have listed below:
- My Anti-Virus programme found a trojan when I downloaded the website (it’s the file /scripts/upload/upload/tmp
I am not a specialist in terms of security issues like this, but I would recommend deleting this file as soon as possible and check if any damage has been done.
- You provide the option to deposit resumes, but it seems that the uploaded files are not checked for possible harmfulness (caused the issue above)
- The uploaded resumes are public for everyone with access (eg. http://www.risingtide.ch/scripts/upload/upload/NiranjanSambhus_CurriculumVitae.pdf). This can be seen as a quite considerable privacy issue for your applicants.
- Other parts of the code are also not checking the quality of the requests by the users. The code that is used there is, in my opinion, a bit of a mess, and probably not sufficient for your company’s future needs.
These points just briefly sum up the main issues I noticed when looking at your homepage.
I would highly recommend bringing your website to the “up-to-date” web and security standards, which both you and the visitors of the website would benefit from.
If you have any further questions, please feel free to contact me.
Please let me know what should I do in this case to check our web site for any malware, virus or bugs.
kind regards,
Eduardo.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Oh, I forgot.
PhpMyAdmin is just a software (a wonderful one) that you can use to admin your database. I don't know anything about your database, but the issues mentioned in the email don't refer to database but the way you manage uploaded files and the way you allow users to see those files.
But I don't find the page to upload resumes: i just see an email link. Where the link http://www.risingtide.ch/scripts/upload/upload/NiranjanSambhus_CurriculumVitae.pdf comes from? Have you a script which manages uploads?
PhpMyAdmin is just a software (a wonderful one) that you can use to admin your database. I don't know anything about your database, but the issues mentioned in the email don't refer to database but the way you manage uploaded files and the way you allow users to see those files.
But I don't find the page to upload resumes: i just see an email link. Where the link http://www.risingtide.ch/scripts/upload/upload/NiranjanSambhus_CurriculumVitae.pdf comes from? Have you a script which manages uploads?
If this is an unsolicited message from Eduardo, delete it and do not reply. If you don't know what it means and implies, you've got a lot of learning ahead of you. Information Technology Security is full-time, four year college major at the University of Maryland, and as we have seen from the recent government data breaches, it's knowledge that is unevenly applied.
You might want to join OWASP and become involved in their learning programs.
https://www.owasp.org/index.php/Main_Page
PHP has security guidance right in the PHP.net web site.
http://php.net/manual/en/security.php
Make sure your version of PHP is up-to-date. PHP 5.5 is obsolete. You want to be at PHP 5.6+ even if means programming changes to get up-to-date.
You might want to join OWASP and become involved in their learning programs.
https://www.owasp.org/index.php/Main_Page
PHP has security guidance right in the PHP.net web site.
http://php.net/manual/en/security.php
Make sure your version of PHP is up-to-date. PHP 5.5 is obsolete. You want to be at PHP 5.6+ even if means programming changes to get up-to-date.
In this case Eduardo has my credentials and he said that i have some Trojans on the site. i think he want me to pay more hours for him to work on it.
But is this possible that I have a trojan in my website?
Please advice.
But is this possible that I have a trojan in my website?
Please advice.
Yes, it is possible for ure.
The problem here seems to be that you don't trust your web developer, and you should think about this: you need to work with someone you can trust or just trust who you're working with. :-)
The problem here seems to be that you don't trust your web developer, and you should think about this: you need to work with someone you can trust or just trust who you're working with. :-)
... is this possible that I have a trojan in my website?Yes. Have you joined OWASP yet? If not, what's stopping you? That is where you will find the security experts whose help you might need.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
There have been many , many , many changes in the Linux, Apache, PHP, MySql and others, over the years to help in maintaining a functional and secure web site, but all of these additions for security, have made security considerations and knowledge very difficult, and usually complex, even if you only consider ONE part of your server set up, such as - "uploaded files are not checked for possible harmfulness". You may want to get knowledgeable and experienced assistance wit your site's overall setup and security?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Here my 2 cents about:
- if you didn't hire Eduardo to check your website, then this email is just spam
- any Antivirus program can give you false positive scanning scripts which can look like viruses but they aren't
- without login credentials, nobody can download your php files: software loke HTTrack which download whole websites to your computer download just published files, like html, files, javascript, images, stylsheets... that is everything is accessible by any browser. Your server-side scripts are not downloadable at all.
So, if you are sure that you do some security check on uploaded resumes and that uploaded resumes be accessible just to authorized persons (the author and the site asmin), I think you can just put that email in the sspam folder.