How do I check our web site structure / phpMyAdmin code for any bugs?

I have this advice from a PHP web designer saying that we have a security issue. Please read his message below and advise:

Unfortunately, I have also noticed a number of other issues, which I have listed below:
 
- My anti-virus programme found a trojan when I downloaded the website (it's the file /scripts/upload/upload/tmp.php; you can find more information provided by my anti-virus programme at https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~PhpShel-R.aspx).
I am not a specialist in security issues like this, but I would recommend deleting this file as soon as possible and checking whether any damage has been done.
 
- You provide the option to deposit resumes, but it seems that the uploaded files are not checked for possible harmfulness (which caused the issue above).
 
- The uploaded resumes are public for everyone with access (eg. http://www.risingtide.ch/scripts/upload/upload/NiranjanSambhus_CurriculumVitae.pdf). This can be seen as a quite considerable privacy issue for your applicants.
 
- Other parts of the code are also not checking the quality of the requests by the users. The code that is used there is, in my opinion, a bit of a mess, and probably not sufficient for your company’s future needs.
 
These points just briefly sum up the main issues I noticed when looking at your homepage.
 
I would highly recommend bringing your website to the “up-to-date” web and security standards, which both you and the visitors of the website would benefit from.
 
If you have any further questions, please feel free to contact me.


Please let me know what I should do in this case to check our web site for any malware, viruses or bugs.

kind regards,
Eduardo.
mallony (IT Technician) asked:
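The two concrete findings in the email (uploads not checked, and uploaded resumes served publicly from /scripts/upload/upload/) map to two server-side controls: validate the upload against an allow-list using the file's actual bytes, store it under a random name outside the web root so the web server can never execute or serve it directly, and hand it out only through an authenticated download script. The code below is an added example written for this answer; it is not the asker's site code. The storage path, the `is_admin_logged_in()` session check and the database bookkeeping are assumptions you would replace with your own.

```php
<?php
// Added example, not from the original site: hardened resume upload + gated download.
// Assumptions: UPLOAD_DIR is outside the document root and writable by the web user;
// is_admin_logged_in() is your own session/authorization check.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads'; // assumption: NOT under the web root
const MAX_BYTES  = 5 * 1024 * 1024;            // 5 MB ceiling for a resume

// Allow-list: extension => MIME type(s) expected from content sniffing.
// Note: .docx detection depends on the libmagic version; test on your server.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
];

/**
 * Validate one $_FILES entry and move it into private storage.
 * Returns an opaque id to record in the database alongside the applicant.
 */
function store_resume(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . (string) $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // The client-supplied name is used ONLY to pick an allow-list entry; the bytes decide.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not permitted');
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED[$ext], true)) {
        throw new RuntimeException("Content ($detected) does not match .$ext");
    }
    // Random, unguessable storage name: the original filename never touches the disk,
    // so a name like tmp.php or ../x can never be created in the upload directory.
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the web user, never executable
    // Assumption: persist ($id, $ext, applicant, original name) in your database here.
    return $id;
}

/**
 * Stream a stored resume to an authenticated reviewer. $id and $ext must come
 * from the database record, never straight from the URL without the checks below.
 */
function send_resume(string $id, string $ext): void
{
    if (!is_admin_logged_in()) {        // assumption: your own session check
        http_response_code(403);
        exit('Forbidden');
    }
    // Strict shape check blocks ../ and any other path manipulation.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id) || !isset(ALLOWED[$ext])) {
        http_response_code(400);
        exit('Bad request');
    }
    $path = UPLOAD_DIR . '/' . $id . '.' . $ext;
    if (!is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream'); // force download, never render inline
    header('Content-Disposition: attachment; filename="resume.' . $ext . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage in the upload form handler:   $id = store_resume($_FILES['resume']);
// Usage in the reviewer's download page: send_resume($row['id'], $row['ext']);
```

Because nothing in UPLOAD_DIR is reachable by URL, a planted tmp.php can never be executed by a visitor even if a validation check were bypassed; that is the property the original layout lacked. Keeping the directory outside the web root, or at minimum disabling PHP execution for it in the web server configuration, is the single change that removes the web-shell risk the email describes.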

Marco Gasi (Freelancer) commented:
A question: how did Eduardo download your site without your permission? The email seems to be an attempt to get a new client by alerting you about security issues (which we can never ignore, of course). If this is the case, that is, if Mr. Eduardo has not been hired by you to check your site, then it's AFAIK impossible that he downloaded your PHP scripts.

Here are my 2 cents about it:
- if you didn't hire Eduardo to check your website, then this email is just spam
- any antivirus program can give you false positives when scanning scripts which can look like viruses but aren't
- without login credentials, nobody can download your PHP files: software like HTTrack, which downloads whole websites to your computer, downloads just the published files, like HTML files, JavaScript, images, stylesheets... that is, everything that is accessible by any browser. Your server-side scripts are not downloadable at all.

So, if you are sure that you do some security checks on uploaded resumes and that uploaded resumes are accessible just to authorized persons (the author and the site admin), I think you can just put that email in the spam folder.
0
Marco Gasi (Freelancer) commented:
Oh, I forgot.
phpMyAdmin is just a piece of software (a wonderful one) that you can use to administer your database. I don't know anything about your database, but the issues mentioned in the email don't refer to the database but to the way you manage uploaded files and the way you allow users to see those files.
But I don't find the page to upload resumes: I just see an email link. Where does the link http://www.risingtide.ch/scripts/upload/upload/NiranjanSambhus_CurriculumVitae.pdf come from? Do you have a script which manages uploads?
0
Ray Paseur commented:
If this is an unsolicited message from Eduardo, delete it and do not reply.  If you don't know what it means and implies, you've got a lot of learning ahead of you.  Information Technology Security is a full-time, four-year college major at the University of Maryland, and as we have seen from the recent government data breaches, it's knowledge that is unevenly applied.

You might want to join OWASP and become involved in their learning programs.
https://www.owasp.org/index.php/Main_Page

PHP has security guidance right in the PHP.net web site.
http://php.net/manual/en/security.php

Make sure your version of PHP is up-to-date.  PHP 5.5 is obsolete.  You want to be at PHP 5.6+ even if it means programming changes to get up-to-date.
0

mallony (IT Technician, Author) commented:
In this case Eduardo has my credentials, and he said that I have some trojans on the site. I think he wants me to pay him for more hours to work on it.

But is this possible that I have a trojan in my website?

Please advise.
0
Marco Gasi (Freelancer) commented:
Yes, it is possible, for sure.
The problem here seems to be that you don't trust your web developer, and you should think about this: you need to work with someone you can trust or just trust who you're working with. :-)
0
Ray Paseur commented:
... is this possible that I have a trojan in my website?
Yes.  Have you joined OWASP yet?  If not, what's stopping you?  That is where you will find the security experts whose help you might need.
0
Slick812 commented:
There have been many, many, many changes in Linux, Apache, PHP, MySQL and others over the years to help in maintaining a functional and secure web site, but all of these additions for security have made security considerations and knowledge very difficult, and usually complex, even if you only consider ONE part of your server setup, such as "uploaded files are not checked for possible harmfulness". You may want to get knowledgeable and experienced assistance with your site's overall setup and security.
0
mallony (IT Technician, Author) commented:
Excellent!
0