Security risk advice needed.

benf

I have just recently purchased a new website from eBay, and the seller successfully installed it for me as follows.

I created an FTP account which pointed to a directory on my server (it is a subdomain). I then gave him a temporary username and password for the database.

He sent me the dump file for the database, which I imported myself in phpMyAdmin. Everything works, so I then deleted his FTP account and changed the username and password for the database.

Do you think that he could somehow infiltrate my account on the server through FTP? It might all seem stupid, but I was unsure and took a chance. Perhaps there is something in the code that will do something in the background?

Also, he installed a modified version of phpPro Auction. He is passing it off as his own, claiming that it is his script. I know it is not his, because the original phpPro script has a lot of parts that are exactly the same.

It just doesn't fill me with confidence that he is lying about the software. Perhaps he is bad news, but what advantage could he gain?

Any ideas.

Busy

Probably not via FTP, but look in the database (with phpMyAdmin) and see how many user and/or admin accounts there are. Ideally, as it's new, there should only be one: you. Remove any others.

As you got someone else to upload the site for you, ideally you should download (via FTP) the complete site (and make a database copy too). This is your backup if anything goes wrong (and it often can, through no fault of your own). Once you have downloaded all the files, you can run a virus checker through everything and confirm there are no trojans etc.
You should get in the habit of downloading the site if the content changes often, and especially the database contents, on a regular basis. As it's an auction site, you really need to back up your database contents daily; your host may be able to help with this.

Greg K

Let's not forget that he could hard-code back doors into the system: specific URLs to files that do what he wants. You never know; best to go through all the code yourself.

How was the user's rating on eBay? Not to say that means much, but did you do any checking before giving out a password?

-Greg

benf

Yes, a virus check is a good idea. His feedback was good and he seemed like a genuine seller. But I can't think of any advantage in sabotaging the auction site?

Busy

benf wrote: But I can't think of any advantage in sabotaging the auction site?

I can name heaps, but I'll just give you a real life example.

Member A signs up to the site and sells sea shells they found on the sea shore (should have called her Shelly). Member A builds up a bit of feedback (all good) from selling their sea shells. Designer A comes along, takes over Member A's account and sells plasma screens and fake Rolexes. Designer A sells hundreds of these, as they are only a couple of thousand dollars each. Joe Bloggs A through Z, who bought this stuff, send cash to Designer A, who they think is Member A with all that good feedback. Member A soon gets lots of bad feedback, as Joe Bloggs A through Z don't get their goods. Police and FBI get involved, and if it happens enough the site can be shut down, and if your TOS doesn't cover your butt then you could be liable to repay the money to Joe Bloggs A through Z.
Designer A disappears into the sunset with loads of cash and can't really be traced, while Member A is basically ruined and goes from selling sea shells found on the sea shore one day to a fire-breathing animal hater that eats bugs and likes to eat things not made for human consumption, or worse, becomes a parking warden or works for the IRS.

While the sea shells may be far-fetched, the rest is based on real happenings.
eBay members get heaps of phishing (fake) emails daily; I am sure you must have gotten them. The low-lifes try to take over auction site accounts to do the above, and it happens every day.

No animals were harmed in this reply. *stomp* except that one
