Results 1 to 7 of 7
  1. #1

    Babe in the woods needs security

    I own / administer a PHP based dating site, and am moving to a new server soon, which is bringing up all kinds of questions in my mind as to what is potentially possible in the way of someone (a future server operator, or hired-out code developers) compromising my site in some way. Questions like "Could someone do something to the Paypal code or pay buttons that I should worry about", or "is it possible to insert momentary commands in the code or on the server to divert traffic (or payments) somewhere else", "can a backdoor be installed", and a veritable plethora of paranoid postulations poised to pervade my peaceful night's repose.

    I know the first thing I might hear in an answer is "find people you trust to host and work on your site" ... problem is, I don't trust anyone ... what now?

    At least there is no credit card information on the site to worry about being hacked. All is handled with single and recurring subscription Paypal IPN payments - the code of which works, but I know nothing about. My major paranoia is about the money (go figure - lol), potential diverting of traffic to competitors, or even to a hidden mirrored site set up on the same server? I guess what I'm asking here is:

    A. What could a creative future server operator do to further his or her own ends with my code, and the server the site is on, without me knowing.

    B. Are there ways to find it if it happens, stop it, prevent it, monitor it? I noticed in another thread someone mentioned Tripwire - is this a potential solution?

    C. I don't do programming, so I feel very much like the title of this query.

    Thanks in advance for any insights or advice!!


  2. #2
    Join Date
    May 2001
    Prince Edward Island
    Perhaps you should consider a managed dedicated server.

    Most Reputable hosts will have some sort of Bond that protects you against theft. While it won't stop code vulnerability, you should be ok as far as other users having access to your data.
    [url]I got nothing/url]

    For clarity's sake, don't use "<ip address of hostname>" use the ACTUAL 32-bit numeric IP address of the machine.

  3. #3
    Join Date
    Apr 2005
    If you have no grip on what's going on with your server of course anyone of those things can happen... It's best to limit access to only you or a select few... Then evalute code being submitted... You could setup some sort of tripwire by writing a script to parse important files like the ones that handle payment for malicious code... But of course you would have to protect your script from being compromised

    So the most important thing is to maintain server security (root access)... To be able to watch others you have to have a secure pole to stand on first...

  4. #4
    Join Date
    Apr 2005
    Tripwire can be used to monitor files for (unexpected) changes. Typically, if a system is compromised a hacker will modify files here and there and this can be detected because the files checksums does not match the ones stored before. There is more to it than that, but thats the basics.

    It's only a tiny part of a secure system though, you need a lot more than that to justify feeling safe There are lots of ways to compromise an application without triggering a checksumming IDS like tripwire. I'm always kinda over-paranoid about these things though. Like, even if tripwire is installed, if the binary and policy files are not on read only media (like a ro floppy etc), you can get around tripwire too. And even if they are on ro media, a custom made kernel module can maybe fool a sysadmin doing a check..

    But i guess it doesn't hurt to install it.

  5. #5
    Join Date
    Jan 2002
    My suggestion would be to drop the idea of managing the server yourself and get someone to manage it for you.

    You can go to a DC that offers full managed server or get an unmanaged box a little cheaper and pay someone to have it managed for you.

  6. #6
    Join Date
    Feb 2003
    If you get an unmanaged server I would recommend hiring one of the many companies that offer server management here on WHT. Most let you pay on a monthly basis, so if after a time you feel like you've learned enough to go it on your own you can do so.

  7. #7
    Thank you for your replies

    I realize my question was too general, and I might be better off asking specific questions about specific possibilities.

    Would it be helpful to keep the Paypal .configuration page on a separate server from the date site?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts