Is there any danger in installing a 'hacked' version of some PHP software?

[OM2]

Someone has given me some 'hacked' PHP software they want to have installed on their domain.

 

Is there any danger in installing??

 

Could there be some malicious code that takes over my server!!?

 

I can't think of what or how: but I would imagine not impossible to do!!

 

Any replies would be appreciated.

 

Thanks.

 

 

OM

 

 

[trq]

Of course there is a danger. Any software you install represents a danger, you simply need to establish a balance between the risks and the benefits.

 

Can you confirm where the software is from and what changes have been made to it exactly?

[OM2]

i aint going to endanger my server for anyone!

so: i aint going to use!

 

the file was downloaded from a rapidshare download that originated from a bulletin board post.

 

thanks for the reply.

[XtacY]

LMAO that means that a hacking team (like SCRiPTMAFiA) NULLED the script making it impossible for the script to 'phone home' and report it's wearabouts to it's creator, such as, being on an unlicensed server. Also this usually makes it possible to use a script without entering a serial/registration number...

 

However, there always is the chance that a crooked hacking team nulled the script and put a back door into it. I've seen that as well. :-\

 

Either way, not a good idea if you wish to live a fruitful life.

[OM2]

hmmm... thanks for the reply: that was really useful.

just out of interest:

 

- is there virus/spamming checks for such code online?

something like virustotal.com would be great.

 

- how do they do it?  it's only php after all??  the actual software itself has a small encrypted part (that must be where they phone him).  how hard is it to break apart?  not an expert myself, but they use some server side software to protect - i'm sure u guys know better than me: zend optimiser or ........ i forget the name of the other one!

 

[XtacY]

Well, most developers who wish to keep 'trade secrets' SECRET use ZEND or IONCUBE to encode their php files. However, it is fairly easy to un-encode them, granted you know where to look for the tools to do so.

 

As far as the legality check with the home servers and negating the requirement of serial numbers, etc. I have no idea how they are implemented, nor how they are bypassed. To share that knowledge would be breaking some law I'd assume. :-\

 

I would share with whome ever is your web hosting client is that they should consider buying the script so that you don't have to report them to the FBI for piracy violations.

 

 

As far as being able to check if a script has malicious content, I would say, if you're worried that it has such content, you probably didn't buy it from the creator and shouldn't use it for a score of other reasons...