How do I stop encrypted PHP scripts calling home?


OM2

I've purchased a plugin for Wordpress (outside of Wordpress, you can't download from the main Wordpress site)

 

A lot of the code is encrypted

 

OK, no problem if the user wants to hide his code - no problem with that

BUT, what I don't want is for it to call home - and report back

+ If encrypted, it could be doing ANYTHING! Like sending spam!

 

How can you control php code from calling home?

On a PC you have a Firewall - does something like this exist for servers as well?

 

ALSO, how do I find out what the code was encrypted with? I assume there are several apps that do this?

 

Thanks

 

 

OM

 


Yes firewalls exist on servers, but unless you have control over the server you can't modify the firewall (or host) settings. If you do, then you need to find out what port, protocol and location the script is making to determine what you would need to configure in your firewall. But, I suspect that this was the author's attempt at copy protection. So, the "call" is probably sending a piece of information to the author's site (e.g. a confirmation number tied to your purchase) then sending back a response so the script knows whether or not to perform the functions of the script. If there is no corresponding confirmation number in the author's database the script will not work. There might also be some handling to validate that the script isn't being run from multiple servers. So blocking/redirecting the call will likely break the script.

 

So, what can you do? That's tricky and depends on many legal issues and the country you reside in. Because PHP is built on Open source technology I think that (for most countries) content authors are limited in what they can demand in the Terms of Use. For example, I don't know if he can prevent you, in the TOS, from unencrypting the code. Even if you are within your right to unencrypt the code, you may or may not be entitled to modify that code. Again, this will be determined by the TOS and what is allowed. Just because someone states something in the TOS - it doesn't mean it is valid.

 

So, you should start by reading the TOS then determine what it allows you to do. If there is something the TOS prevents you from doing that you want to do, then you can research whether that clause in the TOS is valid or not. This isn't so much an issue of what you can technically do as much as it is what you can legally do.

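Added example, not part of the original thread: one way to find out "what port, protocol and location" the plugin contacts is to log new outbound connections made by the web server user and summarise them. The log prefix `PHP-EGRESS: `, UID 33 for the PHP user, the allow-listed licence endpoint and every address below are assumptions made for illustration; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed kernel log lines (documentation-range addresses) in the format
# the netfilter LOG target writes. Assumed rule on the OUTPUT chain:
#   -m owner --uid-owner www-data -m conntrack --ctstate NEW
#   -j LOG --log-prefix "PHP-EGRESS: " --log-uid
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 kernel: PHP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51514 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=33 GID=33
Mar  3 10:05:01 web1 kernel: PHP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4250 DF PROTO=TCP SPT=51620 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=33 GID=33
Mar  3 10:05:02 web1 kernel: PHP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4251 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0 UID=33 GID=33
Mar  3 10:05:02 web1 kernel: PHP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4252 DF PROTO=UDP SPT=38211 DPT=53 LEN=52 UID=33 GID=33
Mar  3 10:05:03 web1 kernel: usb 1-1: new high-speed USB device number 2
Mar  3 10:05:04 web1 kernel: PHP-EGRESS: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=4
"""

PREFIX = "PHP-EGRESS: "              # assumed --log-prefix value
FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE pairs; bare flags (DF, SYN) are skipped
# Hypothetical allow-list: the one destination the vendor says the licence check uses.
EXPECTED = {("198.51.100.7", "TCP", 443)}

def parse_line(line):
    """Return (dst, proto, dport) for one egress log line, or None."""
    if PREFIX not in line:
        return None                  # unrelated kernel message
    fields = dict(FIELD.findall(line.split(PREFIX, 1)[1]))
    try:
        return fields["DST"], fields["PROTO"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None                  # truncated line, or a protocol without ports

def summarize(log_text):
    """Count logged outbound connections per (dst, proto, dport)."""
    flows = (parse_line(line) for line in log_text.splitlines())
    return Counter(flow for flow in flows if flow)

def unexpected(counts, allowed=EXPECTED):
    """Destinations the web server user reached that are not on the allow-list."""
    return sorted(flow for flow in counts if flow not in allowed)

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for flow in unexpected(counts):
        print("not on allow-list:", flow, "seen", counts[flow], "time(s)")
```

Once the expected destinations are known, the same owner match can back an allow-list: accept those flows and reject the rest for that user, rather than only logging them.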

Yes firewalls exist on servers, but unless you have control over the server you can't modify the firewall (or host) settings. If you do, then you need to find out what port, protocol and location the script is making to determine what you would need to configure in your firewall. But, I suspect that this was the author's attempt at copy protection. So, the "call" is probably sending a piece of information to the author's site (e.g. a confirmation number tied to your purchase) then sending back a response so the script knows whether or not to perform the functions of the script. If there is no corresponding confirmation number in the author's database the script will not work. There might also be some handling to validate that the script isn't being run from multiple servers. So blocking/redirecting the call will likely break the script.

really interesting comments

i have no reason to believe that the code is malicious in any way

 

i think it's reasonable to allow the script to call home just to check on validity etc

the problem is how much of my server resources are being used

 

in windows, every program thinks it's hogging just a small piece of resource that won't affect performance - problem is when u get 200 programs with the same idea

 

similarly, allowing scripts to run by themselves freely could have serious implications on my server

 

but what if, what if code was malicious and was using the server to send out spam?

use some intelligence and make it only send out small amounts of spam + do this randomly

a dangerous situation i would say

 

So, what can you do? That's tricky and depends on many legal issues and the country you reside in. Because PHP is built on Open source technology I think that (for most countries) content authors are limited in what they can demand in the Terms of Use. For example, I don't know if he can prevent you, in the TOS, from unencrypting the code. Even if you are within your right to unencrypt the code, you may or may not be entitled to modify that code. Again, this will be determined by the TOS and what is allowed. Just because someone states something in the TOS - it doesn't mean it is valid.

 

So, you should start by reading the TOS then determine what it allows you to do. If there is something the TOS prevents you from doing that you want to do, then you can research whether that clause in the TOS is valid or not. This isn't so much an issue of what you can technically do as much as it is what you can legally do.

yes, all valid concerns and good points


but what if, what if code was malicious and was using the server to send out spam?

use some intelligence and make it only send out small amounts of spam + do this randomly

a dangerous situation i would say

You are right to be concerned. If the script is running on your server it could, potentially, be accessing any files for your site (e.g. the database connection info) as well as accessing the database and then doing who knows what with that data. I would take a two-pronged approach:

 

1) Ask the author about it. Ask what the purpose of the call is and some details about what is being passed. If the author is legit he/she should be willing to give you that information in a manner that at least makes sense. If the author is malicious chances are they are going to give you a lot of garbage information that "just doesn't seem right". Of course the person could just be terrible at explaining things or just doesn't want to explain them.

 

2) Search the internet for any information regarding the script. Chances are someone has unencrypted the code and knows what it does. If there was malicious code in there I would bet there is information about it somewhere on the net. AFAIK, you can't really "encrypt" the scripts because the PHP interpreter has to understand it. What they are using is obfuscation in converting the code to something that is not readable by humans. This is also done by people wanting to "protect" their JavaScript code. This works for the majority of users looking at the source code, but anyone who really wants to convert the code back to a readable format (and has some basic knowledge) should be able to do so.


You are right to be concerned. If the script is running on your server it could, potentially, be accessing any files for your site (e.g. the database connection info) as well as accessing the database and then doing who knows what with that data. I would take a two-pronged approach:

 

1) Ask the author about it. Ask what the purpose of the call is and some details about what is being passed. If the author is legit he/she should be willing to give you that information in a manner that at least makes sense. If the author is malicious chances are they are going to give you a lot of garbage information that "just doesn't seem right". Of course the person could just be terrible at explaining things or just doesn't want to explain them.

 

2) Search the internet for any information regarding the script. Chances are someone has unencrypted the code and knows what it does. If there was malicious code in there I would bet there is information about it somewhere on the net. AFAIK, you can't really "encrypt" the scripts because the PHP interpreter has to understand it. What they are using is obfuscation in converting the code to something that is not readable by humans. This is also done by people wanting to "protect" their JavaScript code. This works for the majority of users looking at the source code, but anyone who really wants to convert the code back to a readable format (and has some basic knowledge) should be able to do so.

i was hoping u would tell me there was nothing to worry about!

the code i purchased today is not very widely sold - it's not that popular

it's just a script for a wordpress plugin - it makes it easy to populate data for another plugin

 

i could have spent a few hours coding myself the same functionality (i'm still just a newbie to php!)

i could have hired a freelancer to code for me - maybe would have cost $50

else: i could just spend $30 and buy the code - this is what i did

 

99.9% of the time, it's always plain php code - everything to read and go through - referring to wordpress plugins (in my experience)

no idea why the developer chose to encrypt

 

i researched a little and i read that u could encrypt so that it was 'almost' impossible to decipher

i also read a few post replies from people saying it was rubbish that u couldn't decipher - difficult yes, but not exactly impossible

 

if i was a bit more competent at coding php (or other backend code) i could think up of many many ways in which malicious code could be hidden away

 

all very worrying and concerning!

