Re: monitoring IP address calls of a PHP application [message #175065 is a reply to message #175064]
Tue, 09 August 2011 13:30
me
On 8/9/2011 8:50 AM, The Natural Philosopher wrote:
> Bill B wrote:
>> On 8/9/2011 2:00 AM, E.Sajad wrote:
>>> So I'm trying to protect myself by somehow verifying that their
>>> delivered application:
>>>
>>> 1. Does not connect to/use/call any other web services or connect to
>>> other IP addresses (or servers) other than Google [note: the
>>> application extracts some info from Google search results]
>>> 2. Does not connect to any databases other than the one on the local
>>> server
>>> 3. Does not use any third-party libraries that I might have to pay for
>>> in the future.
>>> 4. Does not contain files that, although they need to be editable (for
>>> future modification, such as XML configuration files), have been
>>> converted into binary or non-editable or non-readable format.
>>
>> <snip>
>>
>>> I believe if I can somehow monitor all the IP addresses that the
>>> application calls (connects to) in
>>> real time, I'll be able to check if it's referencing any web services
>>> or sources other than Google as well as other than my own database.
>>> This alone will solve concerns number 1 and 2. But I don't even know
>>> how to do this! Should I install a monitoring application on my
>>> virtual dedicated server that would run in the background? What
>>> application(s) do you folks recommend?
>>
>> <snip>
>>
>> Practically speaking, if the person who did the coding is in fact
>> devious (I'm not assuming so but looking at worst case) it would be
>> easy to write code that would activate #1 and #2 at some point in the
>> future. That the code does neither now may be of little comfort.
>>
>> Bill B
> It's php ffs
>
> phpinfo will reveal if any extraneous libs are linked in.
> A grep of its source code for any system() type calls will reveal if odd
> code is being invoked.
>
> Ditto a code walk for any database open calls or CURL will check for
> access to where it may or may not access.
>
> If it's beyond the OP, I suggest a paid contract to another contractor to
> 'find the bugs, and identify the rubbish'
>
> Set a thief to catch a thief.
Thanks, I had overlooked that. Good reminder.
Bill B
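
The source audit suggested in the quoted reply (grep for system()-type calls, database opens and cURL), as an added example that is not part of the original thread. It is written in Python; the function lists, `ALLOWED_HOSTS` and the sample PHP are assumptions constructed for illustration.

```python
import re

# PHP calls grouped by the concern they touch (assumed lists, not exhaustive).
CATEGORIES = {
    "exec": ["system", "exec", "shell_exec", "passthru", "popen", "proc_open"],
    "network": ["curl_init", "curl_exec", "fsockopen", "pfsockopen",
                "stream_socket_client", "file_get_contents", "fopen"],
    "database": ["mysql_connect", "mysql_pconnect", "mysqli_connect",
                 "pg_connect", "odbc_connect", "pdo", "mysqli"],
    "dynamic": ["eval", "create_function", "base64_decode", "call_user_func"],
}
FUNC_TO_CAT = {f: cat for cat, funcs in CATEGORIES.items() for f in funcs}
# Assumed policy from the question: only Google and the local server.
ALLOWED_HOSTS = ("google.com", "localhost", "127.0.0.1")
# A name (or $variable) followed by "(", but not a method or static call.
CALL_RE = re.compile(r"(?<![\w$>:])(\$?\w+)\s*\(")
# Host part of a literal URL or of a "host=" DSN field.
HOST_RE = re.compile(r"(?:(?:https?|ftp)://|host=)([\w.-]+)", re.I)

def host_allowed(host):
    """True for an allowed host or any subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def audit(source, filename="<input>"):
    """Return (filename, line_no, category, detail) for each line worth reading."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name.startswith("$"):  # $f(...): target is unknown until runtime
                findings.append((filename, no, "dynamic", "variable function " + name))
            elif name.lower() in FUNC_TO_CAT:  # PHP function names are case-insensitive
                findings.append((filename, no, FUNC_TO_CAT[name.lower()], name.lower()))
        for m in HOST_RE.finditer(line):
            host = m.group(1).lower()
            if not host_allowed(host):
                findings.append((filename, no, "unexpected-host", host))
    return findings

# Constructed sample, not code from the thread.
SAMPLE = r'''<?php
$ch = curl_init("http://www.google.com/search?q=test");
$db = new PDO("mysql:host=localhost;dbname=app", $u, $p);
$r = file_get_contents("http://stats.example.net/ping?id=1");
$f = base64_decode($cfg); $f($arg);
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, "sample.php"):
        print("%s:%d [%s] %s" % finding)
```

Hosts assembled at runtime never appear as literals, so the `dynamic` findings need a manual read, and a scan like this complements watching the server's outbound connections rather than replacing it.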