October 4th, 2005, 06:01 PM
Providing server details to a hired programmer?
Hi guys, first-time poster and I am glad I found this site. My question might sound silly, but because of my inexperience my future actions could be a big mistake on my part.
I have hired a programmer to write a PHP script for me because I would have absolutely no idea where to start if I had to do this, but I am having difficulties installing the script so that everything works properly.
The hired programmer offered to help out, and he asked me if I could provide the login details for the FTP account so he can upload and take a look at what I did wrong, and he can adjust the whole thing so I can review it and learn from my mistakes.
But can this situation be exploited in a harmful manner?
There is nothing special on the server as yet, and in the future I would change the password when I upload the site I have been working on.
But could there be any kind of malware being installed without me ever knowing it, and by granting him the login details would I be cutting my own hands, so to speak?
October 4th, 2005, 06:12 PM
Depending on how much work he is doing for you, you might want to get him to sign an NDA.
October 4th, 2005, 06:13 PM
Yup.. Get your company's lawyer to help you out with the details..
It will save you a lot of worries..
October 4th, 2005, 06:14 PM
Is he from a professional firm or is he just kind of a "friend of a friend"?
He can do damage if he has complete unrestricted access to your FTP server.
You can always scan your FTP server afterwards if you feel he has put something untoward on it. Examine your logs afterwards to see if he uploaded/downloaded any files, or better yet, be there when he is doing his work on it: ask him to come into your office to do it, so that you can always be at his side and keep an eye on what he is doing.
Make a directory for him and only give him rights to that particular directory; copy the PHP program to his directory so he can work on it there.
And obviously, it goes without saying, remove the login details he used afterwards!
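Added example, not part of the thread: one way to do the log check suggested in the post above, assuming the FTP server writes the standard xferlog transfer-log format. The account name `devguest`, the directory paths and the log lines are constructed for illustration.

```python
import posixpath

# Constructed sample in xferlog format; account, hosts and paths are made up.
SAMPLE_LOG = """\
Tue Oct  4 18:30:01 2005 1 203.0.113.7 5120 /home/site/contractor/install.php b _ i r devguest ftp 0 * c
Tue Oct  4 18:31:12 2005 1 203.0.113.7 880 /home/site/public_html/index.php b _ i r devguest ftp 0 * c
Tue Oct  4 18:32:40 2005 2 203.0.113.7 20480 /home/site/backup/db.sql b _ o r devguest ftp 0 * c
Tue Oct  4 18:33:05 2005 1 203.0.113.7 64 /home/site/contractor/../public_html/x.php b _ i r devguest ftp 0 * c
Tue Oct  4 18:35:02 2005 1 198.51.100.4 300 /home/site/public_html/a.css b _ i r owner ftp 0 * c
"""

DIRECTIONS = {"i": "upload", "o": "download", "d": "delete"}


def parse_xferlog_line(line):
    """Return (timestamp, user, direction, path), or None if the line is malformed."""
    tokens = line.split()
    if len(tokens) < 18:  # 5 date + 3 fields + filename + 9 trailing fields
        return None
    # Parse the fixed fields from the right so a filename with spaces survives.
    _type, _flag, direction, _mode, user = tokens[-9:-4]
    path = posixpath.normpath(" ".join(tokens[8:-9]))  # collapses ".." segments
    return " ".join(tokens[:5]), user, DIRECTIONS.get(direction, direction), path


def transfers_outside(log_text, account, allowed_dir):
    """List transfers by `account` that touched anything outside `allowed_dir`."""
    allowed = posixpath.normpath(allowed_dir)
    findings = []
    for line in log_text.splitlines():
        record = parse_xferlog_line(line)
        if record is None:
            continue
        stamp, user, direction, path = record
        inside = path == allowed or path.startswith(allowed + "/")
        if user == account and not inside:
            findings.append((stamp, direction, path))
    return findings


if __name__ == "__main__":
    for finding in transfers_outside(SAMPLE_LOG, "devguest", "/home/site/contractor"):
        print(*finding, sep="  ")
```

If the server logs paths relative to a chroot, pass the allowed directory in that same form.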
October 4th, 2005, 06:22 PM
As others have mentioned, an NDA is definitely the first thing you want to do.
As far as releasing the credentials to the FTP... I personally wouldn't do it. If it's just a page of PHP... there's no installing to be done. It's just a matter of uploading it. You could download the entire site and provide him with an archive containing all the files. Is this your own server, a company server, or do you pay for hosting? If it's your own server or a company server, make sure you don't give him credentials that are also a valid login for telnet/ssh if you have those services running and decide to give him access. Also, if it's hosting you pay for, be advised that usually the cpanel, usermin, or whatever management system you use has the same password as your FTP account... meaning he'll have full access to your hosting, which, if it's like certain ones I have, could contain credit card details.
Nokia asked a good question in how you met him... I've done work for a number of people, some who ran across business websites I've had, and others who were friends of a friend or relatives of a friend... and the work experience is different in either case...
Does the server have php on it? If it doesn't that could be a good reason why the script doesn't work...
Before you do anything ask him to justify how having FTP access will assist him and what he hopes to accomplish with the access. Let us know what you find out.
October 4th, 2005, 09:03 PM
Thanks guys for your replies. The site in question is a personal site and does not belong to a company.
I'm kind of wary of the whole situation; I have acquired the services of the programmer through an online service.
Would it be better for me to ask for more specific instructions on how I should install the script myself?
October 4th, 2005, 09:06 PM
I would definitely go with what HT said and ask him why he wants FTP access and what he will do with it if he gets it.
October 5th, 2005, 06:34 PM
Thanks guys for your support
October 5th, 2005, 10:38 PM
Bear in mind that you should get people who do work for you to sign an NDA and general contract.
Even without any access to your production server, you still have to trust your programmer to write code competently and not create any backdoors - which of course would give them access anyway.
If you don't trust someone, don't let them write PHP code for you, and don't give them access to your server either. They are equivalent.