WebmasterWorld Forums: New To Web Development
Moderators: brotherhood of lan & mack

WordPress Hacker Best Practices & Malicious Code Site Audit
When hiring offshore developers, how can I best protect myself re: hacking
pumanegra2012
msg:3989817, 5:55 pm on Sep 15, 2009 (gmt 0)

Hi folks,

My dev skills are minimal, and as a result, I need to rely on offshore web developers to help me configure my sites.

I hired web developers from India on Odesk to help me fix my half baked website redesign project that was abandoned by another developer I hired. The guy I hired (who had 5 star reviews) said that he was the "Project Lead" and that another developer would work on my site, under his guidance. I was a little annoyed by the bait & switch, however, I checked out the company's portfolio of sites, which included some I recognized, checked out the source code for SEO friendliness & hired them.

Not only did these guys leave the job unfinished, I discovered weird code added to one of my blog posts, with the edit log indicating that he was the last person to log in (code shown below).

As I'm somewhat new to this (please provide your answers in an easy, step by step noob friendly way):

1) Any idea what this code is and what it does? I did a Google search off a snippet (LeoHighlights_iframe) and find many sites that appear to have this code.

2) What best practices do you recommend when hiring and providing admin access to an offshore web developer sourced from Odesk or Elance?

- I gave him access to my entire public_html folder. Was this wrong? What ought I do in the future?

3) How do I scan or audit my website for malicious code?

4) Looking at this developer's code - it looks messy and I will still need to hire yet someone else to finish the job and clean up the code, resulting in more expense & headache.

Any tips on hiring & vetting offshore developers? I have had such bad experiences hiring India & Pakistan contractors I am considering only hiring from the Philippines.

Much thanks in advance!

_____________

Here is a snippet of the mystery code, as it is too long to publish:

<input id="gwProxy" type="hidden" /> <input id="jsProxy" onclick="jsCall();" type="hidden" />

<span id="leoHighlights_iframe_modal_span_container"> </span>
<div id="leoHighlights_iframe_modal_div_container" style="border: 1px solid black; position: absolute; visibility: hidden; display: none; width: 394px; height: 40px; z-index: 32768; background-color: white;" onmouseover="leoHighlightsHandleIFrameMouseOver();" onmouseout="leoHighlightsHandleIFrameMouseOut();">
<div id="leo_iFrame_closebar" style="position: absolute; top: 0px; left: 0px; width: 394px; height: 40px; z-index: 32768; background-image: url(chrome://shim/content/highlightsFilter-1/header.gif);"><a href="javascript: leoHighlightsIFrameClose();"></a></div>
</div>
<script type="text/javascript">// <![CDATA[
createInlineScriptElement("var%20LEO_HIGHLIGHTS_DEBUG%20%3D%20true%3B%0Avar%20LEO_HIGHLIGHTS_DEBUG_POS%20%3D%20false%3B%0Avar%20LEO_HIGHLIGHTS_INFINITE_LOOP_COUNT%20%3D%20300%3B%0Avar%20LEO_HIGHLIGHTS_MAX_HIGHLIGHTS%20%3D%20200%3B%0Avar%20LEO_HIGHLIGHTS_IFRAME_ID%20%3D%20%22leoHighlights_iframe%22%3B%0Avar%20LEO_HIGHLIGHTS_IFRAME_DIV_ID%20%3D

and so forth for an entire page


pumanegra2012
msg:3989822, 5:59 pm on Sep 16, 2009 (gmt 0)

Oh, I should clarify, if you can provide step by step instructions on how to check my cPanel as well as my WordPress files, I would be overjoyed. Thanks!

httpwebwitch
msg:3990421, 5:26 pm on Sep 16, 2009 (gmt 0)

I suspect that someone who edited that post had a browser extension installed called "The Browser Highlighter", by eBay.

It is often bundled with updates from Skype, consequently many people install it unintentionally. But it's a legit browser extension, and many people install it on purpose.

It rewrites stuff in web pages you visit, presumably helpful stuff like comparing prices on eBay and highlighting phone numbers for Skype. And it leaves a fingerprint just like the code you've quoted above.

There are also versions floating out there that are not actually by eBay. And there are trojans about that install a fake version of it in your browser, also not by eBay. And they do malicious things.

I can imagine that someone with this extension was working on your WP back-end, and published a post after all that hidden crap had been injected into it.

Anyways, check your browser extensions, remove that one if it's there, and also remove that extra code from your posts ASAP.
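One way to answer the "how do I audit my posts" question, as an added example that is not from the thread: a Python scan that checks a set of WordPress post bodies (a constructed dict standing in for rows of wp_posts.post_content) for the Browser Highlighter markers quoted above, and percent-decodes the createInlineScriptElement payload so a reviewer can read it as plain JavaScript. The marker list and the sample post are built from the snippet in the original question.

```python
import re
from urllib.parse import unquote

# Markers the Browser Highlighter injection leaves in a post, taken from the
# snippet quoted in the thread. Any one of them in a post body is a hit.
LEO_MARKERS = (
    'id="gwProxy"',
    'id="jsProxy"',
    "leoHighlights_iframe",
    "leoHighlightsHandleIFrameMouseOver",
    "leoHighlightsIFrameClose",
    "createInlineScriptElement(",
)

# The injected script is one percent-encoded string; capture it so a reviewer
# can read the decoded JavaScript instead of the %20 soup.
INLINE_SCRIPT_RE = re.compile(r'createInlineScriptElement\("([^"]*)')


def find_markers(html):
    """Return the LEO_MARKERS present in one post body, in table order."""
    return [m for m in LEO_MARKERS if m in html]


def decode_inline_scripts(html):
    """Percent-decode every createInlineScriptElement payload in one post body."""
    return [unquote(m) for m in INLINE_SCRIPT_RE.findall(html)]


def audit_posts(posts):
    """posts maps post id -> post body (e.g. rows of wp_posts.post_content).
    Returns {post_id: {"markers": [...], "scripts": [...]}} for hits only."""
    findings = {}
    for post_id, html in posts.items():
        hits = find_markers(html)
        if hits:
            findings[post_id] = {"markers": hits,
                                 "scripts": decode_inline_scripts(html)}
    return findings


# Constructed sample: post 42 carries an excerpt of the injection quoted in the
# thread (percent-encoded string copied from it); post 43 is clean.
SAMPLE_POSTS = {
    42: ('<p>Real post text.</p>'
         '<input id="gwProxy" type="hidden" /> <input id="jsProxy" onclick="jsCall();" type="hidden" />'
         '<span id="leoHighlights_iframe_modal_span_container"> </span>'
         '<script type="text/javascript">// <![CDATA[\n'
         'createInlineScriptElement("var%20LEO_HIGHLIGHTS_DEBUG%20%3D%20true%3B%0A'
         'var%20LEO_HIGHLIGHTS_IFRAME_ID%20%3D%20%22leoHighlights_iframe%22%3B")'),
    43: "<p>Nothing unusual here.</p>",
}
```

To run it on a real site, export post_content from wp_posts (phpMyAdmin in cPanel will do) and feed the rows to audit_posts; any post it flags should be re-saved without the injected elements, after the editing machine's browser extensions have been checked.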

laertes
msg:3990456, 6:16 pm on Sep 16, 2009 (gmt 0)

A good practice is to install a local development version of your wordpress site. You can use a program called XAMPP that installs a virtual server on your machine. Then, when you receive any code changes from a coder, install them locally first so you can review their effect before uploading to your production site.

This isn't as hard as it sounds. Do a search for "how to install wordpress on your PC" or something similar and you'll find some good tutorials.

Once you've installed WP and XAMPP locally, import your live database with all the posts, install your theme and any plug-ins you're using, and you'll have your own sandbox site to tinker with.

pumanegra2012
msg:3990465, 6:38 pm on Sep 16, 2009 (gmt 0)

Thanks for the replies! I will check out Mamp.

Any recos on how to do a WordPress files audit and server audit for weird stuff?

Thanks in advance!

Cheers,
