Hello, I am coding a new script these days. In the past I was using mail or @fopen to send a notification if anybody installed my script or uploaded it to his host:

```php
mail("","","");
```

and

```php
@fopen("http://site/file.php?url=http://"."$HTTP_HOST"."$PHP_SELF","r");
```

But I know that @fopen isn't secure enough; besides, both mail and @fopen are very obvious in the code and anybody is going to remove them easily. I don't want to use either of them for the notification any more, so please, any ideas about better notification ways which are going to be more complex in the code? Thanks
Well, you can either use cURL, file_get_contents, fopen, or an iframe to a logging page to log the remote URL, and encrypt the file that runs that code. You could try to obscure the code to make it harder for them to read it outright. I sometimes base64 encode a PHP function in a string, then use eval and base64 decode to run it. It looks like a hash when viewed, and they really have to know what they are doing in PHP to know what eval does. Other than that, you could make the install script have to download the MySQL table from your website, so when they connect it shows the website they are installing it onto. Myself, I have an iframe on the main loaded menu in the admin area that loads the support forum. They log into the admin area, it loads the support forum, you track the remote website address. It adds quick access to the support forum for new installers or long-time users, and a way to track the websites it is installed upon, because you can put a tracking code on the support forum's main page.
Thanks a lot for that helpful reply, but we missed something here. I was wasting my time learning some hacking for fun a couple of years ago, so I can tell you for sure that most hackers and crackers, more than 70% of them, don't have any knowledge of any programming language. This takes us to the question: how do those 70% hack and crack our work without knowing any programming language? Most of us know the answer, I guess. About the 30% of crackers who know some programming, no comment, but they get almost all of the targets they are looking for, and after that they post some toys in the hacking forums for the other 70% to play with. Now, if you google some hacking forums, you will find posts like "null some scripts and put your copyright", and in the body of the post you will find: search the script for these words and remove them: "eval(base64_decode(" or "mail(" or "file_get_contents" or ....... So as for us, we can't make a 100% secure script, but we are trying to keep those 70% away from our work as long as possible. That means we have to use more complex ways for the notification, which will be hard to find by searching the script. So, any new ideas please?
One idea: Remove a critical part of your script, some tricky function that it needs, and leave it on your server. Make the script execute that function on your server through some RPC mechanism. That way they will either have to reverse-engineer the missing function, or they will always be notifying you when the script runs. Of course it will mean some traffic for you, but bandwidth is cheap nowadays.
Well, that is a great idea, and it is going to help too if anybody nulls the script: I can control everything by changing the include of the classes and the functions file on my server. 1 - About the traffic, no problem, but this way is going to slow down the script loading speed a lot for all the customers, right? 2 - And what do you mean by "through some RPC mechanism", please? Thanks
A bit, but it shouldn't be bad if your server is well-connected and in the same region as your customers. With a good server and efficient code, I think minimal overhead within the US is about 30-100ms depending on distance. It would be best to choose some function that is important but doesn't happen on every single page load. And of course, something that couldn't easily be reverse-engineered, because then they could just replace it with their own that did the same thing. What function would work best really depends on what sort of application you're talking about. Like, instead of having a function called calculate_important_value($x, $y) that is included in your script, instead it could look like this:

```php
function calculate_important_value($x, $y) {
    $x = rawurlencode($x);
    $y = rawurlencode($y);
    return file_get_contents("http://my.own.server/my_script.php?x={$x}&y={$y}");
}
```

And then, on your own server, my_script would receive $x and $y in $_GET, do whatever it needed, and return the response. Of course in real usage it would be more complicated, and you'd gracefully handle transient failures (e.g. if your own server was offline for an upgrade), but that's the basic idea.
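An added example, not part of the thread or any poster's code: the remote-function stub from the post above with the transient-failure handling it mentions, plus HTTPS with certificate verification and strict validation of the reply. The host `vendor.example`, the JSON reply shape `{"result": <number>}` and the `RemoteCallFailed` class are assumptions made for illustration.

```php
<?php
// Added example. Endpoint URL and JSON reply shape are assumptions.
const REMOTE_ENDPOINT = 'https://vendor.example/my_script.php'; // placeholder host

class RemoteCallFailed extends RuntimeException {}

function calculate_important_value($x, $y, int $retries = 2): float
{
    // http_build_query() URL-encodes both values.
    $url = REMOTE_ENDPOINT . '?' . http_build_query(['x' => $x, 'y' => $y]);

    $context = stream_context_create([
        // Short timeout so a slow vendor server cannot hang the customer's page.
        'http' => ['method' => 'GET', 'timeout' => 3, 'follow_location' => 0],
        // Certificate checks are on by default since PHP 5.6; stated explicitly here.
        'ssl'  => ['verify_peer' => true, 'verify_peer_name' => true],
    ]);

    for ($attempt = 0; $attempt <= $retries; $attempt++) {
        // Returns false on timeout, TLS failure or an HTTP error status.
        $body = @file_get_contents($url, false, $context);
        if ($body !== false) {
            $reply = json_decode($body, true);
            // Accept only the expected shape; never eval() or include() the reply.
            if (is_array($reply) && isset($reply['result']) && is_numeric($reply['result'])) {
                return (float) $reply['result'];
            }
            throw new RemoteCallFailed('Unexpected reply from remote function');
        }
        if ($attempt < $retries) {
            usleep(200000 * ($attempt + 1)); // short backoff before retrying
        }
    }
    throw new RemoteCallFailed('Remote function unreachable');
}

// The caller decides how to degrade instead of breaking the whole page.
try {
    $value = calculate_important_value(3, 4);
} catch (RemoteCallFailed $e) {
    error_log($e->getMessage());
    $value = null; // e.g. show "temporarily unavailable" for this one feature
}
```

Treating the reply as data with a fixed shape matters on the customer's side: a stub that executes whatever the remote server returns hands that server code execution on every installation.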
Make it build the call in pieces and encrypt it, then have it pull an image file or something from your server, and log any IP that pulls the file.