I'm not sure this applies to your specific question or situation, but it applies to the title of the question. I'm posting this as an answer here because the issue of unauthorized code (in general) making it's was onto a web server isn't very well covered in any guidance I'm aware of. I'm hoping that this answer will help others that are in a situation more similar to ours than yours.
You cannot be 100% sure, but a Secure Development Lifecycle augmented by tools can go a long way toward helping. It can be labor-intensive, and involve manual checking of logs, or at least some human interaction, but if you've got sensitive data, and the budget to implement any of the approaches, it is worth the effort IMO.
We have a process in place to help assure that code published to our server is approved, reviewed code. I'm not going to list any products, but here is the general outline of our procedures and policies:
Policies:
- Developers do not have access to the live system, period. Developers cannot push code to the servers. Code needs to be pushed by a designated team outside of development.
- All changes are tracked (source control)
- All changes must be reviewed prior to being published. (and the review is documented and signed by the reviewer and developer.)
- The code review specifies a specific source code revision # that is approved for publish.
- The team that publishes the code publishes it directly from source control via an automated build/deployment script. They simply supply the revision # and tag. The script does the job of taking the code from the right location in source control and pushing it out to the live server. They don't know how to do anything else.
Tools that help to enforce this:
- We have software running on our web server that logs any file changes.
- changes to code raise a flag for our security administrator, who checks to ensure that the change was approved, reviewed, and implemented by the process
- This helps us catch code that could make it onto the server either through a rogue insider, or through some code upload.
- We also have software that can compare files/directories for differences. (possible tools here) These tools can be used to scan a "known-good" set of published code and compare them to our live server. "Known good" in this case is code that's in a reviewed/approved revision directly from source control.
- Many of these tools can be scripted.
- We haven't implemented this, but we are toying around with the idea of having a build server configuration that would check out the code from source control and use scripts do the comparison automatically, emailing specified people if there are differences detected. On paper, we've figured out how to do this, but haven't yet gotten around to testing/implementing it.
Of course, this isn't the WHOLE of our development/risk management/deployment process, but it does highlight the pieces that deal with ensuring the code that's approved is actually in place on our live server. I'm leaving out the continuous automated pen tests, and a whole slew of other countermeasures we employ to try to minimize the risk to our customers.
It's also not foolproof. There are holes that a determined attacker could exploit. For example, if our administrator isn't actually reviewing changes to ensure they are approved, the process is not going to work. Also, there's obviously a time lag - the security officer can't monitor changes 24/7, so if he or she isn't around, there's the chance that someone can get unauthorized code on the server and it'll be there until the admin is back on the job.
As an alternative, we've toyed with the idea of simply having a build server automatically publish the entire website every x hours from a pre-determined, pre-approved tag. This way, even if bad code gets out there, it will get erased automatically every x hours. But there are obvious issues with that approach, and we're not ready to go that route yet.
It's quite possible that all our work is foolish and we're doing it wrong, but there's so little guidance out there for this particular problem that we're muddling along the best we can. This process is also based around our specific environment and business model. (maintaining our own websites, self-hosted, entire development team, business units, and Network Admins are all in-house.) It's probably not applicable to anyone in a different situation. Hopefully, someone else out there has other approaches that are more efficient and work better.
So, in agreement with the other answers, there is no 100% foolproof way to ensure that unauthorized code can make it to the servers. But that shouldn't dissuade you from doing all that you can. And if you can document and demonstrate to your user that you're doing something, you will go a long way to building their trust. If you are honest about the potential holes in the plan/process, you will likely gain their trust even further. The point is to do all you can, within the constraints of reason, budget, time, and available tools.