Obfuscation is not the most effective security measure, and most of the time it doesn’t help, as a professional hacker will already know these modifications and can easily make out what you are trying to hide. But obfuscation does slow an attacker down and will keep away some script kiddies. It is better to obfuscate than to tell the attacker what he wants to know.
As an example: a server may run a vulnerable version of PHP for which a public exploit has been released on some underground market. Most of the time a simple automated exploit is released to help the “point-click hackers” (script kiddies). All they have to find out is which version of PHP you are using and whether it is vulnerable; then they point the exploit, launch it and own your system. In these cases obfuscation can really help you a lot.
With PHP obfuscation you can hide PHP, which means you can stop or slow down a hacker attacking your machine.
In this tutorial, we’ll be looking at some of the most popular methods used by site administrators to hide PHP, so let’s get started.
Editing php.ini file
By default PHP exposes the fact that it is installed on a server by adding its signature to the web server header, which can really be lethal in some cases.
To turn this off, go to your PHP installation directory; under “conf_files” you will find your standard PHP configuration file, named “php.ini”.
In this file, go to the “Miscellaneous” section and set expose_php to Off.
Spoofing
By adding a simple line of code you can actually fool an attacker about which service you are using.
Spoof.php
Note: The header call must be made before you send any data to the client.
Using Some Basic Apache Rules
Most web servers, such as Apache, can be configured with some basic rules that allow different file types to be parsed by PHP.
For example, a file like index.php gives the attacker a straight clue that the server is using PHP. But if we use some basic server configuration to let an extension like “.mpl” be parsed as PHP code, the attacker will certainly have no clue from the file extension.
For the scope of this tutorial I’ll only be covering some Apache rules/configurations, but if you need help with other servers, feel free to comment or PM me.
The configuration can be added either through an .htaccess file or directly in the Apache configuration file. Just add the following rule:
Syntax :-
Code:
AddType application/x-httpd-php .extension
Example :-
Code:
AddType application/x-httpd-php .mpl .mp3 .py .asp
Note: Only use extensions that the server does not normally use. For example, don’t use the .txt extension, as the server will then interpret .txt files as PHP code, and if one contains some PHP, it will be executed.
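To confirm that the three changes above took effect, the response headers can be checked for anything that still names PHP. The following is an added example, not code from the original post: both header sets are constructed samples, the function names are hypothetical, and the PHPSESSID check (PHP's default session cookie name) goes beyond what the post covers.

```python
import re

# Constructed sample responses, not captured from a real server.
BEFORE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache (Unix) PHP/0.0.0\r\n"
    "X-Powered-By: PHP/0.0.0\r\n"
    "Set-Cookie: PHPSESSID=constructed; path=/\r\n"
    "Location: /login.php?next=home\r\n\r\n"
)
AFTER = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: ASP.NET\r\n"  # constructed spoofed value
    "Set-Cookie: sid=constructed; path=/\r\n"
    "Location: /login.mpl?next=home\r\n\r\n"
)

def parse_headers(raw):
    """Return (name, value) pairs; names lower-cased, repeats preserved."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def php_leaks(raw):
    """List the ways a response still identifies PHP."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "x-powered-by" and re.search(r"php", value, re.I):
            findings.append("x-powered-by: names PHP (check expose_php)")
        elif name == "server" and re.search(r"\bphp/", value, re.I):
            findings.append("server: banner carries a PHP token")
        elif name == "set-cookie" and value.upper().startswith("PHPSESSID="):
            findings.append("set-cookie: default PHP session cookie name")
        elif name in ("location", "content-location") and re.search(
                r"\.php\d?(?:[/?#]|$)", value, re.I):
            findings.append("%s: URL ends in a .php extension" % name)
    return findings

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, php_leaks(raw) or "no PHP fingerprint in headers")
```

Run it against headers captured from your own server, for example the output of `curl -sI`.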