I must say that hiding or obfuscating is not the most effective ways of security but it’s still effective to keep a Script Kiddy confused about what actually you are using in your server.
As an example - Server may use vulnerable version of PHP, with a public exploit released at some underground markets, Most of the time a simple automated exploit is released to help the “Point-Click-Hackers” (Script Kiddies). Now all they have to find is which Version of PHP you are using and if it is vulnerable, Point the exploit, launch it and own your system. In these cases obfuscating can really help you a lot.
By PHP obfuscation you can hide PHP, Which means you can stop or slow down a hacker attacking your machine.
In this tutorial, we’ll be looking at some of the most popular methods used by Site Administrators to Hide PHP , So let’s get started.
PHP as a default exposes the fact that if it is installed on a server or not, by adding its signature to the Web server header which can really be lethal in some cases.
To set this off , Simply go to your php installation directory under “conf_files” , you can find your standard PHP Configuration file named “php.ini”
Now under this file , go to the “Miscellaneous” section and simply turn expose_php to Off.
By adding a simple line of code you can actually fool an attacker about what service are you using.
Most Web servers like Apache etc. Can be configured to use some basic rules that would allow to parse different file-types with PHP.
A file like index.php, gives a straight clue to the attacker that the server is using php. But if we can use some basic server configuration to actually allow a extension like “.mpl” etc to parse PHP code. The attacker will certainly have no clue about the file extension.
For the Scope of this tutorial I’ll only be covering some Apache Rules/Configurations, but if you need help with some other servers, feel free to comment or PM me.
The configurations can be added either using the .htaccess directive or directly through the Apache Configurations file. Just add the following set of rules
Obfuscation is not the most effective way of security and at most of the times, it doesn’t help, as a professional hacker would already know these modifications and can easily make out what you are trying to hide. But obfuscation would really slow down the attacker and will keep away some script kiddies. It is better to obfuscate than rather telling him what he wants.
Re: Obfuscating PHP
Thanks for Adding! Will try to be more regular now! :)
Re: Obfuscating PHP
To be more precise peoples can make a php file with
|All times are GMT +5.5. The time now is 20:37.|