Masquerade PHP as ASP

While I'm not generally someone to advocate Security through Obscurity, I do believe that it helps to make things harder for attackers, because if they don't know what you're using, they may follow the wrong path (trying out hacking tools geared towards IIS on Apache, or believing you're running Apache when you're using thttpd) and hopefully just give up.

Here's a (really simple) method of making things look a little less obvious by using Apache's .htaccess file in the root directory of our web site. Just add the following two lines to it.

AddType application/x-httpd-php .asp
DirectoryIndex default.asp

That's it already. This just lets Apache know that .asp files should be processed by the PHP interpreter, and that default.asp should be the DirectoryIndex file (by default it's index.html, index.php, etc.).

Of course, this is not nearly enough to truly conceal what's running under the hood. Apache would have to be patched to reply with an IIS signature in its HTTP response headers, and if you're using sessions, the default cookie name of "PHPSESSID" should be changed to match whatever IIS may be using.

One could then take things a step further and add ErrorDocument directives to the .htaccess file.

ErrorDocument 404 /404.asp
ErrorDocument 403 /403.asp

Then create and edit the 404.asp/403.asp files so they display IIS error messages when things go wrong.

You can also pick a completely random file extension. Lucidix' trademark, for example, is using the .lx extension for some of our projects.
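To check your own site for the response-header and session-cookie giveaways mentioned above, here is a small audit script. It is an added example, not part of the original post; the TELLS list, the function names and both sample responses are constructed for illustration.

```python
# Added example: flag response headers that contradict an .asp masquerade.
# TELLS and both sample responses are constructed for illustration.

# Header name -> substrings that give away the real stack (not exhaustive).
TELLS = {
    "server": ("apache", "thttpd", "php"),
    "x-powered-by": ("php",),
}

LEAKY = (  # constructed: .asp URLs, but headers still announce Apache and PHP
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (Debian) PHP/5.2.0\r\n"
    "X-Powered-By: PHP/5.2.0\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)
MASKED = (  # constructed: patched Server header, renamed session cookie
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Set-Cookie: SID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response header block."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def find_leaks(raw):
    """List every header that reveals the stack behind the .asp extension."""
    findings = []
    for name, value in parse_headers(raw):
        hits = [t for t in TELLS.get(name, ()) if t in value.lower()]
        if hits:
            findings.append(f"{name}: {value} (reveals {', '.join(hits)})")
        if name == "set-cookie" and value.split("=", 1)[0].strip() == "PHPSESSID":
            findings.append("set-cookie: default PHP session name PHPSESSID")
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("masked", MASKED)):
        print(label, find_leaks(raw))
```

Feed it the header block from a response captured from your own server; an empty list means none of the listed giveaways were found, not that the stack is fully concealed.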
