So-called zero-day exploits sometimes get a lot of publicity, but do not have any relevance in practice (for almost all of us here). "Hackers manually scanning the net for versions" are very likely not interested in your web site, they go for prominent targets where they can receive the publicity they want from the hack. The average web master/web server admin is chanceless against such manual attacks anyway, and obfuscating versions is more likely to attract than to hinder them.
What remains is the everyday business: botnet-managed, fully automated (self-learning and auto-improving) clever scripts scanning the web for interesting targets to take over, in order to spread all this spam we have to live with from pirated machines, and some older (mostly forgotten and unmaintained) automated scripts that are scanning ports without further action. That's the stuff you find in your server logs every day, and that's where obfuscation again does not make any sense, as these scripts do detect what they want in several different ways, not by simply reading out backlinks or PHP versions.
Sorry to say, that's been my daily professional experience for many years now - I would love to have better news for you here.
Greetings,
Chris
--
an operating system must operate
development is life
my repo
Theme by iThinkMedia.com footer - Beacon for Hackers?
Slam is right. Obfuscation really doesn't work. The only place it's worked is in obscuring email addresses with JS on web pages, and that is only because spammers didn't want to have the headache of decoding JS. Remember, obfuscation doesn't stop something being machine readable.
Drak
--
Zikula Lead Developer
Board Member of the Zikula Foundation
Follow me on twitter.com/zikuladrak
"slam"
"Hackers manually scanning the net for versions" are very likely not interested in your web site, they go for prominent targets
Well, thank you very much for the implicit compliment.
Fact is, I've got two servers with about 40 domains on each, with a handful of high-traffic sites which receive more than 200.000 attacks every day (SQL injection, remote execution, attempted overflows, session forging, port scanning, shell login attempts, ftp login attempts, etc.)
The second server is new, and I haven't done all the obfuscation I'd like.
About a month ago, an exploit for phpMyAdmin's config.inc.php was published and my second server was hit, while my first server - which is fully obfuscated - wasn't, and I had time to make a small change thwarting the attack and wait until a fix was released (which took another 2 weeks - scandalous!).
...
It seems you spend too much time reading what forum purists write about obfuscation without trying it yourself.
Or maybe it is too complicated to grasp, because every separate element in the world has to fit in two boxes: "right" or "wrong"?
What I am saying is simply this:
"a fully patched and well-maintained obfuscated server is marginally safer than a fully patched and well-maintained non-obfuscated server"
"Safer" is to be understood as a time span, with a value between 0 and several days if lucky.
Obfuscation is like a financial option, it does have a benefit, but is not guaranteed to work out. Learn to live with uncertainty and shift the event probability curve slightly in your direction.
Not at all, I am well aware of server administration in a commercial environment as I run a hosting business and colocation facilities where I manage a lot of equipment. What I say comes from my own experience as I tend not to believe what is written without seeing it in action for myself. I used to spend a lot of time on such things but found it to be a waste of time.
Obfuscation has its place as a stopgap under some circumstances: e.g. encoding email addresses on a webpage tends to work only because harvesters don't decode them out of choice as it requires more CPU cycles.
Your time would be much better spent investing in a good SELinux ruleset, active state filtering and so on. When it comes to PHP applications that you didn't write yourself, the fact is, they ARE going to be exploited at some point so it's better to mitigate the possibility of the exploit elevating.
Obfuscation is simply like hiding your keys under the doormat.
Drak
--
Zikula Lead Developer
Board Member of the Zikula Foundation
Follow me on twitter.com/zikuladrak
