PHP’s http_response_code function

http_response_code is a PHP function that sets the HTTP status code returned for requests to the PHP file in which it is called.

Evasion Technique

This is a function often abused by malicious users to evade detection by spoofing 404 response codes.

All that is needed is to add this to the malicious PHP file:

http_response_code(404);

This causes every request to the file to be logged with a 404 status, which would normally mean that the request was for a file that does not exist.

You can see this in the http server’s access log:

::1 - - [12/Jul/2021:20:38:09 -0500] "GET /bu.php HTTP/1.1" 404 112184 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
::1 - - [12/Jul/2021:20:38:33 -0500] "GET /bu.php?p=2f7661722f7777772f68746d6c2f4d6f6e65794d616e HTTP/1.1" 404 9940 "http://localhost/bu.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
::1 - - [12/Jul/2021:20:38:37 -0500] "GET /bu.php?p=2f7661722f7777772f68746d6c2f4d6f6e65794d616e&a=72656e616d65&n=696e6465782e706870&t=f HTTP/1.1" 404 3940 "http://localhost/bu.php?p=2f7661722f7777772f68746d6c2f4d6f6e65794d616e" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
::1 - - [12/Jul/2021:20:38:40 -0500] "POST /bu.php?p=2f7661722f7777772f68746d6c2f4d6f6e65794d616e&a=72656e616d65&n=696e6465782e706870&t=f HTTP/1.1" 404 4153 "http://localhost/bu.php?p=2f7661722f7777772f68746d6c2f4d6f6e65794d616e&a=72656e616d65&n=696e6465782e706870&t=f" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
::1 - - [12/Jul/2021:20:38:46 -0500] "GET /bu.php?p=2f7661722f7777772f68746d6c2f4d6f6e65794d616e HTTP/1.1" 404 9939 "http://localhost/bu.php?p=2f7661722f7777772f68746d6c2f4d6f6e65794d616e&a=72656e616d65&n=696e6465782e706870&t=f" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"

Detection

If you have access to the web server, the simplest way to confirm whether the response code is genuine is to check whether the file actually exists.

This is not always possible, and it can become tedious depending on the circumstances.

In that case you can look at the number of bytes transferred for the request in the web server log and compare it with a genuine 404 response.

Often, if the 404 is spoofed, the transferred byte count will be larger than that of a genuine 404 (a request for a file that really does not exist), because the script is returning its own output rather than the server's 404 page.
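The byte-count comparison and the file-existence check described above, applied to access log lines, as an added example that is not part of the original post. It assumes the Apache/nginx "combined" log format; the sample entries are constructed (two modelled on the lines shown above with the user agent trimmed, plus one genuine 404), and the 196-byte baseline is a constructed value that you would measure on your own server by requesting a path that certainly does not exist.

```python
import os
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: two entries modelled on the log above (user agent trimmed) and one genuine 404.
SAMPLE_LOG = [
    '::1 - - [12/Jul/2021:20:38:09 -0500] "GET /bu.php HTTP/1.1" 404 112184 "-" "Mozilla/5.0"',
    '::1 - - [12/Jul/2021:20:38:40 -0500] "POST /bu.php?a=72656e616d65 HTTP/1.1" 404 4153 "http://localhost/bu.php" "Mozilla/5.0"',
    '::1 - - [12/Jul/2021:20:40:01 -0500] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["target"].split("?", 1)[0]   # strip the query string
    return rec

def suspicious_404s(lines, baseline_bytes, tolerance=2.0, docroot=None):
    """Map each path logged as 404 to the reasons its 404s look spoofed.
    baseline_bytes is the size of the server's genuine 404 page (measured value);
    docroot, if given, additionally flags a 404 for a file that exists on disk."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_path[rec["path"]].append(rec)
    findings = {}
    for path, recs in by_path.items():
        reasons = []
        big = [r["bytes"] for r in recs if r["bytes"] > baseline_bytes * tolerance]
        if big:
            reasons.append(f"{len(big)} of {len(recs)} 404s exceed {tolerance}x the {baseline_bytes}-byte baseline (max {max(big)})")
        if len({r["bytes"] for r in recs}) > 1:   # the server's static 404 page has a fixed size per path
            reasons.append("404 size varies between requests to the same path")
        if docroot and os.path.isfile(os.path.join(docroot, path.lstrip("/"))):
            reasons.append("file exists under the document root")
        if reasons:
            findings[path] = reasons
    return findings
```

Running suspicious_404s(SAMPLE_LOG, baseline_bytes=196) flags /bu.php on both size criteria and leaves /favicon.ico alone; pass docroot to also catch 404s for paths that exist on disk.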