Re: SEARCH attack
I see these all the time myself and to turn the server into a black
hole when it comes to exploitable code is a interesting idea.
Blocking the NOP operation by blocking x90 does that pretty nicely on
its own, however you could also block a jmp/mov instruction if you
really wanted to be 'safe', but some users like using hex values for
things, so its a trade off since people tend to move to other service
providers when they find out there current one doesn't allow the
input needed by there favorite script.
Perhaps switching 'http://www.microsoft.com' from that howto with
'localhost' would be even more interesting; But from a legal
standpoint the water is murky on that scale.
On 7 Jun 2004 at 16:41, Dena Whitebirch wrote:
> I was getting pounded by these too and am wondering though if it worried
> anyone else that we might be considered to be attacking Microsoft by
> doing this rewrite? Might there be a similar way to just 'stop' them like
> sending them to /dev/null or something?
> > http://126.96.36.199/search?q=cache:RA7huHM9tEoJ:forums.macosxhints.com/showthread.php%3Ft%3D22371+%22SEARCH+/%5Cx90%5Cx02&hl=en
> Dena A. Whitebirch
> To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact email@example.com