
Re: SEARCH attack



OK, you've gone beyond me.  What do you mean by blocking the NOP operation
or jmp/mov instruction?  How would you do this with an Apache server on a
Linux platform?

Also, wouldn't replacing the www.microsoft.com with localhost (or
http://127.0.0.1/) just send the request right back to my own server,
probably even putting it in a loop?

Robert

----- Original Message ----- 
From: <dking@pimpsoft.com>
To: <debian-isp@lists.debian.org>
Sent: Monday, June 07, 2004 11:01 PM
Subject: Re: SEARCH attack


>
> I see these all the time myself and to turn the server into a black
> hole when it comes to exploitable code is an interesting idea.
> Blocking the NOP operation by blocking x90 does that pretty nicely on
> its own, however you could also block a jmp/mov instruction if you
> really wanted to be 'safe', but some users like using hex values for
> things, so it's a trade-off since people tend to move to other service
> providers when they find out their current one doesn't allow the
> input needed by their favorite script.
>
> Perhaps switching 'http://www.microsoft.com' from that howto with
> 'localhost' would be even more interesting; but from a legal
> standpoint the water is murky on that scale.
>
>  - D
>
> On 7 Jun 2004 at 16:41, Dena Whitebirch wrote:
>
> >
> > I was getting pounded by these too and am wondering though if it worried
> > anyone else that we might be considered to be attacking Microsoft by
> > doing this rewrite?  Might there be a similar way to just 'stop' them like
> > sending them to /dev/null or something?
> >
> > > http://216.239.59.104/search?q=cache:RA7huHM9tEoJ:forums.macosxhints.com/showthread.php%3Ft%3D22371+%22SEARCH+/%5Cx90%5Cx02&hl=en
> >
> > Regards,
> >
> > Dena A. Whitebirch
> >
> >
> > -- 
> > To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> >
> >
>
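
The trade-off raised in the quoted message (a blanket block on x90 versus breaking legitimate input) can be measured against an access log before any rule is deployed. The following is an added example, not code from anyone in this thread: the log lines are constructed, the function names are hypothetical, and it assumes the server has no legitimate use for the SEARCH method.

```python
import re

# Apache writes non-printable request bytes to the access log as \xHH escapes,
# so a raw 0x90 byte in the request line shows up as the four characters \x90.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')
ESCAPED_NOP = r'\x90'

def naive_match(line):
    """Blanket rule from the thread: flag any request containing \\x90."""
    return ESCAPED_NOP in line

def narrow_match(line):
    """Narrower rule: flag only SEARCH requests whose target contains \\x90.

    Assumption: SEARCH (a WebDAV method) is not used legitimately here.
    """
    m = REQUEST.search(line)
    if m is None:
        return False
    return m.group('method') == 'SEARCH' and ESCAPED_NOP in m.group('target')

def classify(lines):
    """Return (naive, narrow) verdicts for each log line."""
    return [(naive_match(line), narrow_match(line)) for line in lines]

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    # Probe of the kind discussed in the thread: SEARCH /\x90\x02...
    r'192.0.2.10 - - [07/Jun/2004:16:40:01 +0000] "SEARCH /\x90\x02\x90\x02" 414 340',
    # Legitimate request: raw UTF-8 Cyrillic "Аб" is bytes D0 90 D0 B1,
    # so the logged path contains \x90 as well.
    r'192.0.2.22 - - [07/Jun/2004:16:41:12 +0000] "GET /docs/\xd0\x90\xd0\xb1 HTTP/1.1" 200 512',
    # Ordinary request with no escaped bytes.
    r'192.0.2.31 - - [07/Jun/2004:16:42:30 +0000] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == '__main__':
    for line, (naive, narrow) in zip(SAMPLE_LOG, classify(SAMPLE_LOG)):
        print(f'naive={naive!s:5} narrow={narrow!s:5} {line[:70]}')
```

The second sample line is the false positive: the blanket rule would refuse a request for a non-ASCII file name, while the narrower rule leaves it alone.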



