[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SEARCH attack



On Tue, Jun 08, 2004 at 01:07:32AM +0200, Robert Cates wrote:
> OK, you've gone beyond me.  What do you mean by blocking the NOP operation
> or jmp/mov instruction?  How would you do this with an Apache server on a
> Linux platform?

  Presumably meaning that you'd use a rule to block the
 value '0x90' (That's 90 in hex) anywhere within an URL.

  This is because the 0x90 byte is the value for the NOP 
 instruction on the x86 platform and is common in exploits.

  It's unlikely to ever occur in a legitimate request so
 it seems like a simple thing to do. 

  However if you're going to do that you might as well go the
 whole hog and just install 'mod_security' for Apache which will
 allow you to filter values passed to scripts (POST / GET) as
 well.

> Also, wouldn't replacing the www.microsoft.com with localhost (or
> http://127.0.0.1/) just send the request right back to my own server,
> probably even putting it in a loop?

  The desired affect is that it would redirect to the requestors
 machine.  As the attacker fetches a page, and recives a redirect
 response it should then go off and request it.  So sending out
 a 127.0.0.1 response should make it request a page from its
 own machine.

  However these redirects are largely pointless.  Most of the worms
 that I've ever been hit with have ignored the redirect request
 anyway.  So you've not achived anything.


  It'd be simple to test this; find a machine which is getting 
 repeatedly hit by one of these requests and see if you can redirect
 it to somewhere else on your server - testing if it worked by looking
 at your access log.  I'd be suprised if it did.

  Really this kind of stuff, whilst annoying and irritating in 
 many ways, is just background noise on todays internet.

  Patch your boxes, and ignore exploit attempts that affect other
 platforms.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit



Reply to: