Re: SEARCH attack
On Tue, Jun 08, 2004 at 01:07:32AM +0200, Robert Cates wrote:
> OK, you've gone beyond me. What do you mean by blocking the NOP operation
> or jmp/mov instruction? How would you do this with an Apache server on a
> Linux platform?
Presumably meaning that you'd use a rule to block the
value '0x90' (That's 90 in hex) anywhere within a URL.
This is because the 0x90 byte is the value for the NOP
instruction on the x86 platform and is common in exploits.
It's unlikely to ever occur in a legitimate request so
it seems like a simple thing to do.

However if you're going to do that you might as well go the
whole hog and just install 'mod_security' for Apache which will
allow you to filter values passed to scripts (POST / GET) as
> Also, wouldn't replacing the www.microsoft.com with localhost (or
> http://127.0.0.1/) just send the request right back to my own server,
> probably even putting it in a loop?
The desired effect is that it would redirect to the requestor's
machine. As the attacker fetches a page, and receives a redirect
response it should then go off and request it. So sending out
a 127.0.0.1 response should make it request a page from its

However these redirects are largely pointless. Most of the worms
that I've ever been hit with have ignored the redirect request
anyway. So you've not achieved anything.

It'd be simple to test this; find a machine which is getting
repeatedly hit by one of these requests and see if you can redirect
it to somewhere else on your server - testing if it worked by looking
at your access log. I'd be surprised if it did.

Really this kind of stuff, whilst annoying and irritating in
many ways, is just background noise on today's internet.
Patch your boxes, and ignore exploit attempts that affect other
# The Debian Security Audit Project.
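The NOP-byte check discussed above, as an added example that is not part of the original post: it scans Apache access-log lines for runs of the 0x90 byte in the request target, undoing both percent-encoding (`%90`) and Apache's own `\x90` log escaping, and shows that the text "90" in a normal query string is not a hit. The log lines are constructed samples, and the run length threshold is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = r'''
10.0.0.5 - - [08/Jun/2004:01:07:32 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [08/Jun/2004:01:08:10 +0200] "SEARCH /%90%90%90%90%90%90%90%90%02%b1 HTTP/1.1" 414 0
10.0.0.7 - - [08/Jun/2004:01:09:00 +0200] "GET /cgi-bin/search?q=90%25+off HTTP/1.1" 200 512
10.0.0.9 - - [08/Jun/2004:01:09:30 +0200] "SEARCH /\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.1" 414 0
'''.strip().splitlines()

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def request_bytes(target: str) -> bytes:
    """Recover the raw bytes of a logged request target.

    Apache writes non-printable bytes to the log as \\xHH; the client may
    also have percent-encoded them (%90). Undo both so we compare bytes,
    not the two-character text "90"."""
    unescaped = re.sub(r'\\x([0-9a-fA-F]{2})',
                       lambda m: chr(int(m.group(1), 16)), target)
    return unquote_to_bytes(unescaped.encode('latin-1'))


def nop_run(target: str) -> int:
    """Length of the longest run of consecutive 0x90 bytes in the target."""
    longest = run = 0
    for b in request_bytes(target):
        run = run + 1 if b == 0x90 else 0
        longest = max(longest, run)
    return longest


def suspicious_requests(lines, min_run=4):
    """Return (client, method, run_length) for each log line whose decoded
    request target contains at least min_run consecutive NOP bytes.
    min_run=4 is an assumed threshold; a single 0x90 byte is rare in a
    legitimate request, but a run of them is what a sled looks like."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        run = nop_run(m.group('target'))
        if run >= min_run:
            hits.append((line.split()[0], m.group('method'), run))
    return hits
```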