
Re: SEARCH attack



Sorry, I have been coding way too much PHP, so to me 'localhost' in single quotes means the absolute string, not the string as a variable to be parsed. In short, I was saying that it would be interesting to send out a 'Location: ' redirect to get them to look at themselves (their own localhost, as in their own IP). Sorry if I was unclear.

As for NOP/JMP/MOV, these are all assembly instructions that are pretty much standard across different computer hardware architectures/platforms. Most exploits these days ask for one of two things: a simple string like a file path (in the case that the httpd does not handle malformed paths correctly) or a hex-encoded string (like that big long line in your logfile) that is usually translated into the raw hexadecimal by the server itself. Since exploits need to run code on the remote host to work, they must inject this assembly code in some form, and the hex that you see in your log files is in fact this assembly code.

By blocking these common hex values that translate into rogue assembly code, you can in effect block these exploits from working to some extent, if not completely. But as I said, it is a trade-off, since everything you block takes away from the possible input that can be used by your server's (and thus your customers') scripts.

I hope that clears things up; if not, just say so.

 - D

On 8 Jun 2004 at 1:07, Robert Cates wrote:

> OK, you've gone beyond me.  What do you mean by blocking the NOP operation
> or jmp/mov instruction?  How would you do this with an Apache server on a
> Linux platform?
> 
> Also, wouldn't replacing the www.microsoft.com with localhost (or
> http://127.0.0.1/) just send the request right back to my own server,
> probably even putting it in a loop?
> 
> Robert
> 
> ----- Original Message ----- 
> From: <dking@pimpsoft.com>
> To: <debian-isp@lists.debian.org>
> Sent: Monday, June 07, 2004 11:01 PM
> Subject: Re: SEARCH attack
> 
> 
> >
> > I see these all the time myself and to turn the server into a black
> > hole when it comes to exploitable code is an interesting idea.
> > Blocking the NOP operation by blocking x90 does that pretty nicely on
> > its own, however you could also block a jmp/mov instruction if you
> > really wanted to be 'safe', but some users like using hex values for
> > things, so it's a trade-off since people tend to move to other service
> > providers when they find out their current one doesn't allow the
> > input needed by their favorite script.
> >
> > Perhaps switching 'http://www.microsoft.com' from that howto with
> > 'localhost' would be even more interesting; but from a legal
> > standpoint the water is murky on that scale.
> >
> >  - D
> >
> > On 7 Jun 2004 at 16:41, Dena Whitebirch wrote:
> >
> > >
> > > I was getting pounded by these too and am wondering though if it worried
> > > anyone else that we might be considered to be attacking Microsoft by
> > > doing this rewrite?  Might there be a similar way to just 'stop' them like
> > > sending them to /dev/null or something?
> > >
> > > > http://216.239.59.104/search?q=cache:RA7huHM9tEoJ:forums.macosxhints.com/showthread.php%3Ft%3D22371+%22SEARCH+/%5Cx90%5Cx02&hl=en
> > >
> > > Regards,
> > >
> > > Dena A. Whitebirch
> > >
> > >
> > > -- 
> > > To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact
> > > listmaster@lists.debian.org
> > >
> 
> 
> 
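Detection logic for what the thread describes, as an added example that is not part of any message above: it parses Apache common-log lines (constructed samples, including a hex-encoded SEARCH request of the kind the thread's logs show) and compares the strict policy of flagging any \x90 byte against the narrower policy of flagging only a run of NOPs, which is the trade-off D describes. The log lines, the run threshold of 8, and the URL-encoded `%90` form are assumptions.

```python
import re
from collections import Counter

# Constructed Apache common-log samples (not from the thread). Apache logs
# non-printable request bytes as \xNN (the long hex line in the thread);
# %90 is the same NOP byte as a client would URL-encode it.
SAMPLE_LOG = r"""
192.0.2.10 - - [07/Jun/2004:22:58:01 +0000] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.1" 414 0
192.0.2.11 - - [07/Jun/2004:22:58:05 +0000] "GET /index.php?q=hello HTTP/1.1" 200 1523
192.0.2.12 - - [07/Jun/2004:22:59:10 +0000] "GET /cgi-bin/script.pl?data=%90%90%90%90%90%90%90%90%90%90 HTTP/1.0" 200 88
192.0.2.13 - - [07/Jun/2004:23:00:00 +0000] "GET /img/logo.png HTTP/1.1" 200 4090
192.0.2.14 - - [07/Jun/2004:23:01:30 +0000] "GET /upload.php?marker=%90&id=7 HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')

NOP = r'(?:\\x90|%90)'  # one NOP byte in either encoding
NOP_RE = re.compile(NOP, re.IGNORECASE)
NOP_RUN_RE = re.compile(rf'(?:{NOP})+', re.IGNORECASE)

def nop_sled_len(target):
    """Longest run of consecutive NOP bytes in a request target."""
    return max((len(NOP_RE.findall(m.group(0)))
                for m in NOP_RUN_RE.finditer(target)), default=0)

def classify(target, sled_min=8):
    """'sled' for a run of >= sled_min NOPs, 'nop' for any other NOP, else
    None. sled_min=1 is the strict block-every-x90 policy from the thread;
    a higher threshold spares scripts that legitimately take odd hex."""
    run = nop_sled_len(target)
    if run >= sled_min:
        return 'sled'
    return 'nop' if run else None

def scan_log(text, sled_min=8):
    """Map flagged client IPs to (method, label) and count the labels."""
    flagged, counts = {}, Counter()
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not common-log format: skip rather than guess
        label = classify(m['target'], sled_min)
        if label:
            flagged[m['ip']] = (m['method'], label)
            counts[label] += 1
    return flagged, counts
```

With the default threshold only the two sled requests are flagged and the single `%90` from 192.0.2.14 is reported separately, so you can see what the strict policy would have cost before deciding which rule to put in front of Apache.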
