On Tue, Jun 08, 2004 at 01:07:32AM +0200, Robert Cates wrote:
> OK, you've gone beyond me. What do you mean by blocking the NOP operation
> or jmp/mov instruction? How would you do this with an Apache server on a
> Linux platform?

Presumably meaning that you'd use a rule to block the value '0x90' (that's 90 in hex) anywhere within a URL. This is because the 0x90 byte is the value for the NOP instruction on the x86 platform and is common in exploits. It's unlikely to ever occur in a legitimate request, so it seems like a simple thing to do.

However, if you're going to do that you might as well go the whole hog and just install 'mod_security' for Apache, which will allow you to filter values passed to scripts (POST / GET) as well.

> Also, wouldn't replacing the www.microsoft.com with localhost (or
> http://127.0.0.1/) just send the request right back to my own server,
> probably even putting it in a loop?

The desired effect is that it would redirect to the requestor's machine. As the attacker fetches a page and receives a redirect response, it should then go off and request it. So sending out a 127.0.0.1 response should make it request a page from its own machine.

However, these redirects are largely pointless. Most of the worms that I've ever been hit with have ignored the redirect request anyway, so you've not achieved anything.

It'd be simple to test this: find a machine which is getting repeatedly hit by one of these requests and see if you can redirect it to somewhere else on your server, testing if it worked by looking at your access log. I'd be surprised if it did.

Really this kind of stuff, whilst annoying and irritating in many ways, is just background noise on today's internet. Patch your boxes, and ignore exploit attempts that affect other platforms.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
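As an added example (not code from Steve's message or from the Debian project), a short Python script that applies the two checks described above to Apache access-log lines: flag requests whose path decodes to a run of 0x90 NOP bytes, count the sources that hit repeatedly, and check whether a host that was sent a redirect actually came back for the target page. It assumes Apache's combined log format with non-printable request bytes written as \xhh escapes, and the sample lines are constructed, not real traffic; it matches a run of NOPs rather than a single byte because 0x90 is also a valid continuation byte in UTF-8 percent-encoded paths (%D0%90 is Cyrillic А).

```python
import re
from collections import Counter
# Apache writes non-printable request bytes to the access log as \xhh; URL-encoded bytes appear as %hh.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
ESCAPED_BYTE = re.compile(r'(?:%|\\x)([0-9A-Fa-f]{2})')

def parse_line(line):
    """Fields of one combined-format log line, or None if it does not parse."""
    return m.groupdict() if (m := LOG_RE.match(line)) else None

def longest_nop_run(path):
    r"""Decode %hh and \xhh escapes in the request path and return the longest run of 0x90 (x86 NOP) bytes."""
    decoded = ESCAPED_BYTE.sub(lambda m: chr(int(m.group(1), 16)), path)
    best = run = 0
    for ch in decoded:
        run = run + 1 if ord(ch) == 0x90 else 0
        best = max(best, run)
    return best

def flag_nop_requests(lines, min_run=4):
    """(ip, path, run) for each request whose path carries a NOP run of at least min_run bytes.
    A run threshold rather than a single byte keeps UTF-8 paths like %D0%90 (Cyrillic A) from matching."""
    hits = []
    for e in filter(None, map(parse_line, lines)):
        run = longest_nop_run(e['path'])
        if run >= min_run:
            hits.append((e['ip'], e['path'], run))
    return hits

def repeat_sources(hits):
    """Flagged requests per source IP: the hosts that are hitting the server repeatedly."""
    return Counter(ip for ip, _, _ in hits)

def redirect_followed(lines, target, min_run=4):
    """IPs that were sent a 3xx for a flagged request and later fetched `target`, i.e. they followed the redirect."""
    redirected, followed = set(), set()
    for e in filter(None, map(parse_line, lines)):
        if e['status'].startswith('3') and longest_nop_run(e['path']) >= min_run:
            redirected.add(e['ip'])
        elif e['ip'] in redirected and e['path'] == target:
            followed.add(e['ip'])
    return followed
# Constructed sample log lines (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = [
    r'203.0.113.7 - - [08/Jun/2004:01:10:00 +0200] "GET /scripts/x.dll?\x90\x90\x90\x90\x90\x90 HTTP/1.0" 302 213',
    r'203.0.113.7 - - [08/Jun/2004:01:10:01 +0200] "GET /trap.html HTTP/1.0" 200 48',
    r'198.51.100.9 - - [08/Jun/2004:01:11:00 +0200] "GET /cgi-bin/a?%90%90%90%90%90%90 HTTP/1.0" 302 213',
    r'192.0.2.5 - - [08/Jun/2004:01:12:00 +0200] "GET /%D0%90.html HTTP/1.1" 200 1024',
    r'203.0.113.7 - - [08/Jun/2004:01:13:00 +0200] "GET /scripts/x.dll?\x90\x90\x90\x90\x90\x90 HTTP/1.0" 302 213',
]
```

On the sample, `repeat_sources(flag_nop_requests(SAMPLE_LOG))` shows 203.0.113.7 hitting twice, and `redirect_followed(SAMPLE_LOG, '/trap.html')` shows only that host followed the redirect while 198.51.100.9 ignored it, which is the access-log test Steve suggests.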