On Thu, 12 Aug 2004 08:08:28 -0500, Josh Trutwin <josh at trutwins.homeip.net> wrote:
> On Tue, 10 Aug 2004 23:22:47 -0500
> Tom Marble <tmarble at info9.net> wrote:

> SetEnvIf Request_URI "(.*)\.dll(.*)" exploit=1
> SetEnvIf Request_URI "/cmd\.exe" exploit=1
> SetEnvIf Request_URI "/root\.exe" exploit=1
> SetEnvIf Request_URI "/shell\.exe" exploit=1
> SetEnvIf Request_URI "/default\.ida" exploit=1

You used \ to escape dots in these above; but the "\x90"s have a backslash in them. Try escaping the backslash (\\) perhaps? A stab in the dark on my part...which I just saw you thought of too.

Also, doesn't the caret mean the string must start with \x90? In the case you cited, the "SEARCH..." in the beginning would pass this regex, I think.

> SetEnvIf Request_URI "^/\x90" exploit=1
...
> RewriteRule .* http://support.microsoft.com/ [R=permanent]
...
> And yeah, I'll probably change that to something other than
> support.microsoft.com once I'm done testing. :)

A good idea, IMO. Especially since the \x90 stuff could [I think] be bytecode in any exploit, not just MS-centric.
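
An added example, not part of the original message and not Apache's own code: the thread's patterns run in Python over constructed access-log lines, to show how `\x90` versus `\\x90` and the `^` anchor change what gets flagged. It assumes the log stores 0x90 bytes as the literal text `\x90`, that the request is the first double-quoted field, and that Python's `re` stands in for the server's regex engine; `scan`, `is_exploit` and the sample lines are hypothetical.

```python
import re

# Path patterns quoted in the thread, unchanged.
PATH_RULES = [r"(.*)\.dll(.*)", r"/cmd\.exe", r"/root\.exe",
              r"/shell\.exe", r"/default\.ida"]

# Two readings of the \x90 rule. In a regex, \x90 is a hex escape for the
# single character 0x90; \\x90 is the four literal characters \ x 9 0.
RAW_BYTE = r"^/\x90"
ESCAPED_TEXT = r"^/\\x90"

# Assumed log layout: the request is the first double-quoted field.
REQUEST = re.compile(r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?"')


def is_exploit(path, sled_rule):
    """True if the text matches any thread rule or the chosen sled rule."""
    return any(re.search(p, path) for p in PATH_RULES + [sled_rule])


def scan(lines, sled_rule, whole_request=False):
    """Return indexes of flagged lines; whole_request tests 'METHOD path'."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST.search(line)
        if not m:
            continue
        target = f"{m['method']} {m['path']}" if whole_request else m["path"]
        if is_exploit(target, sled_rule):
            hits.append(i)
    return hits


# Constructed sample lines (documentation addresses, invented timestamps).
SAMPLE = [
    r'192.0.2.10 - - [12/Aug/2004:08:00:01 -0500] "SEARCH /\x90\x90\x90\x90 HTTP/1.1" 414 340',
    r'192.0.2.11 - - [12/Aug/2004:08:00:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290',
    r'192.0.2.12 - - [12/Aug/2004:08:00:03 -0500] "GET /index.html HTTP/1.1" 200 5120',
    r'192.0.2.13 - - [12/Aug/2004:08:00:04 -0500] "GET /docs/x90-notes.html HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    print("escaped text rule:", scan(SAMPLE, ESCAPED_TEXT))
    print("raw byte rule:    ", scan(SAMPLE, RAW_BYTE))
    print("whole request:    ", scan(SAMPLE, ESCAPED_TEXT, whole_request=True))
```
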