Re: Hackers jam Microsoft's site

Robert S. Thau (rst@ai.mit.edu)
Sat, 21 Jun 1997 12:43:50 -0400 (EDT)


Robert Harley writes:
> Does anyone know what the URL for slugging an NT machine is? Any bets
> that it's a telnet to port 139, something like this:
> telnet://blabla.microsoft.com:139/

The bug that's getting the press involves nothing so exotic --- it's a
standard HTTP request for a URL of the form:

http://victim.com/?foo=XXXXXXXXXXXXXXXXX....

with the "correct" number of X's (typically in the range of a few
thousand). Note that:

*) The number of X's required to kill web service seems to vary
from installation to installation
*) However, *precisely* that many X's must be used -- one fewer,
and the query is processed normally; one more, and you get a
bogus 40x error of some kind, but the server remains up.

An exploit for the bug, written in Java for no particular reason,
is available at http://www.eden.com/~tfast/jihad.html (along with
documentation which seems to encourage hostile use in the usual
"of course no one responsible would actually *want* to... nudge
nudge, wink wink" style).

rst