[NBLUG/talk] Weird entries in logwatch..
fratm at adnd.com
Thu Jan 27 11:08:31 PST 2011
Yeah, I was aware of what the content was, and this shows up in my logs at
least 3 times a day, with the same broke image.. I am wondering if it is
some kind of stack overflow exploit or something.. decoding on my end also
results in a broken png file.
Thanks... I always watch my logs, its actually part of my job :) Morning
routine consists of looking through several logs before I even go get coffee
On Thu, Jan 27, 2011 at 10:48 AM, Aaron Grattafiori <
aaron at digitalinfinity.net> wrote:
> That base64 data simply seems to be an image (png) (as referenced by
> it's content type). URL Decoding it and then base64 decoding it
> does confirms this. It was broken when I tried to display it (although
> I might've broken something while trying to quickly decode it). The
> comment says "Created with GIMP".
> This seems like broken code somewhere.
> Good job being diligent on watching your logs though!
> On Thu, Jan 27, 2011 at 10:19 AM, Steve Johnson <srj at adnd.com> wrote:
> > Hi NBluggers,
> > I've been seeing an interesting entry in my logwatch reports for my
> > logs.. Its a GET statement with a big chunk of base64 code attached to
> > with data:image/png as the type. I am going to assume it is some type of
> > exploit attempt, and since the logs show that apache is returning a 404
> > responses that they are not getting anywhere with it.. I'm wondering if
> > anyone has any details on this exploit, and what I can maybe do to stop
> > from even trying.
> > Here's the log entry with the encoded GET statement:
> > GET
> > HTTP/1.1 with response code(s) 404 1 responses
> > So, what do you guys think?
> > -Steve
> > _______________________________________________
> > talk mailing list
> > talk at nblug.org
> > http://nblug.org/cgi-bin/mailman/listinfo/talk
> talk mailing list
> talk at nblug.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the talk