<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    You guys are too fast for me! :P<br>
    <br>
    &nbsp;-Scott<br>
    <br>
    <br>
    On 01/27/2011 11:08 AM, Steve Johnson wrote:
    <blockquote
      cite="mid:AANLkTimbxd9GRDdpGtJcNjxDcknsJ5SFJH=c4RnzKma7@mail.gmail.com"
      type="cite">Yeah, I was aware of what the content was, and this
      shows up in my logs at least 3 times a day, with the same broken
      image. I am wondering if it is some kind of stack overflow
      exploit or something. Decoding on my end also results in a broken
      PNG file. <br>
      <br>
      Thanks... I always watch my logs, it's actually part of my job :)&nbsp;
      Morning routine consists of looking through several logs before I
      even go get coffee :)<br>
      <br>
      -Steve<br>
      <br>
      <br>
      <div class="gmail_quote">On Thu, Jan 27, 2011 at 10:48 AM, Aaron
        Grattafiori <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:aaron@digitalinfinity.net">aaron@digitalinfinity.net</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="border-left: 1px solid
          rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left:
          1ex;">Steve,<br>
          <br>
          That base64 data simply seems to be an image (PNG) (as
          referenced by<br>
          its content type). URL decoding it and then base64 decoding
          it<br>
          does confirm this. It was broken when I tried to display it
          (although<br>
          I might've broken something while trying to quickly decode
          it). The<br>
          comment says "Created with GIMP".<br>
          <br>
          This seems like broken code somewhere.<br>
          <br>
          Good job being diligent on watching your logs though!<br>
          <br>
          -Aaron<br>
          <div>
            <div class="h5"><br>
              On Thu, Jan 27, 2011 at 10:19 AM, Steve Johnson &lt;<a
                moz-do-not-send="true" href="mailto:srj@adnd.com">srj@adnd.com</a>&gt;
              wrote:<br>
              &gt; Hi NBluggers,<br>
              &gt;<br>
              &gt; I've been seeing an interesting entry in my logwatch
              reports for my Apache<br>
              &gt; logs.&nbsp; It's a GET statement with a big chunk of
              base64 code attached to it<br>
              &gt; with data:image/png as the type.&nbsp; I am going to
              assume it is some type of<br>
              &gt; exploit attempt, and since the logs show that Apache
              is returning 404<br>
              &gt; responses, that they are not getting anywhere with
              it.. I'm wondering if<br>
              &gt; anyone has any details on this exploit, and what I
              can maybe do to stop them<br>
              &gt; from even trying.<br>
              &gt;<br>
              &gt; Here's the log entry with the encoded GET statement:<br>
              &gt;<br>
              &gt; GET<br>
              &gt;
/pages/office-of-institutional-research/external-data-sources/url(data:image/png;base64,[URL-encoded base64 payload omitted])<br>
              &gt; HTTP/1.1 with response code(s) 404 1 responses<br>
              &gt;<br>
              &gt;<br>
              &gt; So, what do you guys think?<br>
              &gt;<br>
              &gt; -Steve<br>
              &gt;<br>
              &gt;<br>
            </div>
          </div>
          &gt; _______________________________________________<br>
          &gt; talk mailing list<br>
          &gt; <a moz-do-not-send="true" href="mailto:talk@nblug.org">talk@nblug.org</a><br>
          &gt; <a moz-do-not-send="true"
            href="http://nblug.org/cgi-bin/mailman/listinfo/talk"
            target="_blank">http://nblug.org/cgi-bin/mailman/listinfo/talk</a><br>
          &gt;<br>
          &gt;<br>
          <br>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
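    <p>The check described in the thread (URL-decode the logged request, base64-decode it, then look inside the PNG), as an added example that is not from any of the posters. It pulls a data: URI out of a request path and walks the PNG chunks with CRC checks, so a truncated or damaged image is reported with a reason instead of just failing to display; the sample PNG, its comment text and the /constructed/page path are constructed for the example.</p>

```python
import base64, re, struct, zlib
from urllib.parse import quote, unquote

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def extract_data_uri(request_path):
    """Return (mime, bytes) from a url(data:<mime>;base64,...) request path, else None."""
    start = request_path.find("data:")
    header, sep, payload = request_path[start:].partition(";base64,")
    if start < 0 or not sep:
        return None
    # Undo URL encoding (%2b -> +, %2f -> /), stop at ")", keep only base64 alphabet.
    payload = re.sub(r"[^A-Za-z0-9+/]", "", unquote(payload).split(")")[0])
    payload = payload[:-1] if len(payload) % 4 == 1 else payload  # dangling char after truncation
    return header[5:], base64.b64decode(payload + "=" * (-len(payload) % 4))

def inspect_png(data):
    """Walk the PNG chunks; report chunk types, tEXt entries and the first defect found."""
    rep = {"chunks": [], "text": {}, "problem": "data ends before IEND"}
    if not data.startswith(PNG_SIG):
        return dict(rep, problem="bad signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body, end = data[pos + 8:pos + 8 + length], pos + 12 + length
        name = ctype.decode("latin-1")
        if end > len(data):
            return dict(rep, problem=f"truncated inside {name}")
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            return dict(rep, problem=f"CRC mismatch in {name}")
        rep["chunks"].append(name)
        if ctype == b"tEXt":  # keyword, NUL, text (Latin-1); GIMP writes its comment here
            key, _, val = body.partition(b"\0")
            rep["text"][key.decode("latin-1")] = val.decode("latin-1")
        if ctype == b"IEND":
            return dict(rep, problem=None)
        pos = end
    return rep

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample: a 1x1 grayscale PNG with a tEXt comment, URL-encoded like the log entry.
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"tEXt", b"Comment\0constructed sample")
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
SAMPLE_PATH = "/constructed/page/url(data:image/png;base64," + quote(base64.b64encode(SAMPLE_PNG), safe="") + ")"

if __name__ == "__main__":
    print(inspect_png(extract_data_uri(SAMPLE_PATH)[1]))
```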
  </body>
</html>