<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#ffffff" text="#000000">
    Hey Steve,<br>
    <br>
    <a class="moz-txt-link-freetext" href="http://www.ravelrumba.com/blog/css-images-and-data-uris/">http://www.ravelrumba.com/blog/css-images-and-data-uris/</a><br>
    <br>
    It looks like it's an image imbedded in the url, used with some css
    optimizations(?) -- see link.<br>
    <br>
    (Doesn't mean it isn't sinister, but makes it less likely. :)<br>
    <br>
    &nbsp;-Scott<br>
    <br>
    <br>
    On 01/27/2011 10:19 AM, Steve Johnson wrote:
    <blockquote
      cite="mid:AANLkTinkvSHxKUc6iMVNswP4UDsf=k=qZrO7-d6oYr89@mail.gmail.com"
      type="cite">Hi NBluggers,<br>
      <br>
      I've been seeing an interesting entry in my logwatch reports for
      my apache logs..&nbsp; Its a GET statement with a big chunk of base64
      code attached to it with data:image/png as the type.&nbsp; I am going
      to assume it is some type of exploit attempt, and since the logs
      show that apache is returning a 404 responses that they are not
      getting anywhere with it.. I'm wondering if anyone has any details
      on this exploit, and what I can maybe do to stop them from even
      trying.<br>
      <br>
      Here's the log entry with the encoded GET statement:<br>
      <br>
      GET
/pages/office-of-institutional-research/external-data-sources/url(<a class="moz-txt-link-freetext" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADgAAAAOCAYAAAB6pd%2buAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A%2fwD%2foL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9oGAhENK17O5ogAAAAZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAD6UlEQVRIx82WXWxTdRjGf6fndO3adbZ0VLoP9gFMXZQFNgSWDEkEYtSQkNVg4o2JH9NGJTMk6k01vTIhXshFzTCKE5NFORoXXDBs4nTMZHMzSETHDKyQyb7Xbu36dc7p8aaQZm5GNzd8rk7evOf%2fz%2fM%2bz%2f99X4E1htcn68v5742mffVRJd19uucqH539lSq3yKuHtlDmkPj99aPYe39kfRoMOqgCJHSdJNRL3AEE%2fB7h3xZFgO6JuRQdl6PE8zfRPzlF71CEojoXFc%2b9SPy3KxjCc%2bgCpIE0IilB65YWHFQBfAbUZEIDQGPA7xngDsNgMpFUY0Q0ESHHhKbkM3A9yoFqDceGQpTijWjhXxCAtC6gCWk0BAwLzqkAQsC6TJVDGcKrZdeDXp%2fcvki8zeuTH8uO6ehYzRJumxEUBUkyMa%2baUDWBVDLNnJJgNE9ixGZiOlckaQAVAWmBdTqBzqxQJ%2fD2KgrTCDzq9clywO%2fxZMi1AgcBBbhNPhyJ47TlsGuzjaHRSRRdoKq8AF3XOdvZw1BMQneUMl9iZN4eo3AmRWVwFulvqusAngBOryLBY0AcaPD65LeAFPAk0BLwe57OTnz3i4sc3ruFx2s24MwzoWgaW4tNnPn0JLt37KJ2zwGMgk5
X3zd8ONJOX7mGvcK5OEGvT94HNGcs2rj">data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADgAAAAOCAYAAAB6pd%2buAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A%2fwD%2foL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9oGAhENK17O5ogAAAAZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAD6UlEQVRIx82WXWxTdRjGf6fndO3adbZ0VLoP9gFMXZQFNgSWDEkEYtSQkNVg4o2JH9NGJTMk6k01vTIhXshFzTCKE5NFORoXXDBs4nTMZHMzSETHDKyQyb7Xbu36dc7p8aaQZm5GNzd8rk7evOf%2fz%2fM%2bz%2f99X4E1htcn68v5742mffVRJd19uucqH539lSq3yKuHtlDmkPj99aPYe39kfRoMOqgCJHSdJNRL3AEE%2fB7h3xZFgO6JuRQdl6PE8zfRPzlF71CEojoXFc%2b9SPy3KxjCc%2bgCpIE0IilB65YWHFQBfAbUZEIDQGPA7xngDsNgMpFUY0Q0ESHHhKbkM3A9yoFqDceGQpTijWjhXxCAtC6gCWk0BAwLzqkAQsC6TJVDGcKrZdeDXp%2fcvki8zeuTH8uO6ehYzRJumxEUBUkyMa%2baUDWBVDLNnJJgNE9ixGZiOlckaQAVAWmBdTqBzqxQJ%2fD2KgrTCDzq9clywO%2fxZMi1AgcBBbhNPhyJ47TlsGuzjaHRSRRdoKq8AF3XOdvZw1BMQneUMl9iZN4eo3AmRWVwFulvqusAngBOryLBY0AcaPD65LeAFPAk0BLwe57OTnz3i4sc3ruFx2s24MwzoWgaW4tNnPn0JLt37KJ2zwGMgk5X3zd8ONJOX7mGvcK5OEGvT94HNGcs2rj</a>!<br>
      &nbsp;SzrhUUwn4PV1AV4bcm5nwkYDfc3xhbs%2bVWQZH%2btlekc%2fDtRupKrub1uYT7NhWw9bde%2fl2REUSRR56pJT0lxofhM8xaheXVPA1oDPg9zT%2bExmsDqF8hUqmlvi%2bDUs6RWhW5Ov%2bKaxmK5XFLkIzIe7f%2fiBtwypPVZqIRWJ8Ny6x09OEJJs5rrTxn4yJY00NwRU0mtaMLY9kyL3n9clVAb%2fnley8wnyBkkIHrgILm925JGPTJONRDHqaHDQmx2a4Ph4hpFkpcZqZmBhHtbI4wYDfs3%2bNhn5bpqG03LKl1ydXAS97fXJ%2b9jv0Hq6lyK5C%2fBJ6PEjyj2nW2VQGLw5gLKqn92YSxWgjbrRy89ogVosFoyT%2bZUzcurjD65M71oDjCeDzbCIZ5VqAk9mJm9w5zAdPkRx%2bB3H6Y3Kj7TxQMkzLqfe5V71GvttFiduOa3aQc58E6JseJJXSEVhjeH2yvpxN5qVnygj%2fdJQCWxjBAOm0gVRC5MLPdoZnt2F3rsdisTAV7MBlusT3oVK6TOriCv4fIZnsSDlu1IQRNWVGV83kYKFuZzX7PQ1MFOg0j53nh%2bg8qpLg2eogeyJ53JFddDkLtyiZ6%2b%2b674Vu5cZXiIkJdAEMjnvIqzjEjVCS7rmrhOwC0Vwn58fqkIIXeL72Mn8CJn6UfKGeNt4AAAAASUVORK5CYII%3d)
      HTTP/1.1 with response code(s) 404 1 responses<br>
      <br>
      <br>
      So, what do you guys think?<br>
      <br>
      -Steve<br>
      <br>
      <pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
talk mailing list
<a class="moz-txt-link-abbreviated" href="mailto:talk@nblug.org">talk@nblug.org</a>
<a class="moz-txt-link-freetext" href="http://nblug.org/cgi-bin/mailman/listinfo/talk">http://nblug.org/cgi-bin/mailman/listinfo/talk</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>