[NBLUG/talk] Weird entries in logwatch..

Scott Doty scott at corp.sonic.net
Thu Jan 27 12:04:26 PST 2011


You guys are too fast for me! :P

  -Scott


On 01/27/2011 11:08 AM, Steve Johnson wrote:
> Yeah, I was aware of what the content was, and this shows up in my 
> logs at least 3 times a day, with the same broken image.. I am 
> wondering if it is some kind of stack overflow exploit or something.. 
> decoding on my end also results in a broken png file.
>
> Thanks... I always watch my logs, it's actually part of my job :)  
> Morning routine consists of looking through several logs before I even 
> go get coffee :)
>
> -Steve
>
>
> On Thu, Jan 27, 2011 at 10:48 AM, Aaron Grattafiori 
> <aaron at digitalinfinity.net> wrote:
>
>     Steve,
>
>     That base64 data simply seems to be an image (png) (as referenced by
>     its content type). URL decoding it and then base64 decoding it
>     does confirm this. It was broken when I tried to display it (although
>     I might've broken something while trying to quickly decode it). The
>     comment says "Created with GIMP".
>
>     This seems like broken code somewhere.
>
>     Good job being diligent on watching your logs though!
>
>     -Aaron
>
>     On Thu, Jan 27, 2011 at 10:19 AM, Steve Johnson <srj at adnd.com> wrote:
>     > Hi NBluggers,
>     >
>     > I've been seeing an interesting entry in my logwatch reports for my
>     > apache logs..  It's a GET statement with a big chunk of base64 code
>     > attached to it with data:image/png as the type.  I am going to assume
>     > it is some type of exploit attempt, and since the logs show that apache
>     > is returning 404 responses, that they are not getting anywhere with
>     > it.. I'm wondering if anyone has any details on this exploit, and what
>     > I can maybe do to stop them from even trying.
>     >
>     > Here's the log entry with the encoded GET statement:
>     >
>     > GET
>     >
>     /pages/office-of-institutional-research/external-data-sources/url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADgAAAAOCAYAAAB6pd%2buAAAAAXNSR0IArs4c6QAAAAZiS0dEAP8A%2fwD%2foL2nkwAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9oGAhENK17O5ogAAAAZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAD6UlEQVRIx82WXWxTdRjGf6fndO3adbZ0VLoP9gFMXZQFNgSWDEkEYtSQkNVg4o2JH9NGJTMk6k01vTIhXshFzTCKE5NFORoXXDBs4nTMZHMzSETHDKyQyb7Xbu36dc7p8aaQZm5GNzd8rk7evOf%2fz%2fM%2bz%2f99X4E1htcn68v5742mffVRJd19uucqH539lSq3yKuHtlDmkPj99aPYe39kfRoMOqgCJHSdJNRL3AEE%2fB7h3xZFgO6JuRQdl6PE8zfRPzlF71CEojoXFc%2b9SPy3KxjCc%2bgCpIE0IilB65YWHFQBfAbUZEIDQGPA7xngDsNgMpFUY0Q0ESHHhKbkM3A9yoFqDceGQpTijWjhXxCAtC6gCWk0BAwLzqkAQsC6TJVDGcKrZdeDXp%2fcvki8zeuTH8uO6ehYzRJumxEUBUkyMa%2baUDWBVDLNnJJgNE9ixGZiOlckaQAVAWmBdTqBzqxQJ%2fD2KgrTCDzq9clywO%2fxZMi1AgcBBbhNPhyJ47TlsGuzjaHRSRRdoKq8AF3XOdvZw1BMQneUMl9iZN4eo3AmRWVwFulvqusAngBOryLBY0AcaPD65LeAFPAk0BLwe57OTnz3i4sc3ruFx2s24MwzoWgaW4tNnPn0JLt37KJ2zwGMgk5X3zd8ONJOX7mGvcK5OEGvT94HNGcs2rj!
>     >
>      SzrhUUwn4PV1AV4bcm5nwkYDfc3xhbs%2bVWQZH%2btlekc%2fDtRupKrub1uYT7NhWw9bde%2fl2REUSRR56pJT0lxofhM8xaheXVPA1oDPg9zT%2bExmsDqF8hUqmlvi%2bDUs6RWhW5Ov%2bKaxmK5XFLkIzIe7f%2fiBtwypPVZqIRWJ8Ny6x09OEJJs5rrTxn4yJY00NwRU0mtaMLY9kyL3n9clVAb%2fnley8wnyBkkIHrgILm925JGPTJONRDHqaHDQmx2a4Ph4hpFkpcZqZmBhHtbI4wYDfs3%2bNhn5bpqG03LKl1ydXAS97fXJ%2b9jv0Hq6lyK5C%2fBJ6PEjyj2nW2VQGLw5gLKqn92YSxWgjbrRy89ogVosFoyT%2bZUzcurjD65M71oDjCeDzbCIZ5VqAk9mJm9w5zAdPkRx%2bB3H6Y3Kj7TxQMkzLqfe5V71GvttFiduOa3aQc58E6JseJJXSEVhjeH2yvpxN5qVnygj%2fdJQCWxjBAOm0gVRC5MLPdoZnt2F3rsdisTAV7MBlusT3oVK6TOriCv4fIZnsSDlu1IQRNWVGV83kYKFuZzX7PQ1MFOg0j53nh%2bg8qpLg2eogeyJ53JFddDkLtyiZ6%2b%2b674Vu5cZXiIkJdAEMjnvIqzjEjVCS7rmrhOwC0Vwn58fqkIIXeL72Mn8CJn6UfKGeNt4AAAAASUVORK5CYII%3d)
>     > HTTP/1.1 with response code(s) 404 1 responses
>     >
>     >
>     > So, what do you guys think?
>     >
>     > -Steve
>     >
>     >
>     > _______________________________________________
>     > talk mailing list
>     > talk at nblug.org
>     > http://nblug.org/cgi-bin/mailman/listinfo/talk
>     >
>     >
>
>
>

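The decoding steps Aaron describes in the thread (URL-decode, then base64-decode, then look inside the PNG), as an added Python example that is not part of the original messages. The request paths and the tiny PNG are constructed here, and `inspect_request` is a hypothetical helper name; it also reports where a payload stops being a well-formed PNG, which is the "broken image" case both posters ran into.

```python
import base64, binascii, re, struct, zlib
from urllib.parse import quote, unquote

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DATA_URI = re.compile(r"url\(data:(?P<mime>[\w/+.-]+);base64,(?P<b64>[^)\s]*)\)?")

def inspect_request(path):
    """Pull a base64 data: URI out of a logged request path and summarise it."""
    m = DATA_URI.search(path)
    if not m:
        return None
    b64 = unquote(m.group("b64"))            # undo %2b, %2f, %3d first
    b64 += "=" * (-len(b64) % 4)             # tolerate missing padding
    try:
        raw = base64.b64decode(b64)
    except binascii.Error:
        return {"mime": m.group("mime"), "error": "not valid base64"}
    info = {"mime": m.group("mime"), "size": len(raw),
            "png_signature": raw.startswith(PNG_SIG),
            "chunks": [], "text": {}, "complete": False}
    pos = len(PNG_SIG)
    while info["png_signature"] and pos + 8 <= len(raw):
        length, ctype = struct.unpack(">I4s", raw[pos:pos + 8])
        body = raw[pos + 8:pos + 8 + length]
        crc = raw[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            break                            # data ends mid-chunk: truncated
        ok = struct.unpack(">I", crc)[0] == zlib.crc32(ctype + body)
        info["chunks"].append((ctype.decode("latin-1"), length, ok))
        if ctype == b"tEXt" and b"\0" in body:   # where an editor's comment lives
            key, val = body.split(b"\0", 1)
            info["text"][key.decode("latin-1")] = val.decode("latin-1")
        if ctype == b"IEND":
            info["complete"] = True
            break
        pos += 12 + length
    return info

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def _path(png):
    return "/pages/example/url(data:image/png;base64," + quote(base64.b64encode(png).decode(), safe="") + ")"

# Constructed sample: a minimal 1x1 PNG, not the image from the thread.
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"tEXt", b"Comment\0constructed sample")
              + _chunk(b"IDAT", zlib.compress(b"\0\0")) + _chunk(b"IEND", b""))
SAMPLE_PATH = _path(SAMPLE_PNG)
TRUNCATED_PATH = _path(SAMPLE_PNG[:60])      # constructed: cut off inside the tEXt chunk
```

A result with `png_signature` true but `complete` false or a failed chunk CRC means the logged payload is a damaged image, and the chunk list shows how far a decoder got before the data stopped making sense.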