2008/02/25

I don't know what this person did... but... WTF??

I asked a client to send me a log file today... I wasn't prepared for what I received.

The e-mail comes in with two attachments. I open them and they're both like this:

Hmm... looks like Base64 encoding... No problem - I run it through a decoder and get this:

From:
Subject: Job Log: BEX02256.xml
Date: Mon, 25 Feb 2008 10:01:26 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="unicode"
Content-Transfer-Encoding: base64
Content-Location: file://C:\Documents and Settings\SUZANNE\Local Settings\Temp\logE98.htm
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

What?? MORE Base64 encoded text?? At least I now know that the data is HTML and this aberration is courtesy of IE7... Decode it AGAIN and get this:

ÿþ?
?
????J?o?b? ?L?o?g?:? ?B?E?X?0?2?2?5?6?.?x?m?l??
?
??
?
??B?O?D?Y? ?{?
?
? ?F?O?N?T?-?S?I?Z?E?:? ?9?p?t?;? ?F?O?N?T?-?F?A?M?I?L?Y?:? ?A?r?i?a?l?
?
?}?
?
?P?R?E?.?W?W?_?I?N?D?E?N?T? ?{?
?
? ?M?A?R?G?I?N?-?L?E?F?T?:? ?1?0?p?x?;? ?W?O?R?D?-?W?R?A?P?:? ?b?r?e?a?k?-?w?o?r?d?


What's with all the question marks??? Wash those out and I get:




Hey! Look! Semi-valid HTML code! Feed that to my browser and I get the log I'm looking for!

How the hell did a user end up with a question mark infested, double-Base64 encoded log file? I'm sure you can't do that by accident...
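
Added example, not part of the original post: a Python sketch that peels the same layering (base64 around a MIME part whose body is base64 again) and then decodes the body by its declared charset instead of stripping bytes. The sample data and the function names are constructed for illustration; mapping the `charset="unicode"` label to UTF-16 is an assumption, consistent with the `ÿþ` at the start of the dump, which is how the UTF-16 little-endian byte order mark (FF FE) renders as Latin-1.

```python
import base64
from email import message_from_bytes

# Constructed sample; the euro sign is there to show what byte-stripping loses.
SAMPLE_HTML = "<html><title>Job Log: SAMPLE.xml</title><body>Cost: 5 \u20ac</body></html>"
CHARSET_ALIASES = {"unicode": "utf-16"}  # assumption: MimeOLE's "unicode" label means UTF-16


def build_sample() -> bytes:
    """Rebuild the shape from the post: UTF-16 HTML -> base64 MIME part -> base64."""
    utf16 = b"\xff\xfe" + SAMPLE_HTML.encode("utf-16-le")  # FF FE = little-endian BOM
    inner = (b"Subject: Job Log: SAMPLE.xml\r\n"
             b"MIME-Version: 1.0\r\n"
             b'Content-Type: text/html;\r\n\tcharset="unicode"\r\n'
             b"Content-Transfer-Encoding: base64\r\n\r\n"
             + base64.encodebytes(utf16))
    return base64.encodebytes(inner)


def looks_like_headers(data: bytes) -> bool:
    # ":" is not in the base64 alphabet, so a colon on line one means MIME headers.
    return b":" in data.lstrip().split(b"\n", 1)[0]


def peel(blob: bytes, max_layers: int = 4):
    """Return (text, layers, raw_bytes) for a base64-wrapped MIME part."""
    layers = []
    while not looks_like_headers(blob):
        if len(layers) >= max_layers:
            raise ValueError("no MIME headers found under the base64 layers")
        blob = base64.b64decode(blob)
        layers.append("base64")
    msg = message_from_bytes(blob)
    raw = msg.get_payload(decode=True)  # undoes Content-Transfer-Encoding
    layers.append("mime:" + msg.get("Content-Transfer-Encoding", "7bit").lower())
    label = msg.get_content_charset() or "ascii"
    return raw.decode(CHARSET_ALIASES.get(label, label)), layers, raw


def strip_nuls(raw: bytes) -> str:
    """The 'wash out the filler' shortcut, for comparison only."""
    return raw.replace(b"\x00", b"").decode("latin-1")


if __name__ == "__main__":
    text, layers, raw = peel(build_sample())
    print(layers)
    print(text)
    print(strip_nuls(raw))
```

Stripping the filler bytes happens to work for plain ASCII markup, but it leaves the BOM in place and mangles any character outside ASCII, which is why the charset-aware decode is the safer route when a log is evidence.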
