Discussion:
Bizarre HTTP GET
CunningPike
2008-07-28 20:02:50 UTC
Greetings,

Has anyone else encountered HTTP GETs like the following? It looks to be
pre-loaded with a whole bunch of session-related cookies - almost a
session brute-force attempt:

SRC: GET /esdb/ HTTP/1.0
SRC: Host: www.dnv.org
SRC: Cookie: CFGLOBALS=urltoken%3DCFID%23%3D5114828%26CFTOKEN%23%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23lastvisit%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23timecreated%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23hitcount%3D2%23cftoken%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23cfid%3D5114828%23
SRC: Cookie: EHRLES1=UserID=120097&SessionID=njLibvFq4EPJ1XIbddWd
SRC: Cookie: clsect=2
SRC: Cookie: vCard_senderemail=deleted
SRC: Cookie: vCard_sendername=deleted
SRC: Cookie: vCard_recpemail=deleted
SRC: Cookie: vCard_recpname=deleted
SRC: Cookie: WWWSLB=36
SRC: Cookie: DFSEX=0
SRC: Cookie: DFSRM=0
SRC: Cookie: DFSID=69B123CF%2DC293%2D63BC%2D8E9B64941A808E71
SRC: Cookie: ctk=NDg4ZGJmMzM0NmJkNDE2OGNhN2JiMTliYmRjZg%3D%3D
SRC: Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG
SRC: Cookie: SWID=16E3EC6E-CF85-446A-9D4C-96ECB622741B
SRC: Cookie: DilbertServerID=1527
SRC: Cookie: daytimer=cid=us&shopperid=07AEE5F8701748C08186911E3136B728
SRC: Cookie: cpage=%2FDefault%2Easp%3F
SRC: Cookie: REFERRER=(null)
SRC: Cookie: MEMBER_PAGE=sherry67/fun2.html
SRC: Cookie: ec_token=2E388J5728585X
SRC: Cookie: cs=aRL8zWKg7VZKYty0w0mD/AGXTD6XF3p5wnJcPpCDKruklai90AfsjdcXewjHnzw+nObctrcn2LZHN0w+kYGrftcXTD6hAEy2lxdMCK8HxD6fzL2uEDRcqhBBqnjHgErJlxdMfjcHDB6XN0w+lxdMftdHDA6Q==
SRC: Cookie: uu=XKLbDI/uRzDn2Fb4zx2itAbRbbqgkW2cM7Jb6qPi7pnW8n4psxLr/IbXTunh9jrpluc7SgCRbbqQoi6589Ju+gMCH1nD8c04cnI+6aAxHon2F/vMJ9HN7ccTi1zwMRuMUDFI75AxSU4Upfj/NBWZbrRl2X6zki0aY/I/WbOC7ihAQh64Q5IuKgMC7vmwMn6ZsJFtGgZxLZqg1lvs+IFtuqhHirorYP0uIKH5MnCxbbqmRsta4JFt/LhNvyqgkX0uINFNuqCRS/wxmP26oIH5MlCxbbqgkW3q4MEtiq
SRC: Cookie: nCircleBlog=70.189.65.104.119791217249048649
SRC: Cookie: CRAYOLA_POPUP=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
SRC: Cookie: CRAYOLA_ANON=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
SRC: Cookie: cl_def_hp=tulsa
SRC: Cookie: cl_def_lang=en
SRC: Cookie: coxlocale=tulsa%3Ben
SRC: Cookie: mid=0
SRC: Cookie: pid=0
SRC: Cookie: CLENETid=1:27.
SRC: Cookie: CTOpt=time=1217249030638&sess=31267557671
SRC: Cookie: Apache=70.189.65.104.305671217249028920
SRC: Cookie: DOESBROWSERACCEPTCOOKIES=true
SRC: Cookie: bowtie=7/28/2008 5:44:05 AM
SRC: Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=ced65dmr7t0ivgi6m2eo253553
SRC: Cookie: mmlID=93448404
SRC: Cookie: customer=107947749
SRC: Cookie: order=74197621
SRC: Cookie: ASPSESSIONIDASSAASAR=GMAKJFCCDJBGKLNIIHFHGEAD
SRC: Cookie: SESS3f4f40b66af5a88185d3cdeee42c51df=cabbc17ccf3fa317d7aacc5939b767e1
SRC: Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC
SRC: Cookie: CFID=5114828
SRC: Cookie: ASPSESSIONIDSADDCRQT=MAFPKONCFEJFFFNEANIEMIDI
SRC: Cookie: MSTk=qs=06oENya4ZG5X757KKL0xhi4IDo8OINeZnkPNp8JeC4KYxPlud3QTsaXj51ZvZuZDDmtFZ2Hq8-RqBwMWFJgneKQOuTvap04WzrxmFW9ZJbt_m2_bm6_Ujoe5KdION9XyBZADyUAjqOhV5ogDJrUww6zjHOb-ndzsL6Gaizx-JkI6zphcZsy3jXX3nCqUVs-tDwxEI7Vm-l6C1CIXjwg7mpM61HLrEcUREYYrVK,YT0z
SRC: Cookie: SessionCounters=-1=1,1=1
SRC: Cookie: SLTk=Exp=7/25/2008 5:42:58 AM
SRC: Cookie: LastURL=http://www.beclutter-free.com/default.pk
SRC: Cookie: Domain=beclutter-free.com
SRC: Cookie: VisitorID=52c70e3e-06b9-4f44-9191-908b841e2c91&Exp=7/28/2011 5:42:58 AM
SRC: Cookie: RandomSeed=1656187007
SRC: Cookie: SessionID=c89affca-26c7-4d41-852b-6524ac8dfcf0
SRC: Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN, comment_by_existing=deleted, Coyote-2-45199505=a140101:0, session_id=192bd2b3f61e2d804f7cd875ef73d13f, user_id=deleted, recSerBox=1, recViewBox=1, MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F, AnandTechVisitedDate=7/28/2008 8:42:34 AM, ATLASTVISITEDSYS=7/28/2008 8:42:34 AM, ATLASTVISITED=7/28/2008 8:42:34 AM, atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e, ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym, ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG, check%5Fcookie=1, Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524, TLTHID=6C976809451D5D276A4FA9BDE15F1688, TLTSID=6C976809451D5D276A4FA9BDE15F1688z0, gbShowActions=True, SES%5FAFX=32066811, SES%5FBBB=7%2F28%2F20083465003, session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=, ubid-main=102-6925827-4568451, session-id=102-7741321-4364915, session-id-time=1217833200l, _cookie=OK, PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f, RUUID=2571083%3A32354115, BX=f9e330t48rfl6&b=3&s=vr, NovaId=1178761725940911354, PREF=_lm=1217248938:v=2:frschk=1, SS=Q0=VkNGUw, JServSessionIdroot=jp23zvxnk2.JS1, JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952, krts=BEE1A2038B634522B5BFF0AF4D79F380, krtt=4D8FE08CA91742A2BA0CF0AF4D79F380, krta=AA37AF88973E4068953BF0AF4D79F380, TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 PM&IssueDateTime=07/28/2008 12:41:49 PM, YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE, ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS, userid=4n3J6GJI9v, pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5, csxslt=no, pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5, cartexists=yes, pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5, returning=1, browserid=version=0&v=5&os=0&browser=0, recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D
SRC: Cookie: comment_by_existing=deleted
SRC: Cookie: Coyote-2-45199505=a140101:0
SRC: Cookie: session_id=edea9cad57fa4ea044d2112cb130935c
SRC: Cookie: user_id=deleted
SRC: Cookie: recSerBox=1
SRC: Cookie: recViewBox=1
SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F
SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM
SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM
SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM
SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e
SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345
SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG
SRC: Cookie: check%5Fcookie=1
SRC: Cookie: Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524
SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688
SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1688z0
SRC: Cookie: gbShowActions=True
SRC: Cookie: SES%5FAFX=32066811
SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003
SRC: Cookie: session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=
SRC: Cookie: ubid-main=102-6925827-4568451
SRC: Cookie: session-id=064-7249049-3252126
SRC: Cookie: session-id-time=1217335449
SRC: Cookie: _cookie=OK
SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4
SRC: Cookie: RUUID=2571083%3A32354115
SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr
SRC: Cookie: NovaId=1178761725940911354
SRC: Cookie: PREF=_lm=1217248938:v=2:frschk=1
SRC: Cookie: SS=Q0=VkNGUw
SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1
SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4
SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380
SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380
SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380
SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 PM&IssueDateTime=07/28/2008 12:41:49 PM
SRC: Cookie: YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE
SRC: Cookie: ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS
SRC: Cookie: userid=4n3J6GJI9v
SRC: Cookie: pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5
SRC: Cookie: csxslt=no
SRC: Cookie: pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5
SRC: Cookie: cartexists=yes
SRC: Cookie: pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5
SRC: Cookie: returning=1
SRC: Cookie: browserid=version=0&os=0&browser=0
SRC: Cookie: recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5
SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
SRC:

--
CP


_________________________________________
SANSFIRE !! The Internet Storm Center Conference
http://www.sans.org/sansfire08/
Matt Jonkman
2008-07-29 03:36:29 UTC
That is bizarre. Was there any discernible effect?

Maybe we do a signature for multiple cookie sets?

Anyone aware of a particular attack or possible target effect?

Matt
_______________________________________________
Emerging-sigs mailing list
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


Johannes B. Ullrich
2008-07-29 13:40:26 UTC
I have seen similar (but different) overly long cookies. They don't appear to exploit anything. I kind of attributed them to spyware relaxing cookie domains, but haven't seen the related spyware so far.


Network Security 2008 - Las Vegas, NV, Sept.28-Oct 6;
http://www.sans.org/info/30123


----- Original Message -----
From: "Matt Jonkman" <jonkman-eqVdsuqBafFWk0Htik3J/***@public.gmane.org>
To: "CunningPike" <cunningpike-***@public.gmane.org>
Cc: list-js9DF5ScdFUR2m3UPm69cti2O/***@public.gmane.org, emerging-sigs-***@public.gmane.org
Sent: Monday, July 28, 2008 11:36:29 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Dshield] [Emerging-Sigs] Bizarre HTTP GET

That is bizarre. Was there any discernable effect?

Maybe we do a signature for multiple cookie sets?

Anyone aware of a particular attack or possible target effect?

Matt
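The checks this thread circles around (Matt's idea of a signature for multiple cookie sets, Johannes' reading of it as a cookie jar sent to the wrong domain), as an added example that is not code from any of the posts. It parses a raw request and reports what separates the captured one from a normal browser request: more than one Cookie header line (a browser folds all its cookies into a single header), the same name sent twice with different values (session_id, PHPSESSID and ASP.NET_SessionId each appear twice in the capture), session cookies of several unrelated server stacks at once (ColdFusion CFID/CFTOKEN, classic ASP ASPSESSIONID*, ASP.NET_SessionId, JSESSIONID and PHPSESSID are all present), and cookie values that name another site (beclutter-free.com in a request whose Host is www.dnv.org). The sample request is an abbreviated copy of the capture; the baseline request, the stack table, the two-label domain approximation and all function names are my own assumptions.

```python
"""Triage a captured HTTP request whose Cookie headers look like a whole
cookie jar rather than the cookies one site set for one session."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: an abbreviated version of the request quoted in the
# thread (header names and values copied from the post, most pairs dropped).
SAMPLE_REQUEST = (
    "GET /esdb/ HTTP/1.0\r\n"
    "Host: www.dnv.org\r\n"
    "Cookie: CFID=5114828\r\n"
    "Cookie: LastURL=http://www.beclutter-free.com/default.pk\r\n"
    "Cookie: Domain=beclutter-free.com\r\n"
    "Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN, "
    "session_id=192bd2b3f61e2d804f7cd875ef73d13f, "
    "PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f, "
    "ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym\r\n"
    "Cookie: session_id=edea9cad57fa4ea044d2112cb130935c\r\n"
    "Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345\r\n"
    "Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4\r\n"
    "Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4\r\n"
    "User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)\r\n\r\n"
)
# Constructed baseline (assumed): what a browser session with the same site sends.
NORMAL_REQUEST = (
    "GET /esdb/ HTTP/1.1\r\nHost: www.dnv.org\r\n"
    "Cookie: CFID=5114828; CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n\r\n"
)
# Session-cookie names of different server stacks (assumed table); one site rarely runs several.
SESSION_FAMILIES = {
    "asp-classic": re.compile(r"^ASPSESSIONID[A-Z]+$", re.I),
    "asp.net": re.compile(r"^ASP\.NET_SessionId$", re.I),
    "coldfusion": re.compile(r"^(CFID|CFTOKEN|CFGLOBALS)$", re.I),
    "drupal": re.compile(r"^SESS[0-9a-f]{32}$", re.I),
    "java": re.compile(r"^(JSESSIONID|JServSessionId\w*)$", re.I),
    "php": re.compile(r"^PHPSESSID$", re.I),
}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def parse_request(raw):
    """Return (request_line, [(header_name, value), ...]), keeping repeated headers."""
    lines = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0].splitlines()
    headers = [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines[1:] if ":" in ln]
    return lines[0], headers

def cookie_pairs(headers):
    """Return (number_of_Cookie_headers, [(name, value), ...]). Pairs split on ';'
    (RFC 2109/6265) and on ',' because the post's capture shows comma-joined pairs."""
    count, pairs = 0, []
    for name, value in headers:
        if name.lower() == "cookie":
            count += 1
            for chunk in re.split(r"[;,]\s*", value):
                k, sep, v = chunk.partition("=")
                if sep and k.strip():
                    pairs.append((k.strip(), v.strip()))
    return count, pairs

def registrable_domain(host):
    """Crude last-two-labels approximation (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_in_value(value):
    """Hostname from a cookie value that is a URL or a bare domain, else None."""
    if value.lower().startswith(("http://", "https://")):
        return urlsplit(value).hostname
    return value.lower() if DOMAIN_RE.match(value) else None

def analyze(raw):
    """Features that separate a cookie-jar dump from a normal browser request."""
    _, headers = parse_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    header_count, pairs = cookie_pairs(headers)
    values_by_name = defaultdict(set)
    for k, v in pairs:
        values_by_name[k].add(v)
    own = registrable_domain(host)
    foreign = {h for _k, v in pairs
               if (h := host_in_value(v)) and registrable_domain(h) != own}
    return {
        "host": host,
        "cookie_headers": header_count,  # a browser sends exactly one
        "pairs": len(pairs),
        "conflicting_names": sorted(k for k, vs in values_by_name.items() if len(vs) > 1),
        "session_families": sorted(f for f, pat in SESSION_FAMILIES.items()
                                   if any(pat.match(k) for k in values_by_name)),
        "foreign_hosts": sorted(foreign),  # cookies that name another site
    }

def is_cookie_dump(raw):
    """True when the request shows any of the jar-dump markers computed above."""
    r = analyze(raw)
    return bool(r["cookie_headers"] > 1 or r["conflicting_names"]
                or len(r["session_families"]) > 1 or r["foreign_hosts"])

if __name__ == "__main__":
    for label, req in (("captured", SAMPLE_REQUEST), ("baseline", NORMAL_REQUEST)):
        print(label, is_cookie_dump(req), analyze(req))
```

Run it directly to see both verdicts. The single-feature form of Matt's signature (a second `Cookie:` line in one request) is the cheapest to express in an IDS rule, but proxies and scripted clients also produce it, so the duplicate-name, multi-stack and foreign-host counters are what keep false positives down. None of this shows the request exploiting anything, which matches Johannes' observation.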
Peter Lindgren
2008-07-29 04:31:20 UTC
I hope you figure it out; I am getting failure-to-deliver email messages I never sent.

In God we trust!
Peter Lindgren
National Past President IOGT
root=jp23zvxnk2.JS1, > > JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952, > > krts=BEE1A2038B634522B5BFF0AF4D79F380, > > krtt=4D8FE08CA91742A2BA0CF0AF4D79F380, > > krta=AA37AF88973E4068953BF0AF4D79F380, > > TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 > > PM&IssueDateTime=07/28/2008 12:41:49 PM, > > YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE, > > ShortUrlAddressesAndFunAds=28C8TL104!
WUU2H3A3
IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS, > > userid=4n3J6GJI9v, > > pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5, > > csxslt=no, > > pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5, > > cartexists=yes, > > pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5, > > returning=1, browserid=version=0&v=5&os=0&browser=0, > > recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D> > SRC: Cookie: comment_by_existing=deleted> > SRC: Cookie: Coy> > SRC: ote-2-45199505=a140101:0> > SRC: Cookie: session
_id=edea9cad57fa4ea044d2112cb130935c> > SRC: Cookie: user_id=deleted> > SRC: Cookie: recSerBox=1> > SRC: Cookie: recViewBox=1> > SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F> > SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM> > SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM> > SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM> > SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e> > SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345> > SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG> > SRC: Cookie: check%5Fcookie=1> > SRC: Cookie: > > Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524> > SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688> > SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1
688z0> > SRC: Cookie: gbShowActions=True> > SRC: Cookie: SES%5FAFX=32066811> > SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003> > SRC: Cookie: > > session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=> > SRC: Cookie: ubid-main=102-6925827-4568451> > SRC: Cookie: session-id=064-72!
49049-32
52126> > SRC: Cookie: session-id-time=1217335449> > SRC: Cookie: _cookie=OK> > SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4> > SRC: Cookie: RUUID=2571083%3A32354115> > SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr> > SRC: Cookie: NovaId=1178761725940911354> > SRC: Cookie: PREF=_lm=121724893> > SRC: 8:v=2:frschk=1> > SRC: Cookie: SS=Q0=VkNGUw> > SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1> > SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4> > SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380> > SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380> > SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380> > SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 > > PM&IssueDateTime=07/28/2008 12:41:49 PM> > SRC: Cookie: > > YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_T
HIS_COOKIE> > SRC: Cookie: > > ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS> > SRC: Cookie: userid=4n3J6GJI9v> > SRC: Cookie: > > pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5> > SRC: Cookie: csxslt=no> > SRC: Cookie: > > pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5> > SRC: Cookie: cartexists=yes> > SRC: Cookie: > > pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5> > SRC: Cookie: returning=1> > SRC: Cookie: browserid=version=0&os=0&browser=0> > SRC: Cookie: > > recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c
2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5> > SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)> > SRC:> > > > --> > CP> > > > > > _______________________________________________> > Emerging-sigs mailing list> > Emerging-sigs-***@public.gmane.org> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs> > -- > --------------------------------------------> Matthew Jonkman> Emerging!
Threats
Phone 765-429-0398> Fax 312-264-0205> http://www.emergingthreats.net> --------------------------------------------> > PGP: http://www.jonkmans.com/mattjonkman.asc> > > _________________________________________> SANSFIRE !! The Internet Storm Center Conference> http://www.sans.org/sansfire08/
_________________________________________
SANSFIRE !! The Internet Storm Center Conference
http://www.sans.org/sansfire08/
CunningPike
2008-07-30 04:32:27 UTC
No discernible effect, other than a 404 from the server.

I'd certainly be interested in a sig - even if only to see how
widespread this is, and maybe identify a pattern.

CP
Post by Matt Jonkman
That is bizarre. Was there any discernible effect?
Maybe we do a signature for multiple cookie sets?
Anyone aware of a particular attack or possible target effect?
Matt
_______________________________________________
Emerging-sigs mailing list
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
jayjwa
2008-07-30 10:28:27 UTC
On Mon, 28 Jul 2008, CunningPike wrote:

-> Has anyone else encountered HTTP GETs like the following? It looks to be
-> pre-loaded with a whole bunch of session-related cookies - almost a session
-> brute-force attempt:

Cookie-stealing exploitation going on? w/ XSS? Poke around the URLs and look for
anything suspect.


-> SRC: GET /esdb/ HTTP/1.0
-> SRC: Host: www.dnv.org

I'd try this host + URL.

-> SRC: Cookie:
-> CFGLOBALS=urltoken%3DCFID%23%3D5114828%26CFTOKEN%23%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23lastvisit%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23timecreated%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23hitcount%3D2%23cftoken%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23cfid%3D5114828%23
-> SRC: Cookie: EHRLES1=UserID=120097&SessionID=njLibvFq4EPJ1XIbddWd
-> SRC: Cookie: clsect=2
-> SRC: Cookie: vCard_senderemail=deleted
-> SRC: Cookie: vCard_sendername=deleted
-> SRC: Cookie: vCard_recpemail=deleted
-> SRC: Cookie: vCard_recpname=deleted


You did the deleted stuff? If so, that might have been what they were after.


-> SRC: Cookie: WWWSLB=36
-> SRC: Cookie: DFSEX=0
-> SRC: Cookie: DFSRM=0
-> SRC: Cookie: DFSID=69B123CF%2DC293%2D63BC%2D8E9B64941A808E71
-> SRC: Cookie: ctk=NDg4ZGJmMzM0NmJkNDE2OGNhN2JiMTliYmRjZg%3D%3D
-> SRC: Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG
-> SRC: Cookie: SWID=16E3EC6E-CF85-446A-9D4C-96ECB622741B
-> SRC: Cookie: DilbertServerID=1527
-> SRC: Cookie: daytimer=cid=us&shopperid=07AEE5F8701748C08186911E3136B728
-> SRC: Cookie: cpage=%2FDefault%2Easp%3F
-> SRC: Cookie: REFERRER=(null)
-> SRC: Cookie: MEMBER_PAGE=sherry67/fun2.html

Dilbert the comic strip? :-\


-> SRC: Cookie: ec_token=2E388J5728585X
-> SRC: Cookie:
-> cs=aRL8zWKg7VZKYty0w0mD/AGXTD6XF3p5wnJcPpCDKruklai90AfsjdcXewjHnzw+nObctrcn2LZHN0w+kYGrftcXTD6hAEy2lxdMCK8HxD6fzL2uEDRcqhBBqnjHgErJlxdMfjcHDB6XN0w+lxdMftdHDA6Q==
-> SRC: Cookie:
-> uu=XKLbDI/uRzDn2Fb4zx2itAbRbbqgkW2cM7Jb6qPi7pnW8n4psxLr/IbXTunh9jrpluc7SgCRbbqQoi6589J
-> SRC:
-> u+gMCH1nD8c04cnI+6aAxHon2F/vMJ9HN7ccTi1zwMRuMUDFI75AxSU4Upfj/NBWZbrRl2X6zki0aY/I/WbOC7ihAQh64Q5IuKgMC7vmwMn6ZsJFtGgZxLZqg1lvs+IFtuqhHirorYP0uIKH5MnCxbbqmRsta4JFt/LhNvyqgkX0uINFNuqCRS/wxmP26oIH5MlCxbbqgkW3q4MEtiq
-> SRC: Cookie: nCircleBlog=70.189.65.104.119791217249048649
-> SRC: Cookie: CRAYOLA_POPUP=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
-> SRC: Cookie: CRAYOLA_ANON=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
-> SRC: Cookie: cl_def_hp=tulsa
-> SRC: Cookie: cl_def_lang=en
-> SRC: Cookie: coxlocale=tulsa%3Ben
-> SRC: Cookie: mid=0
-> SRC: Cookie: pid=0
-> SRC: Cookie: CLENETid=1:27.
-> SRC: Cookie: CTOpt=time=1217249030638&sess=31267557671
-> SRC: Cookie: Apache=70.189.65.104.305671217249028920

Another host to check.

-> SRC: Cookie: DOESBROWSERACCEPTCOOKIES=true
-> SRC: Cookie: bowtie=7/28/2008 5:44:05 AM
-> SRC: Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=ced65dmr7t0ivgi6m2eo253553
-> SRC: Cookie: mmlID=93448404
-> SRC: Cookie: customer=107947749
-> SRC: Cookie: order=74197621

"customer" + "order" likely means some money is transfered some place.


-> SRC: Cookie: ASPSESSIONIDASSAASAR=GMAKJFCCDJBGKLNIIHFHGEAD
-> SRC: Cookie:
-> SESS3f4f40b66af5a88185d3cdeee42c51df=cabbc17ccf3fa317d7aacc5939b767e1
-> SRC: Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC
-> SRC: Cookie: CFID=5114828
-> SRC: Cookie: ASPSESSIONIDSADDCRQT=MAFPKONCFEJFFFNEANIEMIDI
-> SRC: Cookie:
-> MSTk=qs=06oENya4ZG5X757KKL0xhi4IDo8OINeZnkPNp8JeC4KYxPlud3QTsaXj51ZvZuZDDmtFZ2Hq8-RqBwMWFJgneKQOuTvap04WzrxmFW9ZJbt_m2_bm6_Ujoe5KdION9XyBZADyUAjqOhV5ogDJrUww6zjHOb-ndzsL6Gaizx-JkI6zphcZsy3jXX3nCqUVs-tDwxEI7Vm-l6C1CIXjwg7mpM61HL
-> SRC: rEcUREYYrVK,YT0z
-> SRC: Cookie: SessionCounters=-1=1,1=1
-> SRC: Cookie: SLTk=Exp=7/25/2008 5:42:58 AM
-> SRC: Cookie: LastURL=http://www.beclutter-free.com/default.pk

This one might give a clue, too.


-> SRC: Cookie: Domain=beclutter-free.com
-> SRC: Cookie: VisitorID=52c70e3e-06b9-4f44-9191-908b841e2c91&Exp=7/28/2011
-> 5:42:58 AM
-> SRC: Cookie: RandomSeed=1656187007
-> SRC: Cookie: SessionID=c89affca-26c7-4d41-852b-6524ac8dfcf0
-> SRC: Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN,
-> comment_by_existing=deleted, Coyote-2-45199505=a140101:0,
-> session_id=192bd2b3f61e2d804f7cd875ef73d13f, user_id=deleted, recSerBox=1,
-> recViewBox=1, MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F,
-> AnandTechVisitedDate=7/28/2008 8:42:34 AM, ATLASTVISITEDSYS=7/28/2008 8:42:34
-> AM, ATLASTVISITED=7/28/2008 8:42:34 AM,
-> atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e,
-> ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym,
-> ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG, check%5Fcookie=1,
-> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524,
-> TLTHID=6C976809451D5D276A4FA9BDE15F1688,
-> TLTSID=6C976809451D5D276A4FA9BDE15F1688z0, gbShowActions=True,
-> SES%5FAFX=32066811, SES%5FBBB=7%2F28%2F20083465003,
-> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=,
-> ubid-main=102-6925827-456
-> SRC: 8451, session-id=102-7741321-4364915, session-id-time=1217833200l,
-> _cookie=OK, PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f,
-> RUUID=2571083%3A32354115, BX=f9e330t48rfl6&b=3&s=vr,
-> NovaId=1178761725940911354, PREF=_lm=1217248938:v=2:frschk=1, SS=Q0=VkNGUw,
-> JServSessionIdroot=jp23zvxnk2.JS1,
-> JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952,
-> krts=BEE1A2038B634522B5BFF0AF4D79F380, krtt=4D8FE08CA91742A2BA0CF0AF4D79F380,
-> krta=AA37AF88973E4068953BF0AF4D79F380, TimeTrack=LastSeenDateTime=07/28/2008
-> 12:41:49 PM&IssueDateTime=07/28/2008 12:41:49 PM,
-> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE,
-> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS,
-> userid=4n3J6GJI9v,
-> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5,
-> csxslt=no,
-> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5,
-> cartexists=yes,
-> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5,
-> returning=1, browserid=version=0&v=5&os=0&browser=0,
-> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D
-> SRC: Cookie: comment_by_existing=deleted
-> SRC: Cookie: Coy
-> SRC: ote-2-45199505=a140101:0
-> SRC: Cookie: session_id=edea9cad57fa4ea044d2112cb130935c
-> SRC: Cookie: user_id=deleted
-> SRC: Cookie: recSerBox=1
-> SRC: Cookie: recViewBox=1
-> SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F
-> SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM
-> SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM
-> SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM
-> SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e
-> SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345
-> SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG
-> SRC: Cookie: check%5Fcookie=1

If cookies need to be checked, as this data implies, then the cookies likely
are valuable.

-> SRC: Cookie:
-> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524
-> SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688
-> SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1688z0
-> SRC: Cookie: gbShowActions=True
-> SRC: Cookie: SES%5FAFX=32066811
-> SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003
-> SRC: Cookie:
-> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=
-> SRC: Cookie: ubid-main=102-6925827-4568451
-> SRC: Cookie: session-id=064-7249049-3252126
-> SRC: Cookie: session-id-time=1217335449
-> SRC: Cookie: _cookie=OK
-> SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4
-> SRC: Cookie: RUUID=2571083%3A32354115
-> SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr
-> SRC: Cookie: NovaId=1178761725940911354

"NovaId" appears several times. It seems to reference some type of badware:

http://www.windowskb.com/Uwe/Forum.aspx/windowsxp/182404/HELP-Please

However, stuff like that is the rule, not the exception, for Windows ;-)

So it might not be directly related to this incident. Many Joe Average users
go about their daily business infected with spyware/adware/malware, blaming
anything obvious on the site they are currently at or a slow connection.


At the URL below, users claim the URL it references is related to their NovaID
one. They say it has cookie-handling routines. Sounds promising.

http://forums.spybot.info/archive/index.php/t-546.html

"A different one popped up in the last couple days that has the following
address. It seems to be rules for cookie handling
but it's waaaaaay over my head."

Possibly these are the cookies that thing is supposed to handle.


-> SRC: Cookie: PREF=_lm=121724893
-> SRC: 8:v=2:frschk=1
-> SRC: Cookie: SS=Q0=VkNGUw
-> SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1
-> SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4
-> SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380
-> SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380
-> SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380
-> SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49


Java stuff? Might be related to any recent Java vulns.

-> PM&IssueDateTime=07/28/2008 12:41:49 PM
-> SRC: Cookie:
-> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE
-> SRC: Cookie:
-> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS
-> SRC: Cookie: userid=4n3J6GJI9v
-> SRC: Cookie:
-> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5
-> SRC: Cookie: csxslt=no
-> SRC: Cookie:
-> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5
-> SRC: Cookie: cartexists=yes


A "cart" in web terms usually implies some sort of shopping or money exchange
is possible. This isn't looking good.

-> SRC: Cookie:
-> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5
-> SRC: Cookie: returning=1
-> SRC: Cookie: browserid=version=0&os=0&browser=0
-> SRC: Cookie:
-> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5
-> SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
-> SRC:

Old? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



My guess: an unpatched Windows user got her cookies stolen, possible XSS. The
answer to why is likely discernible from searching around the referenced URLs.

The account associated with the cart/userid/session is a likely reason for
this attack. You might find out more by sticking some of the more exotic
static text in Google. Nothing solid, just the directions I'd take to find out
more about this.




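Matt's idea of a signature for "multiple cookie sets", and jayjwa's triage of which cookies carry session value and which hosts they point at, can both be expressed as one check over the raw request. The following is an added example written for this page, not code from the thread or from Emerging Threats. The request text is a constructed, trimmed stand-in that reuses a few of the cookie names from the capture; the thresholds (one Cookie header line, two session-style cookies) and the session-name pattern are assumptions chosen for illustration.

```python
"""Triage a captured HTTP request that carries an unusual number of cookies.

Three anomalies are scored, each visible in the capture discussed above:
  1. more than one Cookie header line in a single request,
  2. many cookies whose names look like session identifiers or tokens,
  3. cookie values that name hosts other than the request's Host header.
"""
import re
from urllib.parse import urlsplit

# Assumed pattern for "session-style" cookie names (CFID/CFTOKEN, ASP, PHP, Java, generic token).
SESSION_NAME = re.compile(
    r"(sess|session|token|jsessionid|phpsessid|cfid|cftoken|aspsessionid)",
    re.IGNORECASE,
)

# Constructed sample: a trimmed stand-in for the request in the thread, not the real capture.
SAMPLE_REQUEST = (
    "GET /esdb/ HTTP/1.0\r\n"
    "Host: www.dnv.org\r\n"
    "Cookie: CFID=5114828\r\n"
    "Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC\r\n"
    "Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG\r\n"
    "Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4\r\n"
    "Cookie: customer=107947749\r\n"
    "Cookie: order=74197621\r\n"
    "Cookie: LastURL=http://www.beclutter-free.com/default.pk\r\n"
    "Cookie: Domain=beclutter-free.com\r\n"
    "Cookie: DOESBROWSERACCEPTCOOKIES=true\r\n"
    "User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)\r\n"
    "\r\n"
)

# Constructed control: what a normal browser visit to the same host looks like.
BENIGN_REQUEST = (
    "GET /esdb/ HTTP/1.1\r\n"
    "Host: www.dnv.org\r\n"
    "Cookie: CFID=5114828; CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw request into (name, value) pairs, keeping repeated headers in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_pairs(headers):
    """Flatten every Cookie header line into (name, value) pairs."""
    pairs = []
    for name, value in headers:
        if name != "cookie":
            continue
        for item in value.split(";"):
            item = item.strip()
            if item:
                k, _, v = item.partition("=")
                pairs.append((k.strip(), v.strip()))
    return pairs


def referenced_hosts(pairs):
    """Collect hostnames embedded in cookie values, either as URLs or bare domains."""
    hosts = set()
    for _, v in pairs:
        if "://" in v:
            host = urlsplit(v).hostname
            if host:
                hosts.add(host.lower())
        elif re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v, re.IGNORECASE):
            hosts.add(v.lower())
    return hosts


def triage(raw, max_cookie_headers=1, max_session_cookies=2):
    """Score one request; returns counts, the flagged names and the alert reasons."""
    headers = parse_headers(raw)
    pairs = cookie_pairs(headers)
    host = next((v for n, v in headers if n == "host"), "").lower()
    n_cookie_headers = sum(1 for n, _ in headers if n == "cookie")
    session = sorted(k for k, _ in pairs if SESSION_NAME.search(k))
    foreign = sorted(h for h in referenced_hosts(pairs) if h != host)
    reasons = []
    if n_cookie_headers > max_cookie_headers:
        reasons.append(f"{n_cookie_headers} Cookie header lines in one request")
    if len(session) > max_session_cookies:
        reasons.append(f"{len(session)} session-style cookies: {', '.join(session)}")
    if foreign:
        reasons.append(f"cookie values reference other hosts: {', '.join(foreign)}")
    return {
        "host": host,
        "cookie_headers": n_cookie_headers,
        "cookies": len(pairs),
        "session_cookies": session,
        "foreign_hosts": foreign,
        "alert": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, req in (("suspicious", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        result = triage(req)
        print(f"{label}: alert={result['alert']} cookies={result['cookies']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

A conforming browser folds every cookie it holds for the request's host into a single Cookie header line (RFC 6265 section 5.4) and never sends cookies scoped to other hosts, so either a run of repeated Cookie lines or values naming unrelated domains is an anomaly on its own, whatever the individual cookies contain. The same header-count test is what a network signature would express; the Python form makes it easy to run over requests exported from a capture and to tune the thresholds before committing to a rule.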
