[Dshield] [Emerging-Sigs] Bizarre HTTP GET
Johannes B. Ullrich
jullrich at sans.org
Tue Jul 29 13:40:26 GMT 2008
I have seen similar (but different) overly long cookies. They don't appear to exploit anything. I kind of attributed them to spyware relaxing cookie domains, but haven't seen the related spyware so far.
Network Security 2008 - Las Vegas, NV, Sept.28-Oct 6;
http://www.sans.org/info/30123
----- Original Message -----
From: "Matt Jonkman" <jonkman at jonkmans.com>
To: "CunningPike" <cunningpike at gmail.com>
Cc: list at lists.dshield.org, emerging-sigs at emergingthreats.net
Sent: Monday, July 28, 2008 11:36:29 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Dshield] [Emerging-Sigs] Bizarre HTTP GET
That is bizarre. Was there any discernible effect?
Maybe we do a signature for multiple cookie sets?
Anyone aware of a particular attack or possible target effect?
Matt
CunningPike wrote:
> Greetings,
>
> Has anyone else encountered HTTP GETs like the following? It looks to be
> pre-loaded with a whole bunch of session-related cookies - almost a
> session brute-force attempt:
>
> SRC: GET /esdb/ HTTP/1.0
> SRC: Host: www.dnv.org
> SRC: Cookie:
> CFGLOBALS=urltoken%3DCFID%23%3D5114828%26CFTOKEN%23%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23lastvisit%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23timecreated%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23hitcount%3D2%23cftoken%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23cfid%3D5114828%23
> SRC: Cookie: EHRLES1=UserID=120097&SessionID=njLibvFq4EPJ1XIbddWd
> SRC: Cookie: clsect=2
> SRC: Cookie: vCard_senderemail=deleted
> SRC: Cookie: vCard_sendername=deleted
> SRC: Cookie: vCard_recpemail=deleted
> SRC: Cookie: vCard_recpname=deleted
> SRC: Cookie: WWWSLB=36
> SRC: Cookie: DFSEX=0
> SRC: Cookie: DFSRM=0
> SRC: Cookie: DFSID=69B123CF%2DC293%2D63BC%2D8E9B64941A808E71
> SRC: Cookie: ctk=NDg4ZGJmMzM0NmJkNDE2OGNhN2JiMTliYmRjZg%3D%3D
> SRC: Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG
> SRC: Cookie: SWID=16E3EC6E-CF85-446A-9D4C-96ECB622741B
> SRC: Cookie: DilbertServerID=1527
> SRC: Cookie: daytimer=cid=us&shopperid=07AEE5F8701748C08186911E3136B728
> SRC: Cookie: cpage=%2FDefault%2Easp%3F
> SRC: Cookie: REFERRER=(null)
> SRC: Cookie: MEMBER_PAGE=sherry67/fun2.html
> SRC: Cookie: ec_token=2E388J5728585X
> SRC: Cookie:
> cs=aRL8zWKg7VZKYty0w0mD/AGXTD6XF3p5wnJcPpCDKruklai90AfsjdcXewjHnzw+nObctrcn2LZHN0w+kYGrftcXTD6hAEy2lxdMCK8HxD6fzL2uEDRcqhBBqnjHgErJlxdMfjcHDB6XN0w+lxdMftdHDA6Q==
> SRC: Cookie:
> uu=XKLbDI/uRzDn2Fb4zx2itAbRbbqgkW2cM7Jb6qPi7pnW8n4psxLr/IbXTunh9jrpluc7SgCRbbqQoi6589J
> SRC:
> u+gMCH1nD8c04cnI+6aAxHon2F/vMJ9HN7ccTi1zwMRuMUDFI75AxSU4Upfj/NBWZbrRl2X6zki0aY/I/WbOC7ihAQh64Q5IuKgMC7vmwMn6ZsJFtGgZxLZqg1lvs+IFtuqhHirorYP0uIKH5MnCxbbqmRsta4JFt/LhNvyqgkX0uINFNuqCRS/wxmP26oIH5MlCxbbqgkW3q4MEtiq
> SRC: Cookie: nCircleBlog=70.189.65.104.119791217249048649
> SRC: Cookie: CRAYOLA_POPUP=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
> SRC: Cookie: CRAYOLA_ANON=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
> SRC: Cookie: cl_def_hp=tulsa
> SRC: Cookie: cl_def_lang=en
> SRC: Cookie: coxlocale=tulsa%3Ben
> SRC: Cookie: mid=0
> SRC: Cookie: pid=0
> SRC: Cookie: CLENETid=1:27.
> SRC: Cookie: CTOpt=time=1217249030638&sess=31267557671
> SRC: Cookie: Apache=70.189.65.104.305671217249028920
> SRC: Cookie: DOESBROWSERACCEPTCOOKIES=true
> SRC: Cookie: bowtie=7/28/2008 5:44:05 AM
> SRC: Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=ced65dmr7t0ivgi6m2eo253553
> SRC: Cookie: mmlID=93448404
> SRC: Cookie: customer=107947749
> SRC: Cookie: order=74197621
> SRC: Cookie: ASPSESSIONIDASSAASAR=GMAKJFCCDJBGKLNIIHFHGEAD
> SRC: Cookie:
> SESS3f4f40b66af5a88185d3cdeee42c51df=cabbc17ccf3fa317d7aacc5939b767e1
> SRC: Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC
> SRC: Cookie: CFID=5114828
> SRC: Cookie: ASPSESSIONIDSADDCRQT=MAFPKONCFEJFFFNEANIEMIDI
> SRC: Cookie:
> MSTk=qs=06oENya4ZG5X757KKL0xhi4IDo8OINeZnkPNp8JeC4KYxPlud3QTsaXj51ZvZuZDDmtFZ2Hq8-RqBwMWFJgneKQOuTvap04WzrxmFW9ZJbt_m2_bm6_Ujoe5KdION9XyBZADyUAjqOhV5ogDJrUww6zjHOb-ndzsL6Gaizx-JkI6zphcZsy3jXX3nCqUVs-tDwxEI7Vm-l6C1CIXjwg7mpM61HL
> SRC: rEcUREYYrVK,YT0z
> SRC: Cookie: SessionCounters=-1=1,1=1
> SRC: Cookie: SLTk=Exp=7/25/2008 5:42:58 AM
> SRC: Cookie: LastURL=http://www.beclutter-free.com/default.pk
> SRC: Cookie: Domain=beclutter-free.com
> SRC: Cookie:
> VisitorID=52c70e3e-06b9-4f44-9191-908b841e2c91&Exp=7/28/2011 5:42:58 AM
> SRC: Cookie: RandomSeed=1656187007
> SRC: Cookie: SessionID=c89affca-26c7-4d41-852b-6524ac8dfcf0
> SRC: Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN,
> comment_by_existing=deleted, Coyote-2-45199505=a140101:0,
> session_id=192bd2b3f61e2d804f7cd875ef73d13f, user_id=deleted,
> recSerBox=1, recViewBox=1,
> MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F,
> AnandTechVisitedDate=7/28/2008 8:42:34 AM, ATLASTVISITEDSYS=7/28/2008
> 8:42:34 AM, ATLASTVISITED=7/28/2008 8:42:34 AM,
> atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e,
> ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym,
> ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG, check%5Fcookie=1,
> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524,
> TLTHID=6C976809451D5D276A4FA9BDE15F1688,
> TLTSID=6C976809451D5D276A4FA9BDE15F1688z0, gbShowActions=True,
> SES%5FAFX=32066811, SES%5FBBB=7%2F28%2F20083465003,
> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=,
> ubid-main=102-6925827-456
> SRC: 8451, session-id=102-7741321-4364915, session-id-time=1217833200l,
> _cookie=OK, PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f,
> RUUID=2571083%3A32354115, BX=f9e330t48rfl6&b=3&s=vr,
> NovaId=1178761725940911354, PREF=_lm=1217248938:v=2:frschk=1,
> SS=Q0=VkNGUw, JServSessionIdroot=jp23zvxnk2.JS1,
> JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952,
> krts=BEE1A2038B634522B5BFF0AF4D79F380,
> krtt=4D8FE08CA91742A2BA0CF0AF4D79F380,
> krta=AA37AF88973E4068953BF0AF4D79F380,
> TimeTrack=LastSeenDateTime=07/28/2008 12:41:49
> PM&IssueDateTime=07/28/2008 12:41:49 PM,
> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE,
> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS,
> userid=4n3J6GJI9v,
> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5,
> csxslt=no,
> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5,
> cartexists=yes,
> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5,
> returning=1, browserid=version=0&v=5&os=0&browser=0,
> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D
> SRC: Cookie: comment_by_existing=deleted
> SRC: Cookie: Coy
> SRC: ote-2-45199505=a140101:0
> SRC: Cookie: session_id=edea9cad57fa4ea044d2112cb130935c
> SRC: Cookie: user_id=deleted
> SRC: Cookie: recSerBox=1
> SRC: Cookie: recViewBox=1
> SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F
> SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM
> SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM
> SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM
> SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e
> SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345
> SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG
> SRC: Cookie: check%5Fcookie=1
> SRC: Cookie:
> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524
> SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688
> SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1688z0
> SRC: Cookie: gbShowActions=True
> SRC: Cookie: SES%5FAFX=32066811
> SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003
> SRC: Cookie:
> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=
> SRC: Cookie: ubid-main=102-6925827-4568451
> SRC: Cookie: session-id=064-7249049-3252126
> SRC: Cookie: session-id-time=1217335449
> SRC: Cookie: _cookie=OK
> SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4
> SRC: Cookie: RUUID=2571083%3A32354115
> SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr
> SRC: Cookie: NovaId=1178761725940911354
> SRC: Cookie: PREF=_lm=121724893
> SRC: 8:v=2:frschk=1
> SRC: Cookie: SS=Q0=VkNGUw
> SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1
> SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4
> SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380
> SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380
> SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380
> SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49
> PM&IssueDateTime=07/28/2008 12:41:49 PM
> SRC: Cookie:
> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE
> SRC: Cookie:
> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS
> SRC: Cookie: userid=4n3J6GJI9v
> SRC: Cookie:
> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5
> SRC: Cookie: csxslt=no
> SRC: Cookie:
> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5
> SRC: Cookie: cartexists=yes
> SRC: Cookie:
> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5
> SRC: Cookie: returning=1
> SRC: Cookie: browserid=version=0&os=0&browser=0
> SRC: Cookie:
> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5
> SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
> SRC:
>
> --
> CP
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
_________________________________________
SANSFIRE !! The Internet Storm Center Conference
http://www.sans.org/sansfire08/
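The two observations in the thread, Matt's idea of a signature for multiple cookie sets and Johannes' overly long cookies, can both be checked from the raw request rather than by eyeballing it. The Python below is an added example for this archive page, not code from the thread or from Emerging Threats. The framework-to-cookie-name table, the thresholds, and both sample requests are assumptions constructed for the example; the sample only borrows the header layout and a few cookie names from the capture quoted above, and every value in it is made up.

```python
import re
from dataclasses import dataclass, field

# Cookie names that mark a server-side session for a particular framework.
# This table is an assumption of the example, chosen to cover names seen in
# the captured request (ASPSESSIONID*, PHPSESSID, JSESSIONID, CFID/CFTOKEN,
# ASP.NET_SessionId, Drupal SESS<md5>).
SESSION_COOKIE_PATTERNS = (
    ("ASP classic", re.compile(r"^ASPSESSIONID[A-Z]+$")),
    ("ASP.NET", re.compile(r"^ASP\.NET_SessionId$")),
    ("PHP", re.compile(r"^PHPSESSID$")),
    ("Java servlet", re.compile(r"^JSESSIONID$")),
    ("ColdFusion", re.compile(r"^(CFID|CFTOKEN)$")),
    ("Drupal", re.compile(r"^SESS[0-9a-f]{32}$")),
)

# Constructed sample modelled on the capture in the thread: many separate
# Cookie header lines carrying session cookies of unrelated frameworks, plus
# one oversized cookie. All values are invented for this example.
SAMPLE_REQUEST = "\r\n".join([
    "GET /esdb/ HTTP/1.0",
    "Host: www.example.test",
    "Cookie: CFID=1; CFTOKEN=aaaa",
    "Cookie: ASPSESSIONIDSARQCRBR=AAAA",
    "Cookie: ASPSESSIONIDASSAASAR=BBBB",
    "Cookie: PHPSESSID=cccc",
    "Cookie: JSESSIONID=dddd",
    "Cookie: ASP.NET_SessionId=eeee",
    "Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=ffff",
    "Cookie: " + "x" * 600,
    "User-Agent: Mozilla/4.0 (compatible; constructed-sample)",
    "",
    "",
])

# Constructed baseline: what an ordinary browser sends to a single site.
NORMAL_REQUEST = "\r\n".join([
    "GET /index.html HTTP/1.0",
    "Host: www.example.test",
    "Cookie: PHPSESSID=abcd; lang=en",
    "",
    "",
])


@dataclass
class CookieStats:
    header_count: int = 0                      # separate Cookie header lines
    total_bytes: int = 0                       # combined length of all Cookie values
    names: list = field(default_factory=list)  # every cookie name seen
    frameworks: set = field(default_factory=set)


def parse_headers(raw):
    """Split a raw HTTP request into its request line and a list of
    (lower-cased name, value) tuples. Any body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookie_stats(raw):
    """Count Cookie headers, their total size, and how many distinct
    frameworks' session cookies the request carries."""
    _, headers = parse_headers(raw)
    stats = CookieStats()
    for name, value in headers:
        if name != "cookie":
            continue
        stats.header_count += 1
        stats.total_bytes += len(value)
        # Browsers separate pairs with ';'. Some proxies fold repeated headers
        # with ',', which is also visible in the capture, so accept both.
        for pair in re.split(r"[;,]", value):
            pair = pair.strip()
            if not pair:
                continue
            cookie_name = pair.split("=", 1)[0].strip()
            stats.names.append(cookie_name)
            for framework, pattern in SESSION_COOKIE_PATTERNS:
                if pattern.match(cookie_name):
                    stats.frameworks.add(framework)
    return stats


def assess(raw, max_headers=1, max_bytes=4096, max_frameworks=1):
    """Return the names of the rules that fire; an empty list means the
    request looks like a normal browser request. Thresholds are assumptions
    for this example, not values from the thread."""
    s = cookie_stats(raw)
    fired = []
    if s.header_count > max_headers:
        # RFC 6265 5.4: a user agent sends at most one Cookie header field.
        fired.append("multiple_cookie_headers")
    if s.total_bytes > max_bytes:
        fired.append("oversized_cookie_data")
    if len(s.frameworks) > max_frameworks:
        fired.append("mixed_framework_session_cookies")
    return fired


if __name__ == "__main__":
    for label, req in (("sample", SAMPLE_REQUEST), ("normal", NORMAL_REQUEST)):
        print(label, cookie_stats(req).header_count, assess(req))
```

The third rule is the one that separates this traffic from a merely chatty site: one host may legitimately set several cookies, but no single application hands out ColdFusion, classic ASP, ASP.NET, PHP, servlet and Drupal session identifiers at once, so seeing all of them on one request points at a client replaying cookies collected elsewhere rather than at a session for www.dnv.org.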