[Dshield] Bizarre HTTP GET
jayjwa
jayjwa at atr2.ath.cx
Wed Jul 30 10:28:27 GMT 2008
On Mon, 28 Jul 2008, CunningPike wrote:
-> Has anyone else encountered HTTP GETs like the following? It looks to be
-> pre-loaded with a whole bunch of session-related cookies - almost a session
-> brute-force attempt:
Cookie-stealing exploitation going on? w/ XSS? Poke around the URLs and look for
anything suspect.
-> SRC: GET /esdb/ HTTP/1.0
-> SRC: Host: www.dnv.org
I'd try this host + URL.
-> SRC: Cookie:
-> CFGLOBALS=urltoken%3DCFID%23%3D5114828%26CFTOKEN%23%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23lastvisit%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23timecreated%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23hitcount%3D2%23cftoken%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23cfid%3D5114828%23
-> SRC: Cookie: EHRLES1=UserID=120097&SessionID=njLibvFq4EPJ1XIbddWd
-> SRC: Cookie: clsect=2
-> SRC: Cookie: vCard_senderemail=deleted
-> SRC: Cookie: vCard_sendername=deleted
-> SRC: Cookie: vCard_recpemail=deleted
-> SRC: Cookie: vCard_recpname=deleted
You did the deleted stuff? If so, that might have been what they were after.
-> SRC: Cookie: WWWSLB=36
-> SRC: Cookie: DFSEX=0
-> SRC: Cookie: DFSRM=0
-> SRC: Cookie: DFSID=69B123CF%2DC293%2D63BC%2D8E9B64941A808E71
-> SRC: Cookie: ctk=NDg4ZGJmMzM0NmJkNDE2OGNhN2JiMTliYmRjZg%3D%3D
-> SRC: Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG
-> SRC: Cookie: SWID=16E3EC6E-CF85-446A-9D4C-96ECB622741B
-> SRC: Cookie: DilbertServerID=1527
-> SRC: Cookie: daytimer=cid=us&shopperid=07AEE5F8701748C08186911E3136B728
-> SRC: Cookie: cpage=%2FDefault%2Easp%3F
-> SRC: Cookie: REFERRER=(null)
-> SRC: Cookie: MEMBER_PAGE=sherry67/fun2.html
Dilbert the comic strip? :-\
-> SRC: Cookie: ec_token=2E388J5728585X
-> SRC: Cookie:
-> cs=aRL8zWKg7VZKYty0w0mD/AGXTD6XF3p5wnJcPpCDKruklai90AfsjdcXewjHnzw+nObctrcn2LZHN0w+kYGrftcXTD6hAEy2lxdMCK8HxD6fzL2uEDRcqhBBqnjHgErJlxdMfjcHDB6XN0w+lxdMftdHDA6Q==
-> SRC: Cookie:
-> uu=XKLbDI/uRzDn2Fb4zx2itAbRbbqgkW2cM7Jb6qPi7pnW8n4psxLr/IbXTunh9jrpluc7SgCRbbqQoi6589Ju+gMCH1nD8c04cnI+6aAxHon2F/vMJ9HN7ccTi1zwMRuMUDFI75AxSU4Upfj/NBWZbrRl2X6zki0aY/I/WbOC7ihAQh64Q5IuKgMC7vmwMn6ZsJFtGgZxLZqg1lvs+IFtuqhHirorYP0uIKH5MnCxbbqmRsta4JFt/LhNvyqgkX0uINFNuqCRS/wxmP26oIH5MlCxbbqgkW3q4MEtiq
-> SRC: Cookie: nCircleBlog=70.189.65.104.119791217249048649
-> SRC: Cookie: CRAYOLA_POPUP=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
-> SRC: Cookie: CRAYOLA_ANON=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
-> SRC: Cookie: cl_def_hp=tulsa
-> SRC: Cookie: cl_def_lang=en
-> SRC: Cookie: coxlocale=tulsa%3Ben
-> SRC: Cookie: mid=0
-> SRC: Cookie: pid=0
-> SRC: Cookie: CLENETid=1:27.
-> SRC: Cookie: CTOpt=time=1217249030638&sess=31267557671
-> SRC: Cookie: Apache=70.189.65.104.305671217249028920
Another host to check.
-> SRC: Cookie: DOESBROWSERACCEPTCOOKIES=true
-> SRC: Cookie: bowtie=7/28/2008 5:44:05 AM
-> SRC: Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=ced65dmr7t0ivgi6m2eo253553
-> SRC: Cookie: mmlID=93448404
-> SRC: Cookie: customer=107947749
-> SRC: Cookie: order=74197621
"customer" + "order" likely means some money is transferred some place.
-> SRC: Cookie: ASPSESSIONIDASSAASAR=GMAKJFCCDJBGKLNIIHFHGEAD
-> SRC: Cookie:
-> SESS3f4f40b66af5a88185d3cdeee42c51df=cabbc17ccf3fa317d7aacc5939b767e1
-> SRC: Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC
-> SRC: Cookie: CFID=5114828
-> SRC: Cookie: ASPSESSIONIDSADDCRQT=MAFPKONCFEJFFFNEANIEMIDI
-> SRC: Cookie:
-> MSTk=qs=06oENya4ZG5X757KKL0xhi4IDo8OINeZnkPNp8JeC4KYxPlud3QTsaXj51ZvZuZDDmtFZ2Hq8-RqBwMWFJgneKQOuTvap04WzrxmFW9ZJbt_m2_bm6_Ujoe5KdION9XyBZADyUAjqOhV5ogDJrUww6zjHOb-ndzsL6Gaizx-JkI6zphcZsy3jXX3nCqUVs-tDwxEI7Vm-l6C1CIXjwg7mpM61HLrEcUREYYrVK,YT0z
-> SRC: Cookie: SessionCounters=-1=1,1=1
-> SRC: Cookie: SLTk=Exp=7/25/2008 5:42:58 AM
-> SRC: Cookie: LastURL=http://www.beclutter-free.com/default.pk
This one might give a clue, too.
-> SRC: Cookie: Domain=beclutter-free.com
-> SRC: Cookie: VisitorID=52c70e3e-06b9-4f44-9191-908b841e2c91&Exp=7/28/2011 5:42:58 AM
-> SRC: Cookie: RandomSeed=1656187007
-> SRC: Cookie: SessionID=c89affca-26c7-4d41-852b-6524ac8dfcf0
-> SRC: Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN,
-> comment_by_existing=deleted, Coyote-2-45199505=a140101:0,
-> session_id=192bd2b3f61e2d804f7cd875ef73d13f, user_id=deleted, recSerBox=1,
-> recViewBox=1, MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F,
-> AnandTechVisitedDate=7/28/2008 8:42:34 AM, ATLASTVISITEDSYS=7/28/2008 8:42:34
-> AM, ATLASTVISITED=7/28/2008 8:42:34 AM,
-> atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e,
-> ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym,
-> ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG, check%5Fcookie=1,
-> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524,
-> TLTHID=6C976809451D5D276A4FA9BDE15F1688,
-> TLTSID=6C976809451D5D276A4FA9BDE15F1688z0, gbShowActions=True,
-> SES%5FAFX=32066811, SES%5FBBB=7%2F28%2F20083465003,
-> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=,
-> ubid-main=102-6925827-4568451, session-id=102-7741321-4364915, session-id-time=1217833200l,
-> _cookie=OK, PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f,
-> RUUID=2571083%3A32354115, BX=f9e330t48rfl6&b=3&s=vr,
-> NovaId=1178761725940911354, PREF=_lm=1217248938:v=2:frschk=1, SS=Q0=VkNGUw,
-> JServSessionIdroot=jp23zvxnk2.JS1,
-> JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952,
-> krts=BEE1A2038B634522B5BFF0AF4D79F380, krtt=4D8FE08CA91742A2BA0CF0AF4D79F380,
-> krta=AA37AF88973E4068953BF0AF4D79F380, TimeTrack=LastSeenDateTime=07/28/2008
-> 12:41:49 PM&IssueDateTime=07/28/2008 12:41:49 PM,
-> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE,
-> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS,
-> userid=4n3J6GJI9v,
-> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5,
-> csxslt=no,
-> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5,
-> cartexists=yes,
-> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5,
-> returning=1, browserid=version=0&v=5&os=0&browser=0,
-> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D
-> SRC: Cookie: comment_by_existing=deleted
-> SRC: Cookie: Coyote-2-45199505=a140101:0
-> SRC: Cookie: session_id=edea9cad57fa4ea044d2112cb130935c
-> SRC: Cookie: user_id=deleted
-> SRC: Cookie: recSerBox=1
-> SRC: Cookie: recViewBox=1
-> SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F
-> SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM
-> SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM
-> SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM
-> SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e
-> SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345
-> SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG
-> SRC: Cookie: check%5Fcookie=1
If cookies need to be checked, as this data implies, then the cookies likely
are valuable.
-> SRC: Cookie:
-> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524
-> SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688
-> SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1688z0
-> SRC: Cookie: gbShowActions=True
-> SRC: Cookie: SES%5FAFX=32066811
-> SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003
-> SRC: Cookie:
-> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=
-> SRC: Cookie: ubid-main=102-6925827-4568451
-> SRC: Cookie: session-id=064-7249049-3252126
-> SRC: Cookie: session-id-time=1217335449
-> SRC: Cookie: _cookie=OK
-> SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4
-> SRC: Cookie: RUUID=2571083%3A32354115
-> SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr
-> SRC: Cookie: NovaId=1178761725940911354
"NovaId" appears several times. It seems to reference some type of badware:
http://www.windowskb.com/Uwe/Forum.aspx/windowsxp/182404/HELP-Please
However, stuff like that is the rule, not the exception, for Windows ;-)
So it might not be directly related to this incident. Many Joe Average users
go about their daily business infected with spyware/adware/malware, blaming
anything obvious on the site they are currently at or a slow connection.
In the URL below, users claim the URL referenced there is related to their NovaID
one. They say it has cookie-handling routines. Sounds promising.
http://forums.spybot.info/archive/index.php/t-546.html
"A different one popped up in the last couple days that has the following
address. It seems to be rules for cookie handling
but it's waaaaaay over my head."
Possibly these are the cookies that thing is supposed to handle.
-> SRC: Cookie: PREF=_lm=1217248938:v=2:frschk=1
-> SRC: Cookie: SS=Q0=VkNGUw
-> SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1
-> SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4
-> SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380
-> SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380
-> SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380
Java stuff? Might be related to any recent Java vulns.
-> SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 PM&IssueDateTime=07/28/2008 12:41:49 PM
-> SRC: Cookie:
-> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE
-> SRC: Cookie:
-> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS
-> SRC: Cookie: userid=4n3J6GJI9v
-> SRC: Cookie:
-> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5
-> SRC: Cookie: csxslt=no
-> SRC: Cookie:
-> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5
-> SRC: Cookie: cartexists=yes
A "cart" in web terms usually implies some sort of shopping or money exchange
is possible. This isn't looking good.
-> SRC: Cookie:
-> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5
-> SRC: Cookie: returning=1
-> SRC: Cookie: browserid=version=0&os=0&browser=0
-> SRC: Cookie:
-> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5
-> SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
-> SRC:
Old? ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
My guess: an unpatched Windows user got her cookies stolen, possible XSS. The
answer to why is likely discernible from searching around the referenced URLs.
The account associated with the cart/userid/session is a likely reason for
this attack. You might find out more by sticking some of the more exotic
static text in Google. Nothing solid, just the directions I'd take to find out
more about this.
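[Editor's note: a worked example added to this archive page, not part of jayjwa's
or CunningPike's post. It is a small Python triage script for the pattern discussed
above: one GET carrying session cookies from many unrelated server frameworks, and
the same session cookie name (PHPSESSID, session_id) appearing twice with different
values. A browser only sends cookies scoped to the Host it is talking to, so that
mix is the tell regardless of what the values are. The script assumes the request
has been reconstructed as raw HTTP (DShield "SRC:" prefixes stripped); the sample
request below is constructed for the example, reusing cookie names from the thread
with placeholder values, and the thresholds (20 cookies, 3 frameworks) are arbitrary
starting points, not figures from the thread.]

```python
import re
from collections import defaultdict

# Cookie names that well-known server frameworks use for their session
# identifier.  A browser talking to one site normally carries one or two of
# these; a handful from unrelated frameworks in one request means the cookie
# jar was assembled somewhere else (stolen and replayed, or merged by malware).
SESSION_COOKIE_PATTERNS = [
    (r"^PHPSESSID$", "PHP"),
    (r"^JSESSIONID$", "Java servlet"),
    (r"^JServSessionId", "Apache JServ"),
    (r"^ASP\.NET_SessionId$", "ASP.NET"),
    (r"^ASPSESSIONID[A-Z]+$", "Classic ASP"),
    (r"^(CFID|CFTOKEN|CFGLOBALS)$", "ColdFusion"),
    (r"^SESS[0-9a-f]{32}$", "Drupal"),
    (r"^session[-_]?(id|token)$", "generic"),
]


def parse_cookie_headers(raw_request):
    """Return [(name, value), ...] from every Cookie header of a raw HTTP request.

    Accepts one cookie per header, ';'-separated pairs, and the ','-joined form
    seen in the thread (a comma only splits when another name= follows it).
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)          # unfold wrapped headers
    cookies = []
    for line in head.split("\r\n")[1:]:              # skip the request line
        hname, sep, hval = line.partition(":")
        if not sep or hname.strip().lower() != "cookie":
            continue
        for pair in re.split(r";\s*|,\s*(?=[\w.%-]+=)", hval.strip()):
            name, eq, value = pair.partition("=")
            if eq:
                cookies.append((name.strip(), value.strip()))
    return cookies


def classify_session_cookies(cookies):
    """Map each recognised session cookie name to the framework that set it."""
    found = []
    for name, _ in cookies:
        for pattern, framework in SESSION_COOKIE_PATTERNS:
            if re.search(pattern, name, re.IGNORECASE):
                found.append((name, framework))
                break
    return found


def triage(raw_request, cookie_threshold=20, framework_threshold=3):
    """Score one request for the 'replayed cookie jar' pattern."""
    cookies = parse_cookie_headers(raw_request)
    sessions = classify_session_cookies(cookies)
    frameworks = sorted({fw for _, fw in sessions})

    # The same cookie name sent twice with different values for one host is
    # not something a single browser does.
    values_by_name = defaultdict(set)
    for name, value in cookies:
        values_by_name[name].add(value)
    conflicting = sorted(n for n, vs in values_by_name.items() if len(vs) > 1)

    findings = []
    if len(cookies) >= cookie_threshold:
        findings.append("%d cookies in a single request" % len(cookies))
    if len(frameworks) >= framework_threshold:
        findings.append("session cookies from %d frameworks: %s"
                        % (len(frameworks), ", ".join(frameworks)))
    if conflicting:
        findings.append("conflicting values for: " + ", ".join(conflicting))
    return {
        "cookie_count": len(cookies),
        "session_cookies": sessions,
        "frameworks": frameworks,
        "conflicting": conflicting,
        "findings": findings,
        "suspicious": len(findings) >= 2,
    }


# Constructed sample in the shape of the request quoted in the thread: cookie
# names taken from it, values replaced with placeholders (not real data).
SUSPECT_REQUEST = (
    "GET /esdb/ HTTP/1.0\r\n"
    "Host: www.example.org\r\n"
    "Cookie: CFID=0000000\r\n"
    "Cookie: CFTOKEN=00000000deadbeef-00000000-0000-0000-000000000000\r\n"
    "Cookie: ASPSESSIONIDSARQCRBR=AAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "Cookie: DFSID=00000000-0000-0000-0000-000000000000\r\n"
    "Cookie: SWID=00000000-0000-0000-0000-000000000000\r\n"
    "Cookie: mid=0\r\n"
    "Cookie: pid=0\r\n"
    "Cookie: customer=000000000\r\n"
    "Cookie: order=00000000\r\n"
    "Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=aaaaaaaaaaaaaaaaaaaaaaaaaa\r\n"
    "Cookie: PHPSESSID=11111111111111111111111111\r\n"
    "Cookie: JSESSIONID=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "Cookie: ASP.NET_SessionId=aaaaaaaaaaaaaaaaaaaaaaaa\r\n"
    "Cookie: cartexists=yes\r\n"
    "Cookie: ubid-main=000-0000000-0000000\r\n"
    "Cookie: session-id=000-0000000-0000000\r\n"
    "Cookie: session-id-time=1217335449\r\n"
    # the ','-joined form that appeared part-way through the dump in the thread
    "Cookie: ASPSESSIONIDQSRRBDBD=BBBBBBBBBBBBBBBBBBBBBBBB, session_id=2222, "
    "user_id=deleted, PHPSESSID=33333333333333333333333333\r\n"
    "User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)\r\n"
    "\r\n"
)

# Constructed baseline: what one browser talking to one PHP site looks like.
BENIGN_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: shop.example.org\r\n"
    "Cookie: PHPSESSID=44444444444444444444444444; lang=en\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT_REQUEST), ("benign", BENIGN_REQUEST)):
        result = triage(req)
        print("%s: suspicious=%s (%d cookies)"
              % (label, result["suspicious"], result["cookie_count"]))
        for finding in result["findings"]:
            print("  -", finding)
```

Run it as-is and the constructed suspect request trips all three checks while the
baseline trips none. The framework-mix check is the one worth keeping even if you
tune the cookie count down: a legitimate client for a ColdFusion site has no
reason to present PHP, Drupal, classic ASP and Java session identifiers alongside
CFID/CFTOKEN.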