[Dshield] [Emerging-Sigs] Bizarre HTTP GET

Johannes B. Ullrich jullrich at sans.org
Tue Jul 29 13:40:26 GMT 2008


I have seen similar (but different) overly long cookies. They don't appear to exploit anything. I kind of attributed them to spyware relaxing cookie domains, but haven't seen the related spyware so far.


Network Security 2008  - Las Vegas, NV, Sept.28-Oct 6;
http://www.sans.org/info/30123


----- Original Message -----
From: "Matt Jonkman" <jonkman at jonkmans.com>
To: "CunningPike" <cunningpike at gmail.com>
Cc: list at lists.dshield.org, emerging-sigs at emergingthreats.net
Sent: Monday, July 28, 2008 11:36:29 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Dshield] [Emerging-Sigs] Bizarre HTTP GET

That is bizarre. Was there any discernible effect?

Maybe we do a signature for multiple cookie sets?

Anyone aware of a particular attack or possible target effect?

Matt

CunningPike wrote:
> Greetings,
> 
> Has anyone else encountered HTTP GETs like the following? It looks to be 
> pre-loaded with a whole bunch of session-related cookies - almost a 
> session brute-force attempt:
> 
> SRC: GET /esdb/ HTTP/1.0
> SRC: Host: www.dnv.org
> SRC: Cookie: 
> CFGLOBALS=urltoken%3DCFID%23%3D5114828%26CFTOKEN%23%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23lastvisit%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23timecreated%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23hitcount%3D2%23cftoken%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23cfid%3D5114828%23
> SRC: Cookie: EHRLES1=UserID=120097&SessionID=njLibvFq4EPJ1XIbddWd
> SRC: Cookie: clsect=2
> SRC: Cookie: vCard_senderemail=deleted
> SRC: Cookie: vCard_sendername=deleted
> SRC: Cookie: vCard_recpemail=deleted
> SRC: Cookie: vCard_recpname=deleted
> SRC: Cookie: WWWSLB=36
> SRC: Cookie: DFSEX=0
> SRC: Cookie: DFSRM=0
> SRC: Cookie: DFSID=69B123CF%2DC293%2D63BC%2D8E9B64941A808E71
> SRC: Cookie: ctk=NDg4ZGJmMzM0NmJkNDE2OGNhN2JiMTliYmRjZg%3D%3D
> SRC: Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG
> SRC: Cookie: SWID=16E3EC6E-CF85-446A-9D4C-96ECB622741B
> SRC: Cookie: DilbertServerID=1527
> SRC: Cookie: daytimer=cid=us&shopperid=07AEE5F8701748C08186911E3136B728
> SRC: Cookie: cpage=%2FDefault%2Easp%3F
> SRC: Cookie: REFERRER=(null)
> SRC: Cookie: MEMBER_PAGE=sherry67/fun2.html
> SRC: Cookie: ec_token=2E388J5728585X
> SRC: Cookie: 
> cs=aRL8zWKg7VZKYty0w0mD/AGXTD6XF3p5wnJcPpCDKruklai90AfsjdcXewjHnzw+nObctrcn2LZHN0w+kYGrftcXTD6hAEy2lxdMCK8HxD6fzL2uEDRcqhBBqnjHgErJlxdMfjcHDB6XN0w+lxdMftdHDA6Q==
> SRC: Cookie: 
> uu=XKLbDI/uRzDn2Fb4zx2itAbRbbqgkW2cM7Jb6qPi7pnW8n4psxLr/IbXTunh9jrpluc7SgCRbbqQoi6589J
> SRC: 
> u+gMCH1nD8c04cnI+6aAxHon2F/vMJ9HN7ccTi1zwMRuMUDFI75AxSU4Upfj/NBWZbrRl2X6zki0aY/I/WbOC7ihAQh64Q5IuKgMC7vmwMn6ZsJFtGgZxLZqg1lvs+IFtuqhHirorYP0uIKH5MnCxbbqmRsta4JFt/LhNvyqgkX0uINFNuqCRS/wxmP26oIH5MlCxbbqgkW3q4MEtiq
> SRC: Cookie: nCircleBlog=70.189.65.104.119791217249048649
> SRC: Cookie: CRAYOLA_POPUP=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
> SRC: Cookie: CRAYOLA_ANON=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
> SRC: Cookie: cl_def_hp=tulsa
> SRC: Cookie: cl_def_lang=en
> SRC: Cookie: coxlocale=tulsa%3Ben
> SRC: Cookie: mid=0
> SRC: Cookie: pid=0
> SRC: Cookie: CLENETid=1:27.
> SRC: Cookie: CTOpt=time=1217249030638&sess=31267557671
> SRC: Cookie: Apache=70.189.65.104.305671217249028920
> SRC: Cookie: DOESBROWSERACCEPTCOOKIES=true
> SRC: Cookie: bowtie=7/28/2008 5:44:05 AM
> SRC: Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=ced65dmr7t0ivgi6m2eo253553
> SRC: Cookie: mmlID=93448404
> SRC: Cookie: customer=107947749
> SRC: Cookie: order=74197621
> SRC: Cookie: ASPSESSIONIDASSAASAR=GMAKJFCCDJBGKLNIIHFHGEAD
> SRC: Cookie: 
> SESS3f4f40b66af5a88185d3cdeee42c51df=cabbc17ccf3fa317d7aacc5939b767e1
> SRC: Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC
> SRC: Cookie: CFID=5114828
> SRC: Cookie: ASPSESSIONIDSADDCRQT=MAFPKONCFEJFFFNEANIEMIDI
> SRC: Cookie: 
> MSTk=qs=06oENya4ZG5X757KKL0xhi4IDo8OINeZnkPNp8JeC4KYxPlud3QTsaXj51ZvZuZDDmtFZ2Hq8-RqBwMWFJgneKQOuTvap04WzrxmFW9ZJbt_m2_bm6_Ujoe5KdION9XyBZADyUAjqOhV5ogDJrUww6zjHOb-ndzsL6Gaizx-JkI6zphcZsy3jXX3nCqUVs-tDwxEI7Vm-l6C1CIXjwg7mpM61HL
> SRC: rEcUREYYrVK,YT0z
> SRC: Cookie: SessionCounters=-1=1,1=1
> SRC: Cookie: SLTk=Exp=7/25/2008 5:42:58 AM
> SRC: Cookie: LastURL=http://www.beclutter-free.com/default.pk
> SRC: Cookie: Domain=beclutter-free.com
> SRC: Cookie: 
> VisitorID=52c70e3e-06b9-4f44-9191-908b841e2c91&Exp=7/28/2011 5:42:58 AM
> SRC: Cookie: RandomSeed=1656187007
> SRC: Cookie: SessionID=c89affca-26c7-4d41-852b-6524ac8dfcf0
> SRC: Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN, 
> comment_by_existing=deleted, Coyote-2-45199505=a140101:0, 
> session_id=192bd2b3f61e2d804f7cd875ef73d13f, user_id=deleted, 
> recSerBox=1, recViewBox=1, 
> MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F, 
> AnandTechVisitedDate=7/28/2008 8:42:34 AM, ATLASTVISITEDSYS=7/28/2008 
> 8:42:34 AM, ATLASTVISITED=7/28/2008 8:42:34 AM, 
> atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e, 
> ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym, 
> ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG, check%5Fcookie=1, 
> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524, 
> TLTHID=6C976809451D5D276A4FA9BDE15F1688, 
> TLTSID=6C976809451D5D276A4FA9BDE15F1688z0, gbShowActions=True, 
> SES%5FAFX=32066811, SES%5FBBB=7%2F28%2F20083465003, 
> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=, 
> ubid-main=102-6925827-456
> SRC: 8451, session-id=102-7741321-4364915, session-id-time=1217833200l, 
> _cookie=OK, PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f, 
> RUUID=2571083%3A32354115, BX=f9e330t48rfl6&b=3&s=vr, 
> NovaId=1178761725940911354, PREF=_lm=1217248938:v=2:frschk=1, 
> SS=Q0=VkNGUw, JServSessionIdroot=jp23zvxnk2.JS1, 
> JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952, 
> krts=BEE1A2038B634522B5BFF0AF4D79F380, 
> krtt=4D8FE08CA91742A2BA0CF0AF4D79F380, 
> krta=AA37AF88973E4068953BF0AF4D79F380, 
> TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 
> PM&IssueDateTime=07/28/2008 12:41:49 PM, 
> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE, 
> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS, 
> userid=4n3J6GJI9v, 
> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5, 
> csxslt=no, 
> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5, 
> cartexists=yes, 
> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5, 
> returning=1, browserid=version=0&v=5&os=0&browser=0, 
> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D
> SRC: Cookie: comment_by_existing=deleted
> SRC: Cookie: Coy
> SRC: ote-2-45199505=a140101:0
> SRC: Cookie: session_id=edea9cad57fa4ea044d2112cb130935c
> SRC: Cookie: user_id=deleted
> SRC: Cookie: recSerBox=1
> SRC: Cookie: recViewBox=1
> SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F
> SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM
> SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM
> SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM
> SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e
> SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345
> SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG
> SRC: Cookie: check%5Fcookie=1
> SRC: Cookie: 
> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524
> SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688
> SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1688z0
> SRC: Cookie: gbShowActions=True
> SRC: Cookie: SES%5FAFX=32066811
> SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003
> SRC: Cookie: 
> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=
> SRC: Cookie: ubid-main=102-6925827-4568451
> SRC: Cookie: session-id=064-7249049-3252126
> SRC: Cookie: session-id-time=1217335449
> SRC: Cookie: _cookie=OK
> SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4
> SRC: Cookie: RUUID=2571083%3A32354115
> SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr
> SRC: Cookie: NovaId=1178761725940911354
> SRC: Cookie: PREF=_lm=121724893
> SRC: 8:v=2:frschk=1
> SRC: Cookie: SS=Q0=VkNGUw
> SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1
> SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4
> SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380
> SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380
> SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380
> SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 
> PM&IssueDateTime=07/28/2008 12:41:49 PM
> SRC: Cookie: 
> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE
> SRC: Cookie: 
> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS
> SRC: Cookie: userid=4n3J6GJI9v
> SRC: Cookie: 
> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5
> SRC: Cookie: csxslt=no
> SRC: Cookie: 
> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5
> SRC: Cookie: cartexists=yes
> SRC: Cookie: 
> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5
> SRC: Cookie: returning=1
> SRC: Cookie: browserid=version=0&os=0&browser=0
> SRC: Cookie: 
> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5
> SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
> SRC:
> 
> --
> CP
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


_________________________________________
SANSFIRE !! The Internet Storm Center Conference
http://www.sans.org/sansfire08/
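Matt's idea of a signature for "multiple cookie sets" and Johannes's observation of overly long cookies both reduce to counting what a request carries. The script below is an added example written for this archive page; it is not code from the thread, from Emerging Threats or from DShield. It parses a raw HTTP request head, counts Cookie header lines, distinct cookie names, total cookie bytes and names that look like session identifiers, and reports why a request looks suspicious. The thresholds, the session-name pattern and the sample requests are all assumptions constructed for the example; tune them to your own traffic before using them as a signature.

```python
"""Flag HTTP requests that carry an abnormal set of cookies.

Added example for the "Bizarre HTTP GET" thread; not the list's or any
project's own code. Thresholds and the session-name pattern are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Assumed thresholds. RFC 6265 expects a single Cookie header per request,
# so a second one is already unusual; the other limits are guesses to tune.
MAX_COOKIE_HEADERS = 1
MAX_COOKIE_NAMES = 30
MAX_COOKIE_BYTES = 8192
MAX_SESSION_NAMES = 3

# Assumed pattern for cookie names that carry session identifiers for
# common web stacks (ColdFusion, ASP, PHP, Java servlet containers).
SESSION_NAME_RE = re.compile(
    r"(sess|session|jsessionid|phpsessid|aspsessionid|cfid|cftoken)", re.I
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw request head into (lowercased name, value) pairs.

    The request line is skipped, obsolete line folding (continuation lines
    starting with whitespace) is joined to the previous header, and parsing
    stops at the blank line that ends the head.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_cookie_pairs(value: str) -> List[Tuple[str, str]]:
    """Split one Cookie header value into (name, value) pairs.

    Pairs are normally ';'-separated, but the capture in the thread also
    shows ','-joined pairs, so a comma is treated as a separator only when
    it is followed by something that looks like 'name='.
    """
    pairs: List[Tuple[str, str]] = []
    for chunk in re.split(r";\s*|,\s*(?=[^=,;\s]+=)", value):
        name, sep, val = chunk.partition("=")
        if sep and name.strip():
            pairs.append((name.strip(), val.strip()))
    return pairs


def cookie_metrics(raw: str) -> Dict[str, object]:
    """Compute the per-request cookie statistics a signature could key on."""
    cookie_values = [v for n, v in parse_headers(raw) if n == "cookie"]
    pairs = [p for v in cookie_values for p in parse_cookie_pairs(v)]
    names = {n for n, _ in pairs}
    return {
        "cookie_headers": len(cookie_values),
        "cookie_names": len(names),
        "cookie_bytes": sum(len(v) for v in cookie_values),
        "session_names": sorted(n for n in names if SESSION_NAME_RE.search(n)),
    }


def suspicious_reasons(raw: str) -> List[str]:
    """Return human-readable reasons a request exceeds the assumed limits."""
    m = cookie_metrics(raw)
    reasons: List[str] = []
    if m["cookie_headers"] > MAX_COOKIE_HEADERS:
        reasons.append(f"{m['cookie_headers']} Cookie headers in one request")
    if m["cookie_names"] > MAX_COOKIE_NAMES:
        reasons.append(f"{m['cookie_names']} distinct cookie names")
    if m["cookie_bytes"] > MAX_COOKIE_BYTES:
        reasons.append(f"{m['cookie_bytes']} bytes of cookie data")
    if len(m["session_names"]) > MAX_SESSION_NAMES:
        reasons.append(
            f"{len(m['session_names'])} session-style cookies for different stacks"
        )
    return reasons


# Constructed sample requests (not the capture from the thread).
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.invalid\r\n"
    "Cookie: CFID=11111; CFTOKEN=aaaa-bbbb\r\n"
    "Cookie: ASPSESSIONIDEXAMPLE=ABCDEFGHIJKLMNOPQRSTUVWX\r\n"
    "Cookie: PHPSESSID=0123456789abcdef, JSESSIONID=deadbeef01, shop=1\r\n"
    "Cookie: mid=0; pid=0\r\n"
    "User-Agent: Mozilla/4.0 (compatible; example-check)\r\n"
    "\r\n"
)
NORMAL_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "Cookie: PHPSESSID=0123456789abcdef\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("sample", SAMPLE_REQUEST), ("normal", NORMAL_REQUEST)):
        print(label, cookie_metrics(req), suspicious_reasons(req))
```

Run over a proxy or IDS log, the same metrics let you separate the "many session cookies for unrelated applications" case in the thread from a single site that legitimately sets a lot of cookies: the former trips the Cookie-header and session-name counts, the latter usually only the byte count.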


