[Dshield] [Emerging-Sigs] Bizarre HTTP GET

Peter Lindgren iogt007 at hotmail.com
Tue Jul 29 04:31:20 GMT 2008


I hope you figure it out, I am getting failure to deliver email messages I never sent.

In God we trust!

Peter Lindgren
National Past President IOGT

> Date: Mon, 28 Jul 2008 23:36:29 -0400
> From: jonkman at jonkmans.com
> To: cunningpike at gmail.com
> CC: list at lists.dshield.org; emerging-sigs at emergingthreats.net
> Subject: Re: [Dshield] [Emerging-Sigs] Bizarre HTTP GET
>
> That is bizarre. Was there any discernable effect?
>
> Maybe we do a signature for multiple cookie sets?
>
> Anyone aware of a particular attack or possible target effect?
>
> Matt
>
> CunningPike wrote:
> > Greetings,
> >
> > Has anyone else encountered HTTP GETs like the following? It looks to be
> > pre-loaded with a whole bunch of session-related cookies - almost a
> > session brute-force attempt:
> >
> > SRC: GET /esdb/ HTTP/1.0
> > SRC: Host: www.dnv.org
> > SRC: Cookie:
> > CFGLOBALS=urltoken%3DCFID%23%3D5114828%26CFTOKEN%23%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23lastvisit%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23timecreated%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23hitcount%3D2%23cftoken%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23cfid%3D5114828%23
> > SRC: Cookie: EHRLES1=UserID=120097&SessionID=njLibvFq4EPJ1XIbddWd
> > SRC: Cookie: clsect=2
> > SRC: Cookie: vCard_senderemail=deleted
> > SRC: Cookie: vCard_sendername=deleted
> > SRC: Cookie: vCard_recpemail=deleted
> > SRC: Cookie: vCard_recpname=deleted
> > SRC: Cookie: WWWSLB=36
> > SRC: Cookie: DFSEX=0
> > SRC: Cookie: DFSRM=0
> > SRC: Cookie: DFSID=69B123CF%2DC293%2D63BC%2D8E9B64941A808E71
> > SRC: Cookie: ctk=NDg4ZGJmMzM0NmJkNDE2OGNhN2JiMTliYmRjZg%3D%3D
> > SRC: Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG
> > SRC: Cookie: SWID=16E3EC6E-CF85-446A-9D4C-96ECB622741B
> > SRC: Cookie: DilbertServerID=1527
> > SRC: Cookie: daytimer=cid=us&shopperid=07AEE5F8701748C08186911E3136B728
> > SRC: Cookie: cpage=%2FDefault%2Easp%3F
> > SRC: Cookie: REFERRER=(null)
> > SRC: Cookie: MEMBER_PAGE=sherry67/fun2.html
> > SRC: Cookie: ec_token=2E388J5728585X
> > SRC: Cookie:
> > cs=aRL8zWKg7VZKYty0w0mD/AGXTD6XF3p5wnJcPpCDKruklai90AfsjdcXewjHnzw+nObctrcn2LZHN0w+kYGrftcXTD6hAEy2lxdMCK8HxD6fzL2uEDRcqhBBqnjHgErJlxdMfjcHDB6XN0w+lxdMftdHDA6Q==
> > SRC: Cookie:
> > uu=XKLbDI/uRzDn2Fb4zx2itAbRbbqgkW2cM7Jb6qPi7pnW8n4psxLr/IbXTunh9jrpluc7SgCRbbqQoi6589J
> > SRC:
> > u+gMCH1nD8c04cnI+6aAxHon2F/vMJ9HN7ccTi1zwMRuMUDFI75AxSU4Upfj/NBWZbrRl2X6zki0aY/I/WbOC7ihAQh64Q5IuKgMC7vmwMn6ZsJFtGgZxLZqg1lvs+IFtuqhHirorYP0uIKH5MnCxbbqmRsta4JFt/LhNvyqgkX0uINFNuqCRS/wxmP26oIH5MlCxbbqgkW3q4MEtiq
> > SRC: Cookie: nCircleBlog=70.189.65.104.119791217249048649
> > SRC: Cookie: CRAYOLA_POPUP=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
> > SRC: Cookie: CRAYOLA_ANON=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
> > SRC: Cookie: cl_def_hp=tulsa
> > SRC: Cookie: cl_def_lang=en
> > SRC: Cookie: coxlocale=tulsa%3Ben
> > SRC: Cookie: mid=0
> > SRC: Cookie: pid=0
> > SRC: Cookie: CLENETid=1:27.
> > SRC: Cookie: CTOpt=time=1217249030638&sess=31267557671
> > SRC: Cookie: Apache=70.189.65.104.305671217249028920
> > SRC: Cookie: DOESBROWSERACCEPTCOOKIES=true
> > SRC: Cookie: bowtie=7/28/2008 5:44:05 AM
> > SRC: Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=ced65dmr7t0ivgi6m2eo253553
> > SRC: Cookie: mmlID=93448404
> > SRC: Cookie: customer=107947749
> > SRC: Cookie: order=74197621
> > SRC: Cookie: ASPSESSIONIDASSAASAR=GMAKJFCCDJBGKLNIIHFHGEAD
> > SRC: Cookie:
> > SESS3f4f40b66af5a88185d3cdeee42c51df=cabbc17ccf3fa317d7aacc5939b767e1
> > SRC: Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC
> > SRC: Cookie: CFID=5114828
> > SRC: Cookie: ASPSESSIONIDSADDCRQT=MAFPKONCFEJFFFNEANIEMIDI
> > SRC: Cookie:
> > MSTk=qs=06oENya4ZG5X757KKL0xhi4IDo8OINeZnkPNp8JeC4KYxPlud3QTsaXj51ZvZuZDDmtFZ2Hq8-RqBwMWFJgneKQOuTvap04WzrxmFW9ZJbt_m2_bm6_Ujoe5KdION9XyBZADyUAjqOhV5ogDJrUww6zjHOb-ndzsL6Gaizx-JkI6zphcZsy3jXX3nCqUVs-tDwxEI7Vm-l6C1CIXjwg7mpM61HL
> > SRC: rEcUREYYrVK,YT0z
> > SRC: Cookie: SessionCounters=-1=1,1=1
> > SRC: Cookie: SLTk=Exp=7/25/2008 5:42:58 AM
> > SRC: Cookie: LastURL=http://www.beclutter-free.com/default.pk
> > SRC: Cookie: Domain=beclutter-free.com
> > SRC: Cookie:
> > VisitorID=52c70e3e-06b9-4f44-9191-908b841e2c91&Exp=7/28/2011 5:42:58 AM
> > SRC: Cookie: RandomSeed=1656187007
> > SRC: Cookie: SessionID=c89affca-26c7-4d41-852b-6524ac8dfcf0
> > SRC: Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN,
> > comment_by_existing=deleted, Coyote-2-45199505=a140101:0,
> > session_id=192bd2b3f61e2d804f7cd875ef73d13f, user_id=deleted,
> > recSerBox=1, recViewBox=1,
> > MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F,
> > AnandTechVisitedDate=7/28/2008 8:42:34 AM, ATLASTVISITEDSYS=7/28/2008
> > 8:42:34 AM, ATLASTVISITED=7/28/2008 8:42:34 AM,
> > atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e,
> > ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym,
> > ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG, check%5Fcookie=1,
> > Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524,
> > TLTHID=6C976809451D5D276A4FA9BDE15F1688,
> > TLTSID=6C976809451D5D276A4FA9BDE15F1688z0, gbShowActions=True,
> > SES%5FAFX=32066811, SES%5FBBB=7%2F28%2F20083465003,
> > session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=,
> > ubid-main=102-6925827-456
> > SRC: 8451, session-id=102-7741321-4364915, session-id-time=1217833200l,
> > _cookie=OK, PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f,
> > RUUID=2571083%3A32354115, BX=f9e330t48rfl6&b=3&s=vr,
> > NovaId=1178761725940911354, PREF=_lm=1217248938:v=2:frschk=1,
> > SS=Q0=VkNGUw, JServSessionIdroot=jp23zvxnk2.JS1,
> > JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952,
> > krts=BEE1A2038B634522B5BFF0AF4D79F380,
> > krtt=4D8FE08CA91742A2BA0CF0AF4D79F380,
> > krta=AA37AF88973E4068953BF0AF4D79F380,
> > TimeTrack=LastSeenDateTime=07/28/2008 12:41:49
> > PM&IssueDateTime=07/28/2008 12:41:49 PM,
> > YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE,
> > ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS,
> > userid=4n3J6GJI9v,
> > pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5,
> > csxslt=no,
> > pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5,
> > cartexists=yes,
> > pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5,
> > returning=1, browserid=version=0&v=5&os=0&browser=0,
> > recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D
> > SRC: Cookie: comment_by_existing=deleted
> > SRC: Cookie: Coy
> > SRC: ote-2-45199505=a140101:0
> > SRC: Cookie: session_id=edea9cad57fa4ea044d2112cb130935c
> > SRC: Cookie: user_id=deleted
> > SRC: Cookie: recSerBox=1
> > SRC: Cookie: recViewBox=1
> > SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F
> > SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM
> > SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM
> > SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM
> > SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e
> > SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345
> > SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG
> > SRC: Cookie: check%5Fcookie=1
> > SRC: Cookie:
> > Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524
> > SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688
> > SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1688z0
> > SRC: Cookie: gbShowActions=True
> > SRC: Cookie: SES%5FAFX=32066811
> > SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003
> > SRC: Cookie:
> > session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=
> > SRC: Cookie: ubid-main=102-6925827-4568451
> > SRC: Cookie: session-id=064-7249049-3252126
> > SRC: Cookie: session-id-time=1217335449
> > SRC: Cookie: _cookie=OK
> > SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4
> > SRC: Cookie: RUUID=2571083%3A32354115
> > SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr
> > SRC: Cookie: NovaId=1178761725940911354
> > SRC: Cookie: PREF=_lm=121724893
> > SRC: 8:v=2:frschk=1
> > SRC: Cookie: SS=Q0=VkNGUw
> > SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1
> > SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4
> > SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380
> > SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380
> > SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380
> > SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49
> > PM&IssueDateTime=07/28/2008 12:41:49 PM
> > SRC: Cookie:
> > YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE
> > SRC: Cookie:
> > ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS
> > SRC: Cookie: userid=4n3J6GJI9v
> > SRC: Cookie:
> > pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5
> > SRC: Cookie: csxslt=no
> > SRC: Cookie:
> > pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5
> > SRC: Cookie: cartexists=yes
> > SRC: Cookie:
> > pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5
> > SRC: Cookie: returning=1
> > SRC: Cookie: browserid=version=0&os=0&browser=0
> > SRC: Cookie:
> > recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5
> > SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
> > SRC:
> >
> > --
> > CP
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _________________________________________
> SANSFIRE !! The Internet Storm Center Conference
> http://www.sans.org/sansfire08/
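
The "signature for multiple cookie sets" idea raised in the quoted reply, sketched as an added example (not code from the thread or from Emerging Threats): it flags a request that carries more than one Cookie header, session cookies from several unrelated server platforms, or one session cookie name with conflicting values. The platform name list, the threshold and both sample requests are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Session-cookie names for unrelated server platforms (assumed heuristic list).
SESSION_FAMILIES = {
    "asp-classic": re.compile(r"^ASPSESSIONID[A-Z]+$"),
    "asp.net": re.compile(r"^ASP\.NET_SessionId$", re.I),
    "php": re.compile(r"^PHPSESSID$", re.I),
    "java": re.compile(r"^JSESSIONID$", re.I),
    "coldfusion": re.compile(r"^(CFID|CFTOKEN)$", re.I),
}

def cookie_anomalies(raw_request, max_families=1):
    """Return (findings, cookie_header_count) for one raw HTTP request."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    header_count, values, families = 0, defaultdict(set), set()
    for line in head.split("\n")[1:]:              # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cookie":
            continue
        header_count += 1
        # Pairs are ';'-separated; the capture also shows ', '-joined pairs.
        for pair in re.split(r";\s*|,\s+", value.strip()):
            key, eq, val = pair.partition("=")
            if not eq:
                continue
            values[key.strip()].add(val)
            for family, pattern in SESSION_FAMILIES.items():
                if pattern.match(key.strip()):
                    families.add(family)
    findings = []
    if header_count > 1:
        findings.append("multiple-cookie-headers")
    if len(families) > max_families:
        findings.append("mixed-session-platforms")
    if any(len(v) > 1 for k, v in values.items()
           if any(p.match(k) for p in SESSION_FAMILIES.values())):
        findings.append("conflicting-session-ids")
    return findings, header_count

# Constructed sample requests (values are made up, not taken from the capture).
SUSPECT = ("GET /app/ HTTP/1.0\r\nHost: www.example.org\r\n"
           "Cookie: PHPSESSID=aaaa1111\r\n"
           "Cookie: ASPSESSIONIDABCDEFGH=BBBB2222\r\n"
           "Cookie: JSESSIONID=CCCC3333, PHPSESSID=dddd4444, theme=dark\r\n"
           "User-Agent: ExampleAgent/1.0\r\n\r\n")
NORMAL = ("GET /app/ HTTP/1.1\r\nHost: www.example.org\r\n"
          "Cookie: PHPSESSID=aaaa1111; theme=dark\r\n\r\n")

if __name__ == "__main__":
    print(cookie_anomalies(SUSPECT))
    print(cookie_anomalies(NORMAL))
```

The family threshold is a tuning knob: a site that legitimately fronts two platforms behind one hostname would need `max_families` raised before this is used for alerting.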

