[Dshield] [Emerging-Sigs] Bizarre HTTP GET

CunningPike cunningpike at gmail.com
Wed Jul 30 04:32:27 GMT 2008


No discernible effect, other than a 404 from the server.

I'd certainly be interested in a sig - even if only to see how
widespread this is, and maybe identify a pattern.

CP

Matt Jonkman wrote:
> That is bizarre. Was there any discernable effect?
> 
> Maybe we do a signature for multiple cookie sets?
> 
> Anyone aware of a particular attack or possible target effect?
> 
> Matt
> 
> CunningPike wrote:
>> Greetings,
>>
>> Has anyone else encountered HTTP GETs like the following? It looks to 
>> be pre-loaded with a whole bunch of session-related cookies - almost a 
>> session brute-force attempt:
>>
>> SRC: GET /esdb/ HTTP/1.0
>> SRC: Host: www.dnv.org
>> SRC: Cookie: 
>> CFGLOBALS=urltoken%3DCFID%23%3D5114828%26CFTOKEN%23%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23lastvisit%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23timecreated%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23hitcount%3D2%23cftoken%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23cfid%3D5114828%23 
>>
>> SRC: Cookie: EHRLES1=UserID=120097&SessionID=njLibvFq4EPJ1XIbddWd
>> SRC: Cookie: clsect=2
>> SRC: Cookie: vCard_senderemail=deleted
>> SRC: Cookie: vCard_sendername=deleted
>> SRC: Cookie: vCard_recpemail=deleted
>> SRC: Cookie: vCard_recpname=deleted
>> SRC: Cookie: WWWSLB=36
>> SRC: Cookie: DFSEX=0
>> SRC: Cookie: DFSRM=0
>> SRC: Cookie: DFSID=69B123CF%2DC293%2D63BC%2D8E9B64941A808E71
>> SRC: Cookie: ctk=NDg4ZGJmMzM0NmJkNDE2OGNhN2JiMTliYmRjZg%3D%3D
>> SRC: Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG
>> SRC: Cookie: SWID=16E3EC6E-CF85-446A-9D4C-96ECB622741B
>> SRC: Cookie: DilbertServerID=1527
>> SRC: Cookie: daytimer=cid=us&shopperid=07AEE5F8701748C08186911E3136B728
>> SRC: Cookie: cpage=%2FDefault%2Easp%3F
>> SRC: Cookie: REFERRER=(null)
>> SRC: Cookie: MEMBER_PAGE=sherry67/fun2.html
>> SRC: Cookie: ec_token=2E388J5728585X
>> SRC: Cookie: 
>> cs=aRL8zWKg7VZKYty0w0mD/AGXTD6XF3p5wnJcPpCDKruklai90AfsjdcXewjHnzw+nObctrcn2LZHN0w+kYGrftcXTD6hAEy2lxdMCK8HxD6fzL2uEDRcqhBBqnjHgErJlxdMfjcHDB6XN0w+lxdMftdHDA6Q== 
>>
>> SRC: Cookie: 
>> uu=XKLbDI/uRzDn2Fb4zx2itAbRbbqgkW2cM7Jb6qPi7pnW8n4psxLr/IbXTunh9jrpluc7SgCRbbqQoi6589J 
>>
>> SRC: 
>> u+gMCH1nD8c04cnI+6aAxHon2F/vMJ9HN7ccTi1zwMRuMUDFI75AxSU4Upfj/NBWZbrRl2X6zki0aY/I/WbOC7ihAQh64Q5IuKgMC7vmwMn6ZsJFtGgZxLZqg1lvs+IFtuqhHirorYP0uIKH5MnCxbbqmRsta4JFt/LhNvyqgkX0uINFNuqCRS/wxmP26oIH5MlCxbbqgkW3q4MEtiq 
>>
>> SRC: Cookie: nCircleBlog=70.189.65.104.119791217249048649
>> SRC: Cookie: CRAYOLA_POPUP=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
>> SRC: Cookie: CRAYOLA_ANON=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
>> SRC: Cookie: cl_def_hp=tulsa
>> SRC: Cookie: cl_def_lang=en
>> SRC: Cookie: coxlocale=tulsa%3Ben
>> SRC: Cookie: mid=0
>> SRC: Cookie: pid=0
>> SRC: Cookie: CLENETid=1:27.
>> SRC: Cookie: CTOpt=time=1217249030638&sess=31267557671
>> SRC: Cookie: Apache=70.189.65.104.305671217249028920
>> SRC: Cookie: DOESBROWSERACCEPTCOOKIES=true
>> SRC: Cookie: bowtie=7/28/2008 5:44:05 AM
>> SRC: Cookie: 
>> SESS388d7b52fe6c27d2aa44abf18a9e18f5=ced65dmr7t0ivgi6m2eo253553
>> SRC: Cookie: mmlID=93448404
>> SRC: Cookie: customer=107947749
>> SRC: Cookie: order=74197621
>> SRC: Cookie: ASPSESSIONIDASSAASAR=GMAKJFCCDJBGKLNIIHFHGEAD
>> SRC: Cookie: 
>> SESS3f4f40b66af5a88185d3cdeee42c51df=cabbc17ccf3fa317d7aacc5939b767e1
>> SRC: Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC
>> SRC: Cookie: CFID=5114828
>> SRC: Cookie: ASPSESSIONIDSADDCRQT=MAFPKONCFEJFFFNEANIEMIDI
>> SRC: Cookie: 
>> MSTk=qs=06oENya4ZG5X757KKL0xhi4IDo8OINeZnkPNp8JeC4KYxPlud3QTsaXj51ZvZuZDDmtFZ2Hq8-RqBwMWFJgneKQOuTvap04WzrxmFW9ZJbt_m2_bm6_Ujoe5KdION9XyBZADyUAjqOhV5ogDJrUww6zjHOb-ndzsL6Gaizx-JkI6zphcZsy3jXX3nCqUVs-tDwxEI7Vm-l6C1CIXjwg7mpM61HL 
>>
>> SRC: rEcUREYYrVK,YT0z
>> SRC: Cookie: SessionCounters=-1=1,1=1
>> SRC: Cookie: SLTk=Exp=7/25/2008 5:42:58 AM
>> SRC: Cookie: LastURL=http://www.beclutter-free.com/default.pk
>> SRC: Cookie: Domain=beclutter-free.com
>> SRC: Cookie: 
>> VisitorID=52c70e3e-06b9-4f44-9191-908b841e2c91&Exp=7/28/2011 5:42:58 AM
>> SRC: Cookie: RandomSeed=1656187007
>> SRC: Cookie: SessionID=c89affca-26c7-4d41-852b-6524ac8dfcf0
>> SRC: Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN, 
>> comment_by_existing=deleted, Coyote-2-45199505=a140101:0, 
>> session_id=192bd2b3f61e2d804f7cd875ef73d13f, user_id=deleted, 
>> recSerBox=1, recViewBox=1, 
>> MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F, 
>> AnandTechVisitedDate=7/28/2008 8:42:34 AM, ATLASTVISITEDSYS=7/28/2008 
>> 8:42:34 AM, ATLASTVISITED=7/28/2008 8:42:34 AM, 
>> atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e, 
>> ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym, 
>> ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG, check%5Fcookie=1, 
>> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524, 
>> TLTHID=6C976809451D5D276A4FA9BDE15F1688, 
>> TLTSID=6C976809451D5D276A4FA9BDE15F1688z0, gbShowActions=True, 
>> SES%5FAFX=32066811, SES%5FBBB=7%2F28%2F20083465003, 
>> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=, 
>> ubid-main=102-6925827-456
>> SRC: 8451, session-id=102-7741321-4364915, 
>> session-id-time=1217833200l, _cookie=OK, 
>> PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f, RUUID=2571083%3A32354115, 
>> BX=f9e330t48rfl6&b=3&s=vr, NovaId=1178761725940911354, 
>> PREF=_lm=1217248938:v=2:frschk=1, SS=Q0=VkNGUw, 
>> JServSessionIdroot=jp23zvxnk2.JS1, 
>> JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952, 
>> krts=BEE1A2038B634522B5BFF0AF4D79F380, 
>> krtt=4D8FE08CA91742A2BA0CF0AF4D79F380, 
>> krta=AA37AF88973E4068953BF0AF4D79F380, 
>> TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 
>> PM&IssueDateTime=07/28/2008 12:41:49 PM, 
>> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE, 
>> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS, 
>> userid=4n3J6GJI9v, 
>> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5, 
>> csxslt=no, 
>> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5, 
>> cartexists=yes, 
>> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5, 
>> returning=1, browserid=version=0&v=5&os=0&browser=0, 
>> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D 
>>
>> SRC: Cookie: comment_by_existing=deleted
>> SRC: Cookie: Coy
>> SRC: ote-2-45199505=a140101:0
>> SRC: Cookie: session_id=edea9cad57fa4ea044d2112cb130935c
>> SRC: Cookie: user_id=deleted
>> SRC: Cookie: recSerBox=1
>> SRC: Cookie: recViewBox=1
>> SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F
>> SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM
>> SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM
>> SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM
>> SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e
>> SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345
>> SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG
>> SRC: Cookie: check%5Fcookie=1
>> SRC: Cookie: 
>> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524 
>>
>> SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688
>> SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1688z0
>> SRC: Cookie: gbShowActions=True
>> SRC: Cookie: SES%5FAFX=32066811
>> SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003
>> SRC: Cookie: 
>> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0= 
>>
>> SRC: Cookie: ubid-main=102-6925827-4568451
>> SRC: Cookie: session-id=064-7249049-3252126
>> SRC: Cookie: session-id-time=1217335449
>> SRC: Cookie: _cookie=OK
>> SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4
>> SRC: Cookie: RUUID=2571083%3A32354115
>> SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr
>> SRC: Cookie: NovaId=1178761725940911354
>> SRC: Cookie: PREF=_lm=121724893
>> SRC: 8:v=2:frschk=1
>> SRC: Cookie: SS=Q0=VkNGUw
>> SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1
>> SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4
>> SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380
>> SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380
>> SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380
>> SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49 
>> PM&IssueDateTime=07/28/2008 12:41:49 PM
>> SRC: Cookie: 
>> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE
>> SRC: Cookie: 
>> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS 
>>
>> SRC: Cookie: userid=4n3J6GJI9v
>> SRC: Cookie: 
>> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5 
>>
>> SRC: Cookie: csxslt=no
>> SRC: Cookie: 
>> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5 
>>
>> SRC: Cookie: cartexists=yes
>> SRC: Cookie: 
>> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5
>> SRC: Cookie: returning=1
>> SRC: Cookie: browserid=version=0&os=0&browser=0
>> SRC: Cookie: 
>> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5 
>>
>> SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
>> SRC:
>>
>> -- 
>> CP
> 
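The "signature for multiple cookie sets" idea from the thread, sketched as an added example (not code from the thread or from any Emerging Threats rule): it counts separate Cookie header lines and the server platforms whose session-cookie names appear together. The thresholds, the function name `analyze` and the platform table are assumptions; the first sample is abridged from the request quoted above, the second is constructed.

```python
import re

# Session-cookie name patterns per server platform (names as seen in the quoted request).
FAMILIES = {
    "coldfusion": re.compile(r"^(CFID|CFTOKEN)$", re.I),
    "asp-classic": re.compile(r"^ASPSESSIONID[A-Z]+$"),
    "asp.net": re.compile(r"^ASP\.NET_SessionId$", re.I),
    "php": re.compile(r"^PHPSESSID$", re.I),
    "java": re.compile(r"^JSESSIONID$", re.I),
}

def analyze(raw_request, max_cookie_headers=1, max_families=1):
    """Flag a request with several Cookie headers AND session ids from several platforms."""
    lines = raw_request.replace("\r\n", "\n").split("\n")
    cookie_headers, names = 0, []
    for line in lines[1:]:                 # skip the request line
        if not line:                       # blank line ends the header block
            break
        field, _, value = line.partition(":")
        if field.strip().lower() != "cookie":
            continue
        cookie_headers += 1
        # One header may carry several pairs, split by ';' or (as in the capture) ','
        for pair in re.split(r"[;,]\s*", value.strip()):
            name = pair.split("=", 1)[0].strip()
            if name:
                names.append(name)
    families = sorted(f for f, rx in FAMILIES.items()
                      if any(rx.match(n) for n in names))
    suspicious = cookie_headers > max_cookie_headers and len(families) > max_families
    return {"cookie_headers": cookie_headers, "families": families,
            "suspicious": suspicious}

# Abridged from the request quoted in the thread.
SAMPLE_SUSPECT = "\n".join([
    "GET /esdb/ HTTP/1.0",
    "Host: www.dnv.org",
    "Cookie: CFID=5114828",
    "Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG",
    "Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345",
    "Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4",
    "Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4",
    "User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)",
    "", ""])

# Constructed: an ordinary browser request with a single Cookie header.
SAMPLE_BROWSER = "GET / HTTP/1.1\nHost: example.test\nCookie: PHPSESSID=abc; lang=en\n\n"

if __name__ == "__main__":
    print(analyze(SAMPLE_SUSPECT))
    print(analyze(SAMPLE_BROWSER))
```

Requiring both conditions keeps a site that legitimately sets one platform's session cookie across many pairs from matching.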


