[Dshield] Bizarre HTTP GET

jayjwa jayjwa at atr2.ath.cx
Wed Jul 30 10:28:27 GMT 2008



On Mon, 28 Jul 2008, CunningPike wrote:

-> Has anyone else encountered HTTP GETs like the following? It looks to be
-> pre-loaded with a whole bunch of session-related cookies - almost a session
-> brute-force attempt:

Cookie-stealing exploitation going on? w/ XSS? Poke around the URLs and look for 
anything suspect.


-> SRC: GET /esdb/ HTTP/1.0
-> SRC: Host: www.dnv.org

I'd try this host + URL.

-> SRC: Cookie:
-> CFGLOBALS=urltoken%3DCFID%23%3D5114828%26CFTOKEN%23%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23lastvisit%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23timecreated%3D%7Bts%20%272008%2D07%2D28%2005%3A44%3A48%27%7D%23hitcount%3D2%23cftoken%3D4df075f6e9570c6b%2D69B123B0%2DC293%2D63BC%2D8214A6C04C3BEDEC%23cfid%3D5114828%23
-> SRC: Cookie: EHRLES1=UserID=120097&SessionID=njLibvFq4EPJ1XIbddWd
-> SRC: Cookie: clsect=2
-> SRC: Cookie: vCard_senderemail=deleted
-> SRC: Cookie: vCard_sendername=deleted
-> SRC: Cookie: vCard_recpemail=deleted
-> SRC: Cookie: vCard_recpname=deleted


You did the deleted stuff? If so, that might have been what they were after.


-> SRC: Cookie: WWWSLB=36
-> SRC: Cookie: DFSEX=0
-> SRC: Cookie: DFSRM=0
-> SRC: Cookie: DFSID=69B123CF%2DC293%2D63BC%2D8E9B64941A808E71
-> SRC: Cookie: ctk=NDg4ZGJmMzM0NmJkNDE2OGNhN2JiMTliYmRjZg%3D%3D
-> SRC: Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG
-> SRC: Cookie: SWID=16E3EC6E-CF85-446A-9D4C-96ECB622741B
-> SRC: Cookie: DilbertServerID=1527
-> SRC: Cookie: daytimer=cid=us&shopperid=07AEE5F8701748C08186911E3136B728
-> SRC: Cookie: cpage=%2FDefault%2Easp%3F
-> SRC: Cookie: REFERRER=(null)
-> SRC: Cookie: MEMBER_PAGE=sherry67/fun2.html

Dilbert the comic strip? :-\


-> SRC: Cookie: ec_token=2E388J5728585X
-> SRC: Cookie:
-> cs=aRL8zWKg7VZKYty0w0mD/AGXTD6XF3p5wnJcPpCDKruklai90AfsjdcXewjHnzw+nObctrcn2LZHN0w+kYGrftcXTD6hAEy2lxdMCK8HxD6fzL2uEDRcqhBBqnjHgErJlxdMfjcHDB6XN0w+lxdMftdHDA6Q==
-> SRC: Cookie:
-> uu=XKLbDI/uRzDn2Fb4zx2itAbRbbqgkW2cM7Jb6qPi7pnW8n4psxLr/IbXTunh9jrpluc7SgCRbbqQoi6589J
-> SRC:
-> u+gMCH1nD8c04cnI+6aAxHon2F/vMJ9HN7ccTi1zwMRuMUDFI75AxSU4Upfj/NBWZbrRl2X6zki0aY/I/WbOC7ihAQh64Q5IuKgMC7vmwMn6ZsJFtGgZxLZqg1lvs+IFtuqhHirorYP0uIKH5MnCxbbqmRsta4JFt/LhNvyqgkX0uINFNuqCRS/wxmP26oIH5MlCxbbqgkW3q4MEtiq
-> SRC: Cookie: nCircleBlog=70.189.65.104.119791217249048649
-> SRC: Cookie: CRAYOLA_POPUP=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
-> SRC: Cookie: CRAYOLA_ANON=%7Bts%20%272008%2D07%2D28%2008%3A44%3A07%27%7D
-> SRC: Cookie: cl_def_hp=tulsa
-> SRC: Cookie: cl_def_lang=en
-> SRC: Cookie: coxlocale=tulsa%3Ben
-> SRC: Cookie: mid=0
-> SRC: Cookie: pid=0
-> SRC: Cookie: CLENETid=1:27.
-> SRC: Cookie: CTOpt=time=1217249030638&sess=31267557671
-> SRC: Cookie: Apache=70.189.65.104.305671217249028920

Another host to check.

-> SRC: Cookie: DOESBROWSERACCEPTCOOKIES=true
-> SRC: Cookie: bowtie=7/28/2008 5:44:05 AM
-> SRC: Cookie: SESS388d7b52fe6c27d2aa44abf18a9e18f5=ced65dmr7t0ivgi6m2eo253553
-> SRC: Cookie: mmlID=93448404
-> SRC: Cookie: customer=107947749
-> SRC: Cookie: order=74197621

"customer" + "order" likely means some money is transferred some place.


-> SRC: Cookie: ASPSESSIONIDASSAASAR=GMAKJFCCDJBGKLNIIHFHGEAD
-> SRC: Cookie:
-> SESS3f4f40b66af5a88185d3cdeee42c51df=cabbc17ccf3fa317d7aacc5939b767e1
-> SRC: Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC
-> SRC: Cookie: CFID=5114828
-> SRC: Cookie: ASPSESSIONIDSADDCRQT=MAFPKONCFEJFFFNEANIEMIDI
-> SRC: Cookie:
-> MSTk=qs=06oENya4ZG5X757KKL0xhi4IDo8OINeZnkPNp8JeC4KYxPlud3QTsaXj51ZvZuZDDmtFZ2Hq8-RqBwMWFJgneKQOuTvap04WzrxmFW9ZJbt_m2_bm6_Ujoe5KdION9XyBZADyUAjqOhV5ogDJrUww6zjHOb-ndzsL6Gaizx-JkI6zphcZsy3jXX3nCqUVs-tDwxEI7Vm-l6C1CIXjwg7mpM61HL
-> SRC: rEcUREYYrVK,YT0z
-> SRC: Cookie: SessionCounters=-1=1,1=1
-> SRC: Cookie: SLTk=Exp=7/25/2008 5:42:58 AM
-> SRC: Cookie: LastURL=http://www.beclutter-free.com/default.pk

This one might give a clue, too.


-> SRC: Cookie: Domain=beclutter-free.com
-> SRC: Cookie: VisitorID=52c70e3e-06b9-4f44-9191-908b841e2c91&Exp=7/28/2011
-> 5:42:58 AM
-> SRC: Cookie: RandomSeed=1656187007
-> SRC: Cookie: SessionID=c89affca-26c7-4d41-852b-6524ac8dfcf0
-> SRC: Cookie: ASPSESSIONIDQSRRBDBD=KIKBFGMCMFDFGNONJIDDPFBN,
-> comment_by_existing=deleted, Coyote-2-45199505=a140101:0,
-> session_id=192bd2b3f61e2d804f7cd875ef73d13f, user_id=deleted, recSerBox=1,
-> recViewBox=1, MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F,
-> AnandTechVisitedDate=7/28/2008 8:42:34 AM, ATLASTVISITEDSYS=7/28/2008 8:42:34
-> AM, ATLASTVISITED=7/28/2008 8:42:34 AM,
-> atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e,
-> ASP.NET_SessionId=cfxenb55qyaph52pubkzrwym,
-> ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG, check%5Fcookie=1,
-> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524,
-> TLTHID=6C976809451D5D276A4FA9BDE15F1688,
-> TLTSID=6C976809451D5D276A4FA9BDE15F1688z0, gbShowActions=True,
-> SES%5FAFX=32066811, SES%5FBBB=7%2F28%2F20083465003,
-> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=,
-> ubid-main=102-6925827-456
-> SRC: 8451, session-id=102-7741321-4364915, session-id-time=1217833200l,
-> _cookie=OK, PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f,
-> RUUID=2571083%3A32354115, BX=f9e330t48rfl6&b=3&s=vr,
-> NovaId=1178761725940911354, PREF=_lm=1217248938:v=2:frschk=1, SS=Q0=VkNGUw,
-> JServSessionIdroot=jp23zvxnk2.JS1,
-> JSESSIONID=JyvSLN2QfH5PGSnr9WTsLp7d1cy15vXCM1b31kzsRfQnQG41Gbct!-965242952,
-> krts=BEE1A2038B634522B5BFF0AF4D79F380, krtt=4D8FE08CA91742A2BA0CF0AF4D79F380,
-> krta=AA37AF88973E4068953BF0AF4D79F380, TimeTrack=LastSeenDateTime=07/28/2008
-> 12:41:49 PM&IssueDateTime=07/28/2008 12:41:49 PM,
-> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE,
-> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS,
-> userid=4n3J6GJI9v,
-> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5,
-> csxslt=no,
-> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5,
-> cartexists=yes,
-> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5,
-> returning=1, browserid=version=0&v=5&os=0&browser=0,
-> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D
-> SRC: Cookie: comment_by_existing=deleted
-> SRC: Cookie: Coy
-> SRC: ote-2-45199505=a140101:0
-> SRC: Cookie: session_id=edea9cad57fa4ea044d2112cb130935c
-> SRC: Cookie: user_id=deleted
-> SRC: Cookie: recSerBox=1
-> SRC: Cookie: recViewBox=1
-> SRC: Cookie: MC1=V=2&GUID=7EA9C99D78EA4BEA9E69073667E0EE2F
-> SRC: Cookie: AnandTechVisitedDate=7/28/2008 8:42:34 AM
-> SRC: Cookie: ATLASTVISITEDSYS=7/28/2008 8:42:34 AM
-> SRC: Cookie: ATLASTVISITED=7/28/2008 8:42:34 AM
-> SRC: Cookie: atusessionw=c4fae3e2-ddb8-43a7-9a73-9da7971ed57e
-> SRC: Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345
-> SRC: Cookie: ASPSESSIONIDCCTQRSSQ=FNCOJMLDNBOOPDBIMMNMCNGG
-> SRC: Cookie: check%5Fcookie=1

If cookies need to be checked, as this data implies, then the cookies likely 
are valuable.

-> SRC: Cookie:
-> Visitor=LastUpdated=7%2F28%2F2008+8%3A42%3A33+AM&DateNew=7%2F28%2F2008+8%3A42%3A33+AM&UsID=84546524
-> SRC: Cookie: TLTHID=6C976809451D5D276A4FA9BDE15F1688
-> SRC: Cookie: TLTSID=6C976809451D5D276A4FA9BDE15F1688z0
-> SRC: Cookie: gbShowActions=True
-> SRC: Cookie: SES%5FAFX=32066811
-> SRC: Cookie: SES%5FBBB=7%2F28%2F20083465003
-> SRC: Cookie:
-> session-token=2J14tyfHeablq/E8o5vH34mzd7r+3WwsWN6swM+GHojeJxOrJRmao4ZZyjkVbC/HnlZablBXtKJFu5t4fo4a5XSComGLTWp2mxYqcXBLln6MYBcz6kg6BOXKadorGWUeM75bPJuSbbJHVk4xh/H7cqOYXISAYezpyWXKP//VttE7oGoh0/rzIRvKUN+GmOhT75xBfaQoKN0=
-> SRC: Cookie: ubid-main=102-6925827-4568451
-> SRC: Cookie: session-id=064-7249049-3252126
-> SRC: Cookie: session-id-time=1217335449
-> SRC: Cookie: _cookie=OK
-> SRC: Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4
-> SRC: Cookie: RUUID=2571083%3A32354115
-> SRC: Cookie: BX=f9e330t48rfl6&b=3&s=vr
-> SRC: Cookie: NovaId=1178761725940911354

"NovaId" appears several times. It seems to reference some type of badware:

http://www.windowskb.com/Uwe/Forum.aspx/windowsxp/182404/HELP-Please

However, stuff like that is the rule, not the exception, for Windows ;-)

So it might not be directly related to this incident. Many Joe Average users 
go about their daily business infected with spyware/adware/malware, blaming 
anything obvious on the site they are currently at or a slow connection.


Users in the thread at the URL below claim that the URL it references is related 
to their NovaID one. They say it has cookie-handling routines. Sounds promising.

http://forums.spybot.info/archive/index.php/t-546.html

"A different one popped up in the last couple days that has the following
  address. It seems to be rules for cookie handling
  but it's waaaaaay over my head."

Possibly these are the cookies that thing is supposed to handle.


-> SRC: Cookie: PREF=_lm=121724893
-> SRC: 8:v=2:frschk=1
-> SRC: Cookie: SS=Q0=VkNGUw
-> SRC: Cookie: JServSessionIdroot=jp23zvxnk2.JS1
-> SRC: Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4
-> SRC: Cookie: krts=BEE1A2038B634522B5BFF0AF4D79F380
-> SRC: Cookie: krtt=4D8FE08CA91742A2BA0CF0AF4D79F380
-> SRC: Cookie: krta=AA37AF88973E4068953BF0AF4D79F380
-> SRC: Cookie: TimeTrack=LastSeenDateTime=07/28/2008 12:41:49


Java stuff? Might be related to any recent Java vulns.

-> PM&IssueDateTime=07/28/2008 12:41:49 PM
-> SRC: Cookie:
-> YourSavedSettings=2S76V1HA81ZEV3_YOUR_SAVED_SETTINGS_NEED_THIS_COOKIE
-> SRC: Cookie:
-> ShortUrlAddressesAndFunAds=28C8TL104WUU2H3A3IY3PMI_0_ACCEPT_COOKIE_FOR_SMALL_ADDRESSES_AND_FUN_ADS
-> SRC: Cookie: userid=4n3J6GJI9v
-> SRC: Cookie:
-> pds%5Flife=d=AQAdZMKMA9Hp2aji9%2F5UEWuTCL7IuorEa4aDXwtUny9t8%2FKoSkVxcZiiesUQ1q%2Bx1BkNwWGZF5pa%2BgugtLfJ0c30&v=5
-> SRC: Cookie: csxslt=no
-> SRC: Cookie:
-> pds%5Fsess=d=AQC3dYx%2BAw646%2BXXzxastpQOQ8b3lQiKwnBO2t326NLn8el1nPJmefeAdcPVikRsDDMdjLo0C5ME%2Fx7G1WEQwlK4&v=5
-> SRC: Cookie: cartexists=yes


A "cart" in web terms usually implies some sort of shopping or money exchange 
is possible. This isn't looking good.

-> SRC: Cookie:
-> pds%5Fvcart%5Fsess=d=TD3j6hAA1k6lWjghi8jKBkSxSh9IAAQAAgBpAAAAAQA%3D&v=5
-> SRC: Cookie: returning=1
-> SRC: Cookie: browserid=version=0&os=0&browser=0
-> SRC: Cookie:
-> recentlocs=d=K8kIuxQAyV1%2Bd6gw9oB0WCJVPHK9BkofSAAIAFoAPwAAAEAAPgA8AEJvb2tzLCBUZXh0Ym9va3MsIFVzZWQgQm9va3MsIERWRHMsIE11c2ljLCBUb3lzLCBIb21lICYgR2lmdBoAV2ViSG9zdC9pbmRleC5hc3A%2Fej15JnJ2PTE%3D&v=5
-> SRC: User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
-> SRC:

Old?                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



My guess: an unpatched Windows user got her cookies stolen, possible XSS. The 
answer to why is likely discernible from searching around the referenced URLs.

The account associated with the cart/userid/session is a likely reason for 
this attack. You might find out more by sticking some of the more exotic 
static text in Google. Nothing solid, just the directions I'd take to find out 
more about this.
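Editor's note: the script below is an added example, not part of the thread and not DShield's or the poster's code. It parses a raw HTTP request and scores the pattern discussed above from a defender's side: more than one Cookie header, session cookies belonging to several different server-side frameworks at once, and the same cookie name appearing twice with different values. A browser talking to one site normally carries a single framework's session cookie, so any of those three is a reason to look at the request. The sample request is constructed from a subset of the cookie names and values quoted above; the framework-to-cookie-name mapping and the flagging thresholds are the editor's assumptions.

```python
import re
from collections import Counter

# Cookie names that common server-side frameworks use as session identifiers.
# Assumption: this mapping is the editor's, chosen to cover the names seen in the thread.
SESSION_COOKIE_FAMILIES = {
    "classic ASP":  re.compile(r"^ASPSESSIONID[A-Z]+$"),
    "ASP.NET":      re.compile(r"^ASP\.NET_SessionId$"),
    "PHP":          re.compile(r"^PHPSESSID$"),
    "Java servlet": re.compile(r"^JSESSIONID$"),
    "Apache JServ": re.compile(r"^JServSessionId"),
    "Drupal":       re.compile(r"^SESS[0-9a-f]{32}$"),
    "ColdFusion":   re.compile(r"^(CFID|CFTOKEN|CFGLOBALS)$"),
}

# Cookies are separated by ";" or, in the log quoted above, by ", " when several
# were crammed into one header; only split on "," when a "name=" follows it.
COOKIE_SPLIT = re.compile(r";\s*|,\s*(?=[^=,;\s]+=)")


def parse_request(raw):
    """Split a raw HTTP request head into (request line, [(header, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def cookie_names(headers):
    """Return every cookie name from every Cookie header, in order, duplicates kept."""
    names = []
    for name, value in headers:
        if name.lower() != "cookie":
            continue
        for pair in COOKIE_SPLIT.split(value):
            cname = pair.split("=", 1)[0].strip()
            if cname:
                names.append(cname)
    return names


def analyze(raw):
    """Summarise the cookie population of one request and say whether it looks wrong."""
    request_line, headers = parse_request(raw)
    names = cookie_names(headers)
    families = sorted(
        fam for fam, pattern in SESSION_COOKIE_FAMILIES.items()
        if any(pattern.match(n) for n in names)
    )
    duplicates = sorted(n for n, c in Counter(names).items() if c > 1)
    cookie_headers = sum(1 for n, _ in headers if n.lower() == "cookie")
    findings = []
    if cookie_headers > 1:
        findings.append("%d Cookie headers in one request" % cookie_headers)
    if len(families) > 1:
        findings.append("session cookies for %d frameworks: %s" % (len(families), ", ".join(families)))
    if duplicates:
        findings.append("cookie names repeated with different values: %s" % ", ".join(duplicates))
    return {
        "request_line": request_line,
        "cookie_headers": cookie_headers,
        "cookie_count": len(names),
        "session_families": families,
        "duplicate_names": duplicates,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: a subset of the cookies quoted in the thread, with the
# same request line, host and User-Agent.
SUSPECT_REQUEST = (
    "GET /esdb/ HTTP/1.0\r\n"
    "Host: www.dnv.org\r\n"
    "Cookie: CFID=5114828\r\n"
    "Cookie: CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC\r\n"
    "Cookie: ASPSESSIONIDSARQCRBR=PJGMNBNCCGELJMEDPCEGFKEG\r\n"
    "Cookie: PHPSESSID=7b67gthtqulfi3dd4ls8bvl9b4\r\n"
    "Cookie: JSESSIONID=34355F7F7F2A3745ECF560D79B7002A4\r\n"
    "Cookie: ASP.NET_SessionId=k12rlqremxlcc555yxo3o345\r\n"
    "Cookie: customer=107947749, order=74197621, PHPSESSID=192bd2b3f61e2d804f7cd875ef73d13f\r\n"
    "Cookie: cartexists=yes\r\n"
    "User-Agent: Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)\r\n"
    "\r\n"
)

# Constructed sample of what the same ColdFusion site would normally receive.
NORMAL_REQUEST = (
    "GET /esdb/ HTTP/1.1\r\n"
    "Host: www.dnv.org\r\n"
    "Cookie: CFID=5114828; CFTOKEN=4df075f6e9570c6b-69B123B0-C293-63BC-8214A6C04C3BEDEC\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT_REQUEST), ("normal", NORMAL_REQUEST)):
        result = analyze(req)
        print(label, "suspicious" if result["suspicious"] else "ok", result["findings"])
```

Feeding whole capture files through `analyze()` and alerting on `suspicious` is enough to pull a request like the one above out of ordinary traffic; the family list and duplicate names in the result are what an analyst would use next to work out which sites' sessions the request is carrying.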





