Sunday, September 19, 2010

Hoping for the Best

Event Details


Date: 19 September 2010



COOKIE Values
Name / Value (the log writes each cookie's name and its value run together, so a line such as ASPSESSIONIDSCRTBQQC... is the name ASPSESSIONIDSCRTBQQC immediately followed by its value)
ASPSESSIONIDSCRTBQQCJGNLBCPCKBOMMKEIJFCJMPFM
CFID22383750
CFTOKEN51721005
CFGLOBALSurltoken=CFID#=22383750&CFTOKEN#=51721005#lastvisit= {ts \'2010-09-19 16:18:43\'}#timecreated={ts \'2010-09-19 16:18:43\'}#hitcount= 2#cftoken=51729001#cfid=21383760#
X-Mapping-didaedeaEB0B1083BAF4C099C589235951FDADBB
X-Mapping-caklakng4A5C5709EC4B181DC062F79B5B21E09C
_icl_current_languagees
PHPSESSID1c1c463d4ad1c2a798e26c1af3ba3da2
X-Mapping-edafcnem579465E39B484F85E6231FC9E6D1E138
BALANCEDIDbalancer.www281
_netadventist3_session6e30595e8493a9f11a50303c6f8b3c4f
27120c955796957883def31ab14a052b4d9bc3bfa241ef361cf628884
wordpress_test_cookieWP Cookie check
ASPSESSIONIDSACDTSDANHMLENACFGBEHMCABMDHKDKE
fcfcVal
parkinglot1
JSESSIONID1qutet5rna2pq
LB1924488576.20180.0000
qtrans_cookie_testqTranslate Cookie Test
tmgioctTfNxDct6ErNB31xoEqZceoIc
sid_1_1a7703732a7afa22fe260a067c65c7990
BIGipServerbit-inet-http-linux37803466.20481.0000
SessionIDdb3a7c81-3741-4f9a-a900-5d97ce333560
VisitorID2a3dd61e-1bf6-42ea-a399-d4d2ad86f40c&Exp
googleTokenZGMGKDOD2McKEwie0O3aiZSkAhUOIIcKHUYYesgYAyAAMPj7ggE4DVD4- 4IBUKT5mA9Q9vKxEVDU6IQbUIq23B5Q8dqtKQ
pixelstats_visitor_id67331fee75245061388da3fd9e77df72
d528690ac3f32d512b24a755b7ccecde84ae7c9a42e3810d5cfa413
SESSfb1d8525d94d660bc8f929hscilkep1adt9of1agj8tum54
BX868p31969ciuf&b
SERVERIDweb1-2
tu061b31ae4fe862878a7595117ae8416a
X-Mapping-nbjnphkm8DA8508445391E23666146AE567F08EC
Apache95.65.x.x.835171294912545338
X-Mapping-kjicghkcC960851A671102A97B52FDBF75C01665
b91c4587747e94d96ce5d3fbcab89b0ce5f389779ded811f402d4c
CFCV_MERCHANTLASTVISITTIME{ts \'2010-09-19 09:26:05\'}
X-Mapping-beedigeg5E30EDBC3F2176516FE6669D5F48B32E
wordpress_d76e66a54228b4|1286123411|bbff8436665d6b302d1c6abeeab7bc04
wordpress_logged_in_d76e66a54228|1286123411|d68e34164b9b1a0b21f92baef42e9d84
ASPSESSIONIDQAAADCBSOHCHFJADOJKJCBFEOPFKALCN
wikidot_token771ad16ad2c4d81f328082ff6c4b20768
VSESSID1359648.dca700188a89324e44f3e81bf58d4aa6
VISITID6e193f4b3162a051fece049be7fac04b
COMMUNITY_ID1359658.b2219323397be5f626b3c2c0100ea84b
languageen
TRIBE_NETb
ljuniqgl3ocO74evXTwzM:1284914251:pgstats0:m0
bncom95.65.xx.xx.241961284920569217
BNSc1d60fa2c29235f0abc24034ff19d470
lot1285519205
USER_COUNTRYRO
USERNAMEdeleted
UPdeleted
IPSETdeleted
lastpagedevilsinferno
GEOIP_COUNTRY_CODEMD
ARPTJIUJWUS10.201.6.104CKMKM
Coyote-2-d81ebee0d8c54a52:0
golfczech_sessionnh4l85bhnp5tqp22cv51if8677
TS5d4ca4c388a426083b9296b647cf490399f55d0533d6b8bac9704a4c963e62
cl_b1284915225980101709
appletvsource_com8nf7q9lp2a84a9kr1dkeih96n0
xn_visitorb74a0c19-a529-45f5-1d6f-17697f716573
ning_sessionl8UkOxI3LABk5Kk9GbCk/Iai2V31f0zebfJS4Yg/NOj3EBhXV 4sA7KUbx66EgnL19vQa9yn/Gg
SESS19be68902958250fb1aabe273a8e37c60088cgm6ucm52otu62d6etgbd2
ASP_NET_SessionId50ygrp45hg5a4kzrpdchrkzs
rl-sticky-keyc0a8005251
Geo{\"city\":\"Chisinau\",\"country\":\"MD\",\"lat\":\"47.005600\",\"lon\":\"28.857500\"}
datr1284915781-d92ab9c6f7bd8e6cd366b4ef22e66fd8be1efcddae1128b43a3c9
BIGipServerbensbargains_POOL2447708342.20481.0000
visnSB7MgX1MM3gmaBD6yVGB9uAuruCbkxsMqGcSOqIZN/RVjnHdGoGbcji55I6PBcYFOid/nH7RyzLbIi2XIO 5 HTD3XNFjIdauVbD/QYFjaEwvPUxhyNkWIT4yGIF6Sg
X-Mapping-eacdndmjE0173EA196311D523CD792DA546E7F1F
pen14
f4c2dbffe8b9bb602e4145d5dd5ad48c-
exp_last_visit1284913845
exp_last_activity1284944714
ee_language_irish
mvp_session088f0cdeec0dd1ba6a45311d6257139d
wp_ozh_wsa_visits1
wp_ozh_wsa_visit_lasttime1284917831
X-Mapping-hmaddpemB1B24346D692009D6D05252779F5C8AB
abtesta
ASPSESSIONIDSQSBRQDCCPNGANLCHIBBJADLMJNDAAAF
h09392d5de016c2eba5d5e66f5d2581bc
protected11
zf_5y_visitor-A6un8UwaiKZgFNt38zCsl9BSoIAAAAAZlJq5yMN51sz
Coyote-2-b869c4c1b869c41c:0
session_id\"ce49065f87912cb219f96566910f4e84f0898974::95.65.74.130\"
X-Mapping-jhoibjei04BDBCMEE22CBB3BFFC49AA4445AF849
dublbom_com51a4784b26b5ef6c87a4a563ea3779d1
_zsessBAh7BjoPc1Vzc2lvbl9pZCIlMjhjYzRlMjMwOTRjOGQ2MWRhMzU0NzU=-- a84415741b6bb513ed083488ec51
cwebJONQJVSxx.x.xxx.xxxCKMKY
SESSc9b1f25375c7119f0d5b1d92de2dfbaa487e7e7dd4ac0246fa9m962295783dca
simtel_cookie302987322.261.0000
_redmine_sessionBAh7BjbPc2Vzc2lvbl9pZCIlY2EyYzk3NWQ4N=-- ae98617c73721ef0c5c3ff359f67f75c3a5


SERVER Values

HTTP_USER_AGENT: Opera/9.51 (Windows NT 5.1; U; en)



What the hacker was hoping for

Looking at this, it seems quite apparent that the visitor was trying to get into restricted parts of the site (or into third-party software installed on it) by presenting every session cookie he could think of in a single request. The names give away the software each one was meant for: WordPress (blogging software), Drupal (the SESS-prefixed cookies), ColdFusion (CFID/CFTOKEN/CFGLOBALS), Classic ASP, ASP.NET, PHP and Java session IDs, Ning (social network), Wikidot (wiki hosting), Redmine, plus load-balancer persistence cookies such as X-Mapping-* (Zeus traffic manager) and BIGipServer* (F5 BIG-IP).

The attacker is hoping that you run one of the products he has catered for and that one of the replayed cookies is accepted as a live session. This is blind session replay rather than an exploit of a particular bug: a replayed cookie only gets him anywhere if the server still holds a session under that identifier, which happens only if the value was copied from a real user or guessed.

Alternatively he might be running a spam bot and hopes that the sessions will let him into the comment sections of various blogs and social platforms so he can post comment spam.
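To turn the observation above into something you can run over your own logs, here is an added example (not the blog's code) that splits a Cookie header into crumbs, maps each cookie name to the software that normally sets it, and scores how many unrelated application stacks a single request claims a session for. The signature table and the threshold of three stacks are assumptions; the sample headers are constructed from the cookie names in the dump with shortened, made-up values.

```python
import re
from collections import defaultdict

# Cookie-name signatures for application/session stacks (assumed mapping based
# on common cookie naming; extend it for the software you actually run).
APP_SIGNATURES = [
    ("Classic ASP", re.compile(r"^ASPSESSIONID[A-Z]{8}$")),
    # some log writers record the '.' in ASP.NET_SessionId as '_'
    ("ASP.NET", re.compile(r"^ASP[._]NET_SessionId$")),
    ("PHP", re.compile(r"^PHPSESSID$")),
    ("Java servlet container", re.compile(r"^JSESSIONID$")),
    ("ColdFusion", re.compile(r"^(CFID|CFTOKEN|CFGLOBALS)$")),
    ("WordPress", re.compile(r"^wordpress_(test_cookie|(logged_in_)?[0-9a-f]+)$")),
    ("Drupal", re.compile(r"^SESS[0-9a-f]{32}$")),
    ("Wikidot", re.compile(r"^wikidot_token7$")),
    ("Ning", re.compile(r"^(ning_session|xn_visitor)$")),
    ("Rack/Rails-style app", re.compile(r"^_[a-z0-9]+_session$")),
]

# Load-balancer persistence cookies: infrastructure rather than an application
# stack, so they are reported but do not count toward the stuffing score.
INFRA_SIGNATURES = [
    ("Zeus/ZXTM load balancer", re.compile(r"^X-Mapping-[a-z]{8}$")),
    ("F5 BIG-IP", re.compile(r"^(BIGipServer.+|TS[0-9a-f]{6})$")),
]


def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs.

    Splits on the first '=' only, because values (base64 session blobs, signed
    WordPress cookies) may themselves contain '='.  A crumb without '=' is
    kept with an empty value rather than dropped.
    """
    pairs = []
    for crumb in header.split(";"):
        crumb = crumb.strip()
        if not crumb:
            continue
        name, sep, value = crumb.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def classify(header):
    """Return {platform: [cookie names]}; names matching no signature go under 'unknown'."""
    hits = defaultdict(list)
    for name, _ in parse_cookie_header(header):
        for platform, pattern in APP_SIGNATURES + INFRA_SIGNATURES:
            if pattern.match(name):
                hits[platform].append(name)
                break
        else:
            hits["unknown"].append(name)
    return dict(hits)


def stuffing_score(header):
    """Number of distinct application stacks whose session cookies the request
    carries.  One is normal; two happens legitimately (PHPSESSID next to
    WordPress cookies); three or more means the client is presenting sessions
    for software that cannot all be serving the same host."""
    app_platforms = {platform for platform, _ in APP_SIGNATURES}
    return sum(1 for platform in classify(header) if platform in app_platforms)


def is_cookie_stuffing(header, threshold=3):
    return stuffing_score(header) >= threshold


# Constructed sample: cookie names from the dump above, rebuilt as one Cookie
# header with shortened values (not the values in the log).
STUFFED = (
    "ASPSESSIONIDSCRTBQQC=JGNLBCPCKBOMMKEIJFCJMPFM; CFID=22383750; "
    "CFTOKEN=51721005; PHPSESSID=1c1c463d4ad1c2a798e26c1af3ba3da2; "
    "JSESSIONID=1qutet5rna2pq; wordpress_logged_in_d76e66a54228=u|1286123411|d68e; "
    "SESS19be68902958250fb1aabe273a8e37c6=0088cgm6ucm52otu; "
    "_redmine_session=BAh7BjbPc2Vzc2lvbl9pZCIl--ae98617c; "
    "X-Mapping-didaedea=EB0B1083BAF4C099C589235951FDADBB; "
    "BIGipServerbensbargains_POOL=2447708342.20481.0000; "
    "ASP.NET_SessionId=50ygrp45hg5a4kzrpdchrkzs; ning_session=l8UkOxI3LABk5"
)

# Constructed sample of an ordinary logged-in WordPress visitor.
NORMAL = (
    "PHPSESSID=1c1c463d4ad1c2a798e26c1af3ba3da2; wordpress_test_cookie=WP+Cookie+check; "
    "wordpress_logged_in_d76e66a54228=u|1286123411|d68e34164b9b1a0b"
)

if __name__ == "__main__":
    for label, hdr in (("stuffed", STUFFED), ("normal", NORMAL)):
        print(label, stuffing_score(hdr), is_cookie_stuffing(hdr), classify(hdr))
```

Feed it the Cookie header field from your access log (or the cookie dump your application writes, as above) and alert on anything scoring three or more; the per-platform breakdown tells you which of the products the visitor was fishing for you actually run.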



How to prevent this

  • Ensure that your third-party software is always up to date
    • Register for the release mailing list
    • Check the project's site regularly



What we know about the visitor
All of this came from a single IP address, geolocated to Moldova (the Geo and GEOIP_COUNTRY_CODE cookies the visitor sent agree: Chisinau, MD), and the cookie pattern should make for an interesting breakdown. Some of them might even be valid authentication cookies for third-party media sites.

Threat Level
Low

Course of Action
If this has happened to you, do the following:

  • Check for and remove unauthorized third-party user accounts
  • Update your third-party software

Tuesday, September 14, 2010

The Cold Fusion Request

Event Details


Date: 14 September 2010

POST Values
CFID=xxxxxxxx, CFTOKEN=xxxxxxxx, CFGLOBALS=urltoken=CFID#=xxxxxxx&CFTOKEN#=xxxxxxx#lastvisit={ts '2010-09-14 14:33:18'}#timecreated={ts '2010-09-14 14:33:18'}#hitcount=2#cftoken=xxxxxxxx#cfid=xxxxxxxx#, __mmsid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, __mmuid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, __mmtrk=0|||x|xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

What the hacker was hoping for

This isn't actually a hack attempt. What you are looking at is ColdFusion's horrible built-in session handling: CFID and CFTOKEN identify the client, and CFGLOBALS is the client-variable blob ColdFusion keeps alongside them (urltoken, lastvisit, timecreated, hitcount and a second copy of the cfid/cftoken pair). It will crop up occasionally in your logs. Sometimes the values are forged, sometimes not. Either way, if you're not running ColdFusion (which you shouldn't be) nothing on your server reads them, so you should be safe.
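As an added example (not the blog's code), the following parses a CFGLOBALS string in the layout shown in the request above and cross-checks it against the CFID/CFTOKEN sent with it, which is one way to separate requests a real ColdFusion client produced from hand-edited ones. The consistency rules are an assumption; the sample strings are constructed with made-up identifiers.

```python
import re
from datetime import datetime

# CFGLOBALS is a '#'-delimited list of key=value pairs, but the urltoken value
# itself contains '#' ("CFID#=...&CFTOKEN#=..."), so only split on a '#' that
# is immediately followed by a new key name and '='.
_FIELD_SPLIT = re.compile(r"#(?=[A-Za-z_]+=)")
# ColdFusion date literal: {ts '2010-09-14 14:33:18'}
_CF_TS = re.compile(r"^\{ts '(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'\}$")


def parse_cfglobals(raw):
    """Parse a CFGLOBALS string into a dict.

    urltoken becomes {"cfid": ..., "cftoken": ...}, lastvisit/timecreated
    become datetimes, hitcount becomes an int; anything unrecognised is kept
    as the raw string.  Backslash-escaped quotes, as some log writers emit
    them ({ts \\'...\\'}), are tolerated.
    """
    raw = raw.replace("\\'", "'").strip().rstrip("#")
    fields = {}
    for piece in _FIELD_SPLIT.split(raw):
        key, sep, value = piece.partition("=")
        if sep:
            fields[key.strip().lower()] = value
    if "urltoken" in fields:
        token = {}
        for part in fields["urltoken"].split("&"):
            k, _, v = part.partition("=")
            token[k.rstrip("#").lower()] = v   # "CFID#" -> "cfid"
        fields["urltoken"] = token
    for key in ("lastvisit", "timecreated"):
        m = _CF_TS.match(fields.get(key, ""))
        if m:
            fields[key] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    if fields.get("hitcount", "").isdigit():
        fields["hitcount"] = int(fields["hitcount"])
    return fields


def check_cfglobals(cfid, cftoken, raw):
    """Consistency rules (assumed) for a genuine ColdFusion client: the same
    CFID/CFTOKEN appear in the request fields, inside urltoken and in the
    trailing cfid/cftoken; timecreated is not later than lastvisit; hitcount is
    a positive integer.  Returns the list of rules broken (empty = consistent)."""
    g = parse_cfglobals(raw)
    token = g.get("urltoken", {})
    problems = []
    for name, expected in (("cfid", cfid), ("cftoken", cftoken)):
        if token.get(name) != expected or g.get(name) != expected:
            problems.append(f"{name} mismatch")
    created, visited = g.get("timecreated"), g.get("lastvisit")
    if not (isinstance(created, datetime) and isinstance(visited, datetime)):
        problems.append("timestamps missing or malformed")
    elif created > visited:
        problems.append("timecreated is later than lastvisit")
    if not isinstance(g.get("hitcount"), int) or g["hitcount"] < 1:
        problems.append("hitcount is not a positive integer")
    return problems


# Constructed samples in the layout of the request above (identifiers made up).
GENUINE = ("urltoken=CFID#=22383750&CFTOKEN#=51721005"
           "#lastvisit={ts '2010-09-14 14:33:18'}"
           "#timecreated={ts '2010-09-14 14:33:18'}"
           "#hitcount=2#cftoken=51721005#cfid=22383750#")
# Same blob with the trailing cfid/cftoken edited so they no longer agree with
# the urltoken or with the CFID/CFTOKEN fields sent alongside.
FORGED = GENUINE.replace("cftoken=51721005#cfid=22383750#",
                         "cftoken=99999999#cfid=12345678#")

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, parse_cfglobals(blob), check_cfglobals("22383750", "51721005", blob))
```

The parser also accepts the backslash-escaped quotes seen in the earlier cookie dump, so the same check can be run over CFGLOBALS values captured from cookies as well as from POST bodies.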

How to prevent this


  • Don't run ColdFusion