Event Details
Date
19 September 2010
COOKIE Values
| Name | Value |
|---|---|
| ASPSESSIONIDSCRTBQQC | JGNLBCPCKBOMMKEIJFCJMPFM |
| CFID | 22383750 |
| CFTOKEN | 51721005 |
| CFGLOBALS | urltoken=CFID#=22383750&CFTOKEN#=51721005#lastvisit= {ts \'2010-09-19 16:18:43\'}#timecreated={ts \'2010-09-19 16:18:43\'}#hitcount= 2#cftoken=51729001#cfid=21383760# |
| X-Mapping-didaedea | EB0B1083BAF4C099C589235951FDADBB |
| X-Mapping-caklakng | 4A5C5709EC4B181DC062F79B5B21E09C |
| _icl_current_language | es |
| PHPSESSID | 1c1c463d4ad1c2a798e26c1af3ba3da2 |
| X-Mapping-edafcnem | 579465E39B484F85E6231FC9E6D1E138 |
| BALANCEDID | balancer.www281 |
| _netadventist3_session | 6e30595e8493a9f11a50303c6f8b3c4f |
| 27120c955796957883def31ab | 14a052b4d9bc3bfa241ef361cf628884 |
| wordpress_test_cookie | WP Cookie check |
| ASPSESSIONIDSACDTSDA | NHMLENACFGBEHMCABMDHKDKE |
| fc | fcVal |
| parkinglot | 1 |
| JSESSIONID | 1qutet5rna2pq |
| LB | 1924488576.20180.0000 |
| qtrans_cookie_test | qTranslate Cookie Test |
| tmgioct | TfNxDct6ErNB31xoEqZceoIc |
| sid_1_1 | a7703732a7afa22fe260a067c65c7990 |
| BIGipServerbit-inet-http-linux | 37803466.20481.0000 |
| SessionID | db3a7c81-3741-4f9a-a900-5d97ce333560 |
| VisitorID | 2a3dd61e-1bf6-42ea-a399-d4d2ad86f40c&Exp |
| googleToken | ZGMGKDOD2McKEwie0O3aiZSkAhUOIIcKHUYYesgYAyAAMPj7ggE4DVD4- 4IBUKT5mA9Q9vKxEVDU6IQbUIq23B5Q8dqtKQ |
| pixelstats_visitor_id | 67331fee75245061388da3fd9e77df72 |
| d528690ac3f32d512b24a75 | 5b7ccecde84ae7c9a42e3810d5cfa413 |
| SESSfb1d8525d94d660bc8f92 | 9hscilkep1adt9of1agj8tum54 |
| BX | 868p31969ciuf&b |
| SERVERID | web1-2 |
| tu | 061b31ae4fe862878a7595117ae8416a |
| X-Mapping-nbjnphkm | 8DA8508445391E23666146AE567F08EC |
| Apache | 95.65.x.x.835171294912545338 |
| X-Mapping-kjicghkc | C960851A671102A97B52FDBF75C01665 |
| b91c4587747e94d96ce5d3 | fbcab89b0ce5f389779ded811f402d4c |
| CFCV_MERCHANTLASTVISITTIME | {ts \'2010-09-19 09:26:05\'} |
| X-Mapping-beedigeg | 5E30EDBC3F2176516FE6669D5F48B32E |
| wordpress_d76e66a54228b4 | |1286123411|bbff8436665d6b302d1c6abeeab7bc04 |
| wordpress_logged_in_d76e66a54228 | |1286123411|d68e34164b9b1a0b21f92baef42e9d84 |
| ASPSESSIONIDQAAADCBS | OHCHFJADOJKJCBFEOPFKALCN |
| wikidot_token7 | 71ad16ad2c4d81f328082ff6c4b20768 |
| VSESSID | 1359648.dca700188a89324e44f3e81bf58d4aa6 |
| VISITID | 6e193f4b3162a051fece049be7fac04b |
| COMMUNITY_ID | 1359658.b2219323397be5f626b3c2c0100ea84b |
| language | en |
| TRIBE_NET | b |
| ljuniq | gl3ocO74evXTwzM:1284914251:pgstats0:m0 |
| bncom | 95.65.xx.xx.241961284920569217 |
| BNS | c1d60fa2c29235f0abc24034ff19d470 |
| lot | 1285519205 |
| USER_COUNTRY | RO |
| USERNAME | deleted |
| UP | deleted |
| IPSET | deleted |
| lastpage | devilsinferno |
| GEOIP_COUNTRY_CODE | MD |
| ARPT | JIUJWUS10.201.6.104CKMKM |
| Coyote-2-d81ebee0 | d8c54a52:0 |
| golfczech_session | nh4l85bhnp5tqp22cv51if8677 |
| TS5d4ca4 | c388a426083b9296b647cf490399f55d0533d6b8bac9704a4c963e62 |
| cl_b | 1284915225980101709 |
| appletvsource_com | 8nf7q9lp2a84a9kr1dkeih96n0 |
| xn_visitor | b74a0c19-a529-45f5-1d6f-17697f716573 |
| ning_session | l8UkOxI3LABk5Kk9GbCk/Iai2V31f0zebfJS4Yg/NOj3EBhXV 4sA7KUbx66EgnL19vQa9yn/Gg |
| SESS19be68902958250fb1aabe273a8e37c6 | 0088cgm6ucm52otu62d6etgbd2 |
| ASP_NET_SessionId | 50ygrp45hg5a4kzrpdchrkzs |
| rl-sticky-key | c0a8005251 |
| Geo | {\"city\":\"Chisinau\",\"country\":\"MD\",\"lat\":\"47.005600\",\"lon\":\"28.857500\"} |
| datr | 1284915781-d92ab9c6f7bd8e6cd366b4ef22e66fd8be1efcddae1128b43a3c9 |
| BIGipServerbensbargains_POOL | 2447708342.20481.0000 |
| vis | nSB7MgX1MM3gmaBD6yVGB9uAuruCbkxsMqGcSOqIZN/RVjnHdGoGbcji55I6PBcYFOid/nH7RyzLbIi2XIO 5 HTD3XNFjIdauVbD/QYFjaEwvPUxhyNkWIT4yGIF6Sg |
| X-Mapping-eacdndmj | E0173EA196311D523CD792DA546E7F1F |
| pen | 14 |
| f4c2dbffe8b9bb602e4145d5dd5ad48c | - |
| exp_last_visit | 1284913845 |
| exp_last_activity | 1284944714 |
| ee_language | _irish |
| mvp_session | 088f0cdeec0dd1ba6a45311d6257139d |
| wp_ozh_wsa_visits | 1 |
| wp_ozh_wsa_visit_lasttime | 1284917831 |
| X-Mapping-hmaddpem | B1B24346D692009D6D05252779F5C8AB |
| abtest | a |
| ASPSESSIONIDSQSBRQDC | CPNGANLCHIBBJADLMJNDAAAF |
| h | 09392d5de016c2eba5d5e66f5d2581bc |
| protected | 11 |
| zf_5y_visitor | -A6un8UwaiKZgFNt38zCsl9BSoIAAAAAZlJq5yMN51sz |
| Coyote-2-b869c4c1 | b869c41c:0 |
| session_id | \"ce49065f87912cb219f96566910f4e84f0898974::95.65.74.130\" |
| X-Mapping-jhoibjei | 04BDBCMEE22CBB3BFFC49AA4445AF849 |
| dublbom_com | 51a4784b26b5ef6c87a4a563ea3779d1 |
| _zsess | BAh7BjoPc1Vzc2lvbl9pZCIlMjhjYzRlMjMwOTRjOGQ2MWRhMzU0NzU=-- a84415741b6bb513ed083488ec51 |
| cweb | JONQJVSxx.x.xxx.xxxCKMKY |
| SESSc9b1f25375c7119f0d5b1d92de2dfbaa | 487e7e7dd4ac0246fa9m962295783dca |
| simtel_cookie | 302987322.261.0000 |
| _redmine_session | BAh7BjbPc2Vzc2lvbl9pZCIlY2EyYzk3NWQ4N=-- ae98617c73721ef0c5c3ff359f67f75c3a5 |
SERVER Values
HTTP_USER_AGENT: Opera/9.51 (Windows NT 5.1; U; en)
What the hacker was hoping for
Looking at this, it seems quite apparent that the attack was attempting to access restricted parts of the site (or access 3rd party software on your site) by throwing every authentication sessions he can think of at the website.
From Wordpress (Blogging Software) to x-mapping (Process Mapping) to ning (Social Network) to wikidot (Social Media).
The attacker is hoping that you will be running one of the various softwares that he is catering for and that his cookie exploit will be successful.
Alternatively he might be running a spam bot and hopes that the sessions will allow him access to the comment sections of various blogs and social platforms so he can comment spam.
How to prevent this
- Ensure that your 3rd party software is always up to date
- Register for the release mailing list
- Check regularly on the site
What we know about the visitor
This is only from one IP address (originating from Moldova, EU) and the cookie pattern should make for an interesting breakdown. Some of them might even be valid authentication cookies for 3rd party media sites.
Threat Level
Low
Course of Action
If this has happened to you, do the following:
- Check and remove unautherized 3rd party user accounts
- Update your 3rd party software
