[ic] Unauthorized for that session
Dan Bergan
dan at berganconsulting.com
Sat Mar 2 21:10:51 UTC 2013
On Sat, Mar 2, 2013 at 1:12 PM, Grant <emailgrant at gmail.com> wrote:
> Do you ignore these entries in the global error.log? Looking over my
> log, this message is logged for all types of strange requests. Lately
> I'm getting a fair number of requests like this:
>
> http://www.example.com/page.html?id='A=string
>
> "page" changes but is always a valid page. "string" is 9 characters
> long and doesn't change.
>
> Is there anything to watch out for with this?
>
I'm seeing this as well, but I'm getting this error:
Malformed session identifier: 'A=0gkd9LaF3QhmE
I'm seeing the same string from multiple ip addresses. And then later,
I'll see a different string start coming in from multiple ip addresses.
28-Feb: 'A=0gkd9LaF3QhmE
01-Mar: 'A=0XmLmm3PwDpRw
02-Mar: 'A=0XmLmm3PwDpRw
(the first time I saw the error was on Feb. 28.)
I'm seeing another error as well (this one started earlier, and it is also
continuing):
Malformed session identifier: CmKVrLodHYgb"'
The string will change, but it always ends in a double quote followed by a
single quote.
My first thought was that it might be related to this:
https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
But, I really have no idea what they are trying to do, but it does seem
suspicious...
Dan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.icdevgroup.org/pipermail/interchange-users/attachments/20130302/578ce80a/attachment.html>
More information about the interchange-users
mailing list