[ic] Unauthorized for that session
Grant
emailgrant at gmail.com
Sun Mar 3 21:19:45 UTC 2013
>> Do you ignore these entries in the global error.log? Looking over my
>> log, this message is logged for all types of strange requests. Lately
>> I'm getting a fair number of requests like this:
>>
>> http://www.example.com/page.html?id='A=string
>>
>> "page" changes but is always a valid page. "string" is 9 characters
>> long and doesn't change.
>>
>> Is there anything to watch out for with this?
>>
>
> I'm seeing this as well, but I'm getting this error:
> Malformed session identifier: 'A=0gkd9LaF3QhmE
>
> I'm seeing the same string from multiple IP addresses. And then later, I'll
> see a different string start coming in from multiple IP addresses.
> 28-Feb: 'A=0gkd9LaF3QhmE
> 01-Mar: 'A=0XmLmm3PwDpRw
> 02-Mar: 'A=0XmLmm3PwDpRw
>
> (the first time I saw the error was on Feb. 28.)
>
> I'm seeing another error as well (this one started earlier, and it is also
> continuing):
> Malformed session identifier: CmKVrLodHYgb"'
>
> The string will change, but it always ends in a double quote followed by a
> single quote.
>
> My first thought was that it might be related to this:
> https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
>
> But, I really have no idea what they are trying to do, but it does seem
> suspicious...
>
> Dan
Thanks Dan, we're seeing similar stuff.
- Grant
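
Added example, not part of the original thread: a small Python script that groups "Malformed session identifier" entries by the offending string and reports how many distinct addresses sent it and on which days, the pattern Dan describes. The log line layout (`<ip> [<date>] <message>`), the IP addresses and the function names are assumptions made for illustration; only the identifier strings and dates come from the messages above.

```python
import re
from collections import defaultdict

# Constructed sample lines in an ASSUMED layout: "<ip> [<date>] <message>".
# Adjust LINE_RE to the layout of your own error.log.
SAMPLE_LOG = """\
192.0.2.10 [28-Feb] Malformed session identifier: 'A=0gkd9LaF3QhmE
198.51.100.7 [28-Feb] Malformed session identifier: 'A=0gkd9LaF3QhmE
203.0.113.5 [01-Mar] Malformed session identifier: 'A=0XmLmm3PwDpRw
192.0.2.44 [01-Mar] Malformed session identifier: 'A=0XmLmm3PwDpRw
198.51.100.7 [02-Mar] Malformed session identifier: 'A=0XmLmm3PwDpRw
203.0.113.9 [02-Mar] Malformed session identifier: CmKVrLodHYgb"'
192.0.2.10 [02-Mar] Unauthorized for that session
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<day>[^\]]+)\] Malformed session identifier: (?P<token>.*)$"
)

def summarize(log_text):
    """Group malformed-session entries by token: source IPs, days seen, quote flags."""
    seen = defaultdict(lambda: {"ips": set(), "days": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other messages are out of scope here
        entry = seen[m["token"]]
        entry["ips"].add(m["ip"])
        entry["days"].add(m["day"])
    report = {}
    for token, entry in seen.items():
        report[token] = {
            "distinct_ips": len(entry["ips"]),
            "days": sorted(entry["days"]),
            # Both patterns reported in the thread carry quote characters.
            "has_quote": any(c in token for c in "'\""),
            "quote_suffix": token.endswith("\"'"),
        }
    return report

def shared_tokens(report, min_ips=2):
    """Tokens sent by at least min_ips different addresses (same string, many sources)."""
    return sorted(t for t, r in report.items() if r["distinct_ips"] >= min_ips)

if __name__ == "__main__":
    for token, info in summarize(SAMPLE_LOG).items():
        print(repr(token), info)
```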