[ic] Unauthorized for that session

Grant emailgrant at gmail.com
Sun Mar 3 21:19:45 UTC 2013

>> Do you ignore these entries in the global error.log?  Looking over my
>> log, this message is logged for all types of strange requests.  Lately
>> I'm getting a fair number of requests like this:
>> http://www.example.com/page.html?id='A=string
>> "page" changes but is always a valid page.  "string" is 9 characters
>> long and doesn't change.
>> Is there anything to watch out for with this?
> I'm seeing this as well, but I'm getting this error:
> Malformed session identifier: 'A=0gkd9LaF3QhmE
> I'm seeing the same string from multiple IP addresses.  And then later, I'll
> see a different string start coming in from multiple IP addresses.
> 28-Feb: 'A=0gkd9LaF3QhmE
> 01-Mar: 'A=0XmLmm3PwDpRw
> 02-Mar: 'A=0XmLmm3PwDpRw
> (the first time I saw the error was on Feb. 28.)
> I'm seeing another error as well (this one started earlier, and it is also
> continuing):
>  Malformed session identifier: CmKVrLodHYgb"'
> The string will change, but it always ends in a double quote followed by a
> single quote.
> My first thought was that it might be related to this:
> https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
> But, I really have no idea what they are trying to do, but it does seem
> suspicious...
> Dan

Thanks Dan, we're seeing similar stuff.

- Grant
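
Added example (not part of the original posts, and not Interchange code): one way to triage the entries discussed in this thread is to group the "Malformed session identifier" values by the addresses and days they arrive on. The log line layout and the documentation-range IP addresses below are constructed assumptions; the identifier values are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout (client IP, bracketed date, message) is an
# assumption for this example, not Interchange's documented error.log format.
SAMPLE_LOG = """\
192.0.2.10 [28/Feb/2013:04:11:02] Malformed session identifier: 'A=0gkd9LaF3QhmE
198.51.100.7 [28/Feb/2013:09:30:45] Malformed session identifier: 'A=0gkd9LaF3QhmE
203.0.113.5 [01/Mar/2013:01:02:03] Malformed session identifier: 'A=0XmLmm3PwDpRw
192.0.2.44 [02/Mar/2013:17:20:00] Malformed session identifier: 'A=0XmLmm3PwDpRw
198.51.100.7 [02/Mar/2013:18:00:10] Malformed session identifier: CmKVrLodHYgb"'
192.0.2.10 [02/Mar/2013:18:05:00] Unauthorized for that session
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<day>[^:\]]+):[^\]]*\] "
    r"Malformed session identifier: (?P<sid>.*)$"
)

def summarize(log_text):
    """Group malformed session ids by value; record source IPs and days seen."""
    seen = defaultdict(lambda: {"ips": set(), "days": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other messages are out of scope for this summary
        entry = seen[m.group("sid")]
        entry["ips"].add(m.group("ip"))
        entry["days"].add(m.group("day"))
        entry["hits"] += 1
    return seen

def flag(seen, min_ips=2):
    """Return ids worth a closer look: quote characters in the value, or the
    same value arriving from several addresses."""
    report = {}
    for sid, e in seen.items():
        reasons = []
        if "'" in sid or '"' in sid:
            reasons.append("quote characters")
        if len(e["ips"]) >= min_ips:
            reasons.append(f"{len(e['ips'])} source IPs")
        if reasons:
            report[sid] = reasons
    return report

if __name__ == "__main__":
    for sid, reasons in flag(summarize(SAMPLE_LOG)).items():
        print(f"{sid!r}: {', '.join(reasons)}")
```
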

More information about the interchange-users mailing list