[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] Odd session cookies


It looks like someone trying to guess existing cookies and retrieve session information for existing sessions. Based on the cookie format, I am guessing the sessions are actually controlled by PHP - you can add some code to log IP address and cookie combinations and see if there is a patterns.

I am pretty sure sess_rfc1867-tests-post is a cookie name from the PHP test suite. The other examples you gave look like what might happen if you set a custom session handler and didn't add a unique value for each session.

If you are worried about actual session hijacking, store the client IP address in the session and don't let other IPs use it and/or consider an application firewall that can detect these things (no specific recommendation).

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Fri, Sep 7, 2018, 1:17 AM John <john.iliffe@xxxxxxxxx> wrote:
Beginning last Sunday (2 September) I have been finding several oddly named
session cookies each day on my server.  The normal Apache session cookies have
names like "sess_d50280ded90f1dbd48fcfd5fc77baa77".  These new ones have names
like:

sess_mycustomsession
sess_sessionidhere


The content seems strange too, although so far I haven't found anything
important in one of the.  The owner name is often mine, although some have
"php-fpm" as the file owner. 

Here is an example:

cookie name:  sess_rfc1867-tests-post

cookie content: 

upload_progress_rfc1867_sid_only_cookie_2.php|a:5:{s:10:"start_time";i:153591608
5;s:14:"content_length";i:603;s:15:"bytes_processed";i:603;s:4:"done";b:1;s:5:"f
iles";a:2:{i:0;a:7:{s:10:"field_name";s:5:"file1";s:4:"name";s:9:"file1.txt";s:8
:"tmp_name";s:14:"/tmp/phpQWrbXC";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_tim
e";i:1535916085;s:15:"bytes_processed";i:1;}i:1;a:7:{s:10:"field_name";s:5:"file
2";s:4:"name";s:9:"file2.txt";s:8:"tmp_name";s:14:"/tmp/phpSoCWFv";s:5:"error";i
:0;s:4:"done";b:1;s:10:"start_time";i:1535916085;s:15:"bytes_processed";i:1;}}}

Does anyone have any idea what these are and if I have some sort of a compromise
to the server going on?

Thanks in advance.

John



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx