Network Security Technology

Designing Great Security
since 1984



Case Study

Session ID Hijacking

I got a concerned call from a client upset by what his webmaster had reported as "strange" web activity by some of the customers. Their web application was logging error messages from multiple users. The software used a cookie holding a session ID to identify each customer's session.

Further investigation of the error logs showed that although the errors were coming from multiple customers, the IP address on all the errors was the same.

The attacker had looked at his own cookie to find the session ID. The system handed out IDs from a sequential counter, and the only "protection" was wrapping that counter in fixed letters so it did not look like a number. For example, the IDs looked like abc1ABC1 and abc2ABC2.

The attacker guessed that someone else on the system must hold abc3ABC3, so he changed his cookie value and took over that user's session. With his activity now attributed to the other user's account, he started probing the system for weaknesses, producing the error messages that alerted the webmaster.

Solution -- Removing the failed attempt to obfuscate the session ID and instead generating each ID from a cryptographically random source solved the hijacking problem. Further investigation into the system showed that the attacker had been wasting his time on the cookies. The web server was configured to allow directory listings of the web directory, and the customer database sat in that directory, visible in the listing. The worst part was that the customer database was a plain text file and the passwords were stored in the clear, not even hashed.
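The following is an added example, not the client's code or anything from the original case study. It reconstructs the broken scheme described above (a counter wrapped in the assumed fixed letters "abc" and "ABC"), shows the one-line guess the attacker made, replaces the generator with one backed by the operating system's CSPRNG, and adds a small audit heuristic you can run over a list of IDs pulled from a session log to spot a sequential scheme. The class and function names are hypothetical.

```python
import itertools
import secrets

# --- The broken scheme, reconstructed from the case study (assumed letters) ---
PREFIX, SUFFIX = "abc", "ABC"   # the fixed text that "hid" the counter


class SequentialSessionIds:
    """Issues IDs from a global counter wrapped in fixed text: abc1ABC1, abc2ABC2, ..."""

    def __init__(self):
        self._counter = itertools.count(1)

    def issue(self):
        n = next(self._counter)
        return f"{PREFIX}{n}{SUFFIX}{n}"


def predict_next(session_id):
    """What the attacker did: strip the letters, add one, rebuild the next ID."""
    body = session_id[len(PREFIX):]
    n = int(body[: body.index(SUFFIX)]) + 1
    return f"{PREFIX}{n}{SUFFIX}{n}"


# --- The fix: an unguessable ID drawn from the OS CSPRNG ---
def new_session_id():
    # 32 random bytes = 256 bits of entropy; token_urlsafe base64url-encodes
    # them into 43 characters. Use the secrets module, never random.*, whose
    # generator is seeded and predictable.
    return secrets.token_urlsafe(32)


# --- Audit heuristic: do issued IDs carry an incrementing number? ---
def first_number(session_id):
    """Return the first run of digits in an ID as an int, or None if there is none."""
    digits = ""
    for ch in session_id:
        if ch.isdigit():
            digits += ch
        elif digits:
            break
    return int(digits) if digits else None


def looks_sequential(ids):
    """True if every ID embeds a number and each one is exactly the previous plus one."""
    nums = [first_number(i) for i in ids]
    if len(nums) < 2 or any(n is None for n in nums):
        return False
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


if __name__ == "__main__":
    gen = SequentialSessionIds()
    mine = gen.issue()          # the attacker's own cookie
    victim = gen.issue()        # the next customer to log in
    print("attacker holds", mine, "-> guesses", predict_next(mine), "; victim holds", victim)
    print("sequential scheme detected:", looks_sequential([mine, victim, gen.issue()]))
    fresh = [new_session_id() for _ in range(5)]
    print("random IDs flagged as sequential:", looks_sequential(fresh))
```

Run the audit against a few hundred IDs taken in issue order from the server's logs; a single True is enough to justify replacing the generator. Unpredictability is the whole defence here: a server that validates IDs against its session store still hands an attacker the victim's session if the victim's ID can be guessed.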

We also turned off directory listings of the web directories and expired all the customer passwords. What a mess!
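The case study does not name the web server. As an added example, not configuration from the original page, here is what the listing fix looks like on Apache 2.4, with the exposed setting beside the corrected one; the document root path and the file extensions are assumptions. The two Directory blocks are alternatives, not meant to be applied together.

```apache
# Before (the exposed state): listings enabled, so a request for the data
# directory returned an index naming the customer file, which was then
# downloadable like any other static file.
<Directory "/var/www/html">
    Options +Indexes
</Directory>

# After: no listings anywhere under the document root, and data files are
# denied to web clients as a stopgap until they are moved out of the
# document root entirely, which is the real fix.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
<FilesMatch "\.(txt|db|csv)$">
    Require all denied
</FilesMatch>
```

After the change, confirm it from the outside: a request for the directory URL should return 403 rather than an index page, and a request for the data file by name should also return 403. Moving the file outside the document root removes the need to trust that a rule matches.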


Contact Us

For information and assistance on these or any other computer related issues, you can contact us by: E-Mail, or by calling 775/741-8278.


Copyright(©) 2003 - 2008 Access Technologies