Yep, last week I was doing a Audit to a web server of a client and he also
have that cookie, and they also have webtrends.
The cookie also includes the browser ip address and in normal cases will
expire on 2010.
There is alot of fuzz around this cookie and CIA. But usualy it belongs to a
web stats program. Do a search on google.

VV

-----Original Message-----
From: Marty Block [mailto:martykesem.net]
Sent: terça-feira, 2 de Julho de 2002 19:11
To: webappsecsecurityfocus.com
Subject: Help finding a cookie generator

Hi
we're a coldfusion/iis/win2k shop that has recently discovered our server is
placing cookies on visitors browsers. the signature of the cookie starts
with EGSOFT. we contacted them and the rest of the signature does not
resemble "one of there's"

We're left witht he conclusion that even with firewall, lots of iis and
win2k config and lockdown, we got some kind of worm.

What I need is to try to figure out what process or program is doing this.
What kind of tools can i use to watch the incoming/outbound traffic to the
browser and what can I do at the server to look at the processes which might
be involved.

Thanks,

Marty

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]