WolfShade
Brainiac
October 8, 2015
Question

'A=0 - hack attempt??

  • October 8, 2015
  • 4 replies
  • 9728 views

Hello, all,

We've been seeing a lot of the following, recently, in our logs:

http://www.domain.com/getfile.cfm?uuid{a CF uuid}'A=0

When I entered this in my browser, I was presented with a dialogue to open or save "getfile.cfm".  My boss was in a bit of a panic, thinking that someone found a way to download our .cfm templates, thusly exposing all of our code.

As it turns out, all it is really getting is the HTML generated on the fly by our CF server.  Okay.. no more sweating bullets.. but, still a concern.

What is the best way to thwart attempts like this (harmless as they are)?  I've got form and URL scopes going through both Portcullis and canonicalize().  What else can I do?

Much appreciated.

V/r,

^_^


4 replies

knowledgeable_master0D45
New Participant
August 4, 2016

To anyone looking for the solution the answer was posted on Stack Overflow on 6th July 2016 here: encoding - Strange URL, contains A=0 or 0=A

m.patrick40759440
New Participant
August 3, 2016

I work on a government web site - purely informational - no confidential files, etc.

I see this 'hack' almost every day.  I have researched the IPs associated with the log entries and discovered that the majority of these are linked back to the Russian Federation, although they sometimes appear to be coming from other countries via open proxies. They always seem to come in waves of six identical queries, attempting to piggy-back on the page numbering system on our site.

IP: 2.62.33.149 - Query: [[p=34'A=0]] - OJSC Rostelecom, Russian Federation - Novosibirsk

IP: 79.173.65.89 - Query: [[p=67'A=0]] - Russian Federation

IP: 94.19.237.172 - Query: [[p=34'A=0]] - Russian Federation

IP: 77.94.56.2 - Query: [[p=67'A=0]] - Belarus

IP: 46.159.45.142 - Query: [p=180'A=0] - Russian Federation

For our site, this hack gives the requester nothing but an empty HTML page - markup, but no content whatsoever.

Not sure what the Russians are looking for but......

M. Patrick
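The original post asks how to spot and keep track of these requests in the logs, and the reply above describes the shape they take (a page-number parameter with `'A=0` or `'0=A` tacked on, arriving in bursts of six identical queries per IP). The following is an added example, not code from this thread or from Adobe; it parses constructed Apache combined-format log lines (made-up IPs and paths that only mirror the shapes quoted above), flags requests whose decoded query string carries the `'A=0` / `'0=A` suffix (including the `%27`-encoded form), and groups the hits per source IP so that a "wave" of identical queries stands out for review. The `wave_size` threshold of six is taken from the observation above and is a tunable assumption.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache "combined" log format. The IPs and
# queries mirror the shapes quoted in the thread, but the lines are made up.
SAMPLE_LOG = """\
2.62.33.149 - - [03/Aug/2016:10:01:02 +0000] "GET /news.cfm?p=34'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2.62.33.149 - - [03/Aug/2016:10:01:03 +0000] "GET /news.cfm?p=34'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2.62.33.149 - - [03/Aug/2016:10:01:03 +0000] "GET /news.cfm?p=34'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2.62.33.149 - - [03/Aug/2016:10:01:04 +0000] "GET /news.cfm?p=34'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2.62.33.149 - - [03/Aug/2016:10:01:04 +0000] "GET /news.cfm?p=34'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2.62.33.149 - - [03/Aug/2016:10:01:05 +0000] "GET /news.cfm?p=34'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [03/Aug/2016:10:02:00 +0000] "GET /news.cfm?p=34 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
94.19.237.172 - - [03/Aug/2016:10:03:10 +0000] "GET /getfile.cfm?uuid=ABC%27A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
79.173.65.89 - - [03/Aug/2016:10:04:00 +0000] "GET /news.cfm?p=67'0=A HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# One Apache combined-format line: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The probe seen in the thread: a single quote followed by A=0 or 0=A.
PROBE_RE = re.compile(r"'\s*(?:A=0|0=A)\b")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def probe_query(target):
    """Return the decoded query string if it carries the 'A=0 / '0=A suffix, else None.

    The query is percent-decoded first so that %27A=0 is treated like 'A=0.
    """
    query = unquote(urlsplit(target).query)
    return query if PROBE_RE.search(query) else None


def find_probes(log_text):
    """Collect every request in log_text whose query string matches the probe pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        query = probe_query(rec["target"])
        if query is None:
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": urlsplit(rec["target"]).path,
            "query": query,
            "ua": rec["ua"],
        })
    return hits


def summarize(hits, wave_size=6):
    """Group probe hits by source IP and decoded query; report identical-query bursts.

    wave_size is an assumed threshold taken from the thread's "six in a row" observation.
    """
    by_ip = defaultdict(Counter)
    for h in hits:
        by_ip[h["ip"]][h["query"]] += 1
    waves = [
        (ip, query, n)
        for ip, counts in by_ip.items()
        for query, n in counts.items()
        if n >= wave_size
    ]
    return {"total": len(hits), "by_ip": dict(by_ip), "waves": waves}


if __name__ == "__main__":
    report = summarize(find_probes(SAMPLE_LOG))
    print(f"{report['total']} probe requests from {len(report['by_ip'])} source IPs")
    for ip, counts in report["by_ip"].items():
        for query, n in counts.items():
            print(f"  {ip:<15} x{n}  {query}")
    for ip, query, n in report["waves"]:
        print(f"wave: {ip} sent '{query}' {n} times")
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; the per-IP counters give the same picture the reply above built by hand, and the `waves` list is what you would feed into whatever alerting or review process you already have, without blocking anything automatically.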

WolfShade
WolfShadeAuthor
Brainiac
August 3, 2016

Ditto on the "six in a row" attempts.  A block of six approximately every half hour, now.  And, like your situation, most are coming from Russia.  We also see the Baidu search engine.

V/r,

^_^

UPDATE:  We just got our first from Belarus.

lora3677
New Participant
June 23, 2016

I get these, too... I know it's been a while since this thread was active. Hopefully with our upgrade this weekend and new encoding for the affected application... they will go away!

WolfShade
WolfShadeAuthor
Brainiac
June 24, 2016

I wanted to put some code in the application.cfc that would look for and remove 'A=0 from all URL parameters, but the boss nixed the idea because it might escalate things if it did turn out to be a hack attempt instead of a bot.

V/r,

^_^

lora3677
New Participant
July 1, 2016

Well... we did our upgrade... I did receive one of these errors on a page last night... googled the IP and it shows up on the anti-hacker-alliance in the Google results... I'm not sure how legit that site is, so I'm not clicking on it. HA!

For now, I think I'll be monitoring and see if anyone else says anything about a way to block... it was mozilla 5.0

WolfShade
WolfShadeAuthor
Brainiac
October 12, 2015

Four days, and over 40 views, but no one has encountered something like this?

V/r,

^_^

BKBK
Community Expert
October 13, 2015

That was likely an innocent visit by a bot. The webserver logs might give you more information. Use robots.txt to control how bots visit your site.

WolfShade
WolfShadeAuthor
Brainiac
October 13, 2015

Hi, BKBK and haxtbh, thanks for replying.

I'm trying to find the email that my boss forwarded to me that contained the pertinent information.  I'll check the IP addresses; hopefully it's just a bot.  Normally I look at the user-agent info, but I'm drawing a blank on this one.

V/r,

^_^