DateTimeSeverityThreadIDApplication NameJul 10, 2013 8:17 AM Warning jrpp-0 CFADMIN Unexpected characters found in locale.I recently noticed that I am getting this error repeated in my application logs... about 20 times per minute....any ideas what is causing this?

Inspiring

Question

Unexpected characters found in locale in log files

Forum|Forum|12 years ago
July 10, 2013
6 replies
7722 views

Date	Time	Severity	ThreadID	Application Name
Jul 10, 2013	8:17 AM	Warning	jrpp-0	CFADMIN
Unexpected characters found in locale.

I recently noticed that I am getting this error repeated in my application logs... about 20 times per minute....

any ideas what is causing this?

This topic has been closed for replies.

I

ifsteveAuthor

Inspiring

More on this, its a scan for a hack attempt on the patches that were released earlier this year:

xxx.xxx.xxx.xxx GET /CFIDE/adminapi/administrator.cfc method=login&adminpassword=&rdsPasswordAllowed=true 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 404 7 0 5381 227 249

xxx.xxx.xxx.xxx GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 500 0 0 9449 272 405

xxx.xxx.xxx.xxx GET /CFIDE/Administrator/logging/settings.cfm locale=../../../../menu.js%00en 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 200 0 0 9752 215 499

xxx.xxx.xxx.xxx GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 500 0 0 8761 419 405

I took a suggested approach of using a web.config to deny .CFC from being executed by a web browser. It seems that the first call gives a user direct access to the administrator without having to authenticate (that was one of the fixes)... the rest are followup commands where they try to get access to the file manager and such.

D

DCwebGuy

Inspiring

I am fairly new to IIS 7, how do you deny .CFC (or any URL/template) from being executed by a browser vs. ColdFusion itself calling it? For example, I tried using IIS7's built-in Request Filtering where you can put files and directories under the "Hidden Segments" tab to block a browser from accessing "CFIDE" but then that broke all my code where the page itself needs access (think CF's built-in form validation or anything under ajax/scripts). Is there another way?

Btw, I noticed the FCKeditor probes, as well. I just deleted the entire FCKeditor directory from ajax/scripts. I use the latest CKEditor 4 with CF anyway. The upgrade is really simple.

I

ifsteveAuthor

Inspiring

forgive me for not remembering the web address of the blog, but they posted a web.config file to place in the cfide folder. The contents were something similar to this:

<system.webServer>

</fileExtensions>

</hiddenSegments>

</verbs>

</requestFiltering>

</security>

</system.webServer>

</configuration>

I believe the reasonining is that Coldfusion itself doesnt go through IIS when accessing its own resources within those folders, and only web browsers call through IIS, so blocking with the above web.config provides a patch.

D

David-Smith

Participating Frequently

Anyone?? Adobe, are you out there?

A

Adam Cameron.

Inspiring

Yep, they are "out there", but they are not - as a rule - "in here". If you specifically want a response from Adobe, you need to raise a support ticket with them. Whilst occasionally an Adobe person will post here, I get the impression it is only when the question is one of the ones on their "script". The patrons here are just community members, on the whole.

I've no idea what's causing your issue, but a few things:

* which precise log is this in?

* what locale is your site running under?

* do you have any code which will have non-ASCII characters in it?

* are they are any other log entries (if any other logs) made at the same time which might point you at some code that's causing this?

--

Adam

D

David-Smith

Participating Frequently

Thanks, Adam. I was under the impression Adobe support would look at these threads from time to time, but if not, then okay.

To answer your questions:

* This is being written to the application.log. I see dozens if not hundreds of them in a row, which make me feel a little bit like someone is trying to hack something. These groupings show up randomly, there does not seem to be a pattern, and like i said they go on and on, this is just a snippet:

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

* I'm not sure what you mean by what "locale" my site is running under. This is just normal US version.

* I doubt I have actual ColdFusion code with non-ASCII characters in it (how would that even happen?), but in theory maybe someone (a hacker?) is trying to submit non-ASCII code into one of my forms or URL variables or something? If so the URLScan utlity, among other things, should catch that, but again I'm not too sure.

* In the coldfusion-out.log I see something similar, like this, but I don't think it helps. Coldfusion-out.log seems to collect just about everything being written to every other log. No other logs have anything around this time.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

The only other thing I notice, which is what leads me to believe this is some sort of hack attempt, is that peppered in between these "Unexpected characters" groups are a few lines like this:

"Error","ajp-bio-8012-exec-934","09/05/13","07:34:54","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

"Error","ajp-bio-8012-exec-934","09/05/13","07:35:19","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

Thanks for any advice. Btw, our CFIDE is not exposed to the public (i.e., outside of our firewall).