
'A=0 - hack attempt??

LEGEND, Oct 08, 2015


Hello, all,

We've been seeing a lot of the following, recently, in our logs:

http://www.domain.com/getfile.cfm?uuid{a CF uuid}'A=0

When I entered this in my browser, I was presented with a dialogue to open or save "getfile.cfm".  My boss was in a bit of a panic, thinking that someone found a way to download our .cfm templates, thusly exposing all of our code.

As it turns out, all it is really getting is the HTML generated on the fly by our CF server.  Okay... no more sweating bullets... but, still a concern.

What is the best way to thwart attempts like this (harmless as they are)?  I've got form and URL scopes going through both Portcullis and canonicalize().  What else can I do?

Much appreciated.

V/r,

^_^

Topics: Security
Views: 9.1K

LEGEND, Oct 12, 2015


Four days, and over 40 views, but no one has encountered something like this?

V/r,

^_^

Community Expert, Oct 12, 2015


That was likely an innocent visit by a bot. The webserver logs might give you more information. Use robots.txt to control how bots visit your site.

LEGEND, Oct 13, 2015


Hi, BKBK and haxtbh, thanks for replying.

I'm trying to find the email that my boss forwarded to me that contained the pertinent information.  I'll check the IP addresses; hopefully it's just a bot.  Normally I look at the user-agent info, but I'm drawing a blank on this one.

V/r,

^_^

Advocate, Oct 13, 2015


I get these as well quite frequently and BKBK is right, the IPs are usually Google IPs, so it must be the Google bot doing something.

LEGEND, Oct 13, 2015


Found it.  It does not appear to be a bot.  It does, however, appear to be using a very old browser.

HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)

REMOTE_ADDR 95.85.87.13

According to ARIN, the IP belongs to RIPE NCC in Amsterdam.  But the record hasn't been updated since 2009???

What do you guys think?  Isn't this a bit suspicious?  Or am I being overly paranoid?  (I'm paid to be paranoid; overly paranoid comes with a premium.)

V/r,

^_^

UPDATE: Further research shows that the IP address belongs to someone in Sankt-Peterburg, ul. Gakkelevskaja (Russia).

Community Expert, Oct 13, 2015


The jury is still out. A bot may be configured to fake any browser of choice.

Does your site involve sensitive or confidential information, high traffic, trade or money? Then you need some paranoia. Check whether there were visits from other IPs in the range, 95.85.x.x.

LEGEND, Oct 14, 2015


BKBK wrote:

Does your site involve sensitive or confidential information, high traffic, trade or money? Then you need some paranoia. Check whether there were visits from other IPs in the range, 95.85.x.x.

The site, itself, does not contain any of those, or anything along those lines.  It's the new public site for USTRANSCOM.  If anyone is trying to hack that, it's most likely either A) bored script-kiddies, or B) hackers looking for a gap in the armor and hoping for lateral movement within the network.  I'm sure there are more possibilities, but those two are just off the top of my head.

V/r,

^_^

Advocate, Oct 14, 2015


I see these quite regularly and most, maybe all, have nothing to do with scanners. I've seen these for years and panicked when I first started seeing alerts referencing 'A=0. Like you, I have not found a valid explanation in all my googling. My current theory is that this is the result of an encoding error of some sort -- maybe a confused browser.

LEGEND, Oct 14, 2015


Well, whether done manually or by automated script, the 'A=0 is intentionally placed at the end of the query string; and it results in the on-the-fly generated HTML from the CF server being offered for save or open in FF or IE, using the serving document name as the name to be saved or opened.  It's not coming from any code that I or my team have written.  It's most likely someone just testing the waters, seeing what is produced as a result.  OR, it could be an automated script to grab pages in HTML that can be saved and re-purposed for someone else's site.  Either way, it's still a bit unnerving, esp. given the client that I am working for (USG DoD).

V/r,

^_^

Advocate, Jan 27, 2016


For me, still the same. I get about a half dozen of these a day with one of the sites I monitor. I sure wish I knew where these were coming from, or could at least confirm my encoding suspicion.

Advocate, Jan 27, 2016


I noticed the requests come from a really old version of Firefox / Mozilla. We recently blocked the user agent string for these really old versions and we haven't had any of these requests since. Must just be some bots somewhere using an old build of Firefox to check for websites with holes in them.

New Here, Jun 23, 2016


I get these, too... I know it's been a while since this thread was active. Hopefully with our upgrade this weekend and new encoding for the affected application... they will go away!

LEGEND, Jun 24, 2016


I wanted to put some code in the application.cfc that would look for and remove 'A=0 from all URL parameters, but the boss nixed the idea because it might escalate things if it did turn out to be a hack attempt instead of a bot.

V/r,

^_^

New Here, Jul 01, 2016


Well... we did our upgrade... I did receive one of these errors on a page last night... Googled the IP and it shows up on the anti-hacker-alliance site in the Google results... I'm not sure how legit that site is, so I'm not clicking on it. HA!

For now, I think I'll be monitoring and see if anyone else says anything about a way to block... it was Mozilla 5.0

New Here, Aug 03, 2016


I work on a government web site - purely informational - no confidential files, etc.

I see this 'hack' almost every day.  I have researched the IPs associated with the log entries and discovered that the majority of these are linked back to the Russian Federation, although they sometimes appear to be coming from other countries via open proxies. They always seem to come in waves of six identical queries, attempting to piggy-back on the page numbering system on our site.

IP: 2.62.33.149 - Query: [[p=34'A=0]] - OJSC Rostelecom, Russian Federation - Novosibirsk

IP: 79.173.65.89 - Query: [[p=67'A=0]] - Russian Federation

IP: 94.19.237.172 - Query: [[p=34'A=0]] - Russian Federation

IP: 77.94.56.2 - Query: [[p=67'A=0]] - Belarus

IP: 46.159.45.142 - Query: [p=180'A=0] - Russian Federation

For our site, this hack gives the requester nothing but an empty HTML page - markup, but no content whatsoever.

Not sure what the Russians are looking for but......

M. Patrick

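A defender's way to triage the pattern this thread describes (the 'A=0 / '0=A suffix on the query string, bursts of identical requests from one IP, and the very old Firefox user agent), as an added Python example that is not code from the original thread or from any poster. It parses Apache combined-format access log lines; the sample lines are constructed and reuse only the IP, query and user agent quoted above, while the timestamps, paths, second IP and burst thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit
# Constructed sample lines in Apache "combined" log format (not real server data).
SAMPLE_LOG = """\
2.62.33.149 - - [03/Aug/2016:10:02:11 +0000] "GET /page.cfm?p=34'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
2.62.33.149 - - [03/Aug/2016:10:02:12 +0000] "GET /page.cfm?p=34%27A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
2.62.33.149 - - [03/Aug/2016:10:02:13 +0000] "GET /page.cfm?p=34'0=A HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
10.0.0.7 - - [03/Aug/2016:10:05:00 +0000] "GET /page.cfm?p=34 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0"
10.0.0.8 - - [03/Aug/2016:10:40:00 +0000] "GET /page.cfm?p=67'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; rv:47.0) Gecko/20100101 Firefox/47.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
SUFFIX_RE = re.compile(r"'(?:A=0|0=A)$")      # the appended text this thread is about
FIREFOX_RE = re.compile(r"Firefox/(\d+)\.")

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return dict(m.groupdict(), ts=datetime.strptime(m.group("ts"), TIME_FMT))

def has_a0_suffix(path):
    """True when the decoded query string ends in 'A=0 or '0=A (raw or %27-encoded quote)."""
    return bool(SUFFIX_RE.search(unquote(urlsplit(path).query)))

def old_firefox(ua, max_major=3):
    """True for Firefox builds at or below max_major, like the 3.5.2 UA quoted in the thread."""
    m = FIREFOX_RE.search(ua)
    return m is not None and int(m.group(1)) <= max_major

def summarize(log_text, burst_window=timedelta(minutes=30), burst_size=6):
    """Group suffix hits per source IP; flag bursts (>= burst_size hits inside burst_window)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and has_a0_suffix(rec["path"]):
            hits[rec["ip"]].append(rec)
    report = {}
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        burst = any(recs[i + burst_size - 1]["ts"] - recs[i]["ts"] <= burst_window
                    for i in range(len(recs) - burst_size + 1))
        report[ip] = {"hits": len(recs), "burst": burst,
                      "old_firefox": any(old_firefox(r["ua"]) for r in recs)}
    return report
```

The default burst size of six per half hour mirrors the "six in a row" observation in the thread; lower it (for example `burst_size=3`) when the sample is shorter.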
LEGEND, Aug 03, 2016


Ditto on the "six in a row" attempts.  A block of six approximately every half hour, now.  And, like your situation, most are coming from Russia.  We also see the Baidu search engine.

V/r,

^_^

UPDATE:  We just got our first from Belarus.

New Here, Aug 04, 2016


To anyone looking for the solution, the answer was posted on Stack Overflow on 6th July 2016 here: encoding - Strange URL, contains A=0 or 0=A
