Hello, all,
We've been seeing a lot of the following, recently, in our logs:
http://www.domain.com/getfile.cfm?uuid{a CF uuid}'A=0
When I entered this in my browser, I was presented with a dialogue to open or save "getfile.cfm". My boss was in a bit of a panic, thinking that someone found a way to download our .cfm templates, thusly exposing all of our code.
As it turns out, all it is really getting is the HTML generated on the fly by our CF server. Okay... no more sweating bullets... but, still a concern.
What is the best way to thwart attempts like this (harmless as they are)? I've got form and URL scopes going through both Portcullis and canonicalize(). What else can I do?
Much appreciated.
V/r,
^_^
Four days, and over 40 views, but no one has encountered something like this?
V/r,
^_^
That was likely an innocent visit by a bot. The webserver logs might give you more information. Use robots.txt to control how bots visit your site.
I get these as well quite frequently, and BKBK is right: the IPs are usually Google IPs, so it must be the Google bot doing something.
Found it. It does not appear to be a bot. It does, however, appear to be using a very old browser.
HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
REMOTE_ADDR 95.85.87.13
According to ARIN, the IP belongs to RIPE NCC in Amsterdam. But the record hasn't been updated since 2009???
What do you guys think? Isn't this a bit suspicious? Or am I being overly paranoid? (I'm paid to be paranoid; overly paranoid comes with a premium.)
V/r,
^_^
UPDATE: Further research shows that the IP address belongs to someone in Sankt-Peterburg, ul. Gakkelevskaja (Russia).
The jury is still out. A bot may be configured to fake any browser of choice.
Does your site involve sensitive or confidential information, high traffic, trade or money? Then you need some paranoia. Check whether there were visits from other IPs in the range, 95.85.x.x.
BKBK wrote:
Does your site involve sensitive or confidential information, high traffic, trade or money? Then you need some paranoia. Check whether there were visits from other IPs in the range, 95.85.x.x.
The site, itself, does not contain any of those, or anything along those lines. It's the new public site for USTRANSCOM. If anyone is trying to hack that, it's most likely either A) bored script-kiddies, or B) hackers looking for a gap in the armor and hoping for lateral movement within the network. I'm sure there are more possibilities, but those two are just off the top of my head.
V/r,
^_^
I see these quite regularly and most, maybe all, have nothing to do with scanners. I've seen these for years and panicked when I first started seeing alerts referencing 'A=0. Like you, I have not found a valid explanation in all my googling. My current theory is that this is the result of an encoding error of some sort -- maybe a confused browser.
Well, whether done manually or by automated script, the 'A=0 is intentionally placed at the end of the query string; and it results in the on-the-fly generated HTML from the CF server being offered for save or open in FF or IE, using the serving document name as the name to be saved or opened. It's not coming from any code that I or my team have written. It's most likely someone just testing the waters, seeing what is produced as a result. OR, it could be an automated script to grab pages in HTML that can be saved and re-purposed for someone else's site. Either way, it's still a bit unnerving, esp. given the client that I am working for (USG DoD).
V/r,
^_^
For me, still the same. I get about a half dozen of these a day with one of the sites I monitor. I sure wish I knew where these were coming from, or could at least confirm my encoding suspicion.
I noticed the requests come from really old versions of Firefox / Mozilla. We recently blocked the user agent string for these really old versions and we haven't had any of these requests since. Must just be some bots somewhere using an old build of Firefox to check for websites with holes in.
I get these, too... I know it's been a while since this thread was active. Hopefully with our upgrade this weekend and new encoding for the affected application... they will go away!
I wanted to put some code in the Application.cfc that would look for and remove 'A=0 from all URL parameters, but the boss nixed the idea because it might escalate things if it did turn out to be a hack attempt instead of a bot.
V/r,
^_^
Well... we did our upgrade... I did receive one of these errors on a page last night... googled the IP and it shows up on the anti-hacker-alliance in the Google results... I'm not sure how legit that site is, so I'm not clicking on it. HA!
For now, I think I'll be monitoring and see if anyone else says anything about a way to block... it was Mozilla 5.0.
I work on a government web site - purely informational - no confidential files, etc.
I see this 'hack' almost every day. I have researched the IPs associated with the log entries and discovered that the majority of these are linked back to the Russian Federation, although they sometimes appear to be coming from other countries via open proxies. They always seem to come in waves of six identical queries, attempting to piggy-back on the page numbering system on our site.
IP: 2.62.33.149 - Query: [[p=34'A=0]] - OJSC Rostelecom, Russian Federation - Novosibirsk
IP: 79.173.65.89 - Query: [[p=67'A=0]] - Russian Federation
IP: 94.19.237.172 - Query: [[p=34'A=0]] - Russian Federation
IP: 77.94.56.2 - Query: [[p=67'A=0]] - Belarus
IP: 46.159.45.142 - Query: [p=180'A=0] - Russian Federation
For our site, this hack gives the requester nothing but an empty HTML page - markup, but no content whatsoever.
Not sure what the Russians are looking for but......
M. Patrick
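A defender-side log check for the pattern this thread describes, added here as an example and not code from any poster: it parses constructed Apache combined-format lines (mock IPs, paths and user agents), flags query strings carrying 'A=0 (also URL-encoded as %27A=0), counts hits per client IP so the waves of identical queries stand out, and marks the very old Firefox user agents mentioned above. The threshold OLD_FIREFOX_MAX and the log format are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; the IPs, paths and
# user agents are mock values made up for this example, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:10:01:02 +0000] "GET /getfile.cfm?uuid=ABCD-1234'A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
203.0.113.7 - - [10/Mar/2014:10:01:03 +0000] "GET /getfile.cfm?uuid=ABCD-1234%27A=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
198.51.100.9 - - [10/Mar/2014:10:05:00 +0000] "GET /news.cfm?p=34'A=0&lang=en HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
192.0.2.44 - - [10/Mar/2014:10:06:00 +0000] "GET /news.cfm?p=34 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
192.0.2.44 - - [10/Mar/2014:10:06:01 +0000] "GET /search.cfm?q=what%27s+new HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0"
"""
# One combined log line: client IP, timestamp, request line, status, size, referer, user agent.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The marker seen in the thread: a single quote plus A=0 ending a parameter value.
MARKER = re.compile(r"'A=0(?:&|$)")
FIREFOX_MAJOR = re.compile(r"Firefox/(\d+)")
OLD_FIREFOX_MAX = 10  # assumption: any major version below this counts as "really old"

def parse_line(line):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def has_marker(target):
    """True when the URL-decoded query string carries the 'A=0 marker."""
    _, _, query = target.partition("?")
    return bool(MARKER.search(unquote(query)))

def is_old_firefox(ua):
    m = FIREFOX_MAJOR.search(ua)
    return bool(m) and int(m.group(1)) < OLD_FIREFOX_MAX

def find_hits(log_text):
    """Return one parsed record per request carrying the marker."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and has_marker(rec["target"]):
            rec["old_firefox"] = is_old_firefox(rec["ua"])
            hits.append(rec)
    return hits

def hits_per_ip(hits):
    """Count marker requests per client IP, so waves from one source stand out."""
    return Counter(h["ip"] for h in hits)
```

Feed real access-log text to find_hits and sort hits_per_ip by count to see which sources send the repeated blocks; a legitimate user's apostrophe (the what's search above) is not flagged.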
Ditto on the "six in a row" attempts. A block of six approximately every half hour, now. And, like your situation, most are coming from Russia. We also see the Baidu search engine.
V/r,
^_^
UPDATE: We just got our first from Belarus.
To anyone looking for the solution, the answer was posted on Stack Overflow on 6th July 2016 here: "encoding - Strange URL, contains A=0 or 0=A".