Unexpected characters found in locale in log files

Explorer, Jul 10, 2013

Date | Time | Severity | ThreadID | Application Name
Jul 10, 2013 | 8:17 AM | Warning | jrpp-0 | CFADMIN
Unexpected characters found in locale.

I recently noticed that I am getting this error repeated in my application logs... about 20 times per minute....

Any ideas what is causing this?

Explorer, Jul 11, 2013

Same issue here.  Any info would be appreciated!

New Here, Jul 11, 2013

Ditto CF 9,0,1,274733  patch hf901-00010.jar

New Here, Jul 12, 2013

I'm getting the same thing since July 1st... It seems to correspond with the latest ColdFusion update. Any solution?

Explorer, Aug 25, 2013

Anyone found an answer yet?  I am also just experiencing this after upgrading to CF 10 ENT on IIS 7.5.  Thanks.

Explorer, Sep 05, 2013

Anyone??  Adobe, are you out there?

LEGEND, Sep 05, 2013

Yep, they are "out there", but they are not - as a rule - "in here". If you specifically want a response from Adobe, you need to raise a support ticket with them. Whilst occasionally an Adobe person will post here, I get the impression it is only when the question is one of the ones on their "script". The patrons here are just community members, on the whole.

I've no idea what's causing your issue, but a few things:

* which precise log is this in?

* what locale is your site running under?

* do you have any code which will have non-ASCII characters in it?

* are there any other log entries (if any other logs) made at the same time which might point you at some code that's causing this?

--

Adam

Explorer, Sep 05, 2013

Thanks, Adam.  I was under the impression Adobe support would look at these threads from time to time, but if not, then okay.

To answer your questions:

* This is being written to the application.log.  I see dozens if not hundreds of them in a row, which makes me feel a little bit like someone is trying to hack something.  These groupings show up randomly, there does not seem to be a pattern, and like I said they go on and on, this is just a snippet:

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

* I'm not sure what you mean by what "locale" my site is running under.  This is just normal US version.

* I doubt I have actual ColdFusion code with non-ASCII characters in it (how would that even happen?), but in theory maybe someone (a hacker?) is trying to submit non-ASCII code into one of my forms or URL variables or something?  If so the URLScan utility, among other things, should catch that, but again I'm not too sure.

* In the coldfusion-out.log I see something similar, like this, but I don't think it helps.  Coldfusion-out.log seems to collect just about everything being written to every other log.  No other logs have anything around this time.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

The only other thing I notice, which is what leads me to believe this is some sort of hack attempt, is that peppered in between these "Unexpected characters" groups are a few lines like this:

"Error","ajp-bio-8012-exec-934","09/05/13","07:34:54","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

"Error","ajp-bio-8012-exec-934","09/05/13","07:35:19","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

Thanks for any advice.  Btw, our CFIDE is not exposed to the public (i.e., outside of our firewall).

LEGEND, Sep 06, 2013

David-Smith wrote:

Thanks, Adam.  I was under the impression Adobe support would look at these threads from time to time, but if not, then okay.

They do. But "occasionally" and the people doing so seem to be only first-level support people, so working with mostly canned responses.

* This is being written to the application.log.  I see dozens if not hundreds of them in a row, which makes me feel a little bit like someone is trying to hack something.  These groupings show up randomly, there does not seem to be a pattern, and like I said they go on and on, this is just a snippet:

"Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

OK, what about in your web server logs. Is there a pattern in there of what someone's (trying to ~) browse to?

* I'm not sure what you mean by what "locale" my site is running under.  This is just normal US version.

* I doubt I have actual ColdFusion code with non-ASCII characters in it (how would that even happen?),

Well most of the people in the world live in locales that aren't USA 😉

Obviously one should avoid hard-coded values in code files, but consider this:

<cfset helloWorld = "привет мир">

<cfoutput>#helloWorld#</cfoutput>

It's not uncommon to have non-ASCII characters in source code files.

The only other thing I notice, which is what leads me to believe this is some sort of hack attempt, is that peppered in between these "Unexpected characters" groups are a few lines like this:

"Error","ajp-bio-8012-exec-934","09/05/13","07:34:54","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

"Error","ajp-bio-8012-exec-934","09/05/13","07:35:19","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

Thanks for any advice.  Btw, our CFIDE is not exposed to the public (i.e., outside of our firewall).

On one hand you're saying CFIDE ain't externally exposed... on the other hand that log very clearly demonstrates that URLs within CFIDE are being called. So I think you better check that. You might not be as secure as you think.

Or... this doesn't occur when you yourself are in CFAdmin, does it?


Or do you have code that uses the CFAdminAPI?

--

Adam

Explorer, Sep 06, 2013

Thanks again, Adam.  Yeah, I noticed the canned response stuff.

I have not correlated any of this with my raw IIS logs, but that is a good idea.  Okay, here is what I found in IIS log:

  • 2013-09-05 03:54:10 myIP GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 80 - 89.76.164.243 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 404 0 0 561

  • 2013-09-05 03:54:23 myIP GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 443 - 95.130.9.89 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 404 0 0 405

So this definitely explains the locale business.  A scanner of some kind is setting locale=it (Italy I assume) and while I don't know what this means or why, I can see how perhaps this is causing errors.

That said, both those IPs are NOT internal, quite the contrary, so I have to research and figure out how that is being accessed behind our firewall.  Example: https://www.projecthoneypot.org/ip_95.130.9.89

Looks like my server is returning a 404, so that's good, but still worrisome.

The question remains: what exactly does "Unexpected characters found in locale" mean, and why is it showing up as an error, and why should I care (not a rhetorical question), other than the fact some random IP is able to access my CFIDE?  Thanks!  You've helped set me in the right direction, and perhaps helped me uncover other issues I need to be looking at.

LEGEND, Sep 06, 2013

Don't worry about the specific error message. It's someone trying to hack you on that URL, and they're passing bung data, so the code is erroring.

It's the same as if you had a page expecting a parameter to be numeric and I passed a string: your page might error. This is not a sign of a problem beyond I'm passing the wrong info: garbage in, garbage out.

DO really really worry about the fact your CFIDE is open. This is a serious problem.

--

Adam

Explorer, Sep 17, 2013

More on this, it's a scan for a hack attempt on the patches that were released earlier this year:

xxx.xxx.xxx.xxx GET /CFIDE/adminapi/administrator.cfc method=login&adminpassword=&rdsPasswordAllowed=true 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 404 7 0 5381 227 249

xxx.xxx.xxx.xxx GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 500 0 0 9449 272 405

xxx.xxx.xxx.xxx GET /CFIDE/Administrator/logging/settings.cfm locale=../../../../menu.js%00en 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 200 0 0 9752 215 499

xxx.xxx.xxx.xxx GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 500 0 0 8761 419 405

I took a suggested approach of using a web.config to deny .CFC from being executed by a web browser.  It seems that the first call gives a user direct access to the administrator without having to authenticate (that was one of the fixes)... the rest are followup commands where they try to get access to the file manager and such.

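The log correlation worked through in this thread, as an added example that is not part of any poster's message: a Python triage of IIS W3C log lines that flags requests to the CFIDE admin paths from outside the internal range, plus traversal sequences and encoded null bytes in the query string. The `#Fields` header, the 10.0.0.0/8 internal range, the reason labels and the sample lines (modelled on the requests quoted above, with documentation-range client addresses) are assumptions.

```python
import ipaddress
from urllib.parse import unquote

# Constructed sample in IIS W3C format; requests are modelled on the thread's
# log lines, with documentation-range client addresses substituted.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2013-09-17 03:54:10 10.0.0.5 GET /CFIDE/adminapi/administrator.cfc method=login&adminpassword=&rdsPasswordAllowed=true 80 - 203.0.113.7 Opera+9.50 404
2013-09-17 03:54:11 10.0.0.5 GET /CFIDE/Administrator/logging/settings.cfm locale=../../../../menu.js%00en 80 - 203.0.113.7 Opera+9.50 200
2013-09-17 03:54:12 10.0.0.5 GET /CFIDE/adminapi/customtags/l10n.cfm attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it 80 - 203.0.113.7 Opera+9.50 500
2013-09-17 03:55:00 10.0.0.5 GET /CFIDE/scripts/cfform.js - 80 - 203.0.113.9 Mozilla/5.0 200
2013-09-17 03:56:00 10.0.0.5 GET /CFIDE/administrator/index.cfm - 80 - 10.0.0.20 Mozilla/5.0 200
2013-09-17 03:57:00 10.0.0.5 GET /index.cfm id=4 80 - 203.0.113.9 Mozilla/5.0 200
"""

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: replace with your ranges
SENSITIVE = ("/cfide/adminapi/", "/cfide/administrator/")  # admin paths probed in the thread


def reasons(stem, query, client_ip):
    """Return the list of reasons a request looks like a CFIDE probe (empty if none)."""
    found = []
    decoded = unquote(query)  # turns %00 into a literal NUL, %2e%2e into ..
    external = not any(ipaddress.ip_address(client_ip) in net for net in INTERNAL)
    if external and stem.lower().startswith(SENSITIVE):
        found.append("external-admin-path")
    if "../" in decoded or "..\\" in decoded:
        found.append("path-traversal")
    if "\x00" in decoded:
        found.append("null-byte")
    return found


def triage(log_text):
    """Parse W3C log text using its #Fields header; return (c-ip, stem, status, reasons)."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        why = reasons(row["cs-uri-stem"], row["cs-uri-query"], row["c-ip"])
        if why:
            hits.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"], why))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A status other than 403 or 404 on a flagged line means the web server passed the request on to ColdFusion instead of rejecting it, so those lines deserve attention first.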
Contributor, Sep 18, 2013

I am fairly new to IIS 7, how do you deny .CFC (or any URL/template) from being executed by a browser vs. ColdFusion itself calling it?   For example, I tried using IIS7's built-in Request Filtering where you can put files and directories under the "Hidden Segments" tab to block a browser from accessing "CFIDE" but then that broke all my code where the page itself needs access (think CF's built-in  form validation or anything under ajax/scripts).  Is there another way?

Btw, I noticed the FCKeditor probes, as well.  I just deleted the entire FCKeditor directory from ajax/scripts.  I use the latest CKEditor 4 with CF anyway.  The upgrade is really simple.

Explorer, Sep 18, 2013

Forgive me for not remembering the web address of the blog, but they posted a web.config file to place in the cfide folder.  The contents were something similar to this:

<configuration>
   <system.webServer>
      <security>
         <requestFiltering>
            <!-- block all file extensions except cfm, js, css, html, gif, png and xml -->
            <fileExtensions allowUnlisted="false" applyToWebDAV="true">
               <add fileExtension=".cfm" allowed="true" />
               <add fileExtension=".js" allowed="true" />
               <add fileExtension=".css" allowed="true" />
               <add fileExtension=".html" allowed="true" />
               <add fileExtension=".gif" allowed="true" />
               <add fileExtension=".png" allowed="true" />
               <add fileExtension=".xml" allowed="true" />
            </fileExtensions>
            <!-- hide configuration dir -->
            <hiddenSegments applyToWebDAV="true">
               <add segment="configuration" />
            </hiddenSegments>
            <!-- limit post size to 102400000 bytes (about 100 MB), query string to 256 chars, url to 1024 chars -->
            <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="102400000" />
            <!-- only allow GET,POST verbs -->
            <verbs allowUnlisted="false" applyToWebDAV="true">
               <add verb="GET" allowed="true" />
               <add verb="POST" allowed="true" />
            </verbs>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>

I believe the reasoning is that ColdFusion itself doesn't go through IIS when accessing its own resources within those folders, and only web browsers call through IIS, so blocking with the above web.config provides a patch.

New Here, Nov 29, 2014

Hi ifsteve,  did you or anyone get this resolved by putting the web.config?  I run CF9 on Linux Apache and it seems that whenever I sign in the CFADMIN it's giving that error.  I think it could be me but I am not 100% sure.  The CFIDE is protected so I don't think it's an attack.  This error is driving me crazy.  Any help is appreciated.  Thank you.
