
Unexpected characters found in locale in log files

Jul 10, 2013 5:20 AM

Date | Time | Severity | ThreadID | Application Name
Jul 10, 2013 | 8:17 AM | Warning | jrpp-0 | CFADMIN
Unexpected characters found in locale.

 

I recently noticed that I am getting this error repeated in my application logs... about 20 times per minute....

 

any ideas what is causing this?

 
Replies
    Jul 11, 2013 6:35 AM   in reply to ifsteve

    Same issue here.  Any info would be appreciated!

     
    Jul 11, 2013 8:25 AM   in reply to ifsteve

    Ditto CF 9,0,1,274733  patch hf901-00010.jar

     
    Jul 12, 2013 6:46 AM   in reply to ifsteve

    I'm getting the same thing since July 1st... It seems to correspond with the latest ColdFusion update. Any solution?

     
    Aug 25, 2013 5:33 PM   in reply to ifsteve

    Anyone found an answer yet?  I am also just experiencing this after upgrading to CF 10 ENT on IIS 7.5  Thanks.

     
    Sep 5, 2013 6:49 AM   in reply to ifsteve

    Anyone??  Adobe, are you out there?

     
    Sep 5, 2013 6:58 AM   in reply to David-Smith

    Yep, they are "out there", but they are not - as a rule - "in here". If you specifically want a response from Adobe, you need to raise a support ticket with them. Whilst occasionally an Adobe person will post here, I get the impression it is only when the question is one of the ones on their "script". The patrons here are just community members, on the whole.

     

    I've no idea what's causing your issue, but a few things:

    * which precise log is this in?

    * what locale is your site running under?

    * do you have any code which will have non-ASCII characters in it?

    * are there any other log entries (if any other logs) made at the same time which might point you at some code that's causing this?

     

    --

    Adam

     
    Sep 5, 2013 7:14 AM   in reply to Adam Cameron.

    Thanks, Adam.  I was under the impression Adobe support would look at these threads from time to time, but if not, then okay.

     

    To answer your questions:

     

    * This is being written to the application.log.  I see dozens if not hundreds of them in a row, which makes me feel a little bit like someone is trying to hack something.  These groupings show up randomly, there does not seem to be a pattern, and like I said they go on and on, this is just a snippet:

     

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

     

    * I'm not sure what you mean by what "locale" my site is running under.  This is just normal US version.

    * I doubt I have actual ColdFusion code with non-ASCII characters in it (how would that even happen?), but in theory maybe someone (a hacker?) is trying to submit non-ASCII code into one of my forms or URL variables or something?  If so the URLScan utility, among other things, should catch that, but again I'm not too sure.

    * In the coldfusion-out.log I see something similar, like this, but I don't think it helps.  Coldfusion-out.log seems to collect just about everything being written to every other log.  No other logs have anything around this time.

     

    Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

    Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

    Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

    Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

    Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

    Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

    Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

    Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

     

    The only other thing I notice, which is what leads me to believe this is some sort of hack attempt, is that peppered in between these "Unexpected characters" groups are a few lines like this:

     

    "Error","ajp-bio-8012-exec-934","09/05/13","07:34:54","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

    "Error","ajp-bio-8012-exec-934","09/05/13","07:35:19","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

     

    Thanks for any advice.  Btw, our CFIDE is not exposed to the public (i.e., outside of our firewall).

     
    Sep 6, 2013 1:05 AM   in reply to David-Smith

    David-Smith wrote:

     

    Thanks, Adam.  I was under the impression Adobe support would look at these threads from time to time, but if not, then okay.

     

     

    They do. But "occasionally" and the people doing so seem to be only first-level support people, so working with mostly canned responses.

     

     

     

    * This is being written to the application.log.  I see dozens if not hundreds of them in a row, which makes me feel a little bit like someone is trying to hack something.  These groupings show up randomly, there does not seem to be a pattern, and like I said they go on and on, this is just a snippet:

    "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

     

     

    OK, what about in your web server logs. Is there a pattern in there of what someone's (trying to ~) browse to?

     

     

    * I'm not sure what you mean by what "locale" my site is running under.  This is just normal US version.

    * I doubt I have actual ColdFusion code with non-ASCII characters in it (how would that even happen?),

     

    Well most of the people in the world live in locales that aren't USA ;-)

     

    Obviously one should avoid hard-coded values in code files, but consider this:

     

    <cfset helloWorld = "привет мир">

    <cfoutput>#helloWorld#</cfoutput>

     

    It's not uncommon to have non-ASCII characters in source code files.

     

     

     

    The only other thing I notice, which is what leads me to believe this is some sort of hack attempt, is that peppered in between these "Unexpected characters" groups are a few lines like this:

     

    "Error","ajp-bio-8012-exec-934","09/05/13","07:34:54","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

    "Error","ajp-bio-8012-exec-934","09/05/13","07:35:19","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

     

    Thanks for any advice.  Btw, our CFIDE is not exposed to the public (i.e., outside of our firewall).

     

    On one hand you're saying CFIDE ain't externally exposed... on the other hand that log very clearly demonstrates that URLs within CFIDE are being called. So I think you better check that. You might not be as secure as you think.

     

    Or... this doesn't occur when you yourself are in CFAdmin, does it?


    Or do you have code that uses the CFAdminAPI?

     

    --

    Adam

     
    Sep 6, 2013 7:13 AM   in reply to Adam Cameron.

    Thanks again, Adam.  Yeah, I noticed the canned response stuff

     

    I have not correlated any of this with my raw IIS logs, but that is a good idea.  Okay, here is what I found in IIS log:

     

    • 2013-09-05 03:54:10 myIP GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 80 - 89.76.164.243 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 404 0 0 561

    • 2013-09-05 03:54:23 myIP GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 443 - 95.130.9.89 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 404 0 0 405

     

    So this definitely explains the locale business.  A scanner of some kind is setting locale=it (Italy I assume) and while I don't know what this means or why, I can see how perhaps this is causing errors.

     

    That said, both those IPs are NOT internal, quite the contrary, so I have to research and figure out how that is being accessed behind our firewall.  Example: https://www.projecthoneypot.org/ip_95.130.9.89

     

    Looks like my server is returning a 404, so that's good, but still worrisome.

     

    The question remains: what exactly does "Unexpected characters found in locale" mean, and why is it showing up as an error, and why should I care (not a rhetorical question), other than the fact some random IP is able to access my CFIDE?  Thanks!  You've helped set me in the right direction, and perhaps helped me uncover other issues I need to be looking at
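The correlation worked out in this post, as an added example that is not part of the original thread: a Python script that reads IIS W3C log lines and lists requests under /CFIDE/ that came from non-private client addresses, marking those whose query string carries a `../` sequence. The function name, the fallback field order (used when the log has no `#Fields:` header) and the last two sample rows are assumptions made for the example.

```python
import ipaddress
from urllib.parse import unquote
# Assumption: default W3C field order, as in the two IIS lines quoted in the post.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()

def external_hits(lines, prefix="/cfide/"):
    """Return requests under `prefix` that came from a non-private client IP."""
    fields, hits = DEFAULT_FIELDS, []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):      # honour the log's own header
            fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if line.startswith("#") or len(values) != len(fields):
            continue                         # directive, blank or malformed row
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "")
        if not stem.lower().startswith(prefix):
            continue                         # not under the admin directory
        try:
            client = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue                         # c-ip missing or not an address
        if client.is_private:
            continue                         # internal admin traffic
        query = unquote(row.get("cs-uri-query", ""))   # decode %2e%2e%2f etc.
        hits.append({"when": row.get("date", "") + " " + row.get("time", ""),
                     "client": str(client), "stem": stem, "status": row.get("sc-status"),
                     "traversal": "../" in query or "..\\" in query})
    return hits

# Q, UA, STEM and the first two rows come from the post; the last two rows are constructed.
Q = ("attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm"
     "&attributes.locale=it&attributes.var=it&attributes.jscript=false"
     "&attributes.type=text/html&attributes.charset=UTF-8"
     "&thisTag.executionmode=end&thisTag.generatedContent=htp")
UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50"
STEM = "/CFIDE/adminapi/customtags/l10n.cfm"
SAMPLE = [
    f"2013-09-05 03:54:10 myIP GET {STEM} {Q} 80 - 89.76.164.243 {UA} 404 0 0 561",
    f"2013-09-05 03:54:23 myIP GET {STEM} {Q} 443 - 95.130.9.89 {UA} 404 0 0 405",
    f"2013-09-05 09:12:40 myIP GET /CFIDE/administrator/index.cfm - 443 - 10.0.0.15 {UA} 200 0 0 31",
    f"2013-09-05 09:13:02 myIP GET /index.cfm - 80 - 203.0.113.7 {UA} 200 0 0 15",
]
if __name__ == "__main__":
    print(*external_hits(SAMPLE), sep="\n")
```

Any row this returns means the request reached the web server from outside the private address space, whatever status code was sent back.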

     
    Sep 6, 2013 7:57 AM   in reply to David-Smith

    Don't worry about the specific error message. It's someone trying to hack you on that URL, and they're passing bung data, so the code is erroring.

     

    It's the same as if you had a page expecting a parameter to be numeric and I passed a string: your page might error. This is not a sign of a problem beyond I'm passing the wrong info: garbage in, garbage out.

     

    DO really really worry about the fact your CFIDE is open. This is a serious problem.

     

    --

    Adam

     
    Sep 18, 2013 6:20 AM   in reply to ifsteve

    I am fairly new to IIS 7, how do you deny .CFC (or any URL/template) from being executed by a browser vs. ColdFusion itself calling it?   For example, I tried using IIS7's built-in Request Filtering where you can put files and directories under the "Hidden Segments" tab to block a browser from accessing "CFIDE" but then that broke all my code where the page itself needs access (think CF's built-in  form validation or anything under ajax/scripts).  Is there another way?

     

    Btw, I noticed the FCKeditor probes, as well.  I just deleted the entire FCKeditor directory from ajax/scripts.  I use the latest CKEditor 4 with CF anyway.  The upgrade is really simple.

     