14 Replies. Latest reply: Nov 29, 2014 5:27 PM by jackhuang

    Unexpected characters found in locale in log files

    ifsteve Community Member
      Date          Time     Severity  ThreadID  Application Name
      Jul 10, 2013  8:17 AM  Warning   jrpp-0    CFADMIN
      Unexpected characters found in locale.

       

      I recently noticed that I am getting this error repeated in my application logs... about 20 times per minute....

       

      any ideas what is causing this?

        • 1. Re: Unexpected characters found in locale in log files
          PwrSrg Community Member

          Same issue here.  Any info would be appreciated!

          • 2. Re: Unexpected characters found in locale in log files
            frogstarr78 Community Member

            Ditto CF 9,0,1,274733  patch hf901-00010.jar

            • 3. Re: Unexpected characters found in locale in log files
              BobMei Community Member

              I'm getting the same thing since July 1st... It seems to correspond with the latest ColdFusion update. Any solution?

              • 4. Re: Unexpected characters found in locale in log files
                David-Smith Community Member

                Anyone found an answer yet?  I am also just experiencing this after upgrading to CF 10 ENT on IIS 7.5  Thanks.

                • 5. Re: Unexpected characters found in locale in log files
                  David-Smith Community Member

                  Anyone??  Adobe, are you out there?

                  • 6. Re: Unexpected characters found in locale in log files
                    Adam Cameron. Community Member

                    Yep, they are "out there", but they are not - as a rule - "in here". If you specifically want a response from Adobe, you need to raise a support ticket with them. Whilst occasionally an Adobe person will post here, I get the impression it is only when the question is one of the ones on their "script". The patrons here are just community members, on the whole.

                     

                    I've no idea what's causing your issue, but a few things:

                    * which precise log is this in?

                    * what locale is your site running under?

                    * do you have any code which will have non-ASCII characters in it?

                    * are there any other log entries (if any other logs) made at the same time which might point you at some code that's causing this?

                     

                    --

                    Adam

                    • 7. Re: Unexpected characters found in locale in log files
                      David-Smith Community Member

                      Thanks, Adam.  I was under the impression Adobe support would look at these threads from time to time, but if not, then okay.

                       

                      To answer your questions:

                       

                      * This is being written to the application.log.  I see dozens if not hundreds of them in a row, which makes me feel a little bit like someone is trying to hack something.  These groupings show up randomly, there does not seem to be a pattern, and like I said they go on and on, this is just a snippet:

                       

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                      "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                       

                      * I'm not sure what you mean by what "locale" my site is running under.  This is just normal US version.

                      * I doubt I have actual ColdFusion code with non-ASCII characters in it (how would that even happen?), but in theory maybe someone (a hacker?) is trying to submit non-ASCII code into one of my forms or URL variables or something?  If so the URLScan utility, among other things, should catch that, but again I'm not too sure.

                      * In the coldfusion-out.log I see something similar, like this, but I don't think it helps.  Coldfusion-out.log seems to collect just about everything being written to every other log.  No other logs have anything around this time.

                       

                      Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

                      Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

                      Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

                      Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

                      Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

                      Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

                      Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

                      Sep 5, 2013 07:56:53 AM Warning [ajp-bio-8012-exec-887] - Unexpected characters found in locale.

                       

                      The only other thing I notice, which is what leads me to believe this is some sort of hack attempt, is that peppered in between these "Unexpected characters" groups are a few lines like this:

                       

                      "Error","ajp-bio-8012-exec-934","09/05/13","07:34:54","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

                      "Error","ajp-bio-8012-exec-934","09/05/13","07:35:19","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

                       

                      Thanks for any advice.  Btw, our CFIDE is not exposed to the public (i.e., outside of our firewall).

                      • 8. Re: Unexpected characters found in locale in log files
                        Adam Cameron. Community Member

                        David-Smith wrote:

                         

                        Thanks, Adam.  I was under the impression Adobe support would look at these threads from time to time, but if not, then okay.

                         

                         

                        They do. But "occasionally" and the people doing so seem to be only first-level support people, so working with mostly canned responses.

                         

                         

                         

                        * This is being written to the application.log.  I see dozens if not hundreds of them in a row, which makes me feel a little bit like someone is trying to hack something.  These groupings show up randomly, there does not seem to be a pattern, and like I said they go on and on, this is just a snippet:

                         

                        "Warning","ajp-bio-8012-exec-887","09/05/13","07:56:53","CFADMIN","Unexpected characters found in locale."

                         

                         

                        OK, what about in your web server logs. Is there a pattern in there of what someone's (trying to ~) browse to?

                         

                         

                        * I'm not sure what you mean by what "locale" my site is running under.  This is just normal US version.

                        * I doubt I have actual ColdFusion code with non-ASCII characters in it (how would that even happen?),

                         

                        Well most of the people in the world live in locales that aren't USA ;-)

                         

                        Obviously one should avoid hard-coded values in code files, but consider this:

                         

                        <cfset helloWorld = "привет мир">

                        <cfoutput>#helloWorld#</cfoutput>

                         

                        It's not uncommon to have non-ASCII characters in source code files.

                         

                         

                         

                        The only other thing I notice, which is what leads me to believe this is some sort of hack attempt, is that peppered in between these "Unexpected characters" groups are a few lines like this:

                         

                        "Error","ajp-bio-8012-exec-934","09/05/13","07:34:54","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

                        "Error","ajp-bio-8012-exec-934","09/05/13","07:35:19","cfadmin","Element JSCRIPT is undefined in ATTRIBUTES. The specific sequence of files included or processed is: C:\ColdFusion10\cfusion\wwwroot\CFIDE\adminapi\customtags\l10n.cfm, line: 129 "

                         

                        Thanks for any advice.  Btw, our CFIDE is not exposed to the public (i.e., outside of our firewall).

                         

                        On one hand you're saying CFIDE ain't externally exposed... on the other hand that log very clearly demonstrates that URLs within CFIDE are being called. So I think you better check that. You might not be as secure as you think.

                         

                        Or... this doesn't occur when you yourself are in CFAdmin, does it?


                        Or do you have code that uses the CFAdminAPI?

                         

                        --

                        Adam

                        • 9. Re: Unexpected characters found in locale in log files
                          David-Smith Community Member

                          Thanks again, Adam.  Yeah, I noticed the canned response stuff

                           

                          I have not correlated any of this with my raw IIS logs, but that is a good idea.  Okay, here is what I found in IIS log:

                           

                          • 2013-09-05 03:54:10 myIP GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 80 - 89.76.164.243 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 404 0 0 561

                           

                          • 2013-09-05 03:54:23 myIP GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 443 - 95.130.9.89 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 404 0 0 405

                           

                          So this definitely explains the locale business.  A scanner of some kind is setting locale=it (Italy I assume) and while I don't know what this means or why, I can see how perhaps this is causing errors.

                           

                          That said, both those IPs are NOT internal, quite the contrary, so I have to research and figure out how that is being accessed behind our firewall.  Example: https://www.projecthoneypot.org/ip_95.130.9.89

                           

                          Looks like my server is returning a 404, so that's good, but still worrisome.

                           

                          The question remains: what exactly does "Unexpected characters found in locale" mean, and why is it showing up as an error, and why should I care (not a rhetorical question), other than the fact some random IP is able to access my CFIDE?  Thanks!  You've helped set me in the right direction, and perhaps helped me uncover other issues I need to be looking at

                          • 10. Re: Unexpected characters found in locale in log files
                            Adam Cameron. Community Member

                            Don't worry about the specific error message. It's someone trying to hack you on that URL, and they're passing bung data, so the code is erroring.

                             

                            It's the same as if you had a page expecting a parameter to be numeric and I passed a string: your page might error. This is not a sign of a problem beyond I'm passing the wrong info: garbage in, garbage out.

                             

                            DO really really worry about the fact your CFIDE is open. This is a serious problem.

                             

                            --

                            Adam

                            • 11. Re: Unexpected characters found in locale in log files
                              ifsteve Community Member

                              More on this, it's a scan for a hack attempt on the patches that were released earlier this year:

                               

                              xxx.xxx.xxx.xxx GET /CFIDE/adminapi/administrator.cfc method=login&adminpassword=&rdsPasswordAllowed=true 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 404 7 0 5381 227 249

                               

                              xxx.xxx.xxx.xxx GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/connector.cfm Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 500 0 0 9449 272 405

                               

                              xxx.xxx.xxx.xxx GET /CFIDE/Administrator/logging/settings.cfm locale=../../../../menu.js%00en 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 200 0 0 9752 215 499

                               

                              xxx.xxx.xxx.xxx GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 500 0 0 8761 419 405

                               

                              I took a suggested approach of using a web.config to deny .CFC from being executed by a web browser.  It seems that the first call gives a user direct access to the administrator without having to authenticate (that was one of the fixes)... the rest are followup commands where they try to get access to the file manager and such.
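An added example, not part of any post in this thread: one way to run the check discussed above over an IIS W3C log, flagging requests from outside the internal network that reached /CFIDE, and marking those carrying `../` or `%00` in the query string or that the server did not answer with a 4xx. The sample log is constructed (documentation-range client addresses), and the internal ranges, field layout and function names are assumptions to adapt.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in IIS W3C format, modelled on the lines quoted in this thread.
# Client addresses are documentation-range placeholders, not the ones from the posts.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-09-05 03:54:10 10.0.0.10 GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it 80 - 203.0.113.7 Mozilla/4.0+(compatible) 404 0 0 561
2013-09-05 03:54:23 10.0.0.10 GET /CFIDE/Administrator/logging/settings.cfm locale=../../../../menu.js%00en 80 - 203.0.113.7 Mozilla/4.0+(compatible) 200 0 0 499
2013-09-05 03:55:02 10.0.0.10 GET /CFIDE/scripts/cfform.js - 80 - 10.0.0.25 Mozilla/5.0 200 0 0 15
2013-09-05 03:55:40 10.0.0.10 GET /index.cfm id=12 80 - 198.51.100.9 Mozilla/5.0 200 0 0 31
"""

# Assumption: these ranges are "inside the firewall"; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(req):
    """Return the reasons a request deserves attention (empty list if none)."""
    if not req["cs-uri-stem"].lower().startswith("/cfide/"):
        return []
    if not is_external(req["c-ip"]):
        return []
    reasons = ["external client reached /CFIDE"]
    query = unquote(req["cs-uri-query"])  # decode %2e, %00 and similar first
    if "../" in query or "..\\" in query:
        reasons.append("directory traversal sequence in query string")
    if "\x00" in query:
        reasons.append("encoded null byte in query string")
    # A 200 or 500 means the request got as far as ColdFusion code.
    if not req["sc-status"].startswith("4"):
        reasons.append("server did not reject it (status %s)" % req["sc-status"])
    return reasons

def summarize(text):
    """Group flagged requests by client IP: {ip: [(stem, status, reasons), ...]}."""
    report = defaultdict(list)
    for req in parse_w3c(text):
        reasons = classify(req)
        if reasons:
            report[req["c-ip"]].append((req["cs-uri-stem"], req["sc-status"], reasons))
    return dict(report)

if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE_LOG).items():
        for stem, status, reasons in hits:
            print(ip, status, stem, "; ".join(reasons))
```

Because the column names come from the `#Fields:` line, the same code handles logs with extra columns such as `cs-version` or `cs(Referer)`, as in the second set of lines quoted in this thread.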

                              • 12. Re: Unexpected characters found in locale in log files
                                DCwebGuy Community Member

                                I am fairly new to IIS 7, how do you deny .CFC (or any URL/template) from being executed by a browser vs. ColdFusion itself calling it?   For example, I tried using IIS7's built-in Request Filtering where you can put files and directories under the "Hidden Segments" tab to block a browser from accessing "CFIDE" but then that broke all my code where the page itself needs access (think CF's built-in  form validation or anything under ajax/scripts).  Is there another way?

                                 

                                Btw, I noticed the FCKeditor probes, as well.  I just deleted the entire FCKeditor directory from ajax/scripts.  I use the latest CKEditor 4 with CF anyway.  The upgrade is really simple.

                                • 13. Re: Unexpected characters found in locale in log files
                                  ifsteve Community Member

                                  Forgive me for not remembering the web address of the blog, but they posted a web.config file to place in the cfide folder.  The contents were something similar to this:

                                   

                                  <configuration>

                                     <system.webServer>

                                        <security>

                                           <requestFiltering>

                                              <!-- block all file extensions except cfm,js,css,html, gif png and xml -->

                                              <fileExtensions allowUnlisted="false" applyToWebDAV="true">

                                                 <add fileExtension=".cfm" allowed="true" />

                                                 <add fileExtension=".js" allowed="true" />

                                                 <add fileExtension=".css" allowed="true" />

                                                 <add fileExtension=".html" allowed="true" />

                                                 <add fileExtension=".gif" allowed="true" />

                                                 <add fileExtension=".png" allowed="true" />

                                                 <add fileExtension=".xml" allowed="true" />

                                              </fileExtensions>

                                              <!-- hide configuration dir -->

                                              <hiddenSegments applyToWebDAV="true">

                                                 <add segment="configuration" />

                                              </hiddenSegments>

                                              <!-- limit post size, query string to 256 chars, url to 1024 chars; maxAllowedContentLength is in bytes, so 102400000 is roughly 100 MB (10 MB would be 10485760) -->

                                              <requestLimits maxQueryString="256" maxUrl="1024" maxAllowedContentLength="102400000" />

                                              <!-- only allow GET,POST verbs -->

                                              <verbs allowUnlisted="false" applyToWebDAV="true">

                                                 <add verb="GET" allowed="true" />

                                                 <add verb="POST" allowed="true" />

                                              </verbs>

                                           </requestFiltering>

                                        </security>

                                     </system.webServer>

                                  </configuration>

                                   

                                  I believe the reasoning is that ColdFusion itself doesn't go through IIS when accessing its own resources within those folders, and only web browsers call through IIS, so blocking with the above web.config provides a patch.

                                  • 14. Re: Unexpected characters found in locale in log files
                                    jackhuang Community Member

                                    Hi ifsteve,  did you or anyone get this resolved by putting the web.config?  I run CF9 on Linux Apache and it seems that whenever I sign in the CFADMIN it's giving that error.  I think it could be me but I am not 100% sure.  The CFIDE is protected so I don't think it's an attack.  This error is driving me crazy.  Any help is appreciated.  Thank you.