17 Replies Latest reply on Aug 4, 2016 2:44 PM by DJDavid98

    'A=0 - hack attempt??

    WolfShade Level 4

      Hello, all,


      We've been seeing a lot of the following, recently, in our logs:


      http://www.domain.com/getfile.cfm?uuid{a CF uuid}'A=0


      When I entered this in my browser, I was presented with a dialogue to open or save "getfile.cfm".  My boss was in a bit of a panic, thinking that someone found a way to download our .cfm templates, thusly exposing all of our code.


      As it turns out, all it is really getting is the HTML generated on the fly by our CF server.  Okay.. no more sweating bullets.. but, still a concern.


      What is the best way to thwart attempts like this (harmless as they are)?  I've got form and URL scopes going through both Portcullis and canonicalize().  What else can I do?


      Much appreciated.


      V/r,


      ^_^

        • 1. Re: 'A=0 - hack attempt??
          WolfShade Level 4

          Four days, and over 40 views, but no one has encountered something like this?


          V/r,


          ^_^

          • 2. Re: 'A=0 - hack attempt??
            BKBK Adobe Community Professional & MVP

            That was likely an innocent visit by a bot. The webserver logs might give you more information. Use robots.txt to control how bots visit your site.

            • 3. Re: 'A=0 - hack attempt??
              haxtbh Level 4

              I get these as well quite frequently and BKBK is right, the IPs are usually Google IPs, so it must be the google bot doing something.

              1 person found this helpful
              • 4. Re: 'A=0 - hack attempt??
                WolfShade Level 4

                Hi, BKBK and haxtbh, thanks for replying.


                I'm trying to find the email that my boss forwarded to me that contained the pertinent information.  I'll check the IP addresses; hopefully it's just a bot.  Normally I look at the user-agent info, but I'm drawing a blank on this one.


                V/r,


                ^_^

                • 5. Re: 'A=0 - hack attempt??
                  WolfShade Level 4

                  Found it.  It does not appear to be a bot.  It does, however, appear to be using a very old browser.


                  HTTP_USER_AGENT Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
                  REMOTE_ADDR 95.85.87.13

                  According to ARIN, the IP belongs to RIPE NCC in Amsterdam.  But the record hasn't been updated since 2009???


                  What do you guys think?  Isn't this a bit suspicious?  Or am I being overly paranoid?  (I'm paid to be paranoid; overly paranoid comes with a premium.)


                  V/r,


                  ^_^


                  UPDATE: Further research shows that the IP address belongs to someone in Sankt-Peterburg, ul. Gakkelevskaja (Russia).

                  • 6. Re: 'A=0 - hack attempt??
                    BKBK Adobe Community Professional & MVP

                    The jury is still out. A bot may be configured to fake any browser of choice.


                    Does your site involve sensitive or confidential information, high traffic, trade or money? Then you need some paranoia. Check whether there were visits from other IPs in the range, 95.85.x.x.

                    • 7. Re: 'A=0 - hack attempt??
                      WolfShade Level 4

                      BKBK wrote:


                      Does your site involve sensitive or confidential information, high traffic, trade or money? Then you need some paranoia. Check whether there were visits from other IPs in the range, 95.85.x.x.

                      The site, itself, does not contain any of those, or anything along those lines.  It's the new public site for USTRANSCOM.  If anyone is trying to hack that, it's most likely either A) bored script-kiddies, or B) hackers looking for a gap in the armor and hoping for lateral movement within the network.  I'm sure there are more possibilities, but those two are just off the top of my head.


                      V/r,


                      ^_^

                      • 8. Re: 'A=0 - hack attempt??
                        Steve Sommers Level 4

                        I see these quite regularly and most, maybe all, have nothing to do with scanners. I've seen these for years and panicked when I first started seeing alerts referencing 'A=0. Like you, I have not found a valid explanation in all my googling. My current theory is that this is the result of an encoding error of some sort -- maybe a confused browser.

                        1 person found this helpful
                        • 9. Re: 'A=0 - hack attempt??
                          WolfShade Level 4

                          Well, whether done manually or by automated script, the 'A=0 is intentionally placed at the end of the query string; and it results in the on-the-fly generated HTML from the CF server being offered for save or open in FF or IE, using the serving document name as the name to be saved or opened.  It's not coming from any code that I or my team have written.  It's most likely someone just testing the waters, seeing what is produced as a result.  OR, it could be an automated script to grab pages in HTML that can be saved and re-purposed for someone else's site.  Either way, it's still a bit unnerving, esp. given the client that I am working for (USG DoD).


                          V/r,


                          ^_^

                          • 10. Re: 'A=0 - hack attempt??
                            Steve Sommers Level 4

                            For me, still the same. I get about a half dozen of these a day with one of the sites I monitor. I sure wish I knew where these were coming from or at least confirm my encoding suspicion.

                            • 11. Re: 'A=0 - hack attempt??
                              haxtbh Level 4

                              I noticed the requests come from really old versions of Firefox / Mozilla. We recently blocked the user agent string for these really old versions and we haven't had any of these requests since. Must just be some bots somewhere using an old build of Firefox to check for websites with holes in.

                              1 person found this helpful
                              • 12. Re: 'A=0 - hack attempt??
                                lora3677

                                I get these, too... I know it's been a while since this thread was active. Hopefully with our upgrade this weekend and new encoding for the affected application... they will go away!

                                • 13. Re: 'A=0 - hack attempt??
                                  WolfShade Level 4

                                  I wanted to put some code in the application.cfc that would look for and remove 'A=0 from all URL parameters, but the boss nixed the idea because it might escalate things if it did turn out to be a hack attempt instead of a bot.


                                  V/r,


                                  ^_^

                                  • 14. Re: 'A=0 - hack attempt??
                                    lora3677 Level 1

                                    Well... we did our upgrade... I did receive one of these errors on a page last night... Googled the IP and it shows up on the anti-hacker-alliance in the Google results... I'm not sure how legit that site is, so I'm not clicking on it. HA!


                                    For now, I think I'll be monitoring and see if anyone else says anything about a way to block... it was Mozilla 5.0

                                    • 15. Re: 'A=0 - hack attempt??
                                      m.patrick40759440

                                      I work on a government web site - purely informational - no confidential files, etc.

                                      I see this 'hack' almost every day.  I have researched the IPs associated with the log entries and discovered that the majority of these are linked back to the Russian Federation, although they sometimes appear to be coming from other countries via open proxies. They always seem to come in waves of six identical queries, attempting to piggy-back on the page numbering system on our site.


                                      IP: 2.62.33.149 - Query: [[p=34'A=0]] - OJSC Rostelecom, Russian Federation - Novosibirsk

                                      IP: 79.173.65.89 - Query: [[p=67'A=0]] - Russian Federation

                                      IP: 94.19.237.172 - Query: [[p=34'A=0]] - Russian Federation

                                      IP: 77.94.56.2 - Query: [[p=67'A=0]] - Belarus

                                      IP: 46.159.45.142 - Query: [p=180'A=0] - Russian Federation


                                      For our site, this hack gives the requester nothing but an empty HTML page - markup, but no content whatsoever.

                                      Not sure what the Russians are looking for but......


                                      M. Patrick

                                      • 16. Re: 'A=0 - hack attempt??
                                        WolfShade Level 4

                                        Ditto on the "six in a row" attempts.  A block of six approximately every half hour, now.  And, like your situation, most are coming from Russia.  We also see the Baidu search engine.


                                        V/r,


                                        ^_^


                                        UPDATE: We just got our first from Belarus.
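
Editor's added example (not code from the thread or from any of the posters) showing how the pattern the replies above describe can be pulled out of web server logs on the monitoring side: it parses Apache combined-format lines, flags query values that carry 'A=0 (raw or %27-encoded), and reports clients that sent a wave of six such requests inside a time window, as m.patrick and WolfShade observed. The log lines, the UUID value and the third client IP are constructed samples; the combined log format and the six-per-window threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache "combined" log format; the path group keeps the raw query string for later decoding.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PROBE_RE = re.compile(r"'A=0(?:&|$)")  # the marker from the thread, glued onto a query value

# Constructed sample lines (not real log data): a burst of six from one client, one single
# probe from another client, and one ordinary request that must not be flagged.
OLD_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2"
SAMPLE_LOG = [
    '95.85.87.13 - - [04/Aug/2016:10:00:0%d +0000] "GET /getfile.cfm?uuid=ABC-123%%27A=0 HTTP/1.1"'
    ' 200 812 "-" "%s"' % (i, OLD_UA) for i in range(6)
] + [
    '2.62.33.149 - - [04/Aug/2016:10:31:00 +0000] "GET /news.cfm?p=34\'A=0 HTTP/1.1" 200 0 "-" "%s"' % OLD_UA,
    '10.1.2.3 - - [04/Aug/2016:10:31:05 +0000] "GET /news.cfm?p=34 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/47.0"',
]

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = entry["path"].partition("?")
    entry["path"], entry["query"] = path, unquote(query)  # %27A=0 and 'A=0 both decode to 'A=0
    return entry

def find_probes(lines):
    """Return the parsed entries whose query string carries the 'A=0 marker."""
    return [e for e in map(parse_line, lines) if e and PROBE_RE.search(e["query"])]

def bursts_by_ip(entries, min_hits=6, window_s=1800):
    """Map client IP -> total probe count for clients that sent min_hits probes within window_s seconds."""
    stamps_by_ip = defaultdict(list)
    for e in entries:
        stamps_by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - min_hits + 1):  # sliding window over consecutive probes
            if (stamps[i + min_hits - 1] - stamps[i]).total_seconds() <= window_s:
                bursts[ip] = len(stamps)
                break
    return bursts
```

Feeding real log lines through find_probes and then bursts_by_ip gives the per-client picture the thread was assembling by hand (which IPs, how many in a wave), and the user-agent field is kept on each entry so the old-Firefox signature can be checked in the same pass.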

                                        • 17. Re: 'A=0 - hack attempt??
                                          DJDavid98

                                          To anyone looking for the solution the answer was posted on Stack Overflow on 6th July 2016 here: encoding - Strange URL, contains A=0 or 0=A