GbPlugin

W. Andrew Loe III andrew at andrewloe.com
Fri May 7 21:15:12 MSD 2010


This user agent is able to create a bad request for image assets that
is bypassing nginx. We are seeing these odd requests in our Rails
application (via Passenger), but they should either be 400s or serve
valid images. A quick Google search turns up some interesting history
on this User-Agent; it seems that it has been compromised by some
Brazilian malware authors.

Here is an example exception from our application; does anyone see
anything strange? If I attempt to hit that URL in a standard browser I
get an image. I do not see an accepts header; perhaps this is why
nginx is passing the request on?

A ActionController::RoutingError occurred in application#index:

 No route matches "/images/ajax-loader.gif" with
{:subdomain=>"macchiato-assets2", :method=>:get,
:domain=>"onehub.com", :host=>"macchiato-assets2.onehub.com"}
 [RAILS_ROOT]/vendor/rails/actionpack/lib/action_controller/routing/recognition_optimisation.rb:66:in
`recognize_path'

-------------------------------
Request:
-------------------------------

 * URL       : http://macchiato-assets2.onehub.com/images/ajax-loader.gif?1273194370
 * IP address: 200.204.143.221
 * Parameters: {"1273194370"=>nil}
 * Rails root: /data/onehub/deploy_1

-------------------------------
Session:
-------------------------------

 * session id: nil
 * data: nil

-------------------------------
Environment:
-------------------------------

 * CONTENT_LENGTH                              : 0
 * DOCUMENT_ROOT                               : /data/onehub/current/public
 * HTTP_CACHE_CONTROL                          : no-cache
 * HTTP_CONNECTION                             : keep-alive
 * HTTP_COOKIE                                 :
_onehub_session_id=<snip>; remember_me=1
 * HTTP_HOST                                   : macchiato-assets2.onehub.com
 * HTTP_USER_AGENT                             : GbPlugin
 * HTTP_X_FORWARDED_FOR                        : 200.204.143.221
 * PASSENGER_APP_SPAWNER_IDLE_TIME             : -1
 * PASSENGER_APP_TYPE                          : rails
 * PASSENGER_ENVIRONMENT                       : production
 * PASSENGER_FRAMEWORK_SPAWNER_IDLE_TIME       : -1
 * PASSENGER_SPAWN_METHOD                      : smart-lv2
 * PASSENGER_USE_GLOBAL_QUEUE                  : true
 * PATH_INFO                                   :
/images/ajax-loader.gif?1273194370
 * QUERY_STRING                                :
 * RAW_REQUEST_URI                             :
/images/ajax%2Dloader.gif%3F1273194370
 * REMOTE_ADDR                                 : 10.250.18.33
 * REMOTE_PORT                                 : 48252
 * REQUEST_METHOD                              : GET
 * REQUEST_URI                                 :
/images/ajax-loader.gif?1273194370
 * SCGI                                        : 1
 * SCRIPT_NAME                                 :
 * SERVER_ADDR                                 : 10.250.182.80
 * SERVER_NAME                                 : 10.250.182.80
 * SERVER_PORT                                 : 80
 * SERVER_PROTOCOL                             : HTTP/1.1
 * SERVER_SOFTWARE                             : nginx/0.7.65
 * _                                           : _
 * action_controller.request.path_parameters   :
 * action_controller.request.query_parameters  : 1273194370
 * action_controller.request.request_parameters:
 * action_controller.rescue.request            :
#<ActionController::Request:0x10175510>
 * action_controller.rescue.response           :
#<ActionController::Response:0x101678e8>
 * rack.errors                                 : #<IO:0x98afe18>
 * rack.input                                  :
#<PhusionPassenger::Utils::RewindableInput:0x10175ab0>
 * rack.multiprocess                           : true
 * rack.multithread                            : false
 * rack.request.cookie_hash                    :
 * rack.request.cookie_string                  :
_onehub_session_id=<snip>; remember_me=1
 * rack.request.query_hash                     : 1273194370
 * rack.request.query_string                   : 1273194370
 * rack.run_once                               : false
 * rack.session                                :
 * rack.session.options                        : <snip>
 * rack.url_scheme                             : http
 * rack.version                                : 10

 * Process: 27543
 * Server : ip-10-250-182-80
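
Added example, not part of the original post: in the dump above, RAW_REQUEST_URI carries the `?` as `%3F` and the `-` as `%2D`, QUERY_STRING is empty, and PATH_INFO ends in `?1273194370`, so the cache-buster arrives as part of the file name rather than as a query. The Ruby sketch below flags request targets with that shape for logging or rejection; the function and field names are hypothetical, and the sample targets are constructed from the values in the dump.

```ruby
# Added example (not from the original post). All names here are hypothetical.
# Flags request targets whose path hides a percent-encoded "?" or needlessly
# escapes characters that never require escaping (RFC 3986 "unreserved").
UNRESERVED = /\A[A-Za-z0-9\-._~]\z/

# Percent-decode without treating "+" as a space (this is a path, not a form).
def pct_decode(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

def inspect_request_target(raw_uri)
  # Only a literal "?" separates path from query; "%3F" is path data.
  raw_path, raw_query = raw_uri.split("?", 2)
  raw_path ||= ""
  escapes  = raw_path.scan(/%[0-9A-Fa-f]{2}/)
  needless = escapes.select { |e| pct_decode(e) =~ UNRESERVED }
  hidden_q = raw_path.match?(/%3F/i)
  {
    path: pct_decode(raw_path),          # what a file lookup would see
    query: raw_query,                    # nil when no literal "?" was sent
    encoded_delimiter: hidden_q,
    needless_escapes: needless.map(&:upcase).uniq,
    suspicious: hidden_q || !needless.empty?
  }
end

# Constructed samples: the RAW_REQUEST_URI from the dump, and the same
# resource requested the way a standard browser would send it.
SAMPLES = [
  "/images/ajax%2Dloader.gif%3F1273194370",
  "/images/ajax-loader.gif?1273194370"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |target|
    r = inspect_request_target(target)
    puts format("%-42s path=%-36s query=%-12s suspicious=%s",
                target, r[:path], r[:query].inspect, r[:suspicious])
  end
end
```

For the first sample the decoded path is `/images/ajax-loader.gif?1273194370` with no query, which matches PATH_INFO and QUERY_STRING in the exception; the second splits into the plain file name and a query.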


