Security Question - Is someone trying to hack my site?


Casey Li

Apr 16, 2013, 10:23:09 AM
to ogre...@googlegroups.com
Hey everybody,

So when I got started with Rails a couple of years ago, I created this Open Mic community website called Capo.
I've since made it open source:


You can see the actual app running at www.capoapp.ca.

Anyway - recently, I've been seeing a lot of weird activity on the site, and I'm wondering if anybody can think of what's happening.
I'm suspecting foul play - but I am the farthest thing from a security expert, so I'm wondering if anybody can weigh in on this.

Here's what's happening.

I have a resource called Open Mic.
Its "New" page is public, and can be seen here, http://www.capoapp.ca/open_mics/new
Regular users can create an open mic with all the fields except for "Published", which is reserved for admin users.

Basically - it allows people to submit open mics, and then admin users go in and publish them.
When published, the data is then used on the show page like this, http://www.capoapp.ca/open_mics/1

I haven't really been doing anything with the site, but recently, there's been an unusual amount of gibberish submissions for open_mics.
So I started browsing the data, and although I can't exactly tell what - it looks like someone might be trying to hack my site. Gibberish always seems to signal that.

Most of the fields are filled out with just gibberish, but the Postal Code field seems to have some URLs.
For example, one entry has this Postal Code:
"pncqfdbqpbqq, <a href="http://www.lvjfmyzfrp.com">plbsdizfgt</a> , [url=http://www.bzauwbnulf.com]ybcaxbcupe[/url], http://www.vjouswgaos.com plbsdizfgt"

Now, here's the way I see it:

1) Either someone is just trying out the website to see what it can do
2) Someone is actively trying to create some malicious attack on my site
3) Someone is running a bot that is submitting open mics

The only thing I can think of right now is adding a CAPTCHA check.

But I was wondering if anybody has any insight as to what someone might be trying to do. I don't recognize the attack, if it is one.
I'm not particularly worried because 1) all my presentation of the data is escaped, since I'm using ERB to present my data, and 2) I'm not publishing any of these entries.

I just thought I'd post because it would be very interesting to learn about some of these malicious attacks.

Thanks.

   -cli23 

Christopher Saunders

Apr 16, 2013, 10:54:37 AM
to ogre...@googlegroups.com
Someone probably is. It could be attempts to do SQL injection, though from what I'm seeing I'd say it's closer to someone trying to pull off CSRF/XSS.

If you want, I'd say set up a whitelist of permitted HTML (it could even be empty), then just sanitize your input (for XSS).

As long as you aren't directly interpreting user input via SQL, you should be fine on that front. I'm pretty sure Rails comes with some decent SQL injection protection.



--
--
You received this message because you are subscribed to the Ottawa Group of Ruby Enthusiasts [OGRE].
To post to this group, send email to ogre...@googlegroups.com
To unsubscribe from this group, send email to
ogre-list+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/ogre-list?hl=en
--
Christopher Saunders
http://christophersaunders.ca/
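The "whitelist of permitted HTML, possibly empty" idea in plain Ruby, as an added example that is not code from the thread or from the Capo project. It strips every tag not on the whitelist (and strips attributes from the tags it keeps), flags link/markup spam in a field that should never contain any, and checks the Postal Code field against the Canadian A1A 1A1 format; the Canadian-format assumption and all function names are mine. The sample value is the entry Casey quoted in the thread.

```ruby
# HTML tags a regular user may submit. Empty means "no HTML at all", which is
# the right default for fields like name, address and postal code.
ALLOWED_TAGS = [].freeze

# Matches an opening or closing tag; captures the slash and the tag name.
TAG_RE = %r{<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>}

# Drop every tag not on the whitelist. Whitelisted tags survive with their
# attributes removed, so an allowed <a> cannot smuggle in onclick= or
# href="javascript:...". (Regexp-based; see the note below about Rails' sanitize.)
def sanitize_html(input, allowed: ALLOWED_TAGS)
  input.to_s.gsub(TAG_RE) do
    closing, name = $1, $2.downcase
    allowed.include?(name) ? "<#{closing}#{name}>" : ''
  end
end

# Cheap spam signals for a field that should never contain markup or links:
# an HTML anchor, BBCode [url=...], or a bare http(s) URL.
SPAM_MARKERS = [/<\s*a\b/i, /\[url=/i, %r{https?://}i].freeze

def looks_like_link_spam?(value)
  SPAM_MARKERS.any? { |re| value.to_s.match?(re) }
end

# Assumption: Capo is a Canadian site, so a postal code is letter-digit-letter,
# optional space, digit-letter-digit (e.g. K1A 0B1).
POSTAL_CODE_RE = /\A[A-Za-z]\d[A-Za-z] ?\d[A-Za-z]\d\z/

def valid_postal_code?(value)
  POSTAL_CODE_RE.match?(value.to_s.strip)
end

# Reasons to reject a submitted postal code; empty array means accept.
# In a Rails model this is what a custom validation would add to errors[:postal_code].
def postal_code_problems(value)
  problems = []
  problems << 'contains HTML or link markup' if looks_like_link_spam?(value)
  problems << 'not a valid postal code' unless valid_postal_code?(value)
  problems
end

# The Postal Code value quoted in the thread (spam domains left as quoted there).
SPAM_POSTAL_CODE = 'pncqfdbqpbqq, <a href="http://www.lvjfmyzfrp.com">plbsdizfgt</a> , ' \
                   '[url=http://www.bzauwbnulf.com]ybcaxbcupe[/url], http://www.vjouswgaos.com plbsdizfgt'

if __FILE__ == $PROGRAM_NAME
  puts sanitize_html(SPAM_POSTAL_CODE)          # anchor tags gone, BBCode and bare URL remain
  p postal_code_problems(SPAM_POSTAL_CODE)      # two problems
  p postal_code_problems('K1A 0B1')             # []
end
```

Two design notes. First, tag stripping alone is not enough for this site: the `[url=...]` BBCode and the bare URL survive `sanitize_html`, so the field-level checks (`looks_like_link_spam?`, `valid_postal_code?`) are what actually reject the submission, and they also give admins a clear reason in the error list. Second, a regexp sanitizer is a teaching stand-in; in a Rails app the `sanitize` view helper with its `tags:` option does the whitelisting with a real HTML parser, and ERB's output escaping (which Casey already relies on) stays in place regardless, since sanitizing input and escaping output guard different paths.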

Geoff Longman

Apr 16, 2013, 11:18:41 AM
to ogre...@googlegroups.com
Google one of the domains you listed and you'll find them in comment spam all over the internet, so it doesn't appear to be a directed attack against your site in particular. Also, I tried using curl on the domains, which failed as they don't resolve to addresses for me.

looks like someone's bot works with your site.
Geoff

Michael Richardson

Apr 16, 2013, 11:24:22 AM
to ogre...@googlegroups.com

I agree. Someone is running an XSS attack, hoping that you'll publish
their code. They are further hoping that you might be a wiki.

Since you have an authenticity token in your page, it seems that your
attacker must be pulling your page each time, so your logs should easily
show where the attack(s) are coming from. I suggest simply rejecting
any IP address which submits more than 1 open mic per minute/hour/day
(as you wish).

>>>>> "Christopher" == Christopher Saunders <c.saun...@gmail.com> writes:
Christopher> Someone probably is. It could be attempts to do SQL
Christopher> injection, though from
Christopher> what I'm seeing I'd say it's closer to someone trying
Christopher> to pull off CSRF/XSS.

> For example, one entry has this Postal Code:
> "pncqfdbqpbqq, <a href="http://www.lvjfmyzfrp.com">plbsdizfgt</a> , [url=http://www.bzauwbnulf.com]ybcaxbcupe[/url], http://www.vjouswgaos.com plbsdizfgt"
>

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
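Michael's two suggestions (read the request log to see where the submissions come from, then reject IPs that submit more than N open mics per period) in plain Ruby, as an added example that is not code from the thread or from the Capo project. The log lines are constructed in the `Started POST "/open_mics" for <ip> at <time>` shape that Rails writes for each request, using TEST-NET addresses; the thresholds, class and function names are my assumptions.

```ruby
require 'time'

# One Rails request-log line per request, e.g.
#   Started POST "/open_mics" for 203.0.113.5 at 2013-04-16 10:20:03 -0400
# Only open-mic submissions (POST /open_mics) are of interest here.
SUBMIT_RE = /\AStarted POST "\/open_mics" for (?<ip>[\d.:a-fA-F]+) at (?<ts>.+)\z/

# Constructed sample log: one client submits four times, another once.
SAMPLE_LOG = <<~LOG
  Started GET "/open_mics/new" for 203.0.113.5 at 2013-04-16 10:20:01 -0400
  Started POST "/open_mics" for 203.0.113.5 at 2013-04-16 10:20:03 -0400
  Started POST "/open_mics" for 203.0.113.5 at 2013-04-16 10:20:09 -0400
  Started POST "/open_mics" for 203.0.113.5 at 2013-04-16 10:20:15 -0400
  Started POST "/open_mics" for 198.51.100.7 at 2013-04-16 10:41:30 -0400
  Started POST "/open_mics" for 203.0.113.5 at 2013-04-16 11:05:00 -0400
LOG

# Map each client IP to the times at which it submitted an open mic.
def submissions_by_ip(log)
  by_ip = Hash.new { |h, k| h[k] = [] }
  log.each_line do |line|
    m = SUBMIT_RE.match(line.strip) or next
    by_ip[m[:ip]] << Time.parse(m[:ts])
  end
  by_ip
end

# IPs that made more than `limit` submissions inside any `window`-second span.
# Run this over yesterday's log to see who the bot is before turning on blocking.
def offending_ips(by_ip, limit:, window:)
  by_ip.select do |_ip, times|
    sorted = times.sort
    # If the (limit+1)th submission after any given one falls inside the
    # window, the limit was exceeded somewhere in that span.
    (0...sorted.size).any? do |i|
      i + limit < sorted.size && sorted[i + limit] - sorted[i] <= window
    end
  end.keys
end

# Sliding-window limiter for live requests: allow at most `limit` submissions
# per IP in any `window` seconds. Rejected attempts still count, so a bot that
# keeps hammering stays blocked until it goes quiet for a full window.
class SubmissionThrottle
  def initialize(limit:, window:)
    @limit = limit
    @window = window
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # true if the submission from `ip` at `now` should be accepted.
  def allow?(ip, now = Time.now)
    recent = @hits[ip].reject { |t| now - t > @window }
    recent << now
    @hits[ip] = recent
    recent.size <= @limit
  end
end

if __FILE__ == $PROGRAM_NAME
  by_ip = submissions_by_ip(SAMPLE_LOG)
  p offending_ips(by_ip, limit: 1, window: 60)     # ["203.0.113.5"]
  throttle = SubmissionThrottle.new(limit: 1, window: 60)
  p throttle.allow?('203.0.113.5', Time.at(0))      # true
  p throttle.allow?('203.0.113.5', Time.at(10))     # false
end
```

In a Rails 3 app of that era the `allow?` check would sit in a `before_filter` on the create action, keyed on `request.remote_ip` (which already accounts for a proxy's `X-Forwarded-For`); the in-memory hash is per-process, so with several app servers the hit counts belong in a shared store such as the cache, which is what a Rack-level gem like rack-attack does. The offline `offending_ips` pass is worth running first: it tells you whether the traffic really is one or two IPs (easy to block) or a distributed bot, where a CAPTCHA, as Casey ended up adding, is the better fit.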

Casey Li

Apr 25, 2013, 4:04:34 PM
to ogre...@googlegroups.com
Hey All,

Thanks for all the advice.

In case anyone was curious, I was able to stop the attacks for now.
I just added reCaptcha to my site, and it seems to have stopped them for now.

If it continues, I'll probably move on to implementing some of the stuff that you guys have suggested.

Thanks again!

   -cli23