Seeing Novel Rails Hack Attempts


Joshua Siler

Jan 5, 2015, 8:28:56 PM1/5/15
to rubyonra...@googlegroups.com
Hi,

We're getting some weird exceptions that look like hack attempts, and I'm hoping someone can help us understand them. It looks like an intentionally malformed URL is somehow causing unexpected behavior.

Here's what we're seeing. These URLs:


Will crash our system, and the trace doesn't include any files from our application (just framework code), trying to load a "Jobs" object that doesn't exist. 


will work correctly, hitting our controller and successfully redirect the user somewhere, and 


will also work correctly, using Job.find(params[:id]) to load a job (note object is Job not Jobs).

Something different is going on between: 


and I don't know what. None of the related routes have any fancy regex or anything unusual. Any insight would be appreciated.

Thanks for your help.
Josh


cntrytwist

Jan 6, 2015, 6:15:00 AM1/6/15
to rubyonra...@googlegroups.com
Josh,
Do you see any quit request types along with this? I see quit requests and it makes the web application complain that it doesn't know what kind of request that is.
Kent

Joshua Siler

Jan 6, 2015, 11:43:03 AM1/6/15
to rubyonra...@googlegroups.com
We do get a fair amount of requests to random HTTP verbs and file types, but the system usually handles that just fine (throwing an unknown request exception would be desired behavior.) What concerns me about this is that I'm seeing unexpected behavior, based on the addition of a period in the URL. Something is getting parsed in an unusual way somewhere in the stack...

Frederick Cheung

Jan 6, 2015, 11:50:03 AM1/6/15
to rubyonra...@googlegroups.com


On Tuesday, January 6, 2015 4:43:03 PM UTC, Joshua Siler wrote:
> We do get a fair amount of requests to random HTTP verbs and file types, but the system usually handles that just fine (throwing an unknown request exception would be desired behavior.) What concerns me about this is that I'm seeing unexpected behavior, based on the addition of a period in the URL. Something is getting parsed in an unusual way somewhere in the stack...

So what does happen - you said crash in your original post - does that mean a segmentation fault, exception, something else?

Fred

Joshua Siler

Jan 6, 2015, 12:00:11 PM1/6/15
to rubyonra...@googlegroups.com
It's one of two exceptions. Either "RuntimeError: Circular dependency detected while autoloading constant Jobs" or "LoadError: Unable to autoload constant Jobs".  The trace includes no application files (only framework files), and we have no "Jobs" object defined in the system.

We do have a Jobs resource defined in routes for some specific URL behavior, but no Jobs object. It very well could be related to that... the question is why 


Triggers this, and


Does not.

Joshua Siler

Jan 6, 2015, 12:04:25 PM1/6/15
to rubyonra...@googlegroups.com
To clarify, 
Crashes with the exception "LoadError: Unable to autoload constant Jobs", while


Gives the "RuntimeError: Circular dependency detected while autoloading constant Jobs" exception.

Both traces include only Framework files, not Application files. Both of these: 


work correctly, hitting our controller and redirecting the user as intended.

Colin Law

Jan 6, 2015, 12:11:57 PM1/6/15
to rubyonra...@googlegroups.com
On 6 January 2015 at 17:04, Joshua Siler <jos...@hiringthing.com> wrote:
> To clarify,
>
> https://gadgetco.hiringthing.com/admin/jobs/k(b.onLoad)&&n(a,'load',h.onLoad),null==h||'none'
>
> Crashes with the exception "LoadError: Unable to autoload constant Jobs",
> while
>
> https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.before=b,e=
>
> Gives the "RuntimeError: Circular dependency detected while autoloading
> constant Jobs" exception.
>
> Both traces include only Framework files, not Application files. Both of these:

Can you post one of the stack traces?

Colin

Joshua Siler

Jan 6, 2015, 12:18:15 PM1/6/15
to rubyonra...@googlegroups.com
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:464:in `load_missing_constant'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:184:in `const_missing'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:495:in `load_missing_constant'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:184:in `const_missing'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:228:in `const_get'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:228:in `block in constantize'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `each'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `inject'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `constantize'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:535:in `get'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:566:in `constantize'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:78:in `controller_reference'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:68:in `controller'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:46:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:71:in `block in call'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:59:in `each'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:59:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:676:in `call'
vendor/gems/rack-p3p/lib/rack-p3p.rb:12:in `call'
rack (1.5.2) lib/rack/etag.rb:23:in `call'
rack (1.5.2) lib/rack/conditionalget.rb:25:in `call'
rack (1.5.2) lib/rack/head.rb:11:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/flash.rb:241:in `call'
rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/cookies.rb:486:in `call'
activerecord (4.0.13.rc1) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.0.13.rc1) lib/active_record/connection_adapters/abstract/connection_pool.rb:626:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.0.13.rc1) lib/active_support/callbacks.rb:373:in `_run__838384711__call__callbacks'
activesupport (4.0.13.rc1) lib/active_support/callbacks.rb:80:in `run_callbacks'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
rails-dev-tweaks (1.2.0) lib/rails_dev_tweaks/granular_autoload/middleware.rb:36:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
airbrake (4.1.0) lib/airbrake/rails/middleware.rb:13:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:20:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
rack (1.5.2) lib/rack/runtime.rb:17:in `call'
activesupport (4.0.13.rc1) lib/active_support/cache/strategy/local_cache.rb:83:in `call'
rack (1.5.2) lib/rack/lock.rb:17:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/static.rb:84:in `call'
rack (1.5.2) lib/rack/sendfile.rb:112:in `call'
airbrake (4.1.0) lib/airbrake/user_informer.rb:16:in `_call'
airbrake (4.1.0) lib/airbrake/user_informer.rb:12:in `call'
railties (4.0.13.rc1) lib/rails/engine.rb:511:in `call'
railties (4.0.13.rc1) lib/rails/application.rb:97:in `call'
rack (1.5.2) lib/rack/content_length.rb:14:in `call'
thin (1.2.8) lib/thin/connection.rb:84:in `block in pre_process'
thin (1.2.8) lib/thin/connection.rb:82:in `catch'
thin (1.2.8) lib/thin/connection.rb:82:in `pre_process'
thin (1.2.8) lib/thin/connection.rb:57:in `process'
thin (1.2.8) lib/thin/connection.rb:42:in `receive_data'
eventmachine (1.0.3) lib/eventmachine.rb:187:in `run_machine'
eventmachine (1.0.3) lib/eventmachine.rb:187:in `run'
thin (1.2.8) lib/thin/backends/base.rb:61:in `start'
thin (1.2.8) lib/thin/server.rb:159:in `start'
rack (1.5.2) lib/rack/handler/thin.rb:16:in `run'
rack (1.5.2) lib/rack/server.rb:264:in `start'
railties (4.0.13.rc1) lib/rails/commands/server.rb:84:in `start'
railties (4.0.13.rc1) lib/rails/commands.rb:76:in `block in <top (required)>'
railties (4.0.13.rc1) lib/rails/commands.rb:71:in `tap'
railties (4.0.13.rc1) lib/rails/commands.rb:71:in `<top (required)>'
bin/rails:4:in `require'
bin/rails:4:in `<main>'
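Two things a defender would want after reading this thread: a way to pick the malformed /admin/jobs/:id requests out of the request log so they can be alerted on, and a way to see why the trace blames the bare constant "Jobs" rather than the controller. The script below is an added example, not code from the thread or from Rails. It assumes the standard Rails "Started GET ..." log line format, assumes that legitimate job ids are numeric (adjust EXPECTED_ID to the application's real identifier format), and uses constructed log lines whose addresses are invented; the two odd paths are the ones quoted in the thread. The second function mimics only the segment-by-segment const_get walk that the inflector frames in the trace perform; it is not ActiveSupport's code.

```ruby
# Added example (not from the thread): triage Rails request logs for malformed
# /admin/jobs/:id paths and show why a nested constant lookup fails on "Jobs".

# Constructed sample log lines in Rails' "Started ..." format. The IP addresses
# are documentation ranges; the two strange paths are the ones from the thread.
SAMPLE_LOG = <<~LOG
  Started GET "/admin/jobs/1234" for 203.0.113.7 at 2015-01-06 12:00:01 +0000
  Started GET "/admin/jobs/1234/edit" for 203.0.113.7 at 2015-01-06 12:00:02 +0000
  Started GET "/admin/jobs/k(b.onLoad)&&n(a,'load',h.onLoad),null==h||'none'" for 198.51.100.9 at 2015-01-06 12:00:03 +0000
  Started GET "/admin/jobs/h.delayType)c(h,b),h.before=b,e=" for 198.51.100.9 at 2015-01-06 12:00:04 +0000
  Started POST "/admin/jobs" for 203.0.113.7 at 2015-01-06 12:00:05 +0000
LOG

# Matches the standard Rails "Started <verb> "<path>" for <ip> at <time>" line.
STARTED_LINE = /\AStarted (?<verb>[A-Z]+) "(?<path>[^"]*)" for (?<ip>\S+) at /

# Assumed identifier format for the jobs route; numeric ids are an assumption.
EXPECTED_ID = /\A\d+\z/

# Parse one "Started ..." line into a hash, or return nil for any other line.
def parse_started(line)
  m = STARTED_LINE.match(line)
  return nil unless m
  { verb: m[:verb], path: m[:path], ip: m[:ip] }
end

# Extract the :id segment of /admin/jobs/:id(/...) paths; nil if there is none.
def job_id_segment(path)
  m = %r{\A/admin/jobs/([^/]+)}.match(path)
  m && m[1]
end

# Return the log entries whose job id does not look like a legitimate id.
# Each hit keeps the verb, path and ip so it can be forwarded to alerting.
def suspicious_job_requests(log_text)
  log_text.each_line.each_with_object([]) do |line, hits|
    entry = parse_started(line.chomp)
    next unless entry
    id = job_id_segment(entry[:path])
    next unless id
    next if id.match?(EXPECTED_ID)
    hits << entry.merge(id: id, reason: "id #{id.inspect} does not match #{EXPECTED_ID.inspect}")
  end
end

# Walk a "Foo::Bar" name one segment at a time with const_get, the way the
# inflector frames in the trace do. Returns the first segment that cannot be
# resolved (or is not a valid constant name), or nil when the whole name resolves.
# This shows why the error names "Jobs": the first segment fails before the
# rest of the name is ever looked at.
def first_missing_segment(camel_name)
  scope = Object
  camel_name.split("::").each do |segment|
    begin
      scope = scope.const_get(segment, false)
    rescue NameError
      return segment
    end
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  suspicious_job_requests(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ip]} #{hit[:verb]} #{hit[:path]} -> #{hit[:reason]}"
  end
  puts "first missing segment of Jobs::Anything: #{first_missing_segment('Jobs::Anything').inspect}"
  puts "first missing segment of File::Stat: #{first_missing_segment('File::Stat').inspect}"
end
```

Run against a real production.log, suspicious_job_requests gives a list to alert on, and the same EXPECTED_ID pattern is the one to use as a route constraint on :id so that requests with junk in that segment get a 404 from the router instead of reaching constant autoloading.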