Thursday, 19 January 2017

Someone tried to hack a Rails website using an invalid character in the URL

Yesterday someone tried hacking the website: there were around 200 requests which had a byte sequence in them and were fired in less than 3 minutes at different URLs of our own website.

We have one section of our website which is open to everyone without login, and to proceed further one must log in.

The error trace had this in most of the mails:

An ArgumentError occurred in #:

  invalid byte sequence in UTF-8
  vendor/bundle/ruby/2.1.0/gems/activesupport-3.2.14/lib/active_support/inflector/methods.rb:79:in `gsub!'


-------------------------------
Request:
-------------------------------

  * URL        : http://ift.tt/2jEZ59V
  * HTTP Method: GET
  * IP address : 182.19.8.82
  * Parameters : {"controller"=>"..\xC0\xAF..\xC0\xAF..\xC0\xAF..\xC0\xAF..\xC0\xAF..\xC0\xAF..\xC0\xAF..\xC0\xAFetc/passwd/io/vb", "action"=>"someurl_in_website"}
  * Timestamp  : 2017-01-19 17:30:47 +0000
  * Server : server
  * Rails root : /var/www/app
  * Process: 29648

-------------------------------
Session:
-------------------------------

  * session id: [FILTERED]
  * data: {"input_device_type"=>"MOUSE",
   "hover_supported"=>true,
   "incorrect_attempts"=>1,
   "locked"=>"false",
   "user"=>"qfswwjws",
   "flash_message"=>
    "Invalid User or Password !! Please note that your profile will be locked after 2 incorrect login attempts.",
   "session_id"=>"3774991d25843f57c90c2853712185a9"}

The data shown below was definitely sent by the user in the request, as the URL being tried is not the login URL.

* data: {"input_device_type"=>"MOUSE",
   "hover_supported"=>true,
   "incorrect_attempts"=>1,
   "locked"=>"false",
   "user"=>"qfswwjws",
   "flash_message"=>
    "Invalid User or Password !! Please note that your profile will be locked after 2 incorrect login attempts.",
   "session_id"=>"3774991d25843f57c90c2853712185a9"}

Some other URLs from which the requests came:

http://ift.tt/2iQ7p2h
http://ift.tt/2jEYd4W

The user was unable to hack into the website, but how can we stop such attacks, which increase the server load for no reason?

How can we permanently block such users?
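One way to answer both questions at the Rack layer, added here as an example and not part of the original post or the Rails project: a middleware that percent-decodes the request path, rejects it with a cheap 400 if the result is not valid UTF-8 (the `\xC0\xAF` in the trace is the overlong encoding of `/`, which Ruby treats as invalid, which is why the inflector's `gsub!` raised ArgumentError) or contains a `..` segment, and refuses everything from an IP that has sent a few such requests inside a short window. The class name, the thresholds, the constructed `env` hashes and the in-memory strike table are all assumptions for illustration; it also assumes `PATH_INFO` still carries the client's percent-encoding, as Rack servers normally leave it.

```ruby
# Added example (not from the original post): a Rack middleware that
# refuses the malformed paths described above before Rails routing and
# ActiveSupport's inflector ever see them, and temporarily bans an IP that
# keeps sending them. No gems are needed: a Rack middleware is any object
# that responds to call(env) and returns [status, headers, body].

# Percent-decode a raw request path. Decoding is done on the raw bytes and
# the result is then tagged as UTF-8 *without* validation, so a sequence
# such as %C0%AF (the overlong encoding of "/" seen in the error report)
# survives as the bytes \xC0\xAF and is caught by valid_encoding?.
def percent_decode(raw_path)
  raw_path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Returns nil for an acceptable path, otherwise a symbol naming the problem.
# The UTF-8 check must come first: running a regex (or gsub!, as the
# inflector did) over an invalid string is exactly what raised ArgumentError.
def suspicious_path?(raw_path)
  decoded = percent_decode(raw_path)
  return :invalid_utf8 unless decoded.valid_encoding?
  return :traversal if decoded.split(%r{[/\\]}).include?('..')
  nil
end

class RejectMalformedPath
  # ban_after: suspicious requests tolerated per IP inside `window` seconds
  # before that IP is refused outright. The clock is injectable for tests.
  def initialize(app, ban_after: 5, window: 180, clock: -> { Time.now })
    @app, @ban_after, @window, @clock = app, ban_after, window, clock
    @strikes = {} # ip => timestamps of rejected requests (per process only)
  end

  def call(env)
    ip  = env['REMOTE_ADDR'].to_s
    now = @clock.call
    return reject(403) if banned?(ip, now)
    # Assumption: PATH_INFO is still percent-encoded as the client sent it,
    # which is how Rack servers such as Puma and Unicorn populate it.
    if suspicious_path?(env['PATH_INFO'].to_s)
      (@strikes[ip] ||= []) << now
      return reject(400)
    end
    @app.call(env)
  end

  private

  # Drop strikes older than the window; banned once ban_after remain.
  def banned?(ip, now)
    recent = @strikes.fetch(ip, []).select { |t| now - t < @window }
    recent.empty? ? @strikes.delete(ip) : (@strikes[ip] = recent)
    recent.size >= @ban_after
  end

  def reject(status)
    [status, { 'Content-Type' => 'text/plain' }, ["#{status}\n"]]
  end
end

# In a Rails app, load it ahead of everything else in config/application.rb:
#   config.middleware.insert_before 0, RejectMalformedPath
```

Two caveats for real deployments: behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the ban would need the client IP from `X-Forwarded-For` (trusting only your own proxy), and the strike table lives in one process's memory, so a permanent or cluster-wide block belongs in something like Rack::Attack with a shared store, fail2ban watching the exception mails or logs, or a firewall rule.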
