Seeing Novel Rails Hack Attempts

Hi,

We’re getting some weird exceptions that look like hack attempts, and I’m hoping someone can help us understand them. It looks like an intentionally malformed URL is somehow causing unexpected behavior.

Here’s what we’re seeing. These URLs:

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.before=b,e=
https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.
https://gadgetco.hiringthing.com/admin/jobs/k(b.onLoad)&&n(a,'load',h.onLoad),null==h||'none'

will crash our system, and the trace doesn’t include any files from our application (just framework code), trying to load a “Jobs” object that doesn’t exist.

https://gadgetco.hiringthing.com/admin/jobs/somerandomstring
https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h

will work correctly, hitting our controller and successfully redirecting the user somewhere, and

https://gadgetco.hiringthing.com/admin/jobs/1

will also work correctly, using Job.find(params[:id]) to load a job (note the object is Job, not Jobs).

Something different is going on between:

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h. (fails)
https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h (works correctly)

and I don’t know what. None of the related routes have any fancy regex or anything unusual. Any insight would be appreciated.

Thanks for your help.
Josh

Josh,
Do you see any quit request types along with this? I see quit requests and it makes the web application complain that it doesn’t know what kind of request that is.
Kent

We do get a fair amount of requests to random HTTP verbs and file types, but the system usually handles that just fine (throwing an unknown request exception would be desired behavior.) What concerns me about this is that I’m seeing unexpected behavior, based on the addition of a period in the URL. Something is getting parsed in an unusual way somewhere in the stack…

On Tuesday, January 6, 2015 4:43:03 PM UTC, Joshua S. wrote:

So what does happen - you said crash in your original post - does that mean a segmentation fault, exception, something else?

Fred

To clarify,

https://gadgetco.hiringthing.com/admin/jobs/k(b.onLoad)&&n(a,'load',h.onLoad),null==h||'none'

crashes with the exception “LoadError: Unable to autoload constant Jobs”, while

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.before=b,e=

gives the “RuntimeError: Circular dependency detected while autoloading constant Jobs” exception.

Both traces include only framework files, not application files. Both of these:

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h
HiringThing

work correctly, hitting our controller and redirecting the user as intended.

On 6 January 2015 at 17:04, Joshua S. wrote:

Can you post one of the stack traces?

Colin

It’s one of two exceptions. Either “RuntimeError: Circular dependency detected while autoloading constant Jobs” or “LoadError: Unable to autoload constant Jobs”. The trace includes no application files (only framework files), and we have no “Jobs” object defined in the system.

We do have a Jobs resource defined in routes for some specific URL behavior, but no Jobs object. It very well could be related to that… the question is why

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.

triggers this, and

https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h

does not.

activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:464:in `load_missing_constant'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:184:in `const_missing'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:495:in `load_missing_constant'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:184:in `const_missing'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:228:in `const_get'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:228:in `block in constantize'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `each'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `inject'
activesupport (4.0.13.rc1) lib/active_support/inflector/methods.rb:224:in `constantize'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:535:in `get'
activesupport (4.0.13.rc1) lib/active_support/dependencies.rb:566:in `constantize'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:78:in `controller_reference'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:68:in `controller'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:46:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:71:in `block in call'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:59:in `each'
actionpack (4.0.13.rc1) lib/action_dispatch/journey/router.rb:59:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/routing/route_set.rb:676:in `call'
vendor/gems/rack-p3p/lib/rack-p3p.rb:12:in `call'
rack (1.5.2) lib/rack/etag.rb:23:in `call'
rack (1.5.2) lib/rack/conditionalget.rb:25:in `call'
rack (1.5.2) lib/rack/head.rb:11:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/params_parser.rb:27:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/flash.rb:241:in `call'
rack (1.5.2) lib/rack/session/abstract/id.rb:225:in `context'
rack (1.5.2) lib/rack/session/abstract/id.rb:220:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/cookies.rb:486:in `call'
activerecord (4.0.13.rc1) lib/active_record/query_cache.rb:36:in `call'
activerecord (4.0.13.rc1) lib/active_record/connection_adapters/abstract/connection_pool.rb:626:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
activesupport (4.0.13.rc1) lib/active_support/callbacks.rb:373:in `_run__838384711__call__callbacks'
activesupport (4.0.13.rc1) lib/active_support/callbacks.rb:80:in `run_callbacks'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/callbacks.rb:27:in `call'
rails-dev-tweaks (1.2.0) lib/rails_dev_tweaks/granular_autoload/middleware.rb:36:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/remote_ip.rb:76:in `call'
airbrake (4.1.0) lib/airbrake/rails/middleware.rb:13:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/debug_exceptions.rb:17:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/show_exceptions.rb:30:in `call'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:38:in `call_app'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:20:in `block in call'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:68:in `block in tagged'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:26:in `tagged'
activesupport (4.0.13.rc1) lib/active_support/tagged_logging.rb:68:in `tagged'
railties (4.0.13.rc1) lib/rails/rack/logger.rb:20:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/request_id.rb:21:in `call'
rack (1.5.2) lib/rack/methodoverride.rb:21:in `call'
rack (1.5.2) lib/rack/runtime.rb:17:in `call'
activesupport (4.0.13.rc1) lib/active_support/cache/strategy/local_cache.rb:83:in `call'
rack (1.5.2) lib/rack/lock.rb:17:in `call'
actionpack (4.0.13.rc1) lib/action_dispatch/middleware/static.rb:84:in `call'
rack (1.5.2) lib/rack/sendfile.rb:112:in `call'
airbrake (4.1.0) lib/airbrake/user_informer.rb:16:in `_call'
airbrake (4.1.0) lib/airbrake/user_informer.rb:12:in `call'
railties (4.0.13.rc1) lib/rails/engine.rb:511:in `call'
railties (4.0.13.rc1) lib/rails/application.rb:97:in `call'
rack (1.5.2) lib/rack/content_length.rb:14:in `call'
thin (1.2.8) lib/thin/connection.rb:84:in `block in pre_process'
thin (1.2.8) lib/thin/connection.rb:82:in `catch'
thin (1.2.8) lib/thin/connection.rb:82:in `pre_process'
thin (1.2.8) lib/thin/connection.rb:57:in `process'
thin (1.2.8) lib/thin/connection.rb:42:in `receive_data'
eventmachine (1.0.3) lib/eventmachine.rb:187:in `run_machine'
eventmachine (1.0.3) lib/eventmachine.rb:187:in `run'
thin (1.2.8) lib/thin/backends/base.rb:61:in `start'
thin (1.2.8) lib/thin/server.rb:159:in `start'
rack (1.5.2) lib/rack/handler/thin.rb:16:in `run'
rack (1.5.2) lib/rack/server.rb:264:in `start'
railties (4.0.13.rc1) lib/rails/commands/server.rb:84:in `start'
railties (4.0.13.rc1) lib/rails/commands.rb:76:in `block in <top (required)>'
railties (4.0.13.rc1) lib/rails/commands.rb:71:in `tap'
railties (4.0.13.rc1) lib/rails/commands.rb:71:in `<top (required)>'
bin/rails:4:in `require'
bin/rails:4:in `'
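Added illustration, not code from the thread or from Rails: a small Ruby model of the default dynamic-segment constraint `[^/.?]+` that Rails applies to `:id` and `:format`, run over the paths quoted in the thread. It assumes the job route is the standard `/admin/jobs/:id(.:format)`; since the trace ends in `controller_reference`, the paths this model rejects are evidently being matched by some other route that ends up constantizing a controller name containing `Jobs`, which `rake routes` would show and the thread does not.

```ruby
# Added example; not code from the thread or from Rails itself. It models
# the default Rails dynamic-segment constraint [^/.?]+ (a segment may not
# contain "/", "." or "?") and ASSUMES the app's job route is the standard
# resources route "/admin/jobs/:id(.:format)".

SEGMENT = '[^/.?]+'.freeze
JOB_ROUTE = '/admin/jobs/:id(.:format)'.freeze

# Turn a route pattern into an anchored Regexp: ":name" becomes a named
# capture limited to SEGMENT, "(...)" becomes an optional group, and
# everything else is matched literally (the "." before :format included).
def route_regexp(pattern)
  src = pattern.gsub(/\(|\)|:\w+|[^():]+/) do |tok|
    case tok
    when '(' then '(?:'
    when ')' then ')?'
    when /\A:\w+\z/ then "(?<#{tok[1..-1]}>#{SEGMENT})"
    else Regexp.escape(tok)
    end
  end
  Regexp.new("\\A#{src}\\z")
end

# Returns the captured params as a Hash, or nil when the path does not
# match the route at all (Rails would then try the next route in order).
def match_route(pattern, path)
  m = route_regexp(pattern).match(path)
  return nil unless m
  m.names.each_with_object({}) { |n, h| h[n] = m[n] if m[n] }
end

if __FILE__ == $0
  # Paths from the thread: the first two reach the controller (id "1", and
  # id "h" with a format of "delayType)c(h,b),h"); the rest contain a
  # second dot, so neither :id nor :format can absorb it and the route
  # does not match at all.
  [
    '/admin/jobs/1',
    '/admin/jobs/h.delayType)c(h,b),h',
    '/admin/jobs/h.delayType)c(h,b),h.',
    '/admin/jobs/h.delayType)c(h,b),h.before=b,e=',
    "/admin/jobs/k(b.onLoad)&&n(a,'load',h.onLoad),null==h||'none'",
  ].each { |p| puts "#{p.ljust(62)} => #{match_route(JOB_ROUTE, p).inspect}" }
end
```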