GbPlugin

W. Andrew Loe III
May 07, 2010 01:22PM
This user agent is able to create a bad request for image assets that
is bypassing nginx. We are seeing these odd requests in our Rails
application (via Passenger) but they should either be 400s or serve
valid images. A quick Google search turns up some interesting history
on this User-Agent; it seems that it has been compromised by some
Brazilian malware authors.

Here is an example exception from our application; does anyone see
anything strange? If I attempt to hit that URL in a standard browser I
get an image. I do not see an accepts header; perhaps this is why
nginx is passing the request on?

A ActionController::RoutingError occurred in application#index:

No route matches "/images/ajax-loader.gif" with
{:subdomain=>"macchiato-assets2", :method=>:get,
:domain=>"onehub.com", :host=>"macchiato-assets2.onehub.com"}
[RAILS_ROOT]/vendor/rails/actionpack/lib/action_controller/routing/recognition_optimisation.rb:66:in `recognize_path'

-------------------------------
Request:
-------------------------------

* URL : http://macchiato-assets2.onehub.com/images/ajax-loader.gif?1273194370
* IP address: 200.204.143.221
* Parameters: {"1273194370"=>nil}
* Rails root: /data/onehub/deploy_1

-------------------------------
Session:
-------------------------------

* session id: nil
* data: nil

-------------------------------
Environment:
-------------------------------

* CONTENT_LENGTH : 0
* DOCUMENT_ROOT : /data/onehub/current/public
* HTTP_CACHE_CONTROL : no-cache
* HTTP_CONNECTION : keep-alive
* HTTP_COOKIE : _onehub_session_id=<snip>; remember_me=1
* HTTP_HOST : macchiato-assets2.onehub.com
* HTTP_USER_AGENT : GbPlugin
* HTTP_X_FORWARDED_FOR : 200.204.143.221
* PASSENGER_APP_SPAWNER_IDLE_TIME : -1
* PASSENGER_APP_TYPE : rails
* PASSENGER_ENVIRONMENT : production
* PASSENGER_FRAMEWORK_SPAWNER_IDLE_TIME : -1
* PASSENGER_SPAWN_METHOD : smart-lv2
* PASSENGER_USE_GLOBAL_QUEUE : true
* PATH_INFO : /images/ajax-loader.gif?1273194370
* QUERY_STRING :
* RAW_REQUEST_URI : /images/ajax%2Dloader.gif%3F1273194370
* REMOTE_ADDR : 10.250.18.33
* REMOTE_PORT : 48252
* REQUEST_METHOD : GET
* REQUEST_URI : /images/ajax-loader.gif?1273194370
* SCGI : 1
* SCRIPT_NAME :
* SERVER_ADDR : 10.250.182.80
* SERVER_NAME : 10.250.182.80
* SERVER_PORT : 80
* SERVER_PROTOCOL : HTTP/1.1
* SERVER_SOFTWARE : nginx/0.7.65
* _ : _
* action_controller.request.path_parameters :
* action_controller.request.query_parameters : 1273194370
* action_controller.request.request_parameters:
* action_controller.rescue.request : #<ActionController::Request:0x10175510>
* action_controller.rescue.response : #<ActionController::Response:0x101678e8>
* rack.errors : #<IO:0x98afe18>
* rack.input : #<PhusionPassenger::Utils::RewindableInput:0x10175ab0>
* rack.multiprocess : true
* rack.multithread : false
* rack.request.cookie_hash :
* rack.request.cookie_string : _onehub_session_id=<snip>; remember_me=1
* rack.request.query_hash : 1273194370
* rack.request.query_string : 1273194370
* rack.run_once : false
* rack.session :
* rack.session.options : <snip>
* rack.url_scheme : http
* rack.version : 10

* Process: 27543
* Server : ip-10-250-182-80

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
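
Added example, not part of the original post: in the dump above, RAW_REQUEST_URI carries the `?` as `%3F` and QUERY_STRING is empty, so the timestamp suffix arrives as part of the path rather than as a query string. This Python sketch flags request targets of that shape; the function name and the finding labels are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# RFC 3986 "unreserved" characters: a client never needs to percent-encode
# these, so an escape such as %2D ('-') suggests the whole URL, query string
# included, was passed through an encoder before being sent.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def inspect_request_uri(raw_uri):
    """Split a raw request target as a server would and list anomalies.

    Hypothetical helper for illustration; the labels in 'findings' are made up.
    """
    # Only a literal '?' ends the path. An encoded '%3F' stays inside it.
    raw_path, _, query = raw_uri.partition("?")
    path = unquote(raw_path)

    findings = []
    if "?" in path:
        # After decoding, the path itself contains '?': a static-file lookup
        # would search for a file literally named e.g. "x.gif?123".
        findings.append("encoded-query-delimiter")
    if any(chr(int(h, 16)) in UNRESERVED for h in ESCAPE.findall(raw_path)):
        findings.append("encoded-unreserved")
    return {"path": path, "query": query, "findings": findings}


if __name__ == "__main__":
    # Both values come from the dump above: the first is RAW_REQUEST_URI,
    # the second is the same URL with the '?' and '-' left unencoded.
    for uri in ("/images/ajax%2Dloader.gif%3F1273194370",
                "/images/ajax-loader.gif?1273194370"):
        print(uri, "->", inspect_request_uri(uri))
```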