comopasta Gr
2012-Dec-08 23:00 UTC
Someone is redirecting my app to a fake page - sometimes
Hi,

I have a site where I have noticed that a couple of times /#login is added automatically to the end of the url by someone/something. That displays a site called "Quizboard" and asks for a username and password inside our page. The first part of the url is the domain of my app.

That has happened at least 2 times and it is intermittent, normally it ends up in the real application.

The app is hosted at Heroku and uses CloudFlare to get the SSL protection.

I have verified that when visiting that url it does not hit the heroku app at all.

Anyone has an idea of what's going on? Any recommendations?

I'm currently checking the app with http://brakemanscanner.org/ trying to cover any even weak reports by the tool.

Thanks.

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.

Colin Law
2012-Dec-09 08:23 UTC
Re: Someone is redirecting my app to a fake page - sometimes
On 8 December 2012 23:00, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Hi,
>
> I have a site where I have noticed that a couple of times /#login is
> added automatically to the end of the url by someone/something.

What do you mean when you say it is added automatically to the end of the url? Where do you see it appear? Is it when you click a link in your app (in which case check the url in the source of the page containing the link) or does it just appear in the url bar of your browser as you are typing something, in which case it is just that at some point you have tried to visit that page and it is the type-ahead in the browser entering it.

> That
> displays a site called "Quizboard" and asks for a username and password
> inside our page. The first part of the url is the domain of my app.
>
> That has happened at least 2 times and it is intermittent, normally it
> ends up in the real application.

What *exactly* has happened at least 2 times?

>
> The app is hosted at Heroku and uses CloudFlare to get the SSL
> protection.
>
> I have verified that when visiting that url it does not hit the heroku
> app at all.
>
> Anyone has an idea of what's going on? Any recommendations?
>
> I'm currently checking the app with http://brakemanscanner.org/ trying
> to cover any even weak reports by the tool.

Is that relevant to the question?

Colin

comopasta Gr
2012-Dec-09 12:36 UTC
Re: Someone is redirecting my app to a fake page - sometimes
Colin Law wrote in post #1088369:
> On 8 December 2012 23:00, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>> Hi,
>>
>> I have a site where I have noticed that a couple of times /#login is
>> added automatically to the end of the url by someone/something.
>
> What do you mean when you say it is added automatically to the end of
> the url? Where do you see it appear? Is it when you click a link in
> your app (in which case check the url in the source of the page
> containing the link) or does it just appear in the url bar of your
> browser as you are typing something, in which case it is just that at
> some point you have tried to visit that page and it is the type-ahead
> in the browser entering it.
>

Added automatically means that I would enter http://mydomain.com and hit enter, then the url becomes http://mydomain.com/#login I have never tried to visit that url, the normal url is http://mydomain.com/login

>> That
>> displays a site called "Quizboard" and asks for a username and password
>> inside our page. The first part of the url is the domain of my app.
>>
>> That has happened at least 2 times and it is intermittent, normally it
>> ends up in the real application.
>
> What *exactly* has happened at least 2 times?

What has happened exactly is that in the browser url I see http://mydomain.com/#login but the contents of the page are not from my app. It contains a site with a title "Quizboard" and two fields for username and password. I would call it a phishing site but it does not try to replicate our login UI.

>
>> to cover any even weak reports by the tool.
> Is that relevant to the question?
>

Well maybe not. I had some XSS issues reported as weak by brakeman. But I don't think those had anything to do with the issue. I have solved those weak issues now.

> Colin

I have not seen the issue in last two days but on Friday (for 15 minutes or so) typing http://mydomain.com/#login would end up not on our app but on that strange page. Then it stopped. Right now (and pretty much always) it goes correctly to our app. This has been seen by and another person in a different country (and machine obviously).

Thanks Colin.

Colin Law
2012-Dec-09 12:50 UTC
Re: Re: Someone is redirecting my app to a fake page - sometimes
On 9 December 2012 12:36, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Colin Law wrote in post #1088369:
>> On 8 December 2012 23:00, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>>> Hi,
>>>
>>> I have a site where I have noticed that a couple of times /#login is
>>> added automatically to the end of the url by someone/something.
>>
>> What do you mean when you say it is added automatically to the end of
>> the url? Where do you see it appear? Is it when you click a link in
>> your app (in which case check the url in the source of the page
>> containing the link) or does it just appear in the url bar of your
>> browser as you are typing something, in which case it is just that at
>> some point you have tried to visit that page and it is the type-ahead
>> in the browser entering it.
>>
> Added automatically means that I would enter http://mydomain.com and hit
> enter, then the url becomes http://mydomain.com/#login I have never
> tried to visit that url, the normal url is http://mydomain.com/login

Do you have logging enabled in your app so that each request is shown? If so then what do you see in the log when you hit enter after entering mydomain.com? If not then enable it and see what happens.

>
>
>>> That
>>> displays a site called "Quizboard" and asks for a username and password
>>> inside our page. The first part of the url is the domain of my app.
>>>
>>> That has happened at least 2 times and it is intermittent, normally it
>>> ends up in the real application.
>>
>> What *exactly* has happened at least 2 times?
>
> What has happened exactly is that in the browser url I see
> http://mydomain.com/#login but the contents of the page are not from my
> app. It contains a site with a title "Quizboard" and two fields for
> username and password. I would call it a phishing site but it does not
> try to replicate our login UI.
>
>>
>>> to cover any even weak reports by the tool.
>> Is that relevant to the question?
>>
> Well maybe not. I had some XSS issues reported as weak by brakeman. But
> I don't think those had anything to do with the issue. I have solved
> those weak issues now.
>
>> Colin
>
> I have not seen the issue in last two days but on Friday (for 15 minutes
> or so) typing http://mydomain.com/#login would end up not on our app but
> on that strange page. Then it stopped. Right now (and pretty much
> always) it goes correctly to our app. This has been seen by and another
> person in a different country (and machine obviously).

You said earlier that you had never typed mydomain.com/#login, now you say you spent 15 mins doing so.

Can you let us know your domain name so we can try it?

Colin

comopasta Gr
2012-Dec-09 13:44 UTC
Re: Re: Someone is redirecting my app to a fake page - sometimes
Colin Law wrote in post #1088392:
> On 9 December 2012 12:36, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>>> containing the link) or does it just appear in the url bar of your
>>> browser as you are typing something, in which case it is just that at
>>> some point you have tried to visit that page and it is the type-ahead
>>> in the browser entering it.
>>>
>> Added automatically means that I would enter http://mydomain.com and hit
>> enter, then the url becomes http://mydomain.com/#login I have never
>> tried to visit that url, the normal url is http://mydomain.com/login
>
> Do you have logging enabled in your app so that each request is shown?
> If so then what do you see in the log when you hit enter after
> entering mydomain.com? If not then enable it and see what happens.
>

Sure I can follow the logs in real time in Heroku and when visiting the app you can see the requests hitting the app. I can follow up any requests. When this "ghost" site has been active the application at Heroku is not hit, the app does not serve the content, nothing is seen in the logs.

>>
>> Well maybe not. I had some XSS issues reported as weak by brakeman. But
>> I don't think those had anything to do with the issue. I have solved
>> those weak issues now.
>>
>>> Colin
>>
>> I have not seen the issue in last two days but on Friday (for 15 minutes
>> or so) typing http://mydomain.com/#login would end up not on our app but
>> on that strange page. Then it stopped. Right now (and pretty much
>> always) it goes correctly to our app. This has been seen by and another
>> person in a different country (and machine obviously).
>
> You said earlier that you had never typed mydomain.com/#login, now you
> say you spent 15 mins doing so.
>

Yeah, it was a coincidence that I found it. Another guy found it in Spain and told me about it. At that time I tried visiting the server but didn't get "redirected" there. Then the next day it also happened to me. So I took note of the url and I was visiting it for about 15 minutes with the same result (the bad page), then it kind of died out and the same url would take me to my app as expected.

> Can you let us know your domain name so we can try it?

I still have to push the latest changes I have which include update to Rails 2.3.8 and other stuff. But one thing that is now different is that I force https in all the requests. So I don't know if this will mitigate the problem.

Anyway the app is at sharebi.com

Btw I just found a screenshot of the bad page (attached). You can't see the #login part but that was consistently taking me here on Friday. After the loading part the form I mentioned before is displayed.

>
> Colin

Attachments:
http://www.ruby-forum.com/attachment/7946/quiz.jpg

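The check described in the post above (load the page, then see whether the request shows up in the app's own log) can be automated by tagging each probe with a token and correlating it with the log. This is an added example, not code from the thread; the `probe` query parameter, the `My App` title, the log layout and all sample data are assumptions constructed for illustration.

```ruby
require "set"

# Everything below is constructed for illustration; nothing is from the thread.
Probe = Struct.new(:time, :token, :status, :title)
EXPECTED_TITLE = "My App" # assumption: <title> served by the real application

# Client side: each probe fetched http://mydomain.com/?probe=<token>.
# The token goes in the query string because a #fragment never leaves the browser.
PROBES = [
  Probe.new("10:00", "p001", 200, "My App"),
  Probe.new("10:05", "p002", 200, "Quizboard"),
  Probe.new("10:10", "p003", 200, "Quizboard"),
  Probe.new("10:15", "p004", 200, "My App"),
  Probe.new("10:20", "p005", nil, nil), # request timed out
].freeze

# App side: constructed request log in a key=value layout (hypothetical format).
APP_LOG = <<~LOG
  10:00:00 method=GET path="/?probe=p001" host=mydomain.com status=200
  10:15:01 method=GET path="/?probe=p004" host=mydomain.com status=200
  10:16:30 method=GET path="/login" host=mydomain.com status=200
LOG

# Collect every probe token that actually reached the application.
def tokens_seen(log_text)
  log_text.each_line.with_object(Set.new) do |line, seen|
    m = line.match(/path="[^"]*[?&]probe=([A-Za-z0-9]+)/)
    seen << m[1] if m
  end
end

def classify(probe, seen, expected_title = EXPECTED_TITLE)
  return :no_response if probe.status.nil?
  reached_app = seen.include?(probe.token)
  title_ok = probe.title == expected_title
  return :ok if reached_app && title_ok
  return :app_served_unexpected_content if reached_app
  return :expected_content_not_logged if title_ok # cache hit or log gap
  :answered_elsewhere # a response came back, but not from the app
end

# Group consecutive :answered_elsewhere probes into incident windows.
def incident_windows(probes, seen)
  probes.chunk_while { |a, b| classify(a, seen) == classify(b, seen) }
        .select { |run| classify(run.first, seen) == :answered_elsewhere }
        .map { |run| { from: run.first.time, to: run.last.time, probes: run.size } }
end

seen = tokens_seen(APP_LOG)
PROBES.each { |p| puts "#{p.time} #{p.token} #{classify(p, seen)}" }
puts incident_windows(PROBES, seen).inspect
```

A window of `:answered_elsewhere` results gives a time range to hand to the DNS, CDN and hosting providers, since something between the browser and the app answered for the domain during it.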
Colin Law
2012-Dec-09 14:00 UTC
Re: Re: Re: Someone is redirecting my app to a fake page - sometimes
On 9 December 2012 13:44, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> Colin Law wrote in post #1088392:
>> On 9 December 2012 12:36, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>>>> containing the link) or does it just appear in the url bar of your
>>>> browser as you are typing something, in which case it is just that at
>>>> some point you have tried to visit that page and it is the type-ahead
>>>> in the browser entering it.
>>>>
>>> Added automatically means that I would enter http://mydomain.com and hit
>>> enter, then the url becomes http://mydomain.com/#login I have never
>>> tried to visit that url, the normal url is http://mydomain.com/login
>>
>> Do you have logging enabled in your app so that each request is shown?
>> If so then what do you see in the log when you hit enter after
>> entering mydomain.com? If not then enable it and see what happens.
>>
> Sure I can follow the logs in real time in Heroku and when visiting the
> app you can see the requests hitting the app. I can follow up any
> requests. When this "ghost" site has been active the application at
> Heroku is not hit, the app does not serve the content, nothing is seen
> in the logs.

I can only guess that it is/was a DNS issue so your request was intermittently getting routed to the wrong server.

Colin

Colin Law
2012-Dec-09 14:06 UTC
Re: Re: Re: Someone is redirecting my app to a fake page - sometimes
On 9 December 2012 14:00, Colin Law <clanlaw-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> On 9 December 2012 13:44, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>> Colin Law wrote in post #1088392:
>>> On 9 December 2012 12:36, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>>>>> containing the link) or does it just appear in the url bar of your
>>>>> browser as you are typing something, in which case it is just that at
>>>>> some point you have tried to visit that page and it is the type-ahead
>>>>> in the browser entering it.
>>>>>
>>>> Added automatically means that I would enter http://mydomain.com and hit
>>>> enter, then the url becomes http://mydomain.com/#login I have never
>>>> tried to visit that url, the normal url is http://mydomain.com/login
>>>
>>> Do you have logging enabled in your app so that each request is shown?
>>> If so then what do you see in the log when you hit enter after
>>> entering mydomain.com? If not then enable it and see what happens.
>>>
>> Sure I can follow the logs in real time in Heroku and when visiting the
>> app you can see the requests hitting the app. I can follow up any
>> requests. When this "ghost" site has been active the application at
>> Heroku is not hit, the app does not serve the content, nothing is seen
>> in the logs.
>
> I can only guess that it is/was a DNS issue so your request was
> intermittently getting routed to the wrong server.

Or possibly a Heroku issue, with your requests going to the wrong Heroku app. I don't know whether that is possible.

Colin

>
> Colin

Colin Law
2012-Dec-09 14:13 UTC
Re: Re: Re: Someone is redirecting my app to a fake page - sometimes
On 9 December 2012 14:00, Colin Law <clanlaw-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> On 9 December 2012 13:44, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>> Colin Law wrote in post #1088392:
>>> On 9 December 2012 12:36, comopasta Gr <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>>>>> containing the link) or does it just appear in the url bar of your
>>>>> browser as you are typing something, in which case it is just that at
>>>>> some point you have tried to visit that page and it is the type-ahead
>>>>> in the browser entering it.
>>>>>
>>>> Added automatically means that I would enter http://mydomain.com and hit
>>>> enter, then the url becomes http://mydomain.com/#login I have never
>>>> tried to visit that url, the normal url is http://mydomain.com/login
>>>
>>> Do you have logging enabled in your app so that each request is shown?
>>> If so then what do you see in the log when you hit enter after
>>> entering mydomain.com? If not then enable it and see what happens.
>>>
>> Sure I can follow the logs in real time in Heroku and when visiting the
>> app you can see the requests hitting the app. I can follow up any
>> requests. When this "ghost" site has been active the application at
>> Heroku is not hit, the app does not serve the content, nothing is seen
>> in the logs.
>
> I can only guess that it is/was a DNS issue so your request was
> intermittently getting routed to the wrong server.

I notice that there are a number of html syntax errors on the page [1], I don't see how that could cause the problem you are seeing but I would sort those out anyway. Always fix the errors you understand before worrying about ones you don't.

Colin

[1] http://validator.w3.org/check?uri=sharebi.com&charset=%28detect+automatically%29&doctype=Inline&group=0

comopasta Gr
2012-Dec-09 15:14 UTC
Re: Re: Re: Someone is redirecting my app to a fake page - sometimes
Colin Law wrote in post #1088403:
> On 9 December 2012 14:00, Colin Law <clanlaw-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
>>>>> tried to visit that url, the normal url is http://mydomain.com/login
>>
>> I can only guess that it is/was a DNS issue so your request was
>> intermittently getting routed to the wrong server.
>
> I notice that there are a number of html syntax errors on the page
> [1], I don't see how that could cause the problem you are seeing but I
> would sort those out anyway. Always fix the errors you understand
> before worrying about ones you don't.
>
> Colin
>
> [1]
> http://validator.w3.org/check?uri=sharebi.com&charset=%28detect+automatically%29&doctype=Inline&group=0

Yeah I should take care of those.

Well I hope this was a temporary problem, I should keep a close eye on it.

Thanks for your comments Colin. Especially since this was not a Rails thing, I wasn't sure where I could get some opinions.

Cheers.