Someone is redirecting my app to a fake page - sometimes

Hi,

I have a site where I have noticed that a couple of times /#login is
added automatically to the end of the url by someone/something. That
displays a site called "Quizboard" and asks for a username and password
inside our page. The first part of the url is the domain of my app.

That has happened at least 2 times and it is intermittent, normally it
ends up in the real application.

The app is hosted at Heroku and uses CloudFlare to get the SSL
protection.

I have verified that when visiting that url it does not hit the heroku
app at all.

Anyone has an idea of what's going on? Any recommendations?

I'm currently checking the app with http://brakemanscanner.org/ trying
to cover any even weak reports by the tool.

Thanks.

Hi,

I have a site where I have noticed that a couple of times /#login is
added automatically to the end of the url by someone/something.

What do you mean when you say it is added automatically to the end of
the url? Where do you see it appear? Is it when you click a link in
your app (in which case check the url in the source of the page
containing the link) or does it just appear in the url bar of your
browser as you are typing something, in which case it is just that at
some point you have tried to visit that page and it is the type-ahead
in the browser entering it.

That
displays a site called "Quizboard" and asks for a username and password
inside our page. The first part of the url is the domain of my app.

That has happened at least 2 times and it is intermittent, normally it
ends up in the real application.

What *exactly* has happened at least 2 times?

The app is hosted at Heroku and uses CloudFlare to get the SSL
protection.

I have verified that when visiting that url it does not hit the heroku
app at all.

Anyone has an idea of what's going on? Any recommendations?

I'm currently checking the app with http://brakemanscanner.org/ trying
to cover any even weak reports by the tool.

Is that relevant to the question?

Colin

Colin Law wrote in post #1088369:

Hi,

I have a site where I have noticed that a couple of times /#login is
added automatically to the end of the url by someone/something.

What do you mean when you say it is added automatically to the end of
the url? Where do you see it appear? Is it when you click a link in
your app (in which case check the url in the source of the page
containing the link) or does it just appear in the url bar of your
browser as you are typing something, in which case it is just that at
some point you have tried to visit that page and it is the type-ahead
in the browser entering it.

Added automatically means that I would enter http://mydomain.com and hit
enter, then the url becomes http://mydomain.com/#login I have never
tried to visit that url, the normal url is http://mydomain.com/login

That
displays a site called "Quizboard" and asks for a username and password
inside our page. The first part of the url is the domain of my app.

That has happened at least 2 times and it is intermittent, normally it
ends up in the real application.

What *exactly* has happened at least 2 times?

What has happened exactly is that in the browser url I see
http://mydomain.com/#login but the contents of the page are not from my
app. It contains a site with a title "Quizboard" and two fields for
username and password. I would call it a phishing site but it does not
try to replicate our login UI.

to cover any even weak reports by the tool.

Is that relevant to the question?

Well maybe not. I had some XSS issues reported as weak by brakeman. But
I don't think those had anything to do with the issue. I have solved
those weak issues now.

Colin

I have not seen the issue in last two days but on Friday (for 15 minutes
or so) typing http://mydomain.com/#login would end up not on our app but
on that strange page. Then it stopped. Right now (and pretty much
always) it goes correctly to our app. This has been seen by and another
person in a different country (and machine obviously).

Thanks Colin.

Colin Law wrote in post #1088369:

Hi,

I have a site where I have noticed that a couple of times /#login is
added automatically to the end of the url by someone/something.

What do you mean when you say it is added automatically to the end of
the url? Where do you see it appear? Is it when you click a link in
your app (in which case check the url in the source of the page
containing the link) or does it just appear in the url bar of your
browser as you are typing something, in which case it is just that at
some point you have tried to visit that page and it is the type-ahead
in the browser entering it.

Added automatically means that I would enter http://mydomain.com and hit
enter, then the url becomes http://mydomain.com/#login I have never
tried to visit that url, the normal url is http://mydomain.com/login

Do you have logging enabled in your app so that each request is shown?
If so then what do you see in the log when you hit enter after
entering mydomain.com? If not then enable it and see what happens.

That
displays a site called "Quizboard" and asks for a username and password
inside our page. The first part of the url is the domain of my app.

That has happened at least 2 times and it is intermittent, normally it
ends up in the real application.

What *exactly* has happened at least 2 times?

What has happened exactly is that in the browser url I see
http://mydomain.com/#login but the contents of the page are not from my
app. It contains a site with a title "Quizboard" and two fields for
username and password. I would call it a phishing site but it does not
try to replicate our login UI.

to cover any even weak reports by the tool.

Is that relevant to the question?

Well maybe not. I had some XSS issues reported as weak by brakeman. But
I don't think those had anything to do with the issue. I have solved
those weak issues now.

Colin

I have not seen the issue in last two days but on Friday (for 15 minutes
or so) typing http://mydomain.com/#login would end up not on our app but
on that strange page. Then it stopped. Right now (and pretty much
always) it goes correctly to our app. This has been seen by and another
person in a different country (and machine obviously).

You said earlier that you had never typed mydomain.com/#login, now you
say you spent 15 mins doing so.

Can you let us know your domain name so we can try it?

Colin

Colin Law wrote in post #1088392:

containing the link) or does it just appear in the url bar of your
browser as you are typing something, in which case it is just that at
some point you have tried to visit that page and it is the type-ahead
in the browser entering it.

Added automatically means that I would enter http://mydomain.com and hit
enter, then the url becomes http://mydomain.com/#login I have never
tried to visit that url, the normal url is http://mydomain.com/login

Do you have logging enabled in your app so that each request is shown?
If so then what do you see in the log when you hit enter after
entering mydomain.com? If not then enable it and see what happens.

Sure I can follow the logs in real time in Heroku and when visiting the
app you can see the requests hitting the app. I can follow up any
requests. When this "ghost" site has been active the application at
Heroku is not hit, the app does not serve the content, nothing is seen
in the logs.

Well maybe not. I had some XSS issues reported as weak by brakeman. But
I don't think those had anything to do with the issue. I have solved
those weak issues now.

Colin

I have not seen the issue in last two days but on Friday (for 15 minutes
or so) typing http://mydomain.com/#login would end up not on our app but
on that strange page. Then it stopped. Right now (and pretty much
always) it goes correctly to our app. This has been seen by and another
person in a different country (and machine obviously).

You said earlier that you had never typed mydomain.com/#login, now you
say you spent 15 mins doing so.

Yeah, it was a coincidence that I found it. Another guy found it in
Spain and told me about. At that time I tried visiting the server but
didn't get "redirected" there. Then the next day it also happened to me.
So I took note of the url and I was visiting it for about 15 minutes
with the same result (the bad page), then it kind of died out and the
same url would take to my app as expected.

Can you let us know your domain name so we can try it?

I still have to push the latests changes I have which include update to
Rails 2.3.8 and other stuff. But one thing that is now different is that
I forces https in all the requests. So I don't know if this will
mitigate the problem. Anyway the app is at sharebi.com

Btw I just found a screenshot of the bad page (attached). You can't see
the #login part but that was consistently taking me here on Friday.
After the loading part the form I mentioned before is displayed.

Colin

Attachments:
http://www.ruby-forum.com/attachment/7946/quiz.jpg

I can only guess that it is/was a DNS issue so your request was
intermittently getting routed to the wrong server.

Colin

Colin Law wrote in post #1088392:

containing the link) or does it just appear in the url bar of your
browser as you are typing something, in which case it is just that at
some point you have tried to visit that page and it is the type-ahead
in the browser entering it.

Added automatically means that I would enter http://mydomain.com and hit
enter, then the url becomes http://mydomain.com/#login I have never
tried to visit that url, the normal url is http://mydomain.com/login

Do you have logging enabled in your app so that each request is shown?
If so then what do you see in the log when you hit enter after
entering mydomain.com? If not then enable it and see what happens.

Sure I can follow the logs in real time in Heroku and when visiting the
app you can see the requests hitting the app. I can follow up any
requests. When this "ghost" site has been active the application at
Heroku is not hit, the app does not serve the content, nothing is seen
in the logs.

I can only guess that it is/was a DNS issue so your request was
intermittently getting routed to the wrong server.

Or possibly a Heroku issue, with your requests going to the wrong
Heroku app. I don't know whether that is possible.

Colin

I notice that there are a number of html syntax errors on the page
[1], I don't see how that could cause the problem you are seeing but I
would sort those out anyway. Always fix the errors you understand
before worrying about ones you don't.

Colin

[1] http://validator.w3.org/check?uri=sharebi.com&charset=(detect+automatically)&doctype=Inline&group=0

Colin Law wrote in post #1088403:

tried to visit that url, the normal url is http://mydomain.com/login

I can only guess that it is/was a DNS issue so your request was
intermittently getting routed to the wrong server.

I notice that there are a number of html syntax errors on the page
[1], I don't see how that could cause the problem you are seeing but I
would sort those out anyway. Always fix the errors you understand
before worrying about ones you don't.

Colin

[1]

http://validator.w3.org/check?uri=sharebi.com&charset=(detect+automatically)&doctype=Inline&group=0

Yeah I should take care of those.
Well I hope this was a temporary problem, I should keep a close eye on
it.

Thanks for your comments Colin. Especially since this was not a Rails
thing, I wasn't sure where I could get some opinions.

Cheers.