GbPlugin

This user agent is able to create a bad request for image assets that
bypasses nginx. We are seeing these odd requests in our Rails
application (via Passenger), but they should either be 400s or serve
valid images. A quick Google search turns up some interesting history
on this User-Agent; it seems that it has been compromised by some
Brazilian malware authors.

Here is an example exception from our application. Does anyone see
anything strange? If I attempt to hit that URL in a standard browser I
get an image. I do not see an Accept header; perhaps this is why
nginx is passing the request on?

A ActionController::RoutingError occurred in application#index:

No route matches "/images/ajax-loader.gif" with
{:subdomain=>"macchiato-assets2", :method=>:get,
:domain=>"onehub.com", :host=>"macchiato-assets2.onehub.com"}
[RAILS_ROOT]/vendor/rails/actionpack/lib/action_controller/routing/recognition_optimisation.rb:66:in
`recognize_path'


Request:


Session:

  • session id: nil
  • data: nil

Environment:

  • CONTENT_LENGTH : 0

  • DOCUMENT_ROOT :
    /data/onehub/current/public

  • HTTP_CACHE_CONTROL : no-cache

  • HTTP_CONNECTION : keep-alive

  • HTTP_COOKIE :
    _onehub_session_id=; remember_me=1

  • HTTP_HOST :
    macchiato-assets2.onehub.com

  • HTTP_USER_AGENT : GbPlugin

  • HTTP_X_FORWARDED_FOR : 200.204.143.221

  • PASSENGER_APP_SPAWNER_IDLE_TIME : -1

  • PASSENGER_APP_TYPE : rails

  • PASSENGER_ENVIRONMENT : production

  • PASSENGER_FRAMEWORK_SPAWNER_IDLE_TIME : -1

  • PASSENGER_SPAWN_METHOD : smart-lv2

  • PASSENGER_USE_GLOBAL_QUEUE : true

  • PATH_INFO :
    /images/ajax-loader.gif?1273194370

  • QUERY_STRING :

  • RAW_REQUEST_URI :
    /images/ajax%2Dloader.gif%3F1273194370

  • REMOTE_ADDR : 10.250.18.33

  • REMOTE_PORT : 48252

  • REQUEST_METHOD : GET

  • REQUEST_URI :
    /images/ajax-loader.gif?1273194370

  • SCGI : 1

  • SCRIPT_NAME :

  • SERVER_ADDR : 10.250.182.80

  • SERVER_NAME : 10.250.182.80

  • SERVER_PORT : 80

  • SERVER_PROTOCOL : HTTP/1.1

  • SERVER_SOFTWARE : nginx/0.7.65

  • _ : _

  • action_controller.request.path_parameters :

  • action_controller.request.query_parameters : 1273194370

  • action_controller.request.request_parameters:

  • action_controller.rescue.request :
    #<ActionController::Request:0x10175510>

  • action_controller.rescue.response :
    #<ActionController::Response:0x101678e8>

  • rack.errors : #<IO:0x98afe18>

  • rack.input :
    #<PhusionPassenger::Utils::RewindableInput:0x10175ab0>

  • rack.multiprocess : true

  • rack.multithread : false

  • rack.request.cookie_hash :

  • rack.request.cookie_string :
    _onehub_session_id=; remember_me=1

  • rack.request.query_hash : 1273194370

  • rack.request.query_string : 1273194370

  • rack.run_once : false

  • rack.session :

  • rack.session.options :

  • rack.url_scheme : http

  • rack.version : 10

  • Process: 27543

  • Server : ip-10-250-182-80

Mystery solved: it is a poorly configured client that URI-encodes the
query string's '?':

"GET /images/icons/folder_read_16x16.png%3F1273194370 HTTP/1.1"

This should be:

"GET /images/icons/folder_read_16x16.png?1273194370 HTTP/1.1"
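The following is an added example, not code from the original post or from the onehub.com application. It shows why the encoded request falls through to Rails: a server splits the request-target at the first literal '?' before percent-decoding, so '%3F' decodes to a '?' inside the file path, the resulting name does not exist under public/, and nginx hands the request to the backend instead of serving the image. It also scans constructed access-log lines (combined format, modelled on the requests quoted above) for the same malformed pattern so the offending client can be picked out. The set of static files, the log lines and the helper names are assumptions made for the example.

```python
"""Why a percent-encoded '?' (%3F) in a request path bypasses static-file
serving and falls through to the application.

Added example; not part of the original post. Request targets and log lines
are constructed to mirror the ones quoted in the post.
"""
import re
from urllib.parse import unquote

# Constructed: files assumed to exist under public/ on the asset host.
STATIC_FILES = {
    "/images/ajax-loader.gif",
    "/images/icons/folder_read_16x16.png",
}


def split_target(target):
    """Split a request-target the way a server does: at the first literal
    '?', *before* percent-decoding (RFC 3986 reserves '?' as the delimiter;
    '%3F' is just path data). A '%3F' therefore never becomes a query
    delimiter; it decodes to a literal '?' inside the path."""
    path, _, query = target.partition("?")
    return unquote(path), query


def classify(target, static_files=STATIC_FILES):
    """Return 'static' if the decoded path names a real file, otherwise 'app'
    (the request is not served from disk and reaches the Rails backend,
    where the router has no match and raises a RoutingError)."""
    path, _ = split_target(target)
    return "static" if path in static_files else "app"


def has_encoded_query(target):
    """True when the path part (before any literal '?') carries a
    percent-encoded '?', the malformed pattern seen from GbPlugin."""
    path, _, _ = target.partition("?")
    return "%3f" in path.lower()


# Constructed access-log lines in nginx's combined format. The first client
# address is the X-Forwarded-For value from the post; the second is a
# documentation-range address standing in for a normal browser.
LOG_LINES = [
    '200.204.143.221 - - [07/May/2010:00:00:00 +0000] '
    '"GET /images/icons/folder_read_16x16.png%3F1273194370 HTTP/1.1" 404 0 "-" "GbPlugin"',
    '198.51.100.7 - - [07/May/2010:00:00:01 +0000] '
    '"GET /images/icons/folder_read_16x16.png?1273194370 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '200.204.143.221 - - [07/May/2010:00:00:02 +0000] '
    '"GET /images/ajax%2Dloader.gif%3F1273194370 HTTP/1.1" 404 0 "-" "GbPlugin"',
]

# Pull method, request-target, status and user agent out of a combined-format line.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) .* "(?P<ua>[^"]*)"$'
)


def find_malformed(log_lines):
    """Return (client, user_agent, target) for every request whose path
    carries an encoded '?', so the misbehaving client can be identified."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and has_encoded_query(m.group("target")):
            client = line.split(" ", 1)[0]
            hits.append((client, m.group("ua"), m.group("target")))
    return hits


if __name__ == "__main__":
    for t in ("/images/icons/folder_read_16x16.png?1273194370",
              "/images/icons/folder_read_16x16.png%3F1273194370"):
        path, query = split_target(t)
        print(f"{t}\n  path={path!r} query={query!r} -> {classify(t)}")
    for hit in find_malformed(LOG_LINES):
        print("malformed request:", hit)
```

Note that '%2D' in the second GbPlugin request is harmless: it decodes to '-' and the path still names a real file. Only the encoded '?' changes the meaning of the request, which is why matching on '%3F' in the path portion is enough to flag this client without also flagging browsers that legitimately encode other characters.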