I've just launched my first Rails 3.2.6 application to a production server. When someone goes to the home page this is handled by my IndexController and depending on the type of user logged in it might send it to an alternative URL.
A slightly simplified code example of what I have is this:

```ruby
def index
  path = new_user_session_url # default path
  if current_user
    path = users_admin_index_path # admin path
  end
  redirect_to path, :notice => flash[:notice], :alert => flash[:alert]
end
```
What I'm confused about is that I've been monitoring the logs for issues, and it appears the redirect is going to random sites in Brazil for two IP addresses. Is this something that I should be worried about? Any information to help me understand what's going on here would be very much appreciated.
See the log extract below, where in the "Redirected to" URL the domain is changed from what my site is to www.bradesco.com.br, www.bb.com.br or www.itau.com.br.
No one has reported any issues on the site, but I just wanted to try and understand this a little better.
```
Started GET "/" for 65.111.177.188 at 2012-08-10 00:20:10 -0400
Processing by Home::IndexController#index as HTML
Redirected to http://www.itau.com.br/home
Completed 302 Found in 2ms (ActiveRecord: 0.0ms)
Started GET "/" for 65.111.177.188 at 2012-08-10 00:20:10 -0400
Processing by Home::IndexController#index as HTML
Redirected to http://www.bradesco.com.br/home
Completed 302 Found in 1ms (ActiveRecord: 0.0ms)
Started GET "/" for 65.111.177.188 at 2012-08-10 00:20:10 -0400
Processing by Home::IndexController#index as HTML
Redirected to http://www.bb.com.br/home
Completed 302 Found in 1ms (ActiveRecord: 0.0ms)
Started GET "/" for 64.251.28.71 at 2012-08-09 22:00:20 -0400
Processing by Home::IndexController#index as HTML
Redirected to http://www.bradesco.com.br/home
Completed 302 Found in 1ms (ActiveRecord: 0.0ms)
```
I'm seeing the same thing with one of my Rails staging servers. I think the issue is that you need to reject all traffic that isn't for the expected domains.
Something like this in your nginx setup (if you're using nginx):
http://nginx.org/en/docs/http/server_names.html

```nginx
# Catch-all server: any request whose Host header matches no other
# server_name lands here and is dropped without a response (444).
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```
Not sure what the point of this traffic is. Some sort of round-about new way of using someone else's Rails app as a phishing site, while sniffing network traffic? There seem to be too many variables for that to be an effective technique.
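As an added example (not code from the question or the answer), here is the mechanism behind those log lines together with a defender's check over them: in Rails 3.2, `*_url` helpers and `redirect_to` with a relative path both build the `Location` header from the request's Host header, so a foreign host in "Redirected to" means the request arrived with an unexpected Host value, not that the application was compromised. The expected host names, the `host_allowed?` check and the second request in the sample log are constructed assumptions.

```ruby
require 'uri'

# Added example, not code from the question or answer. The hosts the
# application is really served under are constructed placeholder values.
EXPECTED_HOSTS = %w[www.example.com example.com].freeze

# Why the log shows foreign hosts: in Rails 3.2 both *_url helpers and
# redirect_to with a relative path build the Location header from the
# request's Host header (request.host_with_port), so a request carrying
# "Host: www.itau.com.br" is answered with a redirect to that host.
def redirect_location(path, request_host)
  "http://#{request_host}#{path}"
end

# Application-side counterpart of the answer's nginx catch-all server:
# true only for a Host value (port stripped) the app is meant to serve.
def host_allowed?(request_host, expected_hosts = EXPECTED_HOSTS)
  expected_hosts.include?(request_host.to_s.sub(/:\d+\z/, '').downcase)
end

# Scan a production.log extract and return every "Redirected to" whose host
# is not expected, paired with the IP that sent the request. Relative
# redirects (no host) are not flagged.
def suspicious_redirects(log, expected_hosts = EXPECTED_HOSTS)
  current_ip = nil
  log.each_line.each_with_object([]) do |line, found|
    if (m = line.match(/\AStarted \w+ ".*" for (\S+) at /))
      current_ip = m[1]
    elsif (m = line.match(/\ARedirected to (\S+)/))
      host = URI.parse(m[1]).host
      next if host.nil? || expected_hosts.include?(host.downcase)
      found << { ip: current_ip, host: host, url: m[1] }
    end
  end
end

# Constructed log lines in the format of the question's extract.
SAMPLE_LOG = <<~LOG
  Started GET "/" for 65.111.177.188 at 2012-08-10 00:20:10 -0400
  Processing by Home::IndexController#index as HTML
  Redirected to http://www.itau.com.br/home
  Completed 302 Found in 2ms (ActiveRecord: 0.0ms)
  Started GET "/" for 192.0.2.10 at 2012-08-10 00:21:00 -0400
  Processing by Home::IndexController#index as HTML
  Redirected to http://www.example.com/users/sign_in
  Completed 302 Found in 1ms (ActiveRecord: 0.0ms)
LOG

suspicious_redirects(SAMPLE_LOG).each do |hit|
  puts "#{hit[:ip]} obtained a redirect to #{hit[:host]} (#{hit[:url]})"
end
```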