
ActionController::UnknownFormat on Bugsnag

We got this error on our staging site yesterday and the error is ActionController::UnknownFormat and it happened at users/sessions#new. Here's the request that Bugsnag shows:

headers: {
           "Version": "HTTP/1.0",
           "Host": [Our site's IP],
           "X-Forwarded-Proto": "https",
           "X-Forwarded-For": "128.14.209.154",
           "Connection": "close",
           "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
           "Accept": "../../../../../../../../../../etc/services{{",
           "Accept-Encoding": "gzip"
         }

httpMethod: GET

params: {
          "controller": "users/sessions",
          "action": "new"
        }

railsAction: users/sessions#new

referer: null

requestId: 6ecd71ba-31c8-4d55-9199-8e45e3d86246

url: [Our site's IP]

user_id: 128.14.209.154

No one really knows what is going on and as far as we were aware, no one was doing anything on that site at the moment.

A few things struck me as odd:

  • This Accept in the headers: "Accept": "../../../../../../../../../../etc/services{{"
  • The url/host: The url/host is our site's IP address instead of the site itself.
  • The user_id: user_id: 128.14.209.154
  • The User-Agent, specifically this: (Windows NT 10.0; Win64; x64). We all use Macbooks at our place, so no one should be attempting to access the site on a Windows computer.

Are we getting attacked by a malicious person? If so, what are they trying to do and what is our best course of action to handle this?

We are running on Rails 5.2.1 and nginx 1.10.3 (Ubuntu). Please let me know what other information I could provide. Thank you.

Ccyan asked Jan 22 '26 22:01


1 Answer

Are we getting attacked by a malicious person?

Someone's taking potshots. It's likely it's an automated attack.

Just make sure you're updated to the latest. This is probably related to CVE-2019-5418.

Josh Brody answered Jan 25 '26 21:01
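
As an added example (not part of the answer above and not code from Rails): a small Rack middleware that checks the Accept header against the HTTP media-range grammar and answers 400 before the request reaches the controller, so a probe like the one in the question is refused and logged instead of raising ActionController::UnknownFormat. The class name AcceptHeaderGuard and the choice of a 400 response are assumptions; it complements the Rails update the answer recommends and does not replace it.

```ruby
# Added example, not code from the original post or from Rails.
# AcceptHeaderGuard is a hypothetical name; the 400 response is an assumption.
class AcceptHeaderGuard
  # HTTP "token" characters, used for type, subtype and parameter names.
  TOKEN = /[!$%&'*+\-.^_`|~0-9A-Za-z#]+/
  # ;name=value where value is a token or a quoted string (e.g. ;q=0.8).
  PARAM = /\s*;\s*#{TOKEN}=(?:#{TOKEN}|"(?:[^"\\]|\\.)*")/
  # One media range: type/subtype followed by any number of parameters.
  MEDIA_RANGE = /\A#{TOKEN}\/#{TOKEN}(?:#{PARAM})*\s*\z/

  # True when the header is absent/empty or every listed range is well formed.
  def self.valid_accept?(value)
    return true if value.nil? || value.strip.empty?

    ranges = value.split(",").map(&:strip).reject(&:empty?)
    ranges.all? { |range| MEDIA_RANGE.match?(range) }
  end

  def initialize(app, logger: nil)
    @app = app
    @logger = logger
  end

  def call(env)
    accept = env["HTTP_ACCEPT"]
    return @app.call(env) if self.class.valid_accept?(accept)

    # Log the raw value (inspect escapes control characters) for later review.
    @logger&.warn("malformed Accept #{accept.inspect} from #{env['REMOTE_ADDR']}")
    [400, { "content-type" => "text/plain" }, ["Bad Request\n"]]
  end
end

# In a Rails app (config/application.rb):
#   config.middleware.insert_before 0, AcceptHeaderGuard
```

The value from the question fails the check because it has more than one slash and contains `{`, which is not a token character; a normal browser Accept header passes unchanged.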


