
Is my Rails 3.2.13 app running on my development machine being hacked?

I am using 'Thin' as my rails server in my development environment. I noticed something that alarmed me. I was taking a break... no keystrokes on my machine. The terminal window where Thin is running produced the following:

Started GET "/controller/method" for 127.0.0.1 at ...
Processing by ...Controller#method as HTML
Completed 401 Unauthorized in 58ms

Started GET "/users/sign_in" for 127.0.0.1 at 2013-08-16 11:47:02 -0400
Processing by Devise::SessionsController#new as HTML
...
Completed 200 OK in 178ms (Views: 22.3ms | ActiveRecord: 3.7ms)

Somewhere my development machine was responding to a request for a specific page that needed authorization and presented a log in screen to someone. It wasn't on my machine. No one else in my office has the technical ability, or the interest, to do a hack on my machine. So it must be coming from my wireless router or through our internet connection... I'm guessing.

In production I have an access log which gives an ip address for all those accessing our site. Is there something I can do to provide that kind of information? What can I do in my rails configuration to confirm that it was indeed a hack attempt?

I am addressing the rails process here. Is there a StackExchange site to address the security issues related to my router, internet connection and development machine? Which one(s) might it be?

Thanks.

Jay asked Aug 16 '13 16:08


2 Answers

It definitely seems like some automated hacking attempt. If you were running an older version of rails you could get it to execute arbitrary controller methods like that, or if you had set your routes file up improperly.

Just a reminder to set all of the controller methods you don't want to be visible to the outside world directly as private or protected. Also double check your routes file to ensure that you are avoiding less safe route definitions like match, if possible.

While this shouldn't entirely assuage your security concerns, being proactive about limiting the possible access attackers can gain will serve your project for the best. Additionally, you could set up thin to bind to 127.0.0.1 instead of 0.0.0.0, thereby preventing external requests (if possible).

Hderms answered Nov 09 '22 07:11


Oh man... it was so simple. Can't believe it took me so long to figure out. Safari has the "top sites" feature. Whenever I open a new tab, top sites is the page that is displayed. Some of my top sites are fixed by dragging a url to the top sites icon. The remainder are composed of other pages that are among the most frequently displayed. After I alter code I frequently view the page to make sure there are no errors. Top sites is trying to display some of those pages. Viewing those pages requires authorization. Top sites is trying to hack my development server. :=]

Jay answered Nov 09 '22 08:11
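The `Started` lines quoted in the question already carry the client address after `for`, which is enough to tell a local request from one arriving over the network. The following Ruby script is an added example, not part of the original posts: it parses log lines in that format and lists only the requests whose source is not loopback. The function names, the address ranges chosen and the sample log lines are assumptions constructed for illustration.

```ruby
require "ipaddr"

# Request line Rails writes to its log, in the format quoted in the question.
STARTED = /\AStarted (?<verb>[A-Z]+) "(?<path>[^"]*)" for (?<ip>\S+) at (?<time>.+)\z/

# Address ranges checked in order; anything outside them is reported as :public.
NETS = {
  loopback: %w[127.0.0.0/8 ::1/128],
  private:  %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10]
}.transform_values { |list| list.map { |cidr| IPAddr.new(cidr) } }

# Classify a logged client address as :loopback, :private, :public or :invalid.
def classify_source(ip_string)
  ip = IPAddr.new(ip_string)
  NETS.each do |kind, nets|
    return kind if nets.any? { |net| net.family == ip.family && net.include?(ip) }
  end
  :public
rescue IPAddr::Error
  :invalid
end

# Return one hash per "Started" line whose source address is not loopback.
def non_local_requests(log_text)
  log_text.each_line.map do |line|
    m = STARTED.match(line.strip)
    next unless m
    kind = classify_source(m[:ip])
    next if kind == :loopback
    { verb: m[:verb], path: m[:path], ip: m[:ip], kind: kind, time: m[:time] }
  end.compact
end

# Constructed sample: the first three lines mirror the question, the rest are invented.
SAMPLE_LOG = <<~LOG
  Started GET "/users/sign_in" for 127.0.0.1 at 2013-08-16 11:47:02 -0400
  Processing by Devise::SessionsController#new as HTML
  Completed 200 OK in 178ms (Views: 22.3ms | ActiveRecord: 3.7ms)
  Started GET "/users/sign_in" for 192.168.1.23 at 2013-08-16 11:48:10 -0400
  Started POST "/users/sign_in" for 203.0.113.7 at 2013-08-16 11:49:55 -0400
  Started GET "/" for ::1 at 2013-08-16 11:50:01 -0400
LOG

non_local_requests(SAMPLE_LOG).each do |r|
  puts "#{r[:time]}  #{r[:kind]}  #{r[:ip]}  #{r[:verb]} #{r[:path]}"
end
```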