I regularly make time to run some ad-hoc reports on the log files from our web servers to look for strange and unusual things. Thanks to the Interwebs, there are never a shortage of either to be found.
Each trip through the log files, I try to isolate at least one error or error message and find the root cause. Once I have that, I then look for ways to remedy or work around the issue. Sometimes I get lucky and it's something that I can actually put a fix in for, but most times I'm left with a more questions and fewer answers.
The symptom of today's journey of exploration was the addition of "/cache/<hex string>" to random URLs on the site that has been going on for some time now. It has been affecting Chrome users, and across several Chrome versions.
I had initially be scouring the JavaScript on the site to see if one of the 3rd party libraries had gone off the deep end and had a bug that only Chrome users hit, with no success. A few months ago, I went down the path of bad caching/acceleration software that was using a scheme like this to ... well, your guess is as good as mine.
Today, though, I got lucky: I found an answer.
What I was able to track down today is a report of similar problems on other sites that lead me to a Chrome bug report, as well as a one of many self-help malware remedy pages. It seems that people have installed an extension called "Browser Companion Helper" that sounds like it is anything but what the name would suggest.
Since knowing is half the battle, now the next trick is to figure what to do with this new information.
There does not appear to already be a way to detect the plugin and alert the user directly. Without infecting one of my systems with that malware, I can't figure out if there is a way to redirect the user to a removal page to clean up their system, as sometimes the erroneous URL is requested before a legitimate one, other times after.
It would be nice if Google could blacklist plugins like this and prevent the extension from running in a future release of Chrome. It looks like there was some work done mid-2012 in the extension blacklist corner of Chrome, but it is unclear what Google's policy is for shipping default blacklists in cases like this.
So I'm not sure just how much I might be able to do to remedy the real root cause and enable the user to get the malware off their system. In the mean time, I now know what causes these requests, and I can safely ignore them as a client-side issue, not something that the JavaScript on our pages is doing wrong.
No comments:
Post a Comment