I tried to ssh into a site that I have and was greeted with an error message:

-bash: fork: Resource temporarily unavailable
-bash-2.05b$

After sending a ticket to my host, I get a response saying the following:

Someone is exploiting the code on your site to run local things in /tmp, not sure how they're exploiting it, but they sit in the background, and thus you get the fork warning.

Being fairly new to RoR, I went through everything I could think of... checking to make sure permissions are correct, looking through log files, etc., and came up with nothing. I tried getting more info from the host, to find out what was running and if there was any more information I could get to try and stop it, and this is what he says back:

Not sure what they're running, whatever it is deletes the source after it's started. It hides itself as exim queue runners.

Has anyone had problems like this? I have no idea what I can do to track this down or if it's something even caused by my rails site in the first place. It's running v1.1.6 on CentOS 3.8 if any of that helps. Through my searching I found this article: http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure/ but have no idea if that even has anything to do with the problems that I am having now.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
The immediate question is probably: how did they get in? If you have a virtual host you haven't locked down then there are a huge number of vectors for getting access.

-faisal

On May 9, 2007, at 8:11 PM, Josh wrote:
Also, if at all possible you want to take the site offline to do forensics, and possibly do a clean reinstall.

-faisal

On May 9, 2007, at 11:19 PM, Faisal N Jawdat wrote:
On May 9, 2007, at 5:11 PM, Josh wrote:

Josh-

You absolutely can't trust anything on that server anymore. You should make a backup of your data and stuff you need and then wipe the server and reinstall. Once you are compromised you cannot trust the system any more, period. The only safe thing to do is wipe clean and reinstall.

Cheers-

-- Ezra Zygmuntowicz
-- Lead Rails Evangelist
-- ez-NLltGlunAUd/unjJdyJNww@public.gmane.org
-- Engine Yard, Serious Rails Hosting
-- (866) 518-YARD (9273)
Any ideas how it happened in the first place? I'm fine with wiping it clean, but I want to make sure that if it was something that I did, I won't do it again. Or at least know what things to watch for.

Thanks for the reply

Josh

On May 10, 5:58 pm, Ezra Zygmuntowicz <ezmob...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
Always worthwhile setting up Samhain (http://www.la-samhna.de/samhain/) on a new box :-)

On 2007/05/10, at 23:58, Ezra Zygmuntowicz wrote:
Need more information. RoR itself is pretty secure if you haven't inadvertently coded in any code/sql injection or XSS holes. Are you treating user-provided input as SQL or ruby/system calls without escaping it? Maybe they got in another way? Are your passwords secure? If you have sshd listening to port 22 and have very simple usernames and passwords, you're liable to get hacked.

On May 11, 7:17 am, Josh <jjkie...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
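Added example in Ruby (written here, not code from the thread or from Rails): it puts the two patterns the last reply asks about side by side, request input interpolated into a :conditions string and into a shell command versus the placeholder array and the argument-list form. The sanitize_sql_array below is a toy stand-in for ActiveRecord's, and the base directory and file names are constructed sample values.

```ruby
# Stand-in for ActiveRecord's sanitize_sql_array (toy reimplementation, not the
# Rails code): quote each value and substitute it for a "?" placeholder.
def quote_value(value)
  return value.to_s if value.is_a?(Numeric)
  "'#{value.to_s.gsub("'", "''")}'"   # double embedded single quotes
end

def sanitize_sql_array(ary)
  statement, *values = ary
  unless statement.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  pending = values.dup
  statement.gsub("?") { quote_value(pending.shift) }
end

# Vulnerable form: request input is spliced into the SQL text, so a quote in the
# input changes the statement's structure instead of staying inside the literal.
def unsafe_conditions(name)
  "name = '#{name}'"
end

# Safe form: the placeholder array keeps the input a quoted string literal.
def safe_conditions(name)
  sanitize_sql_array(["name = ?", name])
end

# Vulnerable form: one string goes to /bin/sh, which interprets any shell
# metacharacters the user put in the file name.
def unsafe_report_command(base, name)
  "du -sh #{base}/#{name}"
end

# Safe form: allow-list the name first, then build an argument list for
# Kernel#system (no shell involved; the path is a single argv entry).
def safe_report_argv(base, name)
  unless name =~ /\A[\w.-]+\z/ && name != "." && name != ".."
    raise ArgumentError, "rejected file name: #{name.inspect}"
  end
  ["du", "-sh", File.join(base, name)]
end

if __FILE__ == $0
  puts unsafe_conditions("O'Brien")   # name = 'O'Brien'   (broken SQL)
  puts safe_conditions("O'Brien")     # name = 'O''Brien'  (one literal)
  p safe_report_argv("/srv/uploads", "report-1.csv")
end
```

A plain apostrophe in a name is enough to show the difference: the interpolated form yields a statement the database will reject, while the placeholder form keeps it inside the literal.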