After sending a ticket to my host, I get a response saying the
following:
Someone is exploiting the code on yoru site to run local things
in /tmp, not
sure how they're exploiting it, but they sit in the background,
and thus you
get the fork warning.
Being fairly new to RoR, I went through everything I could think of...
checking to make sure permissions are correct, looking through log
files, etc, and came up with nothing. I tried getting more info from
the host, to find out what was running and if there was any more
information I could get to try and stop it and this is what he says
back:
Not sure what they're running, whatever it is deletes the source
after it's
started. It hides itself as exim queue runners.
Has anyone had problems like this? I have no idea what I can do to
track this down or if it's something even caused by my rails site in
the first place. It's running v1.1.6 on CentOS 3.8 if any of that
helps. Through my searching I found this article:
but have no idea if that even has anything to do with the problems
that I am having now.
The immediate question is probably: how did they get in? If you
have a virtual host you haven't locked down then there are a huge
number of vectors for getting access.
You absolutely can't trust anything on that server anymore. You shoudl make a backup of your data and stuff you need and then wipe the server and reinstall. Once you are compromised you cannot trust the system any more period. The only safe thing to do is wipe clean and reinstall.
Any ideas how it happened in the first place? I'm fine with wiping it
clean, but I want to make sure that if it was something that I did, I
won't do it again. Or at least know what things to watch for.
Need more information. RoR itself is pretty secure if you haven't
inadvertently coded in any code/sql injection or XSS holes. Are you
treating user-provided input as SQL or ruby/system calls without
escaping it?
Maybe they got in another way? Are you passwords secure? If you have
sshd listening to port 22 and have very simple usernames and
passwords, you're liable to get hacked.