The reality is that bad actors scan the public Internet for exploitable servers all the time. It's easy, it's cheap, and it's a very effective way to grow your botnet. If you're on the Internet, it doesn't matter how obscure you are: someone will eventually probe you.
> I think we have to warn all RoR developers...
Every time I touch a new project it's in need of security updates. Any time a site gets owned, there's no accountability or logging or anything. Any time a security issue does manage to get found it's as if it's a rare new thing. "Wow, who would have thought that could happen." Well, let's see, the developers of the software you're using, and anyone that pays attention to them.
Also http://getshrubbery.com/home which is free, but seemed mildly broken when I tried it (it seemed to forget some of my actually outdated packages when I tried it).
Regardless, it's an absolute must read for anyone even thinking about using rails.
I.e., they have been grossly negligent in their server maintenance for most of this year.
[Edit: although at least one mentions 3.2.11, which should have that particular vulnerability fixed, so it will probably at least sometimes be something else.]
Sign up at my landing page to hear more when I'm closer to launch.
Try it now.
My preference would be to upload that Gemfile.lock to a location, and then it could be scanned as and when new vulnerabilities were detected.
Making this automatic is the key part - if you don't get burned very often, you'll eventually forget to do the right thing manually and open yourselves to badness.
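An added example, not code from the thread or from any of the services mentioned in it, of the kind of check the comment above describes: parse a Gemfile.lock, compare every locked gem against an advisory list, and report what needs updating. The advisory list, its placeholder identifiers and the sample lockfile are all constructed here; the only version the thread itself supports is that Rails 3.2.11 fixes the issue being discussed. A real deployment would feed the scanner a published advisory database and run it on a schedule, which is the "automatic" part the comment is asking for.

```ruby
# Added example: scan a Gemfile.lock for gems older than a known fix.
# Not code from the thread or from any real scanning service.
require "rubygems" # Gem::Version and Gem::Requirement

# Constructed advisory list (assumption, not real advisory data). Each entry
# gives the requirement a *fixed* version satisfies; the IDs are placeholders.
ADVISORIES = {
  "rails"     => [{ id: "ADVISORY-A (placeholder)", fixed: [">= 3.2.11"] }],
  "widgetlib" => [{ id: "ADVISORY-B (placeholder)", fixed: [">= 1.0.0"] }],
}.freeze

# Constructed sample lockfile: Rails pinned below the 3.2.11 fix, plus a
# fictional gem with its own placeholder advisory.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.8)
        rack (~> 1.4.0)
      rack (1.4.1)
      rails (3.2.8)
        actionpack (= 3.2.8)
      widgetlib (0.9.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.8)
    widgetlib
LOCK

# Extract {name => Gem::Version} from every "specs:" section of a lockfile.
# Locked specs are the 4-space-indented "name (version)" lines; the 6-space
# lines beneath them are dependency constraints, not locked versions.
def locked_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line == "  specs:"
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # new top-level section (PLATFORMS, DEPENDENCIES, ...)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      version = m[2].split("-").first # drop a platform suffix such as -x86-mingw32
      specs[m[1]] = Gem::Version.new(version)
    end
  end
  specs
end

# Compare locked versions against the advisory list and return the findings.
def vulnerable_gems(specs, advisories = ADVISORIES)
  findings = []
  specs.each do |name, version|
    (advisories[name] || []).each do |adv|
      fixed = Gem::Requirement.new(*adv[:fixed])
      next if fixed.satisfied_by?(version)
      findings << { gem: name, version: version.to_s, id: adv[:id], fixed: adv[:fixed].join(", ") }
    end
  end
  findings
end

# Whole pipeline: lockfile text in, sorted findings out.
def scan(lockfile_text, advisories = ADVISORIES)
  vulnerable_gems(locked_specs(lockfile_text), advisories).sort_by { |f| f[:gem] }
end

if __FILE__ == $0
  findings = scan(SAMPLE_LOCK)
  findings.each do |f|
    puts "#{f[:gem]} #{f[:version]} is affected by #{f[:id]}; update to #{f[:fixed]}"
  end
  puts "no known-vulnerable gems" if findings.empty?
end
```

The comparison uses Gem::Version rather than string ordering, so 3.2.8 is correctly seen as older than 3.2.11; a naive lexical compare would get that wrong.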
The IRC server is cvv4you.ru:6667 #rails
There are currently 2164 idling bots on there. Holy fuck. It's run by a guy with the handle "ryan".
Connect to it and see for yourself: http://chat.mibbit.com/
- Both IRC servers are currently down (connection refused).
- The C code is full of bugs, but they're probably only exploitable if you can get either a nick more than 1024 characters or a full line more than 4096 characters (in the latter case, aside from there being an off-by-one error, the data after 4096 characters will be treated as a command, so you could spoof a privmsg and cause the bot to execute a shell command).
NICK <nick> = Changes the nick of the client
SERVER <server> = Changes servers
KILL = Kills the client
GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
HELP = Displays this
IRC <command> = send_msgs this command to the server
SH <command> = Executes a command
I'm a little light on IRC proxies right now - anyone care to test if you can kill all 2,164 bots in one easy peasy MIRC script?
ryan is one of its lead members. Other evidence is the fact that "starfall.cu.cc" is one domain being used to grab this script: http://starfall.cu.cc/chips.txt
Starfall is another one of their members.
They're the people who breached Linode, MIT, nmap, and a few other places recently. See: http://www.exploit-db.com/papers/25306/
I'm surprised no one's thought of mass exploiting all those RoR servers months ago, unless those have all been there for months.
How come these guys are even operational?
If I had to guess, I'd assume that Hacker News is frequented by a lot of programmers running startups who don't have and don't know any operations/infrastructure people. Here's a budget item: You can't afford to not have and not know any ops/infra people. Those people should be part of your team from the beginning so that they can put their foot down when you want to roll something that won't scale or want to avoid updating software versions because it might break something and you're crunching. If you think you can get away with those things, you're setting yourself up for a fall, and your customers' data will be exposed when you fall. If more VCs did diligence at the technical level, would more founders be likely to pay attention to infrastructure and operations as anything besides an expense that "can't be that difficult" to avoid by DIY?
(to be used as an initializer)
If you're using Rails externally and you haven't upgraded it, it's only a matter of time till it gets hacked.
Could be the most obvious statement ever, but there you have it.
I also started using Gemnasium which does a good job of notifying me about security patches in my app's dependencies along with keeping me up to date with gem releases.
slowly and carefully move only non-executable files over (uploaded images, post-inspection database dumps).
if you deployed using git checkouts and the like you will also have to manually go through all the commits/branches to make sure they didn't muck about with your code to install a backdoor.
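An added example, not from the comment above, of applying the "only non-executable files" rule mechanically rather than by eye. It walks a directory copied off the compromised host, accepts a file only when its leading bytes match an allowed data format (image or gzip dump) and agree with its extension, refuses symlinks and anything without a recognised data signature, and writes accepted files with mode 0644 so nothing arrives executable. The allowed format list, the directory layout and the fixture files are all constructed for the example.

```ruby
# Added example: triage files from a compromised host before carrying them
# over to a rebuilt one. Not code from the thread.
require "fileutils"
require "tmpdir"

# Allowed data formats, identified by magic bytes rather than by extension,
# so a script renamed to "photo.jpg" is refused (list is an assumption).
MAGIC = {
  "png"  => "\x89PNG\r\n\x1a\n".b,
  "jpeg" => "\xFF\xD8\xFF".b,
  "gif"  => "GIF8".b,
  "gzip" => "\x1F\x8B".b,
}.freeze

# Which content type each accepted extension must carry.
EXTENSIONS = { "png" => "png", "jpg" => "jpeg", "jpeg" => "jpeg",
               "gif" => "gif", "gz" => "gzip" }.freeze

# Classify a file by its first bytes; nil means "no recognised data format".
def classify(path)
  head = File.binread(path, 16) || "".b
  MAGIC.each { |type, sig| return type if head.start_with?(sig) }
  nil
end

# Decide whether a path may be carried over. Returns [:accept, nil] or
# [:reject, reason]. Symlinks are refused before anything else so that a
# link planted under uploads/ cannot pull in a file from elsewhere.
def triage(path)
  return [:reject, "symlink"] if File.symlink?(path)
  return [:reject, "not a regular file"] unless File.file?(path)
  type = classify(path)
  return [:reject, "no recognised data signature (treated as code or text)"] if type.nil?
  ext = File.extname(path).downcase.delete(".")
  return [:reject, "extension #{ext.inspect} does not match #{type} content"] if EXTENSIONS[ext] != type
  [:accept, nil]
end

# Copy accepted files under dest_root, keeping relative paths and forcing
# mode 0644. Returns {accepted: [rel paths], rejected: {rel path => reason}}.
def migrate(src_root, dest_root)
  report = { accepted: [], rejected: {} }
  Dir.glob("**/*", base: src_root).sort.each do |rel|
    path = File.join(src_root, rel)
    next if File.directory?(path) && !File.symlink?(path)
    decision, reason = triage(path)
    if decision == :accept
      dest = File.join(dest_root, rel)
      FileUtils.mkdir_p(File.dirname(dest))
      FileUtils.cp(path, dest)
      File.chmod(0644, dest) # data files never need to be executable
      report[:accepted] << rel
    else
      report[:rejected][rel] = reason
    end
  end
  report
end

# Constructed fixture: a real-looking image, a script disguised as an image,
# a gzip dump, an executable deploy script, and a symlink pointing outside.
def build_fixture(root)
  FileUtils.mkdir_p(File.join(root, "uploads"))
  File.binwrite(File.join(root, "uploads", "avatar.png"), MAGIC["png"] + "\0" * 32)
  File.binwrite(File.join(root, "uploads", "shell.jpg"), "#!/bin/sh\necho hello\n")
  File.binwrite(File.join(root, "dump.sql.gz"), MAGIC["gzip"] + "\x08\0" + "x" * 20)
  File.write(File.join(root, "deploy.sh"), "#!/bin/sh\necho deploying\n")
  File.chmod(0755, File.join(root, "deploy.sh"))
  File.symlink("/etc/passwd", File.join(root, "uploads", "link.png"))
end

if __FILE__ == $0
  Dir.mktmpdir do |tmp|
    src, dst = File.join(tmp, "old"), File.join(tmp, "new")
    build_fixture(src)
    report = migrate(src, dst)
    report[:accepted].each { |rel| puts "accepted #{rel}" }
    report[:rejected].each { |rel, why| puts "rejected #{rel}: #{why}" }
  end
end
```

This deliberately does not try to recognise "safe" text files: a database dump is only accepted once it has been inspected and compressed, matching the "post-inspection" wording above, and anything that is plain text is left for a human to look at.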