Forum: Ruby on Rails

Is my site getting hacked?

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- and Ruby-related community platforms.
Josh Kieschnick (jjkiesch)
on 2007-05-10 02:12
(Received via mailing list)
I tried to ssh into a site that I have and was greeted with an error

-bash: fork: Resource temporarily unavailable

After sending a ticket to my host, I get a response saying:

    Someone is exploiting the code on your site to run local things in
    /tmp, not sure how they're exploiting it, but they sit in the
    background, and thus you get the fork warning.

Being fairly new to RoR, I went through everything I could think of...
checking to make sure permissions are correct, looking through log
files, etc, and came up with nothing. I tried getting more info from
the host, to find out what was running and if there was any more
information I could get to try and stop it, and this is what he says:

    Not sure what they're running, whatever it is deletes the source
    after it's started. It hides itself as exim queue runners.

Has anyone had problems like this? I have no idea what I can do to
track this down or if it's something even caused by my rails site in
the first place. It's running v1.1.6 on CentOS 3.8 if any of that
helps. Through my searching I found this article:
but have no idea if that even has anything to do with the problems
that I am having now.
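The host's two observations (a process whose binary is gone from disk, and something posing as an exim queue runner while living in /tmp) are exactly what you would look for on a live Linux box via /proc. The following is an added triage script written for this thread, not code from any poster or from the host: on Linux, /proc/PID/exe is a symlink that ends in " (deleted)" once the executable has been unlinked, and /proc/PID/cwd tells you where it is running. The process records below are constructed for illustration; the assumed path for a legitimate exim binary and the "tmp" directory list are assumptions you would adjust for your distribution.

```ruby
# Added example: triage running processes for the indicators described in
# the thread. Records can come from the constructed SAMPLE list below or,
# on a real Linux host, from live_processes (reading other users'
# /proc/PID/exe links requires root).

ProcessRecord = Struct.new(:pid, :uid, :comm, :cmdline, :exe, :cwd, keyword_init: true)

# World-writable scratch directories a web app's attacker typically uses
# (assumed list; extend for your system).
TMP_DIRS = %w[/tmp /var/tmp /dev/shm].freeze

# Where a packaged exim normally installs (assumption for this example).
EXPECTED_EXIM = %r{\A/usr/(sbin|lib)/exim}

# readlink(/proc/PID/exe) yields "<path> (deleted)" after the file is unlinked,
# which matches "deletes the source after it's started".
def exe_deleted?(rec)
  rec.exe.to_s.end_with?(" (deleted)")
end

def in_tmp?(path)
  return false if path.nil?
  TMP_DIRS.any? { |d| path == d || path.start_with?("#{d}/") }
end

# Either the binary itself or the working directory sits in a tmp dir.
def runs_from_tmp?(rec)
  in_tmp?(rec.exe) || in_tmp?(rec.cwd)
end

# A process can choose any argv[0]; "hides itself as exim queue runners"
# means the name says exim but the executable is not the real exim binary.
def impersonates_exim?(rec)
  argv0 = rec.cmdline.to_s.split(" ").first.to_s
  File.basename(argv0).start_with?("exim") && rec.exe.to_s !~ EXPECTED_EXIM
end

def suspicious_reasons(rec)
  reasons = []
  reasons << "executable deleted from disk" if exe_deleted?(rec)
  reasons << "runs from a world-writable tmp directory" if runs_from_tmp?(rec)
  reasons << "claims to be exim but binary is not exim" if impersonates_exim?(rec)
  reasons
end

# Returns [[record, reasons], ...] for every record with at least one hit.
def triage(records)
  records.map { |r| [r, suspicious_reasons(r)] }.reject { |_, rs| rs.empty? }
end

# Live collector for a Linux host (not used by the constructed sample run).
def live_processes
  Dir.glob("/proc/[0-9]*").filter_map do |dir|
    pid     = File.basename(dir).to_i
    cmdline = (File.read("#{dir}/cmdline").tr("\0", " ").strip rescue "")
    comm    = (File.read("#{dir}/comm").strip rescue "")
    exe     = (File.readlink("#{dir}/exe") rescue nil)
    cwd     = (File.readlink("#{dir}/cwd") rescue nil)
    uid     = (File.stat(dir).uid rescue nil)
    ProcessRecord.new(pid: pid, uid: uid, comm: comm, cmdline: cmdline, exe: exe, cwd: cwd)
  end
end

# Constructed sample: one real exim, one fake "exim" from a deleted /tmp
# binary, one perl bot running in /tmp, and sshd.
SAMPLE = [
  ProcessRecord.new(pid: 812,  uid: 0,  comm: "exim", cmdline: "/usr/sbin/exim -bd -q30m",
                    exe: "/usr/sbin/exim", cwd: "/var/spool/exim"),
  ProcessRecord.new(pid: 4412, uid: 48, comm: "exim", cmdline: "exim -q",
                    exe: "/tmp/.x/exim (deleted)", cwd: "/tmp/.x"),
  ProcessRecord.new(pid: 4413, uid: 48, comm: "perl", cmdline: "perl /tmp/bot.pl",
                    exe: "/usr/bin/perl", cwd: "/tmp"),
  ProcessRecord.new(pid: 31,   uid: 0,  comm: "sshd", cmdline: "/usr/sbin/sshd",
                    exe: "/usr/sbin/sshd", cwd: "/"),
].freeze

if $PROGRAM_NAME == __FILE__
  triage(SAMPLE).each do |rec, reasons|
    puts "pid #{rec.pid} uid #{rec.uid} #{rec.cmdline.inspect}: #{reasons.join('; ')}"
  end
end
```

Run it as root with `triage(live_processes)` to check the actual box; the uid column matters because anything spawned by the web server's user (here 48, an assumed apache uid) is the first place to look for the entry point.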
Faisal N Jawdat (Guest)
on 2007-05-10 05:20
(Received via mailing list)
The immediate question is probably:  how did they get in?  If you
have a virtual host you haven't locked down then there are a huge
number of vectors for getting access.

Faisal N Jawdat (Guest)
on 2007-05-10 05:23
(Received via mailing list)
Also, if at all possible you want to take the site offline to do
forensics, and possibly do a clean reinstall.

Ezra Zygmuntowicz (Guest)
on 2007-05-11 01:00
(Received via mailing list)
On May 9, 2007, at 5:11 PM, Josh wrote:

>     Someone is exploiting the code on your site to run local things in
>     /tmp, not sure how they're exploiting it, but they sit in the
>     background, and thus you get the fork warning.


You absolutely can't trust anything on that server anymore. You
should make a backup of your data and stuff you need and then wipe
the server and reinstall. Once you are compromised you cannot trust
the system any more, period. The only safe thing to do is wipe clean
and reinstall.


-- Ezra Zygmuntowicz
-- Lead Rails Evangelist
-- Engine Yard, Serious Rails Hosting
-- (866) 518-YARD (9273)
Josh Kieschnick (jjkiesch)
on 2007-05-11 01:17
(Received via mailing list)
Any ideas how it happened in the first place? I'm fine with wiping it
clean, but I want to make sure that if it was something that I did, I
won't do it again. Or at least know what things to watch for.

Thanks for the reply

Lourens Naude (Guest)
on 2007-05-11 01:40
(Received via mailing list)
Always worthwhile setting up Samhain ( samhain/) on a new box :-)
Eden Li (edenli)
on 2007-05-12 09:24
(Received via mailing list)
Need more information.  RoR itself is pretty secure if you haven't
inadvertently coded in any code/SQL injection or XSS holes.  Are you
treating user-provided input as SQL or Ruby/system calls without
escaping it?

Maybe they got in another way?  Are your passwords secure?  If you have
sshd listening on port 22 and have very simple usernames and
passwords, you're liable to get hacked.
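The two mistakes Eden Li asks about, user input pasted into SQL and user input handed to a shell, are the usual way a Rails app of that era ended up running a bot out of /tmp. The following added example (written for this page, not code from the thread or from Rails) puts the unsafe form of each next to the form that keeps the input as data. Everything it runs is constructed: the payload strings are typical test inputs, `echo` stands in for whatever binary an app might really shell out to, and the tiny `bind` helper is an assumption that mimics what a `?` placeholder (Rails' `:conditions => ["name = ?", value]` form) does; in real code you use the ORM's own binder, never a hand-rolled one.

```ruby
# Added example: unsafe vs. safe handling of user input for SQL and for
# system calls. Inputs below are constructed test payloads.

TAINTED_NAME = "' OR '1'='1"          # SQL tautology payload (constructed)
TAINTED_FILE = "x.png; echo INJECTED" # filename with shell metacharacters (constructed)

# ---- SQL -------------------------------------------------------------

# Unsafe: string interpolation makes the parameter part of the query text,
# so a quote in the input closes the literal and the rest is SQL.
def vulnerable_sql(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Minimal stand-in for a placeholder binder (assumption: models the
# ["... = ?", value] conditions form). Each value is quoted as one literal
# and embedded quotes are doubled, so input can never escape the literal.
def bind(sql, *values)
  raise ArgumentError, "placeholder/value count mismatch" unless sql.count("?") == values.size
  vals = values.dup
  sql.gsub("?") { "'" + vals.shift.to_s.gsub("'", "''") + "'" }
end

def safe_sql(name)
  bind("SELECT * FROM users WHERE name = ?", name)
end

# ---- system calls ----------------------------------------------------

# Unsafe: backticks (like system("...") with one string) hand the whole
# line to /bin/sh, so ";" in the filename starts a second command.
def vulnerable_shell(filename)
  `echo #{filename}`
end

# Safe: the argv form never spawns a shell; the filename is one literal
# argument no matter what characters it contains.
def safe_shell(filename)
  IO.popen(["echo", filename], &:read)
end

if $PROGRAM_NAME == __FILE__
  puts vulnerable_sql(TAINTED_NAME)   # WHERE name = '' OR '1'='1'  (matches every row)
  puts safe_sql(TAINTED_NAME)         # WHERE name = ''' OR ''1''=''1'  (one literal)
  puts vulnerable_shell(TAINTED_FILE) # two lines: the second command ran
  puts safe_shell(TAINTED_FILE)       # one line: the whole string was echoed
end
```

The same distinction applies to `system`, `exec`, `Kernel#open` with a leading `|`, and `%x{}`: one string means a shell, an argument list means no shell. For SQL, the cure is the placeholder form (or named binds), not hand-escaping.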