3

I've received a mail from somebody who pretends to have hacked my server, giving a few info about the server, and asking me to pay if I don't want the data to be posted online.

All the apps on the server are rails apps, and some of them were not up to date, courtesy of my laziness. So the obvious lead on how the dude got access to my server is through one of those rails vulnerabilities found during the last weeks.

I would like to know can I know for a fact if one of my apps were exploited this way. I tried grepping the logs for calls to system, marshalled objects in parameters, but no luck so far. I know I'm paying the price for my negligence, but I'd like to find for sure where was the exploit, in order to prevent myself against futures attacks.

Thanks a lot for your time!

Seb K
  • 31
  • 1
  • 1
    I am not qualified to provide an answer on this, so I would like to share a very good blog post on the topic. Hope it helps you now and in the future: http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/ – Cezar Mar 22 '13 at 02:54

2 Answers2

1

I'd update to the latest version of Rails to eliminate as many vulnerabilities as possible. Branch your code and keep a copy of your old unpatched code and a backup of the data to ferret out the problem, but for now you want to eliminate any vector you can.

Once you're up to date take time to dig through your logs and your old code to see if you have any noticeable security holes. Limit access to data in your models using attr_accessible and attr_readonly to prevent mass assignments to key fields. Make sure your validations in your models reject data that doesn't meet your requirements.

Richard Brown
  • 11,346
  • 4
  • 32
  • 43
  • They're all upgraded or in the process to be. Considering the type of apps I'm talking about, I don't think security holes could lead to an exploit, though it could lead to data loss/corruption, so it'll be the next steps. I'd still would like to find out where he got through, though – Seb K Mar 16 '13 at 21:59
1

Contact your FBI field office and work that angle.

In terms of security, integrate your deployment with things like web applications firewalls (hardware or software), SQL proxies (if applicable), harden your OS (GRSecurity, SELinux), and have your software tested by professionals if it is hosting information you're worried about (or financially important to you).

Also, try out something like Brakeman to provide some further assurances to your code security.

Mark Stanislav
  • 979
  • 4
  • 11