RubyGems in recovery mode after site hack

Volunteers at  RubyGems.org are scrambling to recover the software repository after it was compromised yesterday.

An unknown user uploaded a malicious code package to RubyGems that executed on its server, threatening the integrity of hundreds of thousands of sites that use software from the site.

RubyGems is the software package repository for Ruby programming language applications, including the Ruby on Rails framework that is used by popular sites such as Twitter, Github, Yammer, Scribd, Groupon, and Shopify. 

Currently, the incident is not thought to have affected any other site than RubyGems.

Michael Koziarski, a maintainer of Ruby On Rails (RoR) told iTnews that the incident affected the framework in the sense that the vast majority of Rails users download it and associated libraries from RubyGems.

"While the situation was still unfolding it was possible that people could have been downloading compromised versions of their libraries; this does not appear to have happened," Koziarski said.

Koziarski advised RoR users to review what's running on their servers after the incident.

"Ensure that you have a full list of all the applications you're running on any of your servers," he said.

"That list should include the versions of Rails, the webservers and any other key pieces of infrastructure. Then finally go through each of those applications and ensure you're subscribed to the security announcement lists for everything that matters."

Due to the incident, cloud platform-as-a-service provider Heroku which supports Ruby, disabled deploys for the programming language.

After an extensive review of the RubyGems archive, Heroku has now re-enabled gem fetching. However, RubyGems still has partially degraded functionality.

RubyGems has set up a Google Docs document with status updates for the incident recovery and a webpage that shows which services are up currently.

The volunters are working on verifying all the gems packages at the moment to ensure they're free from malicious code.

In January this year, security researchers warned that Ruby on Rails had criticial vulnerabilities that allowed remote exploitation and the execution of arbitrary code. 

The current attack used a variation of the vulnerabilities found in January.