EscapeCharacter
01-19-2001, 06:55 PM
does user friendliness reduce security? i just received an email from my local lug about a worm circulating through redhat 6.2 and 7.0 systems. here's the email.
fyi
---------- Forwarded message ----------
Internet Security Systems Security Alert
January 18, 2000
Ramen Linux Worm Propagation
Synopsis:
A self-propagating worm known as Ramen is currently exploiting well-known
holes in unpatched Red Hat Linux 6.2 systems and in early versions of Red
Hat 7.0. In addition to scanning for additional systems and propagating to
vulnerable systems, the worm also defaces Web servers it encounters by
replacing the "index.html" file. It may also interfere with some networks
supporting multicasting.
Ramen is currently known to attack Red Hat systems running vulnerable
versions of wu-ftp, rpc.statd, and LPRng. New exploits can be added to the
existing worm to expand its capabilities.
Description:
Ramen combines several known exploits and tools using a set of scripts.
The initial attack starts with a scan for port 21 (FTP) and the retrieval
of any FTP banners for any FTP services it encounters. The script uses
this information to determine if it has contacted a system that may be
vulnerable to one of its packaged exploits. Currently, Ramen uses the date
encountered in the FTP banner of the system being scanned.
If a vulnerable system is detected, the worm starts a propagation script
based on what vulnerability is likely to be present. The propagation
scripts and exploits run in parallel with the scanning process.
Using one of the exploitable services, Ramen executes a command on the
target system that creates a working directory for itself,
"/usr/src/.poop". Ramen then requests a copy of itself, ramen.tgz, from
the attacking system using Linux web browser and the Web-like service it
installs on compromised systems.
When installed on the new system, Ramen attempts to set up very limited
Web-like service on port 27374 to provide for further
distribution of the Ramen package. The service uses port 27374 to provide
a copy of the ramen.tgz package to any connection with any request on that
port.
Ramen searches the entire system, including any remotely mounted file
systems, and replaces any file named "index.html" with a copy of its own
page. This not only defaces any web site that it encounters, but also
corrupts html based documentation files and possible working files in
personal directories.
E-mail messages are sent to two accounts, gb31337@hotmail.com and
gb31337@yahoo.com, from compromised systems. Owners of the systems where
the two addresses were hosted have been notified.
Ramen disables existing FTP services (in inetd on Red Hat 6.2 or in xinetd
on Red Hat 7.0) and disables rpc.statd. This action may be to prevent any
attempts to re-infect the systems with additional copies of the worm.
Ramen continues to propagate by using the newly compromised system to scan
Class B (/16) wide address spaces, searching for port 21 (FTP) and looking
for new vulnerable hosts.
On networks and ISPs supporting multicasting, the SYN scanning performed
by Ramen can disrupt network traffic when scanning the multicast network
range.
Ramen is driven by scripts that can be easily modified to attack other
versions of Linux or other Unix systems. The exploits included with Ramen
are known to work against other versions of these systems, even though
Ramen itself is not keyed to trigger on them.
Affected Systems:
Red Hat 6.2 for Intel not patched for wu-ftp or nfs.
Red Hat 7.0 First Edition for Intel not patched for LPRng.
Systems not known to be vulnerable:
Red Hat 7.0 for Intel Second Edition (Respin).
Previous versions of Red Hat Linux.
Non-Intel versions of Linux.
Non-Red Hat versions of Linux.
Any other versions of Unix.
Additional Information:
Ramen does not attempt to hide its presence or clean up after itself. It
can be detected on a system by the presence of the
directory /usr/src/.poop or by the presence of the file /sbin/asp.
To remove the Ramen Worm from your system, follow these steps:
1. Delete: /usr/src/.poop and /sbin/asp.
2. If it exists, remove: /etc/xinetd.d/asp
3. Remove all lines in /etc/rc.d/rc.sysinit which refer to any
file in /etc/src/.poop.
4. Remove any lines in /etc/inetd.conf referring to /sbin/asp
5. Reboot the system or manually kill any processes such as synscan,
start.sh, scan.sh, hackl.sh, or hackw.sh.
6. ISS recommends that ftp, rpc.statd, or lpr are not enabled until
updates have been installed.
Due to the general-purpose exploits at the core of this worm, it is
advisable to implement the following safeguards to prevent successful
attacks from potential variations of this exploit.
Disable FTP if it is not a required service. FTP provides information that
can be exploited to identify vulnerable systems, even when FTP is not
vulnerable.
Do not permit outside network access to RPC services, including NFS.
Do not permit outside network access to LPR services.
Install and maintain all security fixes in a timely manner.
------------------
I like source it never *****es about dependencies
--Escchr 2000
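The indicators in the alert's "Additional Information" section (the dropped files, the rc.sysinit and inetd.conf hooks, the worm's processes and its port 27374 service) can be checked in one pass. This is an added example, not part of the ISS alert or the original post; the `ramen_check` function and its optional root-prefix argument (for inspecting a mounted image or a constructed test tree instead of the live host) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the ISS alert): report the Ramen indicators the
# alert lists. Pass a directory as $1 to inspect a mounted image or a test
# tree instead of the live system; an empty argument means the running host.
ramen_check() {
    root="${1:-}"
    # 1. Files and directories the worm drops
    for p in /usr/src/.poop /sbin/asp /etc/xinetd.d/asp; do
        [ -e "$root$p" ] && echo "FOUND: $root$p"
    done
    # 2. Persistence hooks; the alert writes the rc.sysinit path as
    #    /etc/src/.poop, so both spellings are matched
    for f in /etc/rc.d/rc.sysinit /etc/inetd.conf; do
        if [ -f "$root$f" ] && grep -Eq '/(usr|etc)/src/\.poop|/sbin/asp' "$root$f"; then
            echo "FOUND: worm reference in $root$f"
        fi
    done
    # 3. Live host only: worm scripts still running and the port 27374
    #    distribution service (netstat output is checked for the listener)
    if [ -z "$root" ]; then
        for proc in synscan start.sh scan.sh hackl.sh hackw.sh; do
            pgrep -f "$proc" >/dev/null 2>&1 && echo "FOUND: process $proc"
        done
        netstat -an 2>/dev/null | grep -q ':27374 ' && echo "FOUND: listener on port 27374"
    fi
    return 0
}

# Run against the live system by default, or against a prefix given as $1
ramen_check "$@"
```

Each FOUND line maps to one of the alert's six removal steps; a clean host prints nothing.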