A worm program called Ramen has been found attacking Linux systems.

It can compromise thousands of servers running Red Hat 6.2 and 7.0. Ramen exploits known Linux security vulnerabilities: it first scans the network for Red Hat 6.2/7.0 servers that have the rpc.statd and wu-ftpd vulnerabilities, then tries to gain root privileges on them. Once it succeeds, it replaces some common system services and plants its own program code, a so-called "root kit", on the compromised host; it also replaces the site's home page with "RameN Crew -- Hackers looooooooooooove noodles". Finally, Ramen sends two e-mail messages and starts attacking other Red Hat servers. Ramen only attacks Red Hat and does limited damage, but its propagation speed is remarkable: it can scan about 130,000 sites in 15 minutes. Ramen is even considerate: once an attack is complete it patches the three vulnerabilities it uses (rpc.statd and wu-ftpd on Red Hat 6.2, LPD on Red Hat 7.0). However, the process it leaves running on the system to scan for further machines consumes large amounts of network bandwidth; this can cause other hosts to treat the traffic as an attack, saturate the network, and even crash systems. The program is therefore not a virus in the usual sense; it is a worm-like program that spreads by exploiting security vulnerabilities in other programs. A statement attributed to the program's author, Randy Barrett, says that the kind of vulnerability it exploits is present in a wide variety of network servers, and that when he wrote the Ramen program it was not designed specifically for Linux.

Prevention is simple: upgrade nfs-utils and wu-ftpd on Red Hat 6.2 and LPRng on Red Hat 7.0. The updated packages can be downloaded from ftp://updates.redhat.com/.

To check whether a system has been compromised by the program, look for the directory /usr/src/.poop and for port 27374 being open; if both are present, the host has been invaded by Ramen. Whether a system is infected by the Ramen worm is judged mainly on the following points:

1. the directory /usr/src/.poop exists;
2. the file /sbin/asp exists;
3. local port 27374 is open (check with the netstat -an command).

The following Perl script can be used to detect it:

#!/usr/bin/perl
# Script that checks for signs of ramen infection
# Patrick Oonk, patrick@security.nl
# based on Daniel Martin's description at
# http://www.securityfocus.com/archive/75/156624
# No guarantees, do with this script whatever you like (BSD license)
use strict;
use warnings;

my $detected = 0;
print "Ramen worm checker.\nChecking...\n";

# Report the Red Hat release; the worm only targets 6.2 and 7.0
if (open(my $rel, '<', '/etc/redhat-release')) {
    my $release = <$rel>;
    chomp $release;
    print "You are running $release\n";
    close($rel);
}

# Files and directories the worm drops on an infected host
my @suspect = ("/usr/src/.poop", "/usr/src/.poop/ramen.tgz", "/tmp/ramen.tgz");
foreach (@suspect) {
    if (-e) {                    # -e tests $_ when given no argument
        print "found $_\n";
        $detected++;
    }
}

# The worm serves ramen.tgz to new victims from a web server listening on TCP 27374
if (open(my $net, '-|', '/bin/netstat -an')) {
    while (<$net>) {
        if (/:27374.*LISTEN/) {
            print "Ramen webserver detected on port 27374\n";
            $detected++;
            last;
        }
    }
    close($net);
} else {
    print "Could not open /bin/netstat\n";
}

if ($detected) {
    print "$detected telltale signs of ramen found. Get professional help\n";
} else {
    print "Wheee! No ramen signs found!\n";
}

Steps to clean a system infected with the Ramen worm:

1. Delete the directory /usr/src/.poop and the file /sbin/asp.
2. If the directory /etc/xinetd.d exists, remove /etc/xinetd.d/asp.
3. Remove the lines that reference /usr/src/.poop from /etc/rc.d/rc.sysinit.
4. Remove the lines that reference /sbin/asp from /etc/inetd.conf.
5. Reboot the system, and manually kill any of the following processes that are still running: synscan, start.sh, scan.sh, hackl.sh, hackw.sh.
6. Upgrade wu-ftpd, rpc.statd (nfs-utils), lpr (LPRng) and related programs. Since Ramen enters the system through wu-ftpd, rpc.statd and lpr, besides upgrading these programs it is best to shut down any of them you do not need; this effectively prevents infection by Ramen.
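The cleanup steps above, as an added example written for this page (it is not code from the original post, from the worm, or from the Perl checker's author): a POSIX shell script that performs steps 1 to 4 against a filesystem root you name, so it can be run on a mounted disk image as well as on the live host (pass /), plus a separate function for the process kills in step 5. The paths and process names are exactly the ones the post lists; the fixture tree it plants for the demonstration is constructed here and mirrors a real infection only in those indicators.

```shell
#!/bin/sh
# Ramen cleanup helper. Added example for this page; not code from the original
# post, the worm, or the Perl checker's author. Paths and process names are the
# ones the post lists; everything else is an assumption of this example.

# Remove every line containing the literal string $2 from file $1, keeping the
# original as $1.ramen.bak. The file is overwritten in place, so its owner and
# mode (which matter for rc.sysinit) are preserved.
strip_lines() {
    sl_file="$1"; sl_needle="$2"
    cp -p -- "$sl_file" "$sl_file.ramen.bak"
    # grep -v exits 1 when nothing remains to print; that is not an error here.
    grep -vF -- "$sl_needle" "$sl_file.ramen.bak" > "$sl_file" || true
}

# Steps 1-4: delete the worm's files and strip its lines from the two config
# files. $1 is the filesystem root to operate on ("/" for the live host, or the
# mount point of an offline image). Prints the number of artefacts removed.
ramen_cleanup() {
    rc_root="${1:?usage: ramen_cleanup ROOT}"
    rc_root="${rc_root%/}"      # "/" becomes "", so "$rc_root/sbin" is "/sbin"
    rc_found=0
    for p in "$rc_root/usr/src/.poop" "$rc_root/sbin/asp" "$rc_root/etc/xinetd.d/asp"; do
        if [ -e "$p" ]; then
            rm -rf -- "$p"
            rc_found=$((rc_found + 1))
        fi
    done
    # file:needle pairs; neither path contains a colon
    for spec in "etc/rc.d/rc.sysinit:/usr/src/.poop" "etc/inetd.conf:/sbin/asp"; do
        f="$rc_root/${spec%%:*}"; needle="${spec#*:}"
        if [ -f "$f" ] && grep -qF -- "$needle" "$f"; then
            strip_lines "$f" "$needle"
            rc_found=$((rc_found + 1))
        fi
    done
    echo "$rc_found"
}

# Step 5: kill the worm's scanner and helper scripts. -f matches the full
# command line, which is needed because the shell scripts show up as "sh scan.sh".
# Only meaningful on the live host; never run it against an offline image.
ramen_kill_procs() {
    for name in synscan start.sh scan.sh hackl.sh hackw.sh; do
        pkill -f "$name" 2>/dev/null && echo "killed $name"
    done
    return 0
}

# Constructed fixture: a bare tree with every indicator from the post planted,
# so the cleanup can be exercised without a real infection.
ramen_plant_fixture() {
    pf_root="$1"
    mkdir -p "$pf_root/usr/src/.poop" "$pf_root/sbin" "$pf_root/etc/xinetd.d" "$pf_root/etc/rc.d"
    : > "$pf_root/usr/src/.poop/ramen.tgz"
    : > "$pf_root/sbin/asp"
    : > "$pf_root/etc/xinetd.d/asp"
    printf '%s\n' '#!/bin/sh' 'echo "Starting up"' '/usr/src/.poop/start.sh' \
        > "$pf_root/etc/rc.d/rc.sysinit"
    printf '%s\n' 'ftp  stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
        'asp  stream tcp nowait root /sbin/asp' > "$pf_root/etc/inetd.conf"
}

# Demonstration against a throwaway tree
demo_root="$(mktemp -d)"
ramen_plant_fixture "$demo_root"
echo "artefacts removed on first pass:  $(ramen_cleanup "$demo_root")"   # 5
echo "artefacts removed on second pass: $(ramen_cleanup "$demo_root")"   # 0
rm -rf -- "$demo_root"
```

On the live host run ramen_kill_procs first, then ramen_cleanup /, and only then reboot; run pgrep -af scan.sh and the other names beforehand, because pkill -f matches any command line containing the string. Each edited configuration file is kept as a .ramen.bak copy so the worm's additions can be reviewed afterwards; deleting /usr/src/.poop destroys the dropped payload, so copy it elsewhere first if you intend to investigate the incident.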