[Snort-sigs] (no subject)

Affeld, James JAffeld at ...419...
Thu Mar 7 19:32:18 EST 2002


alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm outgoing"; flags: A+; content: "GET "; depth: 8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:1;)

Classification: Potentially Bad Traffic

Latest Revision: 1

Summary: Worm attacks Redhat 6.2 and 7.0 servers via known holes in statd, wu-ftp and lpr

Impact: Root access

Detailed Information: This worm uses flaws in RPC statd and wu-ftp to compromise RH 6.2 and lpr to compromise RH 7.0. It patches the holes it used, then installs a root kit. If the server is a web server, the default html page is replaced with one with the following message: "RameN Crew -- Hackers looooooooooooove noodles."

Attack Scenarios: An unpatched Redhat server gets hit by the worm and starts scanning for others to compromise.

Ease of Attack: Automatic - this is a worm that can rapidly scan enormous numbers of IP addresses.

False Positives:

False Negatives:

Recommended Action: Kill the worm processes, and remove /usr/src/.poop and /sbin/asp. As the worm has been cloned and has mutated, it is possible that a variant has installed a different rootkit (requiring different steps to clear) than the standard Ramen worm. Consider reinstalling RH (and patch it this time!).
http://online.securityfocus.com/archive/75/156624
http://www.iss.net/security_center/alerts/advise71.php

References: arachnids 460

Date Added*: Fri Jan 11 21:59:49 2002
Last Updated: Sat Jan 19 23:01:56 2002

Credit:
Changelog:

James Affeld
Network Administrator
South Seattle Community College
(206) 768-6872
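The rule above combines three payload-independent and payload-dependent constraints: destination port 27374, TCP flags "A+" (ACK set, any other flags allowed), and a case-insensitive "GET " that must lie entirely within the first 8 bytes of the payload ("depth: 8; nocase;"). The following is an added example, not part of James Affeld's post and not Snort's own matching engine: a small Python model of those constraints run over constructed packets. The Packet class, the matches_sid_514 function and the sample payloads are hypothetical; the $HOME_NET/$EXTERNAL_NET direction check is not modelled.

```python
"""Model of the sid:514 match conditions (constructed example; not Snort code)."""
from dataclasses import dataclass

RAMEN_PORT = 27374      # destination port from the rule header
PATTERN = b"GET "       # content: "GET "
DEPTH = 8               # depth: 8  (pattern must end within first 8 bytes)


@dataclass
class Packet:
    """Minimal stand-in for a decoded TCP segment (hypothetical type)."""
    dst_port: int
    flags: str          # TCP flag letters, e.g. "A", "PA", "S"
    payload: bytes


def content_match(payload: bytes, pattern: bytes, depth: int, nocase: bool) -> bool:
    """Snort 'content' with 'depth': search only the first `depth` bytes, so a
    pattern that starts late enough to spill past the depth does not match.
    'nocase' makes the comparison case-insensitive."""
    window = payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def flags_match(flags: str, required: str) -> bool:
    """'flags: A+' semantics: every required flag must be set, extra flags are fine."""
    return all(f in flags for f in required)


def matches_sid_514(pkt: Packet) -> bool:
    """True when the packet satisfies every condition of the rule."""
    return (
        pkt.dst_port == RAMEN_PORT
        and flags_match(pkt.flags, "A")
        and content_match(pkt.payload, PATTERN, DEPTH, nocase=True)
    )


# Constructed sample traffic: (description, packet)
SAMPLES = [
    ("plain GET to 27374 with PSH/ACK",      Packet(27374, "PA", b"GET / HTTP/1.0\r\n")),
    ("lower-case get, nocase should match",  Packet(27374, "A",  b"get / http/1.0")),
    ("HEAD request, no GET in payload",      Packet(27374, "PA", b"HEAD / HTTP/1.0")),
    ("GET starts at offset 6, exceeds depth",Packet(27374, "PA", b"XXXXXXGET /")),
    ("GET to port 80, wrong port",           Packet(80,    "PA", b"GET / HTTP/1.0")),
    ("SYN only, ACK flag not set",           Packet(27374, "S",  b"GET /")),
]


def evaluate_samples() -> dict:
    """Return {description: matched} for the constructed samples."""
    return {desc: matches_sid_514(pkt) for desc, pkt in SAMPLES}


if __name__ == "__main__":
    for desc, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'pass  '} {desc}")
```

The depth example is the one worth noting for tuning: a payload where "GET " begins at byte 6 is not matched because the pattern would end at byte 10, beyond the 8-byte window, which is exactly the behaviour that keeps this rule from firing on arbitrary payloads that merely contain "GET " somewhere.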