[Snort-sigs] (no subject)
JAffeld at ...419...
Thu Mar 7 19:32:18 EST 2002
alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm outgoing"; flags: A+; content: "GET "; depth: 8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:1;)
Classification: Potentially Bad Traffic
Summary: Worm attacks Redhat 6.2 and 7.0 servers via known holes in statd, wu-ftp and lpr
Detailed Information: This worm uses flaws in RPC statd and wu-ftp to compromise RH 6.2 and lpr to compromise RH 7.0. It patches the holes it used, then installs a root kit. If the server is a web server, the default html page is replaced with one with the following message: "RameN Crew -- Hackers looooooooooooove noodles."
Attack Scenarios: An unpatched Redhat server gets hit by the worm and starts
scanning for others to compromise.
Ease of Attack: Automatic - this is a worm that can rapidly scan enormous
numbers of IP addresses.
Recommended Action: Kill the worm processes, and remove /usr/src/.poop and
/sbin/asp. As the worm has been cloned and has mutated, it is possible that
a variant has installed a different rootkit (requiring different steps to
clear) than the standard Ramen worm. Consider reinstalling RH (and patch it
this time!). http://online.securityfocus.com/archive/75/156624
South Seattle Community College
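The following is an added example, not code from the posting above or from Snort itself. It re-implements the match conditions of sid 514 in plain Python so that the semantics of `flags: A+`, `content: "GET "; depth: 8;` and `nocase` can be exercised against constructed packets: the pattern must fit entirely within the first 8 payload bytes, the ACK bit must be set (other bits are ignored), and the destination port must be 27374. The HOME_NET value, the treatment of EXTERNAL_NET as "anything outside HOME_NET", and all sample packets are assumptions made for the example.

```python
"""Reference matcher for Snort sid 514 ("MISC ramen worm outgoing").

Added example; not part of the original posting and not Snort code.
HOME_NET, the EXTERNAL_NET interpretation and the sample packets are
assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed sensor configuration; a real deployment sets these in snort.conf.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
RAMEN_PORT = 27374

# TCP flag bits, as used by the Snort 'flags' keyword.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: int
    payload: bytes


def content_match(payload: bytes, pattern: bytes, depth: int, nocase: bool) -> bool:
    """Snort 'content' with 'depth': the whole pattern must lie inside the
    first `depth` bytes of the payload; 'nocase' compares case-insensitively."""
    window = payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def matches_sid514(pkt: Packet) -> bool:
    """Return True if the packet satisfies every condition of sid 514."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # $HOME_NET any -> $EXTERNAL_NET 27374  (EXTERNAL_NET assumed = !HOME_NET)
    if src not in HOME_NET or dst in HOME_NET:
        return False
    if pkt.dport != RAMEN_PORT:
        return False
    # flags: A+  -> ACK must be set; any additional bits are ignored
    if not pkt.flags & ACK:
        return False
    return content_match(pkt.payload, b"GET ", depth=8, nocase=True)


# Constructed sample traffic (not real captures). 203.0.113.0/24 is TEST-NET-3.
SAMPLES = {
    # infected internal host pulling the toolkit from another victim on 27374
    "outgoing_get": Packet("10.1.2.3", "203.0.113.7", RAMEN_PORT, ACK | PSH,
                           b"GET /payload HTTP/1.0\r\n"),
    # nocase: lower-case request still matches
    "lowercase_get": Packet("10.1.2.3", "203.0.113.7", RAMEN_PORT, ACK | PSH,
                            b"get /payload HTTP/1.0\r\n"),
    # "GET " at offset 4 ends at byte 8, so it fits within depth 8
    "get_at_offset_4": Packet("10.1.2.3", "203.0.113.7", RAMEN_PORT, ACK | PSH,
                              b"xxxxGET /"),
    # "GET " at offset 5 spills past the 8-byte window: no match
    "get_at_offset_5": Packet("10.1.2.3", "203.0.113.7", RAMEN_PORT, ACK | PSH,
                              b"xxxxxGET /"),
    # handshake SYN carries no ACK bit: flags A+ does not match
    "handshake_syn": Packet("10.1.2.3", "203.0.113.7", RAMEN_PORT, SYN, b""),
    # right content, wrong destination port
    "wrong_port": Packet("10.1.2.3", "203.0.113.7", 80, ACK | PSH,
                         b"GET /payload HTTP/1.0\r\n"),
    # inbound request to our own host: direction does not match this rule
    "inbound": Packet("203.0.113.7", "10.1.2.3", RAMEN_PORT, ACK | PSH,
                      b"GET /payload HTTP/1.0\r\n"),
}


def scan(samples=None) -> dict:
    """Evaluate sid 514 over a dict of named packets; returns name -> matched."""
    samples = SAMPLES if samples is None else samples
    return {name: matches_sid514(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:18s} {'ALERT' if hit else '-'}")
```

The two offset cases are the point worth remembering when tuning such a rule: `depth` bounds where the pattern may end, not where the search starts, so a request with leading bytes can slip past a tight depth, while a bare SYN to 27374 (the more common scanner artefact) never fires this signature because it requires the ACK bit.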