[Snort-sigs] MISC ramen worm incoming

Affeld, James JAffeld at ...419...
Thu Mar 7 19:32:21 EST 2002

alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen
worm incoming"; flags: A+; content: "GET "; depth: 8;
classtype:bad-unknown; sid:506; rev:1;) 

Classification:Potentially Bad Traffic 

Latest Revision:1

Summary:Worm attacks Redhat6.2 and 7.0 servers via known holes in statd,
wu-ftp and lpr
Impact:Root access to unpatched RedHat servers.  Variants could conceivably
compromise SuSe and FreeBSD by correcting paths to commands.  
Detailed Information: This worm uses flaws in RPC statd and wu-ftp to
compromise RH 6.2 and lpr to compromise RH 7.0.  It patches the holes it
used, then installs a root kit. If the server is a web server, the default
html page is replaced with one with the following message:" "RameN Crew --
Hackers looooooooooooove noodles." 
Attack Scenarios: An unpatched Redhat server gets hit by the worm and starts
scanning for others to compromise.  If you do not run RH, or have patched
it, you can relax.
Ease of Attack: Automatic - this is a worm that can rapidly scan enormous
numbers of IP addresses.   
False Positives:
False Negatives:
Recommended Action: Kill the worm processes, and remove /usr/src/.poop and
/sbin/asp.  As the worm has been cloned and has mutated, it is possible that
a variant has installed a different rootkit (requiring different steps to
clear) than the standard Ramen worm.  Consider reinstalling RH (and patch it
this time!). http://online.securityfocus.com/archive/75/156624


                     Date Added*:
                                       Fri Jan 11 21:59:49 2002 
                     Last Updated:
                                       Sat Jan 19 23:01:56 2002 

James Affeld
Network Administrator
South Seattle Community College
(206) 768-6872

More information about the Snort-sigs mailing list