[Snort-sigs] MISC ramen worm incoming
JAffeld at ...419...
Thu Mar 7 19:32:21 EST 2002
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flags: A+; content: "GET "; depth: 8; classtype:bad-unknown; sid:506; rev:1;)
Classification: Potentially Bad Traffic
Summary: Worm attacks Red Hat 6.2 and 7.0 servers via known holes in statd,
wu-ftp and lpr.
Impact: Root access to unpatched Red Hat servers. Variants could conceivably
compromise SuSE and FreeBSD by correcting paths to commands.
Detailed Information: This worm uses flaws in RPC statd and wu-ftp to
compromise RH 6.2, and lpr to compromise RH 7.0. It patches the holes it
used, then installs a rootkit. If the server is a web server, the default
HTML page is replaced with one carrying the following message: "RameN Crew --
Hackers looooooooooooove noodles."
Attack Scenarios: An unpatched Red Hat server gets hit by the worm and starts
scanning for others to compromise. If you do not run RH, or have patched
it, you can relax.
Ease of Attack: Automatic - this is a worm that can rapidly scan enormous
numbers of IP addresses.
Recommended Action: Kill the worm processes, and remove /usr/src/.poop and
/sbin/asp. As the worm has been cloned and has mutated, it is possible that
a variant has installed a different rootkit (requiring different steps to
clear) than the standard Ramen worm. Consider reinstalling RH (and patch it
this time!). http://online.securityfocus.com/archive/75/156624
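To make the rule's match conditions concrete, here is an added example (not part of the original post or of Snort itself) that re-implements the matching logic of sid:506 in Python and runs it over constructed sample packets. The HOME_NET prefix, the Packet class and the sample payloads are assumptions made up for the demonstration; the flag, content and depth semantics follow the rule as written.

```python
# Added example: a minimal matcher for Snort rule sid:506 ("MISC ramen worm incoming").
# The three options that do the work are modelled as follows:
#   flags: A+       -> ACK bit set, any other flag bits allowed
#   content: "GET " -> the bytes b"GET " must occur in the TCP payload
#   depth: 8        -> the whole pattern must lie within the first 8 payload bytes
from dataclasses import dataclass

HOME_NET = "10.0.0."   # constructed: addresses with this prefix stand in for $HOME_NET
RULE_PORT = 27374
CONTENT = b"GET "
DEPTH = 8

# TCP header flag bits
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Packet:          # hypothetical, reduced packet record for the demo
    src: str
    dst: str
    dport: int
    flags: int
    payload: bytes

def is_home(addr: str) -> bool:
    return addr.startswith(HOME_NET)

def matches_sid506(pkt: Packet) -> bool:
    """True when the packet would trigger 'MISC ramen worm incoming'."""
    if is_home(pkt.src) or not is_home(pkt.dst):   # $EXTERNAL_NET any -> $HOME_NET
        return False
    if pkt.dport != RULE_PORT:                       # destination port 27374
        return False
    if not pkt.flags & ACK:                          # flags: A+
        return False
    # depth:8 confines the search to payload[0:8]; find() with end=DEPTH only
    # reports a match when all four pattern bytes fit inside that window.
    return pkt.payload.find(CONTENT, 0, DEPTH) != -1

SAMPLES = {  # constructed sample packets, external 192.0.2.10 -> internal 10.0.0.5
    "worm_fetch":   Packet("192.0.2.10", "10.0.0.5", 27374, ACK | PSH, b"GET /worm.tgz HTTP/1.0\r\n"),
    "get_at_edge":  Packet("192.0.2.10", "10.0.0.5", 27374, ACK | PSH, b"XXXXGET /"),   # ends at byte 8
    "syn_only":     Packet("192.0.2.10", "10.0.0.5", 27374, SYN, b""),
    "wrong_port":   Packet("192.0.2.10", "10.0.0.5", 80, ACK | PSH, b"GET / HTTP/1.0\r\n"),
    "get_too_deep": Packet("192.0.2.10", "10.0.0.5", 27374, ACK | PSH, b"XXXXXXXXGET /x"),
    "internal":     Packet("10.0.0.7", "10.0.0.5", 27374, ACK | PSH, b"GET /worm.tgz"),
}

def alerts() -> list:
    """Names of the sample packets that would raise the alert."""
    return [name for name, pkt in SAMPLES.items() if matches_sid506(pkt)]
```

Only the first two samples alert; the others show that a bare SYN, a GET to another port, a GET starting past the depth window, or a connection from inside $HOME_NET all fall outside the rule.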
South Seattle Community College