No subject


Thu Nov 23 16:36:19 EST 2017


Distribution:
Ports: 27374
Target of infection: Redhat Linux 6.2, 7.0

Technical description:
Linux.Ramen is a worm that is in the wild. It spreads over the Internet onto
machines running Red Hat 6.2 or Red Hat 7.0. Since this worm only operates
on the Linux operating system, users of Microsoft Windows will be largely
unaffected.

The worm starts by running a shell script called start.sh. This script calls
a random number generator that returns a random class B subnet IP address.
The worm will attempt to copy itself to machines in these IP ranges. The worm
then starts an HTTP server on port 27374, from which newly infected machines
download a copy of it, and also patches the holes it exploited to gain access
to the system.

By plugging these holes, the worm will not reinfect the machine. In
addition, as an indirect effect, other hackers will not be able to gain
access to these machines using these exploits.

The worm uses a tool called synscan which has been modified to fit its
needs. Using this tool, the worm contacts a randomly generated IP address
and checks the FTP banner to determine if the machine is running Red Hat
Linux 6.2 or Red Hat Linux 7.0. For machines running Red Hat 6.2, the worm
will attempt to exploit a vulnerable rpc.statd or wuftpd service. For Red
Hat 7.0, the worm tries to exploit an LPRng bug to gain access to the
system.

Once the worm gains access to the system using the above exploits, the worm
copies itself as a tar.gz package onto the newly compromised system. The
worm does so by downloading the tar.gz package from the infecting machine by
means of the worm-created HTTP service running on port 27374.

The worm extracts the contents of this package into the tmp directory on the
attacked machine and executes start.sh, activating the worm on the newly
infected machine.
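The two network behaviours described above, the class B FTP sweep and the tar.gz retrieval from the infecting host's port 27374, can be flagged from connection logs. This is an added example, not code from the post or the advisory; the log format and the sweep threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

RAMEN_HTTP_PORT = 27374   # worm-run HTTP service that serves the tar.gz (from the advisory)
SCAN_THRESHOLD = 5        # assumed: distinct FTP targets in one /16 before alerting

# Assumed connection-log format: "<src>:<sport> -> <dst>:<dport>"
CONN_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)")

# Constructed sample: one host sweeps FTP across a /16, then a swept host
# pulls the worm package back from it on port 27374.
SAMPLE_LOG = """\
10.1.2.3:40001 -> 172.16.9.10:21
10.1.2.3:40002 -> 172.16.9.11:21
10.1.2.3:40003 -> 172.16.200.5:21
10.1.2.3:40004 -> 172.16.33.7:21
10.1.2.3:40005 -> 172.16.100.100:21
10.1.2.3:40006 -> 172.16.7.7:21
172.16.9.10:51000 -> 10.1.2.3:27374
192.168.1.5:52000 -> 192.168.1.9:21
"""

def analyze(log_text):
    """Return alert strings for Ramen-style FTP sweeps and payload retrieval."""
    alerts = []
    ftp_targets = defaultdict(set)   # src -> hosts it probed on port 21
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == RAMEN_HTTP_PORT:
            # The newly compromised host (src) fetches the tar.gz from the infecting host (dst).
            alerts.append(f"ramen-http: {src} fetched from {dst}:{dport}; {dst} likely infected")
        elif dport == 21:
            ftp_targets[src].add(dst)
    for src, targets in ftp_targets.items():
        # synscan sweeps a random class B, so count FTP probes per /16.
        by_net = defaultdict(int)
        for dst in targets:
            by_net[ip_network(f"{dst}/16", strict=False)] += 1
        for net, n in by_net.items():
            if n >= SCAN_THRESHOLD:
                alerts.append(f"ftp-sweep: {src} probed {n} hosts in {net} on port 21")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```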

An email message is also sent to an anonymous Yahoo! and Hotmail email
account specifying the IP address of the attacked machine. Most likely,
these email accounts belong to the author of this worm allowing the author
to keep track of machines that are infected.

Finally, the worm replaces Index.html to show the following contents:

RameN Crew
Hackers looooooooooooooooove noodles.™

This site powered by
>pic of ramen noodle pack<

Removal instructions:
To remove Linux.Ramen.Worm:

1. Delete the files detected by Norton AntiVirus.
2. Install the patches for the vulnerabilities mentioned above. These
patches are already available for download from the Red Hat website at the
following locations:
RedHat 7.0 Security Advisories -
http://www.redhat.com/support/errata/rh7-errata-security.html
RedHat 6.2 Security Advisories -
http://www.redhat.com/support/errata/rh62-errata-security.html


AVP wasn't much help today...  :P
Warning: MySQL Connection Failed: Can't connect to local MySQL server
through socket '/tmp/mysql.sock' (111) in /softwin/httpd/html/avx/avxvb.php
on line 110
Warning: MySQL Connection Failed: Can't connect to local MySQL server
through socket '/tmp/mysql.sock' (111) in /softwin/httpd/html/avx/avxvb.php
on line 111
Warning: MySQL: A link to the server could not be established in
/softwin/httpd/html/avx/avxvb.php on line 111
Warning: MySQL Connection Failed: Can't connect to local MySQL server
through socket '/tmp/mysql.sock' (111) in /softwin/httpd/html/avx/avxvb.php
on line 141
Warning: -1 is not a MySQL link index in /softwin/httpd/html/avx/avxvb.php
on line 141
Warning: 0 is not a MySQL result index in /softwin/httpd/html/avx/avxvb.php
on line 144
Warning: 0 is not a MySQL link index in /softwin/httpd/html/avx/avxvb.php on
line 154