Security Incidents mailing list archives

Re: [Fwd: Re: Ramen worm. More details on it. (found a password and e-mails crypted inside it)]


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 18 Jan 2001 11:21:43 +1300

On Wed, 17 Jan 2001 18:14:13 +0100 Bernhard Rosenkraenzer
<bero () REDHAT DE> wrote:

On Wed, 17 Jan 2001, Douglas P. Brown wrote:

There's a bug in this analysis of the worm:

All I see is it adding the lines "ftp" and "anonymous" to /etc/ftpusers.
Maybe the creator just wants ftp sites.

If so, the creator is badly mistaken about the meaning of /etc/ftpusers.
ftpusers is the list of users who may *not* log in.
Considering he's also replacing index.html files with nonsense, it's most
likely part of a denial of service attack, intentionally closing anonftp.


No, he is securing the machine against another compromise.

This worm exploits the site exec bug (please correct me if I am
wrong); to do this you need to be logged into ftp, either anonymously or
as a real user.  By adding "ftp" and "anonymous" to /etc/ftpusers he
effectively disables anonymous ftp and thus stops anyone else from
exploiting the bug.

We had several machines attacked and the attack succeeded only against
those machines with anonymous ftp.

Cheers, Russell

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
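
The /etc/ftpusers change discussed in this thread can be checked for during triage. The script below is an added example, not part of the original post: it reports whether "ftp" and "anonymous" appear as entries in an ftpusers-style deny file. The function names, state labels and sample files are constructed for illustration, and the one-name-per-line format with '#' comments is an assumption.

```shell
#!/bin/sh
# Added example: report whether "ftp" and "anonymous" are listed in an
# ftpusers-style deny file (assumed format: one user name per line,
# '#' starts a comment).

# ftpusers_anon_state FILE
# Prints one of: both-listed | one-listed | none-listed | unreadable
ftpusers_anon_state() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 0
    fi
    # Strip comments, skip blank lines, compare the first field exactly so
    # that names such as "ftpadmin" or a commented-out "#ftp" do not match.
    awk '
        { sub(/#.*/, "") }
        NF {
            if ($1 == "ftp") f = 1
            if ($1 == "anonymous") a = 1
        }
        END {
            n = f + a
            print (n == 2 ? "both-listed" : (n == 1 ? "one-listed" : "none-listed"))
        }
    ' "$file"
}

# Constructed sample files (not taken from a real host).
write_samples() {
    dir=$1
    printf '%s\n' '# accounts denied ftp login' root bin daemon > "$dir/clean"
    printf '%s\n' root bin '  ftp  ' 'anonymous # appended' > "$dir/modified"
    printf '%s\n' root '#ftp' ftpadmin anonymous > "$dir/partial"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in clean modified partial; do
    echo "$f: $(ftpusers_anon_state "$tmp/$f")"
done
# The live file, if this host has one.
echo "/etc/ftpusers: $(ftpusers_anon_state /etc/ftpusers)"
rm -rf "$tmp"
```

A "both-listed" result on a host that was meant to offer anonymous ftp matches the change described above and is worth comparing against a known-good copy of the file; an administrator may also have added the entries deliberately.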

