Security Incidents mailing list archives
Ramenfind Ramen detection and removal tool, v0.2
From: William Stearns <wstearns () pobox com>
Date: Tue, 23 Jan 2001 00:13:17 -0500
Good morning, all,

I've spent the last few days working on a Ramen detection and removal tool with the following goals:

- It should be a shell script so it can be run from a single floppy linux if the user chooses.
- It should use standard utilities on a Redhat Linux system.
- It should allow for either detection or detection and removal of the worm. By default, it should only detect and perform no action.
- It should run as a non-root user, invoking sudo as necessary.
- The user should be given the chance to confirm each command before it is run.
- The script should provide an option to archive the ramen files for later analysis.

The attached is an early test version (V0.2) at the above. It's generally feature complete, but has only very light testing as I have only a single simulated system that has been infected. The current todo list contains generally cosmetic issues.

#TODO:
#- Testing on a number of infected, partially infected, and uninfected systems.
#- Make commands optional; warn, but let it continue.
#- Handle or warn about leftover tail commands
#- Note that the /etc/ftpusers file has had "ftp" and "anonymous" added.

This, and future versions of this script will soon be available at the following URLs:

http://www.sans.org/y2k/ramen.htm
http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/ramenfind.html

Comments, suggestions, and improvements are certainly welcome! Please let me know if it works or not for you. Please CC: me on any messages about this tool - thanks.

Cheers,
- Bill

---------------------------------------------------------------------------
"Architect: someone who knows the difference between what could be done and what should be done". -- Larry McVoy <lm () bitmover com>
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com). Mason, Buildkernel, named2hosts, and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts! http://www.linuxmonth.com
--------------------------------------------------------------------------
Attachment:
ramenfind.v0.2.gz
Description: ramenfind.v0.2.gz
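As an added example (not the ramenfind script attached to this message), the following POSIX sh skeleton shows one way to structure a tool around the goals listed above: standard utilities only, detect-only unless the operator asks for removal, sudo for privileged steps when not running as root, a confirmation prompt before each action, and an optional archive copy of suspect files before anything is removed. The check of an ftpusers file for both an "ftp" and an "anonymous" entry comes from the TODO note in the message; the indicator paths, variable names and function names are placeholders chosen for this example and are not worm indicators from the page.

```shell
#!/bin/sh
# Example skeleton, not the ramenfind script from the post. Structure only:
# the INDICATORS list is a constructed placeholder, not real worm indicators.

MODE="${MODE:-detect}"            # detect (default) or remove
ARCHIVE_DIR="${ARCHIVE_DIR:-}"    # non-empty: copy suspect files here first
ASSUME_YES="${ASSUME_YES:-no}"    # yes: skip the per-command confirmation

# Placeholder paths constructed for this example (assumption, not an IoC).
INDICATORS="/tmp/example-suspect-dir /tmp/example-suspect-dir/example.sh"

# Run a command directly as root, or through sudo when not root.
as_root() {
    if [ "$(id -u)" -eq 0 ]; then "$@"; else sudo "$@"; fi
}

# Show the exact command, ask before running it, and skip it if declined.
confirm_run() {
    if [ "$ASSUME_YES" != yes ]; then
        printf 'Run: %s ? [y/N] ' "$*"
        read -r ans
        case "$ans" in y|Y) ;; *) echo "skipped: $*"; return 1 ;; esac
    fi
    as_root "$@"
}

# Return 0 when the given ftpusers-style file lists both "ftp" and
# "anonymous" as whole lines (the modification noted in the TODO list).
ftpusers_modified() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -qx 'ftp' "$f" && grep -qx 'anonymous' "$f"
}

# Print every indicator path that exists; return 0 if at least one does.
find_indicators() {
    found=0
    for p in $INDICATORS; do
        if [ -e "$p" ]; then echo "found: $p"; found=1; fi
    done
    [ "$found" -eq 1 ]
}

# Describe the action MODE and ARCHIVE_DIR imply for one suspect path,
# without performing it, so the plan can be shown (and tested) first.
plan_for() {
    p="$1"
    plan="report $p"
    if [ -n "$ARCHIVE_DIR" ]; then plan="archive $p"; fi
    if [ "$MODE" = remove ]; then plan="$plan; remove $p"; fi
    echo "$plan"
}

# Carry out the plan for one path; every privileged step goes through
# confirm_run, and the archive copy happens before any removal.
handle_suspect() {
    p="$1"
    echo "plan: $(plan_for "$p")"
    [ -n "$ARCHIVE_DIR" ] && confirm_run cp -a "$p" "$ARCHIVE_DIR"/
    [ "$MODE" = remove ] && confirm_run rm -rf "$p"
    return 0
}

main() {
    echo "mode=$MODE archive=${ARCHIVE_DIR:-none}"
    if ftpusers_modified /etc/ftpusers; then
        echo "note: /etc/ftpusers lists both ftp and anonymous"
    fi
    if find_indicators; then
        for p in $INDICATORS; do [ -e "$p" ] && handle_suspect "$p"; done
    else
        echo "no indicators found"
    fi
}

main "$@"
```

Run it as an unprivileged user with no options for a report-only pass; `MODE=remove ARCHIVE_DIR=/some/dir ./script.sh` archives each suspect path and then removes it, asking before every command. Keeping `plan_for` separate from `handle_suspect` is what makes the detect-only default easy to verify: the plan is computed and printed by a function that performs no action at all.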