Security Incidents mailing list archives

Ramenfind Ramen detection and removal tool, v0.2
From: William Stearns <wstearns () pobox com>
Date: Tue, 23 Jan 2001 00:13:17 -0500

Good morning, all,
        I've spent the last few days working on a Ramen detection and
removal tool with the following goals:

        - It should be a shell script so it can be run from a single
floppy linux if the user chooses.
        - It should use standard utilities on a Redhat Linux system.
        - It should allow for either detection or detection and removal of
the worm.  By default, it should only detect and perform no action.
        - It should run as a non-root user, invoking sudo as necessary.
        - The user should be given the chance to confirm each command
before it is run.
        - The script should provide an option to archive the ramen files
for later analysis.

        The attached is an early test version (V0.2) at the above.  It's
generally feature complete, but has only very light testing as I have only
a single simulated system that has been infected.
        The current todo list contains generally cosmetic issues.
#TODO:
#- Testing on a number of infected, partially infected, and uninfected
systems.
#- Make commands optional; warn, but let it continue.
#- Handle or warn about leftover tail commands
#- Note that the /etc/ftpusers file has had "ftp" and "anonymous" added.

        This, and future versions of this script, will soon be available at
the following URLs:
http://www.sans.org/y2k/ramen.htm
http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/ramenfind.html

        Comments, suggestions, and improvements are certainly welcome!
Please let me know if it works or not for you.  Please CC: me on any
messages about this tool - thanks.
        Cheers,
        - Bill

---------------------------------------------------------------------------
        "Architect: someone who knows the difference between what could be
done and what should be done".
        -- Larry McVoy <lm () bitmover com>
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at:                http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts! http://www.linuxmonth.com
--------------------------------------------------------------------------

Attachment: ramenfind.v0.2.gz

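A skeleton of the approach the goals above describe, added here as an illustration and not Bill's ramenfind script: detect-only by default, removal only when asked, every command shown and confirmed before it runs, sudo only when the scan root is not writable by the invoking user, and an optional archive of the suspect files for later analysis. The indicator paths (EXAMPLE_worm_*) and the ROOT, MODE, ARCHIVE and ASSUME_YES variables are constructed placeholders; the post gives no file list.

```shell
#!/bin/sh
# Added example skeleton, not the original ramenfind script.
MODE="${MODE:-detect}"          # "detect" (default, no action) or "remove"
ARCHIVE="${ARCHIVE:-}"          # tar file to save suspect files in, or empty
ASSUME_YES="${ASSUME_YES:-no}"  # "yes" skips the per-command prompt (unattended runs)
ROOT="${ROOT:-/}"               # "/" on a live box, a mount point from a rescue floppy

# CONSTRUCTED placeholder indicators, one relative path per line.
# A real tool carries the worm's actual file list; none is given in the post.
INDICATORS="${INDICATORS:-var/tmp/EXAMPLE_worm_dir/index.html
etc/EXAMPLE_worm_startup.sh}"

# Run a command directly when we can already write under $ROOT, else via sudo.
as_root() {
    if [ "$(id -u)" -eq 0 ] || [ -w "$ROOT" ]; then "$@"; else sudo "$@"; fi
}

# Show the exact command, ask for confirmation, then run it.
confirm_run() {
    printf 'About to run: %s\n' "$*"
    if [ "$ASSUME_YES" != "yes" ]; then
        printf 'Proceed? [y/N] '
        read -r answer
        case "$answer" in y|Y) ;; *) echo "skipped"; return 1 ;; esac
    fi
    as_root "$@"
}

# Print every indicator present under $ROOT; exit status 0 if any was found.
ramenfind_scan() {
    found=1
    for rel in $INDICATORS; do
        f="${ROOT%/}/$rel"
        if [ -e "$f" ]; then echo "$f"; found=0; fi
    done
    return $found
}

# Detection always; archive and deletion only in remove mode, each confirmed.
ramenfind_run() {
    hits=$(ramenfind_scan) || { echo "no indicators found under $ROOT"; return 0; }
    echo "$hits"
    [ "$MODE" = "remove" ] || return 0
    if [ -n "$ARCHIVE" ]; then
        confirm_run tar -cf "$ARCHIVE" $hits || return 1
    fi
    for f in $hits; do
        confirm_run rm -f "$f" || echo "left in place: $f"
    done
}
```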
