Security Incidents mailing list archives
[ISN] Ramen Linux worm mutating, multiplying (fwd)
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Tue, 23 Jan 2001 10:50:45 -0800
Note the story below by Rob Lemos about mutating ramen. I was curious about this, not having seen evidence of it myself, so I'd like to start a thread of watching and cataloging the mutations using dates and md5 checksums. We had a system get infected last night (with the original ramen worm). Here is the pertinent data:

% date
Tue Jan 23 10:35:08 PST 2001

% tar -tvzf ../ramen.tgz
-rw-r--r-- root/root       267 2001-01-12 16:47 asp
-rwxr-xr-x root/root     12546 2001-01-11 20:34 asp62
-rwxr-xr-x root/root     14180 2001-01-11 20:58 asp7
-rwxr-xr-x root/root       285 2001-01-13 11:40 bd62.sh
-rwxr-xr-x root/root       213 2001-01-11 20:25 bd7.sh
-rwxr-xr-x root/root       553 2001-01-11 20:26 getip.sh
-rwxr-xr-x root/root        67 2001-01-13 12:34 hackl.sh
-rwxr-xr-x root/root        67 2001-01-13 11:28 hackw.sh
-rwxr-xr-x root/root       373 2001-01-13 11:10 index.html
-rwxr-xr-x root/root     19632 2001-01-13 12:05 l62
-rwxrwxr-x root/root     21358 2001-01-13 13:10 l7
-rwxr-xr-x root/root       210 2001-01-13 11:26 lh.sh
-rwxr-xr-x root/root     12331 2001-01-11 20:34 randb62
-rwxr-xr-x root/root     13973 2001-01-11 20:58 randb7
-rwxr-xr-x root/root     19619 2001-01-13 12:05 s62
-rwxrwxr-x root/root     21721 2001-01-13 13:13 s7
-rwxr-xr-x root/root       216 2001-01-11 20:26 scan.sh
-rwxr-xr-x root/root       434 2001-01-11 20:49 start.sh
-rwxr-xr-x root/root       112 2001-01-13 11:24 start62.sh
-rwxr-xr-x root/root       112 2001-01-13 11:24 start7.sh
-rwxr-xr-x root/root     25888 2001-01-11 20:37 synscan62
-rwxr-xr-x root/root     27076 2001-01-11 20:58 synscan7
-rwxr-xr-x root/root     34620 2001-01-13 12:05 w62
-rwxrwxr-x root/root     36706 2001-01-13 13:13 w7
-rwxr-xr-x root/root        35 2001-01-13 11:27 wh.sh
-rwxr-xr-x root/root     34588 2001-01-11 20:28 wu62

% md5sum *
c5d0472cb7ce21d526092fc265a10f5a  asp
69be0c0b396a2ed31881613cc7dc8da5  asp62
63d9d9049e731704542dd27aa77e39a4  asp7
f9b9bed261853a2f81bb6c6dc543d610  bd62.sh
6aa4cb66d0bf204e440f416c3726c6c1  bd7.sh
43a0a292bf37eaedeaa3559782eef2ae  getip.sh
23e57da4855ae75d0d83166dffd3ae80  hackl.sh
11c70c95a04af1447701a18809f2acf2  hackw.sh
e5fa5577c277231124ef254575af8375  index.html
a2cb325afc434d1199d87ed6ca0325e1  l62
ca778a2cc34a72a24e743d9bc915c11b  l7
e80dbac8519afd944aa69a8e11597ee3  lh.sh
e1b9d3adfdfaa5dc8b93f8bf3aae664d  randb62
06fe14fcdc6dadcd3f78e14121fa7b8c  randb7
4859f502b336a2f18367c94bda7c9bfc  s62
0b7efd40e89c7a684fcf8950eda41a0d  s7
50f3c66c6b72d70e2470b5dd8a1e23c1  scan.sh
71feec726591d84cea09c54743a830c9  start.sh
9145bbbc507a6e96218cadf1468e7291  start62.sh
9145bbbc507a6e96218cadf1468e7291  start7.sh
740f16e83bca92e21e579d3f596508e2  synscan62
e1ba71f6618ea60b52d3d5e77156fc59  synscan7
638a8cab9e68f79ea795cce3d3558305  w62
157461331922d8112b5bc7d33b2067e1  w7
1a2dd28245d6c47b9a279584a7209a21  wh.sh
4e15ddf3cfd4e4ae8d8a87e38757e532  wu62

% cat index.html
<html>
<head><title>Ramen Crew</title></head>
<body bgcolor=white text=black>
<font face=arial>
<center><font size=+3>RameN Crew</font><center><br>
<br>
<br>
<center>Hackers looooooooooooooooove noodles.
<br><br><br><br><br><br><br><br><br><br><br><br>
<font size=-1><b>This site powered by<b><br>
<img src="http://www.nissinfoods.com/tr_oriental.jpg">
<body>
</html>

If anyone finds anything different, please note those differences.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu          Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------
Date: Mon, 22 Jan 2001 23:55:12 -0600
Subject: [ISN] Ramen Linux worm mutating, multiplying
From: InfoSec News <isn () C4I ORG>
To: ISN () SECURITYFOCUS COM

http://news.cnet.com/news/0-1003-201-4561189-0.html?tag=st.ne.1002.bgif.sf

By Robert Lemos
Special to CNET News.com
January 22, 2001, 12:50 p.m. PT

Online vandals may have modified the Ramen Linux worm discovered last week to automatically deface sites with their own Web pages, one expert said Monday.

"Several (vandal) groups are suddenly switching to Red Hat," said Matt Dickerson, also known as "Munge," a staff member at security group Attrition.org. "We think they are modifying the HTML pages in the worm with their own text and graphics."

He added that when groups switch to an operating system they haven't historically used--and seemingly know nothing about--that means they are using a new hacking tool to do their dirty work.

As earlier reported, the Ramen worm is a self-spreading program that has been cobbled together from several such tools and focuses on versions 6.2 and 7.0 of Red Hat's Linux operating system. The flaws exploited by the worm, however, affect other Linux distributions and some Unix systems as well.

Depending on the version of the operating system it's infecting, Ramen can use well-known flaws in Washington University's FTP server software, a component of the Remote Procedure Call services or the printing software LPrng. These programs are normally placed on servers during the default installation of Red Hat 6.2 and 7.0. Patches are available for all the flaws used by the worm.

After the worm finds a vulnerable server, it uses the vulnerability to copy itself to the server, replace the front Web page with its own, and then starts scanning for other insecure servers. Ramen also eliminates the vulnerable programs from the server, thus protecting itself from other instances of the Ramen worm and other vandals using the same vulnerabilities.

Last week, NASA, a Taiwanese motherboard maker and Texas A&M University all got infected by the worm, according to Attrition.org. After the worm was discovered early last week, the Computer Emergency Response Team at Carnegie Mellon University released an advisory describing the workings of the program. For the most part, the worm can be removed easily from servers.

Several other organizations reportedly have been infected this week, including U.K.-based localization company Babel Media and the under-construction Siamstore.com. Other recent attacks and defacements on Red Hat servers are thought to be due to a modified version of the worm, even when the trademarked "RameN Crew" Web page is not displayed.

Data from Attrition.org--the most complete source of hacker data on the Web--has shown a definite spike in attacks on Red Hat servers in the past couple of weeks. It's likely that the increase in activity is due to the worm, said Attrition's Dickerson.

And more can be expected. At last count, there were more than 780,000 public servers on the Web running Red Hat 6.2 and 7.0, according to Web survey firm Netcraft. Since only 17 percent of Linux servers can be identified with the methods used by Netcraft, in practice the actual number of vulnerable servers could easily be in the millions.

With that much growing space, the fear among experts is not that the current worm will spread but that nastier varieties will attempt to use the same flaws to gain access to online servers.

"This worm doesn't do anything all that bad," Lance Spitzner, coordinator with the security group Honeynet Project, said in an interview last week. "It could be much, much worse."

Spitzner hopes that the worm will make system administrators and everyday users who have systems on the Internet take another look at their security. "If you patched it, Red Hat can be as secure as anyone else," he said. "But you have to patch."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
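The cataloguing procedure Dittrich proposes above (date, tar listing, per-file md5, then noting what differs) is easy to script so that a new sample can be checked against the sums already reported on the list. The following is an added example written for this archive page; it is not code from the post, from Dittrich, or from the worm itself. It assumes GNU md5sum and tar as used in the post, and the files it hashes are constructed stand-ins with made-up contents, so their sums are not the real ramen.tgz sums listed above.

```shell
#!/bin/sh
# Added example (not from the post): build an md5 manifest of a worm dropper,
# hash the tarball it arrived in, and diff a fresh sample against a baseline
# manifest so added, removed and changed components stand out.
# Assumes GNU coreutils md5sum and tar. The sample files below are constructed
# placeholders; their sums are NOT the real ramen.tgz sums from the list.

# manifest DIR -> "md5  path" for every regular file under DIR, sorted by path.
# Paths are relative to DIR so manifests taken on different hosts line up.
manifest() {
    ( cd "$1" && find . -type f | sort | sed 's|^\./||' | while read -r f; do
        md5sum "$f"
    done )
}

# tgz_manifest ARCHIVE -> md5 of the archive itself (quickest way to tell an
# untouched copy from a re-rolled one), then a manifest of its members,
# unpacked into a scratch directory that is removed afterwards.
tgz_manifest() {
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch"
    printf '%s  %s\n' "$(md5sum < "$1" | cut -d' ' -f1)" "$(basename "$1")"
    manifest "$scratch"
    rm -rf "$scratch"
}

# compare_manifests BASELINE NEW -> one line per added/removed/changed file.
# Returns 1 if anything differs, 0 if the sample is identical to the baseline.
# Filenames are assumed to contain no whitespace (true of the dropper listed).
compare_manifests() {
    diffs=0
    for f in $(awk '{print $2}' "$1" "$2" | sort -u); do
        b=$(awk -v f="$f" '$2 == f { print $1 }' "$1")
        n=$(awk -v f="$f" '$2 == f { print $1 }' "$2")
        if [ -z "$b" ]; then echo "added   $f $n"
        elif [ -z "$n" ]; then echo "removed $f $b"
        elif [ "$b" != "$n" ]; then echo "changed $f $b -> $n"
        else continue
        fi
        diffs=$((diffs + 1))
    done
    return $(( diffs > 0 ))
}

# --- constructed sample: a "known" dropper and a re-rolled copy of it ------
WORK=$(mktemp -d)
BASE="$WORK/ramen-baseline"   # stands in for the copy catalogued on the list
NEW="$WORK/ramen-sample"      # stands in for what just landed on a new victim
mkdir -p "$BASE" "$NEW"
for f in index.html start.sh scan.sh wu62; do
    printf 'placeholder body of %s\n' "$f" > "$BASE/$f"
    cp "$BASE/$f" "$NEW/$f"
done
printf '<html>RameN Crew, different page</html>\n' > "$NEW/index.html"  # changed
printf 'echo hypothetical new component\n' > "$NEW/extra.sh"             # added
rm "$NEW/wu62"                                                            # removed
tar -czf "$WORK/ramen.tgz" -C "$BASE" .

date
manifest "$BASE" > "$WORK/baseline.md5"
manifest "$NEW"  > "$WORK/sample.md5"
tgz_manifest "$WORK/ramen.tgz"
compare_manifests "$WORK/baseline.md5" "$WORK/sample.md5" || echo "sample differs from baseline"
```

Run against a real capture, point `manifest` at the unpacked dropper (or `tgz_manifest` at the archive) and keep the output with the date, as in the post; a later sample only needs `compare_manifests` against that saved file to show which components were swapped.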