Hi
A posting to BugTraq seems to indicate that the Ramen worm is exploiting
format bugs in glibc.
Apparently, the bugs in turn appear to compromise, e.g., wuftp, rpc.statd, LPRng.
The posting also has links to a patch by Immunix... interestingly, the
patch was implemented by WireX, which is the company of the person who did
the Bugtraq posting...

http://msgs.securepoint.com/cgi-bin/get/bugtraq0101/183.html

regards,
Robyn Mills


At 07:15 PM 18-01-01 -0500, Paul D. Robertson wrote:
>On Thu, 18 Jan 2001, -- neil -- wrote:
>
> >
> > Within the last couple of days this worm has been rearing its ugly head.
> > It seems to be infecting mainly Redhat 6.2 and 7.0 unpatched machines.
> > Specifically it's using wuftp and nfsd. The link below is to a guy that
> > reverse engineered it.
>
>There's also code that seems to exploit an LPRng bug.  There *appears* to
>be an IRC vector of some sort- I'm not sure if it's a comm. channel or
>inoperable since I haven't had the time or resources to do the depth of
>investigation that I'd like.
>
>Turning off FTP is a generally good idea, and helps tremendously in this
>case because the SYN scanner seems to look for FTP servers before
>iterating through its attacks.
>
>It seems to be confirmed as in the wild and legitimately viral.
>
>Updating systems is still important, and I expect we'll see the usual home
>user and default install cases being the predominance of vulnerability.
>It'll probably also run on systems that have Linux emulation and run x86
>code- which may cover *BSD and Linux/Alpha with em86 (or whatever it's
>called, it's been a while since I had an Alpha desktop.)
>
>BTW: I think the first reports of infection were almost two weeks ago.
>
>Monitoring bandwidth utilization will help for boxes with Ethernet
>adapters, as the thing SYN scans like hell once it's running if it doesn't
>think it's on a ppp link.
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson      "My statements in this message are personal opinions
>[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
