Me too. It is very important to understand that leaving unused services active, or running services without updating them regularly, is dangerous.

---------- Forwarded message ----------
Date: Tue, 30 Jan 2001 08:18:05 +0100
From: Pierre Keller - BCU Lausanne <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Unix Security -- The Ramen Worm

Hello,

I am forwarding a message I received via the security officer of the University of Lausanne. I find the article quite interesting.

-----Original Message-----
From: ITworld Newsletters [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 25, 2001 8:30 PM
To: [EMAIL PROTECTED]
Subject: Unix Security -- The Ramen Worm

UNIX SECURITY --- January 25, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters

HIGHLIGHTS
* What makes the Ramen worm any worse than other worms?

COMMUNITY DISCUSSION
* Web Security: Share your knowledge of Web security tools.

Hackers Love Noodles
By Dev Zaborav

Earlier this month, a new worm was discovered roaming the internet.
Named the Ramen virus (incorrectly, as this is not a virus) because of the file loaded onto the targeted computer and the worm's effects on an infected system, the worm's payload (the program installed on a compromised system by the worm) presents an interesting departure from the previous malicious computer program standard. A worm reproduces and spreads on its own, a self-propagating program that spreads over a network through vulnerable systems -- unlike a virus, which infects a program and requires a user to spread it (i.e., by trading programs or sending files over email). The well-known I Love You virus, for instance, was both a worm *and* a virus; the virus component infected Microsoft's mail program, and the worm component allowed I Love You to spread itself to other computers through email.

The Ramen worm targets Red Hat Linux systems specifically by searching the Internet, piece-by-piece, looking for vulnerable Red Hat boxes. When it finds one, it intrudes through a vulnerability in one of three Linux programs: the Remote Procedure Call service, the default file transfer protocol (FTP) service, or the print service. Once in, the worm installs a malicious program on the compromised server and spreads from there to other Red Hat computers.

That sounds common enough. That's how all worms work -- targeting a specific vulnerability in a specific operating system. Once the worm is 'in the wild', or let loose on the Internet, it compromises as many computers running that operating system with that vulnerability as it can find. Most of the worm's actions -- patching the very holes that allowed the worm entrance, mailing the compromised server's identity to an address coded in the worm, and installing a rootkit (another program that replaces key system files so the attacker could potentially get back in) -- are quite common. What makes Ramen unique, though, is what the installed program does. Among other things, Ramen looks to overwrite the index.html files. No other worm has left such a public sign of its passing.

Ramen places its calling card -- a Web page containing the words 'RameN Crew', a picture of a package of Ramen Noodles, and the words "Hackers loooooooooove noodles!" -- in plain view, and any Red Hat server compromised by the Ramen worm and running a Web server will display this Web page. Ramen's hook holds particular importance to groups like Attrition.org, who track Web defacements and compile compromised server statistics on the Internet. These statistics can be extrapolated, giving some insight into the current state of Internet security. Groups like Attrition cannot possibly provide statistics on every computer broken into -- it's impossible. Attrition's staff members can only track what they see and, in general, only through defaced Web pages can anyone know a server has been compromised. The Ramen worm's tell-tale index.html file allows its progress to be tracked far more easily than any other worm in history; no longer is it necessary -- as in the case with the I Love You, Melissa virus, or even the famous Morris Worm of 1988 -- to rely exclusively on corporate damage reports to get an idea of how widely Ramen has spread. We're already seeing an extraordinary leap in the number of compromised Red Hat systems since Ramen's discovery in the wild.

http://www.attrition.org/~munge/graphs/redhat.gif

As an interesting side note, some evidence now shows active Web defacers modifying the Ramen worm for their own purposes. Groups who previously did not target Red Hat Linux systems have apparently altered Ramen's payload to display the defacer's logo instead of the standard RameN Crew page, and it mails the defacer instead of the email address that was originally coded into the Ramen worm. This signature change makes the worm's progress harder to track; however, for statistical purposes, the change over time in the defacements of Red Hat servers is still valuable.

How can the Ramen worm be stopped? The same way any other worm is stopped -- starve it. Administrators of all Linux and Unix-based systems (while the Ramen worm targets Red Hat, the exploited vulnerabilities appear in other Linux distributions and certain *BSD distributions) must take the time to secure all servers in their care. It's of paramount importance that administrators stop putting default installation Linux servers on the Internet -- basic hardening and security measures must be taken first. If Linux administrators cannot be more responsible in the future than those who are still running a vulnerable rpc.statd, then the Ramen worm will continue to flourish.

Detailed information about the Ramen worm can be found at SecurityFocus (http://www.securityfocus.com/archive/75/156624). Information on securing a Red Hat Linux server can be found in many places on the Web, notably http://www.enteract.com/~lspitz/linux.html and http://www.securityfocus.com/focus/linux/articles/linux-securing.html.

About the author(s)
----------------
Dev Zaborav has been involved in the internet since 1990, and has made internet security a profession since 1996. Dev is currently self-employed as a security consultant, volunteers for Attrition.org, and has written several whitepapers on various topics in computer security.
________________________________________________________________________
ADDITIONAL RESOURCES

Ramen worm hits some Red Hat Linux servers
http://www.unixinsider.com/jsw/unxsec_nl/swol-01-2001/swol-0123-securityspots.html#3

Ramen worm hits some Red Hat Linux servers
Vulnerabilities previously publicized
http://www.itworld.com/jitw/unxsec_nl/cma/ett_article_frame/0,,1_4010,00.html

Website Security
http://www.itworld.com/jitw/unxsec_nl/CDA/Video/ITW_BestPrac_Website_Security/0,3723,,00.html

________________________________________________________________________
COMMUNITY DISCUSSION

Web Security Q&A
Delve into the gory technical details of Web security in this discussion for security pros (and newbies) of all stripes. Moderated by Sandra Henry-Stocker and Dev Zaborav.
http://www.itworld.com/jump/unxsec_nl/forums.itworld.com/webx?14@@.ee6d6fc.ee6b67b/118!skip=50

________________________________________________________________________
CUSTOMER SERVICE

You can subscribe or unsubscribe from any newsletter by updating your form at: http://www.itworld.com/cgi-bin/subcontent12.cgi
For subscription changes that cannot be handled via the web, please send an email to our customer service dept: [EMAIL PROTECTED]

________________________________________________________________________
CONTACTS

* For editorial comments, write Andrew Santosusso, Associate Editor, Newsletters at: [EMAIL PROTECTED]
* For advertising information, write Dan Chupka, Account Executive at: [EMAIL PROTECTED]
* For recruitment advertising information, write Jamie Swartz, Eastern Regional Sales Manager at: [EMAIL PROTECTED] or Paul Duthie, Western Regional Sales Manager at: [EMAIL PROTECTED]
* For all other inquiries, write Jodie Naze, Product Manager, Newsletters at: [EMAIL PROTECTED]

________________________________________________________________________
PRIVACY POLICY
http://www2.itworld.com/CDA/ITW_Privacy_Policy

Copyright 2001 ITworld.com, Inc., All Rights Reserved.
http://www.itworld.com

--
Pierre Keller <[EMAIL PROTECTED]>
Bibliothèque cantonale et universitaire
Université de Lausanne
CH-1015 Lausanne Dorigny (Switzerland)
WWW: http://www.unil.ch/BCU/docs/pkeller/
PGP key: http://www.unil.ch/BCU/docs/pkeller/Keller-PGP.key
Tel.: 021/692 48 13

--
http://www-internal.alphanet.ch/linux-leman/ before asking a question.
- To post an announcement: [EMAIL PROTECTED]
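The forwarded article gives a defender two concrete handles: the worm's calling-card index.html (the strings "RameN Crew" and "Hackers loooooooooove noodles!") and the three service families it enters through (RPC, with rpc.statd named outright, the default FTP service, and the print service). The shell script below is an added example, not code from the ITworld newsletter, from Dev Zaborav, or from the linux-leman list: it scans a web root for index.html files carrying the defacement signature and flags enabled services in those families from a plain service list. The fixture directory, its two index.html files and the services list are constructed here for illustration; on a real host the list would be taken from inetd.conf or the init scripts, and the match is deliberately coarse so a human still decides which flagged service is needed and patched.

```shell
#!/bin/sh
# Added example (not from the newsletter, the article's author, or the list post).
# Two defender checks drawn from the article: find the Ramen defacement page on
# a web root, and flag enabled services in the RPC / FTP / print families.

# Marker strings the article quotes from the worm's replacement index.html.
RAMEN_MARKER_1='RameN Crew'
RAMEN_MARKER_2='loooooooooove noodles'

# scan_defacement WEBROOT: print the path of every index.html under WEBROOT
# that contains either marker. The exit status is find's, i.e. 0 even when
# nothing matches; the output is the result.
scan_defacement() {
    find "$1" -type f -name index.html \
        -exec grep -l -e "$RAMEN_MARKER_1" -e "$RAMEN_MARKER_2" {} \; 2>/dev/null
}

# count_defaced WEBROOT: number of defaced index.html files under WEBROOT.
count_defaced() {
    scan_defacement "$1" | wc -l | tr -d ' '
}

# flag_risky_services LISTFILE: LISTFILE holds one enabled service name per
# line. Prints the entries that fall in the families the article names as the
# worm's entry points (RPC including rpc.statd, any FTP daemon, the lpd/lpr
# print service). Coarse on purpose: this is a review list, not a verdict.
flag_risky_services() {
    grep -i -E 'rpc|statd|ftp|lpd|lpr' "$1" || true
}

# make_fixture: build a throwaway directory of constructed sample data and
# print its path. One site carries the Ramen page, one is clean; the service
# list mixes the three risky daemons with sshd and httpd.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/www/defaced-site" "$d/www/clean-site"
    cat > "$d/www/defaced-site/index.html" <<'EOF'
<html><body><h1>RameN Crew</h1>
<p>Hackers loooooooooove noodles!</p></body></html>
EOF
    printf '<html><body>Welcome to our site.</body></html>\n' \
        > "$d/www/clean-site/index.html"
    printf 'sshd\nrpc.statd\nwu-ftpd\nlpd\nhttpd\n' > "$d/services.txt"
    echo "$d"
}

# Stand-alone run: build the fixture, report both checks, clean up.
main() {
    d=$(make_fixture)
    echo "Defaced index.html files under $d/www:"
    scan_defacement "$d/www" | sed 's/^/  DEFACED: /'
    echo "Enabled services to review in $d/services.txt:"
    flag_risky_services "$d/services.txt" | sed 's/^/  REVIEW: /'
    rm -rf "$d"
}

main
```

Pointing `scan_defacement` at a real document root (for example `/var/www` or `/home/httpd/html` on a Red Hat box of that era) is the same call with a different argument; the match is on the page content the article quotes, so a modified payload that swaps in a defacer's own logo, as the article notes some groups did, would need its own markers.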
