------- Forwarded message -------
From: "Phillip Higgins" <MAIL/HIGGINS>
Organisation: PROUT AG
To: labahn
Date: Thu, 18 Jan 2001 13:45:51 +0100
Subject: linux worm on the loose
A worm Wednesday burrowed its way into hundreds -- possibly thousands -- of
servers running the Red Hat 6.2 or 7.0 flavors of Linux, installing root kits and
plastering Web servers' index.html files with the imaginative slogan "RameN Crew--
Hackers looooooooooooove noodles."
The so-called Ramen worm's code, pieced together from tools generally available on
cracker sites, exploits security vulnerabilities for which Red Hat published fixes in
early October 2000.
The worm targets Red Hat 6.2 systems running an exploitable RPC.statd service or a
vulnerable wu-FTP, and Red Hat 7.0 systems running a vulnerable LPRng.
The worm does not appear to be dangerous. It spreads by using synscan to scan the
Internet for Red Hat 6.2 and 7.0-based servers and then uses two common exploits
to gain access. Once in, it establishes a minimal HTTP/0.9 server on port 27374 -- a
common Windows trojan port -- to serve out copies of itself and then determines its
IP address. It then removes the vulnerable services it used to spread itself. After
replacing any index.html files, the worm patches the security hole used to gain entry.
Finally, the worm sends an e-mail message to two Web-based e-mail accounts --
one at Hotmail, the other at Yahoo! -- before booting up and scanning the Internet
again.
Daniel Martin, a programmer connected with the Honeynet Project, described the
Ramen worm in detail here: http://members.home.net/dtmartin24/ramen_worm.tx
------- End of forwarded message -------
----------------------------------
Dietmar G. Labahn, Dipl. Inf.
Professional Services Organisation (PSO)
PROUT AG
Tel.: +49 (0)6151-930877
Fax : +49 (0)6151-930859
Mail: [EMAIL PROTECTED]
-----------------------------------------------------------------------------
YOU MUST BE A LIST MEMBER IN ORDER TO POST TO THE LPRNG MAILING LIST
The address you post from MUST be your subscription address
If you need help, send email to [EMAIL PROTECTED] (or lprng-requests
or lprng-digest-requests) with the word 'help' in the body. For the impatient,
to subscribe to a list with name LIST, send mail to [EMAIL PROTECTED]
with: | example:
subscribe LIST <mailaddr> | subscribe lprng-digest [EMAIL PROTECTED]
unsubscribe LIST <mailaddr> | unsubscribe lprng [EMAIL PROTECTED]
If you have major problems, send email to [EMAIL PROTECTED] with the word
LPRNGLIST in the SUBJECT line.
-----------------------------------------------------------------------------
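The forwarded article names two host-side traces a Ramen infection leaves behind: an HTTP/0.9 listener on tcp/27374 serving copies of the worm, and index.html overwritten with the "RameN Crew" slogan. The following Python script is an added example (not from the article, the Honeynet write-up, or the LPRng project) that checks a `netstat -ltn`-style listing and an index.html body for exactly those two indicators. The netstat text and the HTML bodies below are constructed samples, not output captured from a real host; on a live system you would feed it the real command output and file contents.

```python
"""Host-side indicator check for the Ramen worm behaviour described in the
forwarded article. Added example with constructed inputs so it runs offline."""
import re

# Slogan the article quotes from defaced index.html files
DEFACEMENT_MARKER = "RameN Crew"
# Port on which the article says the worm's minimal HTTP/0.9 server listens
WORM_HTTP_PORT = 27374

# Matches one LISTEN line of `netstat -ltn` output and captures address and port
LISTEN_RE = re.compile(r"^\s*tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN", re.M)


def listening_ports(netstat_output):
    """Return the set of TCP ports in LISTEN state from netstat-style text."""
    return {int(m.group(2)) for m in LISTEN_RE.finditer(netstat_output)}


def index_html_defaced(body):
    """True if the page body carries the slogan the worm writes into index.html."""
    return DEFACEMENT_MARKER in body


def ramen_indicators(netstat_output, index_html_body):
    """Return a list of (indicator, detail) tuples for the traces the article names.

    An empty list means neither the 27374 listener nor the defacement was seen;
    it does not prove the host is clean, only that these two signs are absent.
    """
    hits = []
    if WORM_HTTP_PORT in listening_ports(netstat_output):
        hits.append(("listener", f"tcp/{WORM_HTTP_PORT} in LISTEN state"))
    if index_html_defaced(index_html_body):
        hits.append(("defacement", f"index.html contains {DEFACEMENT_MARKER!r}"))
    return hits


# Constructed sample inputs (assumed shapes, not captured from a real machine)
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""
SAMPLE_INDEX_HTML = (
    "<html><body>RameN Crew-- Hackers looooooooooooove noodles.</body></html>"
)
CLEAN_INDEX_HTML = "<html><body>Welcome to our site.</body></html>"

if __name__ == "__main__":
    for indicator, detail in ramen_indicators(SAMPLE_NETSTAT, SAMPLE_INDEX_HTML):
        print(f"[{indicator}] {detail}")
```

The regex is written for the classic `netstat` column layout shown in the sample; if your system only has `ss -ltn`, adapt `LISTEN_RE` to its columns. The check is deliberately narrow: it reports the two traces the article describes and nothing more, so a negative result should be followed by confirming that the rpc.statd, wu-ftpd and LPRng updates Red Hat published are installed.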