
Ramen Linux Worm info



From the ISS Alert newsletter (http://www.infowar.com)

Ramen Linux Worm

Affected Systems:

Red Hat 6.2 for Intel not patched for wu-ftp or nfs.
Red Hat 7.0 First Edition for Intel not patched for LPRng.

Systems not known to be vulnerable:

Red Hat 7.0 for Intel Second Edition (Respin).
Previous versions of Red Hat Linux.
Non-Intel versions of Linux.
Non-Red Hat versions of Linux.
Any other versions of Unix.

Additional Information:

Ramen does not attempt to hide its presence or clean up after itself. It
can be detected on a system by the presence of the
directory /usr/src/.poop or by the presence of the file /sbin/asp.

To remove the Ramen Worm from your system, follow these steps:

1.  Delete: /usr/src/.poop and /sbin/asp.
2.  If it exists, remove:  /etc/xinetd.d/asp
3.  Remove all lines in /etc/rc.d/rc.sysinit which refer to any
    file in /etc/src/.poop.
4.  Remove any lines in /etc/inetd.conf referring to /sbin/asp
5.  Reboot the system or manually kill any processes such as synscan,
    start.sh, scan.sh, hackl.sh, or hackw.sh.
6.  ISS recommends that ftp, rpc.statd, or lpr are not enabled until
    updates have been installed.

Due to the general-purpose exploits at the core of this worm, it is
advisable to implement the following safeguards to prevent successful
attacks from potential variations of this exploit.

Disable FTP if it is not a required service. FTP provides information that can be exploited to identify vulnerable systems, even when FTP is not vulnerable.

Do not permit outside network access to RPC services, including NFS.

Do not permit outside network access to LPR services.


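
The detection paragraph and removal steps 1-5 above, turned into a read-only shell check. This is an added example, not part of the ISS alert; the function name ramen_check and its optional ROOT argument (for inspecting a mounted disk image instead of the running system) are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only check for the Ramen indicators named in the alert.
# ROOT ("/" for the running system, or a mounted disk image) and the name
# ramen_check are assumptions of this example. Nothing is deleted or changed.
RAMEN_HITS=0
hit() { RAMEN_HITS=$((RAMEN_HITS + 1)); echo "FOUND: $1"; }

ramen_check() {
    root=${1%/}                 # "/" or no argument -> "" (running system)
    RAMEN_HITS=0

    # Files and directories from the detection paragraph and steps 1-2.
    [ -d "$root/usr/src/.poop" ]    && hit "directory $root/usr/src/.poop"
    [ -e "$root/sbin/asp" ]         && hit "file $root/sbin/asp"
    [ -e "$root/etc/xinetd.d/asp" ] && hit "file $root/etc/xinetd.d/asp"

    # Steps 3-4: persistence entries. Matching the directory name ".poop"
    # catches the reference whatever parent path the line uses.
    f=$root/etc/rc.d/rc.sysinit
    [ -r "$f" ] && grep -F -e '.poop' "$f" >/dev/null && hit "$f refers to .poop"
    f=$root/etc/inetd.conf
    [ -r "$f" ] && grep -F -e '/sbin/asp' "$f" >/dev/null && hit "$f refers to /sbin/asp"

    # Step 5: process names, only meaningful on the running system. Names
    # such as start.sh are generic, so treat a match as a lead to verify.
    if [ -z "$root" ]; then
        procs=$(ps -e -o args= 2>/dev/null) || procs=
        for p in synscan start.sh scan.sh hackl.sh hackw.sh; do
            printf '%s\n' "$procs" | grep -F -w -e "$p" >/dev/null \
                && hit "process matching $p"
        done
    fi

    [ "$RAMEN_HITS" -eq 0 ]     # status 0 = clean, 1 = indicators found
}

# Run only when a ROOT is given: sh ramen_check.sh /   or   /mnt/image
if [ $# -gt 0 ]; then ramen_check "$1"; fi
```

The exit status is 0 when none of the listed indicators are present and 1 otherwise, so the check can be run across many hosts and the results sorted by status.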