ESB-2001.029 -- ISS Security Alert -- Ramen Linux Worm
Date: 22 January 2001
References: ESB-2001.136
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2001.029 -- ISS Security Alert Ramen Linux Worm
                              22 January 2001
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Operating System:       Red Hat 6.2
                        Red Hat 7.0 (First Edition)
                        Linux
                        Unix
Platform:               Intel
Impact:                 Root Compromise
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
January 18, 2000

Ramen Linux Worm Propagation

Synopsis:

A self-propagating worm known as Ramen is currently exploiting well-known
holes in unpatched Red Hat Linux 6.2 systems and in early versions of Red
Hat 7.0. In addition to scanning for additional systems and propagating to
vulnerable systems, the worm also defaces Web servers it encounters by
replacing the "index.html" file. It may also interfere with some networks
supporting multicasting.

Ramen is currently known to attack Red Hat systems running vulnerable
versions of wu-ftp, rpc.statd, and LPRng. New exploits can be added to the
existing worm to expand its capabilities.

Description:

Ramen combines several known exploits and tools using a set of scripts. The
initial attack starts with a scan for port 21 (FTP) and the retrieval of any
FTP banners for any FTP services it encounters. The script uses this
information to determine if it has contacted a system that may be vulnerable
to one of its packaged exploits. Currently, Ramen uses the date encountered
in the FTP banner of the system being scanned. If a vulnerable system is
detected, the worm starts a propagation script based on what vulnerability
is likely to be present. The propagation scripts and exploits run in
parallel with the scanning process.
Using one of the exploitable services, Ramen executes a command on the
target system that creates a working directory for itself,
"/usr/src/.poop". Ramen then requests a copy of itself, ramen.tgz, from the
attacking system using a Linux web browser and the Web-like service it
installs on compromised systems. When installed on the new system, Ramen
attempts to set up a very limited Web-like service on port 27374 to provide
for further distribution of the Ramen package. The service uses port 27374
to provide a copy of the ramen.tgz package to any connection with any
request on that port.

Ramen searches the entire system, including any remotely mounted file
systems, and replaces any file named "index.html" with a copy of its own
page. This not only defaces any web site that it encounters, but also
corrupts HTML-based documentation files and possibly working files in
personal directories.

E-mail messages are sent to two accounts, gb31337@hotmail.com and
gb31337@yahoo.com, from compromised systems. Owners of the systems where
the two addresses were hosted have been notified.

Ramen disables existing FTP services (in inetd on Red Hat 6.2 or in xinetd
on Red Hat 7.0) and disables rpc.statd. This action may be to prevent any
attempts to re-infect the systems with additional copies of the worm.

Ramen continues to propagate by using the newly compromised system to scan
Class B (/16) wide address spaces, searching for port 21 (FTP) and looking
for new vulnerable hosts. On networks and ISPs supporting multicasting, the
SYN scanning performed by Ramen can disrupt network traffic when scanning
the multicast network range.

Ramen is driven by scripts that can be easily modified to attack other
versions of Linux or other Unix systems. The exploits included with Ramen
are known to work against other versions of these systems, even though
Ramen itself is not keyed to trigger on them.

Affected Systems:

Red Hat 6.2 for Intel not patched for wu-ftp or nfs.
Red Hat 7.0 First Edition for Intel not patched for LPRng.

Systems not known to be vulnerable:

Red Hat 7.0 for Intel Second Edition (Respin).
Previous versions of Red Hat Linux.
Non-Intel versions of Linux.
Non-Red Hat versions of Linux.
Any other versions of Unix.

Additional Information:

Ramen does not attempt to hide its presence or clean up after itself. It
can be detected on a system by the presence of the directory /usr/src/.poop
or by the presence of the file /sbin/asp.

To remove the Ramen Worm from your system, follow these steps:

1. Delete: /usr/src/.poop and /sbin/asp.
2. If it exists, remove: /etc/xinetd.d/asp
3. Remove all lines in /etc/rc.d/rc.sysinit which refer to any file in
   /etc/src/.poop.
4. Remove any lines in /etc/inetd.conf referring to /sbin/asp
5. Reboot the system or manually kill any processes such as synscan,
   start.sh, scan.sh, hackl.sh, or hackw.sh.
6. ISS recommends that ftp, rpc.statd, or lpr are not enabled until updates
   have been installed.

Due to the general-purpose exploits at the core of this worm, it is
advisable to implement the following safeguards to prevent successful
attacks from potential variations of this exploit.

  * Disable FTP if it is not a required service. FTP provides information
    that can be exploited to identify vulnerable systems, even when FTP is
    not vulnerable.
  * Do not permit outside network access to RPC services, including NFS.
  * Do not permit outside network access to LPR services.
  * Install and maintain all security fixes in a timely manner.

Support to detect both the rpc.statd and the wu-ftp vulnerabilities is
available to ISS Internet Scanner customers in X-Press Update 4.4. ISS
RealSecure support to detect both the rpc.statd vulnerability and the
wu-ftp vulnerability is available in X-Press Update SR 1.1. ISS X-Force
plans to make support available for the LPRng vulnerability for both
Internet Scanner and RealSecure in an upcoming X-Press Update release.
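The indicators listed above (the /usr/src/.poop directory, /sbin/asp, the xinetd and inetd entries, the rc.sysinit lines and the worm's process names), together with the port 27374 distribution service that the RealSecure guidance below watches for, can be checked on a host with a short POSIX shell script. The script below is an added example and is not ISS or AusCERT code: every indicator it looks for comes from this alert, while the function names, the optional ROOT prefix (so a mounted image of a suspect disk can be examined from a clean host) and the Linux-style `netstat -an` output it parses are assumptions of the example.

```shell
#!/bin/sh
# ramen_check.sh: host-based check for the Ramen worm indicators named in
# the ISS alert. Added example, not ISS or AusCERT code. The indicators are
# the alert's own; the layout, function names and ROOT prefix are ours.
# Each function writes indicator messages to stderr and prints its hit
# count to stdout so the results can be summed or tested.

# Filesystem indicators. ROOT is an optional prefix (e.g. /mnt/suspect) so
# that a mounted image of a suspect disk can be examined from a clean host.
ramen_check_files() {
    root="${1:-}"
    hits=0
    if [ -d "$root/usr/src/.poop" ]; then
        echo "INDICATOR: worm working directory $root/usr/src/.poop present" >&2
        hits=$((hits + 1))
    fi
    if [ -e "$root/sbin/asp" ]; then
        echo "INDICATOR: worm distribution binary $root/sbin/asp present" >&2
        hits=$((hits + 1))
    fi
    if [ -e "$root/etc/xinetd.d/asp" ]; then
        echo "INDICATOR: xinetd service file $root/etc/xinetd.d/asp present (Red Hat 7.0)" >&2
        hits=$((hits + 1))
    fi
    # Lines that restart the worm at boot
    if [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -q '\.poop' "$root/etc/rc.d/rc.sysinit"; then
        echo "INDICATOR: $root/etc/rc.d/rc.sysinit references .poop" >&2
        hits=$((hits + 1))
    fi
    # inetd entry for the port 27374 service (Red Hat 6.2)
    if [ -f "$root/etc/inetd.conf" ] && grep -q '/sbin/asp' "$root/etc/inetd.conf"; then
        echo "INDICATOR: $root/etc/inetd.conf references /sbin/asp" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Process indicators. Takes the output of `ps -eo comm=` (one command name
# per line) so that a captured or constructed listing can be checked too.
ramen_check_procs() {
    hits=0
    for name in synscan start.sh scan.sh hackl.sh hackw.sh; do
        if printf '%s\n' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF "$name"; then
            echo "INDICATOR: worm process '$name' is running" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Listener indicator. Takes Linux-style `netstat -an` output and looks for a
# TCP listener on 27374, the port the worm uses to hand out ramen.tgz.
ramen_check_listener() {
    if printf '%s\n' "$1" | grep -E '^tcp' | grep -E ':27374[[:space:]]' | grep -q 'LISTEN'; then
        echo "INDICATOR: TCP listener on port 27374 (worm distribution service)" >&2
        echo 1
    else
        echo 0
    fi
}

# The live-host run only happens when asked for explicitly, so sourcing this
# file to reuse the functions does not touch the host. Exit status is 0 when
# no indicator was found.
if [ "${1:-}" = "--live" ]; then
    total=0
    n=$(ramen_check_files "");                               total=$((total + n))
    n=$(ramen_check_procs "$(ps -eo comm=)");                total=$((total + n))
    n=$(ramen_check_listener "$(netstat -an 2>/dev/null)");  total=$((total + n))
    echo "ramen_check: $total indicator(s) found"
    [ "$total" -eq 0 ]
fi
```

Run it as `sh ramen_check.sh --live` on the host, or source it and call `ramen_check_files /mnt/suspect` against a mounted image. The functions take their inputs as arguments rather than calling `ps` and `netstat` internally so that the same logic can be run over listings captured during incident response.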
ISS RealSecure customers can configure a Connection Event on port 27374 to
detect activity associated with the propagation of this worm and may use
the following User Defined signature to detect outbound emails originating
from machines infected with the Ramen Worm:

From the Sensor window:

1. Right-click on the sensor and select 'Properties'.
2. Choose a policy you want to use, and click 'Customize'.
3. Select the 'User Defined Events' tab.
4. Click 'Add' on the right hand side of the dialog box.
5. Create 2 User Defined Events, one for Hotmail the other Yahoo.
6. Type in a name of each event, such as 'Ramen Hotmail' and 'Ramen Yahoo'.
7. In the 'Context' field for each event, select 'Email_Receiver'. In the
   'String' field, type the following for each event:
       gb31337@hotmail.com
       gb31337@yahoo.com
8. Click 'Save', and then 'Close'.
9. Click 'Apply to Sensor' or 'Apply to Engine', depending on the version
   of RealSecure you are using.

Credits:

The material contained in this advisory was researched by Michael Warfield
of ISS X-Force. For additional information refer to the INCIDENTS and
VULN-DEV mailing lists hosted at SecurityFocus.com as well as mailing lists
hosted on RedHat.com.

____

About Internet Security Systems (ISS)

Internet Security Systems, Inc. (ISS) (NASDAQ: ISSX) is the leading global
provider of security management solutions for the Internet. By combining
best of breed products, security management services, aggressive research
and development, and comprehensive educational and consulting services, ISS
is the trusted security advisor for thousands of organizations around the
world looking to protect their mission critical information and networks.

Copyright (c) 2001 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force.
If you wish to reprint the whole or any part of this Alert in any other
medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.

- - -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOmeafTRfJiV99eG9AQF/rAQAoDPfyrtkzuhO60rvs2rylKAawE4N/1Yz
ncMjWZduF4jv8DWWD3nL+cG5Hd6axVpf+5uDID2IfMcZviPm62AVY1GGTz4FcP3o
TJfPaLBff/MEnSndFQrPne5r89oBH5jhSIzAqRn6Q8xYohOCagCHDu/t2ZC4rXSo
mkSsQHbv80o=
=FswQ
- - -----END PGP SIGNATURE-----

- - --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOm/y4Ch9+71yA2DNAQH1lQP/XMx3KO+5KsjP2mkKKjgLvpYdwAXi1lYj
0B5LCFm/bwRj8FG4HqS9sCkMxl75XTKtmiHvBuXYdBf1A2PQljTjWcJSo+/Fe2GY
5BzLMGd/Z6Mp5DGsKkVIzCfQNyXZuWOmXYpat7fPQ+K/s5mB2HDfwqTbltg1hnfG
fOHQdTZzxyM=
=/DHl
-----END PGP SIGNATURE-----
http://www.auscert.org.au/render.html?cid=1&it=1139