Removing the Linux worm Ramen

Source: Internet
Author: User
Ramen is a worm for Linux. It may intrude into thousands of servers running the RedHat 6.2/7.0 operating system. Ramen exploits two known Linux security vulnerabilities. It first uses the rpc.statd and wu-ftpd vulnerabilities to scan for servers running RedHat 6.2/7.0 on the network, and then tries to obtain system permissions. Once it has them, some general system services are replaced and a "root kit" program is implanted. Ramen also replaces the homepage of the site with the words "RameNCrew -- Hackers looooooooooooove noodles." Finally, Ramen sends two emails to two mailboxes and goes on to invade other RedHat servers.

Ramen targets only RedHat. It is not harmful, but its propagation speed is remarkable: it can scan about 130,000 sites within 15 minutes.

Ramen is very kind. After the attack is completed, it automatically fixes the three vulnerabilities it attacked (rpc.statd and wu-ftpd on RedHat 6.2, lpd on RedHat 7.0). However, a process left on the system goes on to scan other machines. This may be misinterpreted by other hosts, and it occupies a large amount of network bandwidth, which can paralyze the system.

As we can see, this program is not a virus but a worm-like program that exploits security vulnerabilities. Randy Barrett, author of the program, also issued a statement saying that this is just a security vulnerability of a kind that exists on various network servers, and that he did not target Linux when writing the Ramen program.

Prevention is very simple: upgrade nfs-utils and wu-ftpd on RedHat 6.2, and LPRng on RedHat 7.0. The updates can be downloaded from ftp://updates.redhat.com/.

To check whether a system has been intruded by this program, check whether the /usr/src/.poop directory has been created and whether port 27374 is open. If so, the system has been infiltrated by Ramen.

Check whether a system is infected with the Ramen worm based on the following points:

1. The /usr/src/.poop directory exists.

2. The /sbin/asp file exists.

3. The local port 27374 is open (run the netstat -an command).
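
The three checks above as a shell function. This is an added example, not code from the original page. The function names, the optional ROOT argument (for inspecting a mounted disk image), the saved-netstat-file argument and the `--scan` switch are assumptions of this example, as is treating the port as a TCP listener.

```shell
#!/bin/sh
# Added example: checks for the three Ramen indicators listed above.

# Emits saved `netstat -an` output if a file is given, otherwise runs netstat live.
ramen_netstat() {
    if [ -n "${1:-}" ]; then cat "$1"; else netstat -an 2>/dev/null; fi
}

# Succeeds if netstat output on stdin shows a local listener on port 27374.
# Assumption: the port is a TCP listener. Matching only the local-address
# column ($4) avoids false hits on outbound connections to a remote port
# 27374, which a plain `grep 27374` would report.
ramen_port_listening() {
    awk '$1 ~ /^tcp/ && $4 ~ /:27374$/ && $NF == "LISTEN" { hit = 1 }
         END { exit !hit }'
}

# ramen_check [ROOT] [NETSTAT_FILE]
#   ROOT          filesystem root to inspect (default /)
#   NETSTAT_FILE  saved `netstat -an` output; if omitted, netstat is run live
# Prints one FOUND line per indicator. Returns 0 if none is present, 1 otherwise.
ramen_check() {
    root=${1:-/}; root=${root%/}
    infected=0
    # 1. Directory /usr/src/.poop
    if [ -d "$root/usr/src/.poop" ]; then
        echo "FOUND: directory /usr/src/.poop"; infected=1
    fi
    # 2. File /sbin/asp
    if [ -e "$root/sbin/asp" ]; then
        echo "FOUND: file /sbin/asp"; infected=1
    fi
    # 3. Local port 27374 open
    if ramen_netstat "${2:-}" | ramen_port_listening; then
        echo "FOUND: listener on port 27374"; infected=1
    fi
    return "$infected"
}

# Live check only when the script is invoked with --scan [ROOT].
if [ "${1:-}" = "--scan" ]; then ramen_check "${2:-/}"; fi
```

Any single FOUND line is worth investigating, since an attacker or a partial cleanup may leave only some of the indicators behind.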

You can use the following perl script to detect the vulnerability:

  