Clear the Linux worm program Ramen

There is a Linux worm called Ramen that may intrude on thousands of servers running the RedHat 6.2/7.0 operating system. Ramen exploits two known Linux security vulnerabilities. It first uses the rpc.statd and wu-ftpd vulnerabilities to scan the network for servers running RedHat 6.2/7.0, and then tries to obtain system permissions. Once it has them, it replaces some general system services and implants program code called a "root kit" via the security vulnerability. Ramen also replaces the homepage of the site with the words "RameNCrew -- Hackers looooooooooooove noodles." Finally, Ramen sends two emails to two mailboxes and goes on to invade other RedHat servers.
Ramen targets only RedHat. It is not harmful, but its propagation speed is striking: it can scan about 130,000 sites within 15 minutes.
Ramen is very kind: after the attack is completed, it automatically fixes the three vulnerabilities it attacked (RedHat 6.2 rpc.statd and wu-ftpd, RedHat 7.0 lpd). However, a process left on the system goes on scanning for further machines, which occupies a large amount of network bandwidth. This may cause misunderstandings with other hosts and, by consuming so much bandwidth, can paralyze the system.
So this program is not a virus but a worm-like program that exploits security vulnerabilities. Randy Barrett, author of the program, also issued a statement saying that this is just a security vulnerability of a kind that exists on various network servers, and that he did not target Linux when writing the Ramen program.
Prevention is simple: upgrade nfs-utils and wu-ftpd on RedHat 6.2, and LPRng on RedHat 7.0. The updates can be downloaded from ftp://updates.redhat.com/.
To check whether a system has been intruded by this program, check whether the /usr/src/.poop directory has been created and whether port 27374 is open. If so, the system has been infiltrated by Ramen.
Check whether a system is infected with the Ramen worm based on the following points:
1. The /usr/src/.poop directory exists.
2. The /sbin/asp file exists.
3. Local port 27374 is open (run the netstat -an command).
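The three checks above as shell functions. This is an added example, not the script the page refers to; the ROOT prefix argument and reading saved `netstat -an` output from a file are assumptions of this example, made so that a mounted copy of a disk can be examined.

```shell
#!/bin/sh
# Added example: looks for the three Ramen indicators listed above.
# ROOT and NETSTAT_FILE are assumptions of this example, not part of the page.
# Live use:  netstat -an > /tmp/ns.txt && ramen_check "" /tmp/ns.txt

# port_listening PORT: reads `netstat -an` text on stdin and succeeds only if
# a TCP socket in LISTEN state has PORT as its *local* port. Matching the whole
# port field avoids false hits on 2737 or on a remote peer's port 27374.
port_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # column 4 is the local address
            if (a[n] == port) found = 1
        }
        END { exit !found }'
}

# ramen_check ROOT NETSTAT_FILE: prints one line per indicator found and
# returns 0 if at least one indicator is present, 1 if none are.
ramen_check() {
    root=$1; netstat_file=$2; hits=0
    if [ -d "$root/usr/src/.poop" ]; then
        echo "FOUND: directory $root/usr/src/.poop"
        hits=$((hits + 1))
    fi
    if [ -e "$root/sbin/asp" ]; then
        echo "FOUND: file $root/sbin/asp"
        hits=$((hits + 1))
    fi
    if port_listening 27374 < "$netstat_file"; then
        echo "FOUND: TCP port 27374 is listening"
        hits=$((hits + 1))
    fi
    [ "$hits" -gt 0 ]
}
```

Because the worm replaces system services and implants a root kit, run the checks with known-good binaries or against a mounted copy of the disk rather than trusting tools on the suspect host.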
You can use the following Perl script to detect the vulnerability: