Article Title: Clearing the Ramen worm program from Linux. A worm called Ramen has intruded into thousands of servers running the RedHat 6.2/7.0 operating system. Ramen exploits two known Linux security vulnerabilities: it first scans the network for RedHat 6.2/7.0 servers exposed through the rpc.statd and wu-ftpd vulnerabilities, then tries to obtain system privileges. Once it has them, it replaces some common system services and implants a "root kit" program through the security hole. Ramen also replaces the site's homepage with the words "RameNCrew -- Hackers looooooooooooove noodles". Finally, Ramen sends two emails to two mailboxes and moves on to invade other RedHat servers.
Ramen only targets RedHat and its payload is not destructive, but it spreads remarkably fast: it can scan about 130,000 sites within 15 minutes.
Ramen is almost considerate: once the attack is complete, it automatically patches the three vulnerabilities it used (rpc.statd and wu-ftpd on RedHat 6.2, lpd on RedHat 7.0). However, a process left on the system keeps scanning for further machines and consumes a large amount of network bandwidth. This can be misinterpreted by other hosts and can saturate the network to the point of paralysing the system.
We can see that this program is not a virus but a worm-like program that exploits security vulnerabilities. Randy Barrett, the author of the program, also issued a statement saying that this is just a matter of security vulnerabilities, which exist on all kinds of network servers, and that he was not targeting Linux when he wrote the Ramen program.
The prevention method is very simple: upgrade nfs-utils and wu-ftpd on RedHat 6.2, and LPRng on RedHat 7.0. The updates can be downloaded from ftp://updates.redhat.com/.
To check whether the system has been intruded by this program, check whether the /usr/src/.poop directory has been created and whether port 27374 is open. If so, the system has been infiltrated by Ramen.
Check whether a system is infected with the Ramen worm based on the following points:
1. The /usr/src/.poop directory exists.
2. The /sbin/asp file exists.
3. The local port 27374 is open (run the netstat -an command).
You can use the following Perl script to check for signs of infection:
#!/usr/bin/perl
# Script that checks for signs of ramen infection
# Patrick Oonk patrick@security.nl
# Based on Daniel Martin's description
# http://www.securityfocus.com/archive/75/156624
# No guarantees, do with this script whatever you like (BSD license)
use strict;
use warnings;

my $detected = 0;
print "Ramen worm checker.\nChecking...\n";

# Report the distribution release so the reader knows which updates apply
open(F, "/etc/redhat-release");
print "You are running ", <F>, "\n";
close(F);

# Files and directories the worm drops on an infected host
my @suspect = ("/usr/src/.poop", "/usr/src/.poop/ramen.tgz", "/tmp/ramen.tgz");
foreach (@suspect) {
    if (-e) {
        print "found $_\n";
        $detected++;
    }
}

# The worm opens a web server listening on TCP port 27374
open(N, "/bin/netstat -an |") or print "could not open /bin/netstat\n";
while (<N>) {
    if (/:27374.*LISTEN/) {
        print "Ramen webserver detected on port 27374\n";
        $detected++;
        last;
    }
}
close(N);

if ($detected) {
    print "$detected telltale signs of ramen found. Get professional help\n";
} else {
    print "Wheee! No ramen signs found!\n";
}
To remove Ramen, follow these steps:
1. Delete the /usr/src/.poop directory and the /sbin/asp file.
2. If the /etc/xinetd.d/ directory exists, delete /etc/xinetd.d/asp.
3. Delete the lines that refer to /usr/src/.poop in the /etc/rc.d/rc.sysinit file.
4. Delete the lines that contain /sbin/asp in the /etc/inetd.conf file.
5. Restart the system and manually kill the following processes: synscan, start.sh, scan.sh, hackl.sh and hackw.sh.
6. Upgrade the ftp, rpc.statd, lpr and related programs.
Because Ramen enters the system through wu-ftp, rpc.statd, lpr and similar programs, it is best to shut these services down until they have been upgraded; this effectively prevents Ramen infection.
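Cleanup steps 1 to 4 above, as an added shell script that is not part of the original article. It assumes a root-prefix argument (an empty prefix means the live system; a copied or mounted tree lets you rehearse the removal first) and the backup suffix .ramen.bak; steps 5 and 6 (killing processes and upgrading packages) are left to the operator.

```shell
#!/bin/sh
# Added example, not the article's own script: performs cleanup steps 1 to 4
# (dropped files, xinetd entry, rc.sysinit and inetd.conf lines) below a root
# prefix. Assumed conventions: ROOT="" is the live system; any other value is a
# copied tree used for a rehearsal. The .ramen.bak backup suffix is our choice.

# Delete every line of file $1 that contains the fixed string $2, keeping a backup.
strip_lines() {
    f="$1"; pat="$2"
    [ -f "$f" ] || return 0
    cp -p "$f" "$f.ramen.bak"
    # grep -v exits 1 when no line survives, which is not an error here
    grep -v -F -- "$pat" "$f.ramen.bak" > "$f" || :
}

# Remove Ramen's dropped files and persistence entries below $1; prints how
# many of the three paths were actually present and removed.
ramen_cleanup() {
    root="${1:-}"
    removed=0
    # Steps 1 and 2: the drop directory, /sbin/asp and its xinetd service file
    for p in "$root/usr/src/.poop" "$root/sbin/asp" "$root/etc/xinetd.d/asp"; do
        if [ -e "$p" ]; then
            rm -rf "$p"
            removed=$((removed + 1))
        fi
    done
    # Steps 3 and 4: rc.sysinit and inetd.conf lines that refer to the worm's files
    strip_lines "$root/etc/rc.d/rc.sysinit" "/usr/src/.poop"
    strip_lines "$root/etc/inetd.conf" "/sbin/asp"
    echo "$removed"
}

# Usage: sh ramen_cleanup.sh --apply [ROOT]   (nothing is touched without --apply)
if [ "${1:-}" = "--apply" ]; then
    ramen_cleanup "${2:-}"
fi
```

After running it, reboot and complete steps 5 and 6, then rerun the Perl checker above to confirm that no signs remain.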