Clear the Linux system's worm program Ramen

Source: Internet
Author: User
Tags perl script
Clear the worm program Ramen-Linux Enterprise Application-Linux server application information in the Linux operating system. The following is a detailed description. This article is for reference only.

In Linux, there is a worm called Ramen. It may intrude thousands of servers running the RedHat 6.2/7.0 operating system. Ramen exploits two known Linux security vulnerabilities. It uses RPC first. statd and wu-FTP vulnerability scan servers that use RedHat 6.2/7.0 on the network, and then try to obtain system permissions. Once obtained, some general system services will be replaced, in addition, a program code called "root kit" is implanted into a security vulnerability. In addition, Ramen will replace the homepage on the site with the words "RameNCrew -- Hackers looooooooooooove noodles. At last, Ramen will send two emails to two email boxes and invade into other RedHat servers.
Ramen only targets RedHat, but it is not harmful, but the propagation speed is amazing. It can scan about 130,000 sites within 15 minutes.

Ramen is very kind. After the attack is completed, it will automatically fix the three vulnerabilities it attacked (Redhat 6.2 rpc. statd, wu-ftpd, Redhat7.0 lpd), but a process on the system will scan the following machine to occupy a large amount of network bandwidth. This may cause misunderstandings of other hosts and occupy a large amount of network bandwidth, paralyzing the system.

We can see that this program is not a virus, but a worm-like program that exploits security vulnerabilities. Randy Barrett, author of the program, also came up with a statement saying that this is just a security vulnerability, which exists on various network servers, he did not target Linux when writing the Ramen program.

The prevention method is very simple. Please upgrade your redhat 6.2 nfs-utils, wu-ftpd, and redhat 7.0 LPRng. For details, download it to ftp://updates.redhat.com /.

To check whether the system is intruded by this program, check whether/usr/src/is available /. the poop directory is created and port 27374 is enabled. If yes, it indicates that it has been infiltrated by Ramen.

Check whether a system is infected with the Ramen worm based on the following points:

1. the/usr/src/. poop directory exists.

2. The/sbin/asp file exists.

3. The local port 27374 is opened (run the netstat-an command)

You can use the following perl script to detect the vulnerability:

#! /Bin/perl

# Script that checks for signs of ramen infection

# Patrick Oonk patrick@security.nl

# Based on Daniel Martin's description

# Http://www.securityfocus.com/archive/75/156624

# No guarantees, do with this script whatever you like (BSD license)

$ Detected = 0;

Print "Ramen worm checker. \ nChecking... \ n ";

Open (F, "/etc/redhat-release ");

Print "You are running", <F>, "\ n ";;

Close (F );

@ Suspect = ("/usr/src/. poop", "/usr/src/. poop/ramen. tgz", "/tmp/ramen. tgz ");

Foreach (@ suspect ){

If (-e ){

Print "found $ _ \ n ";

$ Detected ++;

}

}

Open (N, "/bin/netstat-an |") or print "cocould not open/bin/netstat \ n"; while (<N> 〉){

If (//: 27374. * LISTEN /){

Print "Ramen webserver detected on port 27374 \ n ";

$ Detected ++;

Last;

}

}

Close (N );

If ($ detected ){

Print "$ detected telltale signs of ramen found. Get professional help \ n ";

} Else {

Print "Wheee! No ramen signs found! \ N ";

}

To clear the Ramen point, follow these steps:

1. Delete the/usr/src/. poop directory and/sbin/asp file.

2. If the/etc/xinetd. d/directory exists, delete/etc/xinetd. d/asp.

3. Delete the rows that involve/usr/src/. poop in the/etc/rc. d/rc. sysinit file.

4. Delete the rows that contain/sbin/asp in the/etc/inetd. conf file.

5. restart the system and manually kill the following processes: synscan, start. sh, scan. sh, hackl. sh, and hackw. sh.

6. Upgrade ftp, rpc. statd, lpr, and other programs.

Because Ramen is through wu-ftp, rpc. statd, lpr and other programs intrude into the system, so it is best to close these programs before upgrading these programs, this can effectively prevent Ramen infection.
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.