Removing the Ramen worm from Linux servers: the following is a detailed description. This article is for reference only.
In Linux there is a worm called Ramen. It can intrude into thousands of servers running the RedHat 6.2/7.0 operating system. Ramen exploits two known Linux security vulnerabilities: it first uses the rpc.statd and wu-ftpd vulnerabilities to scan the network for servers running RedHat 6.2/7.0, and then tries to obtain system privileges. Once obtained, some general system services are replaced, and in addition a program called a "root kit" is implanted through a security vulnerability. Ramen also replaces the site's homepage with the words "RameNCrew -- Hackers looooooooooooove noodles". Finally, Ramen sends two emails to two mailboxes and goes on to invade other RedHat servers.
Ramen only targets RedHat and is not destructive in itself, but its propagation speed is amazing: it can scan about 130,000 sites within 15 minutes.
Ramen is quite considerate: after the attack is completed, it automatically fixes the three vulnerabilities it exploited (RedHat 6.2 rpc.statd and wu-ftpd, RedHat 7.0 lpd). However, a process left on the system keeps scanning other machines and occupies a large amount of network bandwidth. This can cause misunderstandings with other hosts, and the bandwidth consumption can paralyze the system.
From this we can see that the program is not a virus but a worm-like program that exploits security vulnerabilities. Randy Barrett, the author of the program, also issued a statement saying that this is merely a security vulnerability that exists on various network servers, and that he was not targeting Linux when he wrote the Ramen program.
The prevention method is very simple: upgrade nfs-utils and wu-ftpd on RedHat 6.2, and LPRng on RedHat 7.0. The updates can be downloaded from ftp://updates.redhat.com/.
To check whether the system has been intruded by this program, check whether the /usr/src/.poop directory has been created and whether port 27374 is open. If so, the system has been infiltrated by Ramen.
Check whether a system is infected with the Ramen worm based on the following points:
1. The /usr/src/.poop directory exists.
2. The /sbin/asp file exists.
3. Local port 27374 is open (run the netstat -an command).
You can use the following Perl script to detect an infection:
#!/bin/perl
# Script that checks for signs of ramen infection
# Patrick Oonk patrick@security.nl
# Based on Daniel Martin's description
# http://www.securityfocus.com/archive/75/156624
# No guarantees, do with this script whatever you like (BSD license)
2. If the /etc/xinetd.d/ directory exists, delete /etc/xinetd.d/asp.
3. Delete the lines that involve /usr/src/.poop in the /etc/rc.d/rc.sysinit file.
4. Delete the lines that contain /sbin/asp in the /etc/inetd.conf file.
5. Restart the system and manually kill the following processes: synscan, start.sh, scan.sh, hackl.sh, and hackw.sh.
6. Upgrade ftp, rpc.statd, lpr, and other programs.
Because Ramen intrudes into the system through wu-ftp, rpc.statd, lpr and similar programs, it is best to shut these services down before upgrading them; this effectively prevents Ramen infection.
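A shell check for the indicators named in the detection list and the removal steps above (the .poop directory, /sbin/asp, the xinetd.d and inetd.conf entries, the rc.sysinit hook, and port 27374), as an added example that is not the article's Perl script, which the page does not reproduce. It assumes a saved netstat -an listing is passed as the second argument; the sample tree and netstat lines in ramen_demo are constructed.

```sh
#!/bin/sh
# Added example (not the Perl script the article cites): checks the Ramen
# indicators listed above against a filesystem root and a saved `netstat -an`
# listing. ROOT "" means the running system; a mount point scans an offline image.
# Print one line per indicator found, then a final "found: N" line.
ramen_scan() {
    root="${1:-}"          # filesystem prefix ("" = live system)
    netstat_out="${2:-}"   # file holding `netstat -an` output (optional)
    n=0
    if [ -d "$root/usr/src/.poop" ]; then
        echo "indicator: $root/usr/src/.poop directory exists"; n=$((n + 1))
    fi
    if [ -e "$root/sbin/asp" ]; then
        echo "indicator: $root/sbin/asp present"; n=$((n + 1))
    fi
    if [ -e "$root/etc/xinetd.d/asp" ]; then
        echo "indicator: $root/etc/xinetd.d/asp present"; n=$((n + 1))
    fi
    if [ -f "$root/etc/inetd.conf" ] && grep -q '/sbin/asp' "$root/etc/inetd.conf"; then
        echo "indicator: /sbin/asp entry in inetd.conf"; n=$((n + 1))
    fi
    if [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -q '/usr/src/\.poop' "$root/etc/rc.d/rc.sysinit"; then
        echo "indicator: rc.sysinit references /usr/src/.poop"; n=$((n + 1))
    fi
    # Port 27374: local-address column (field 4) ends in :27374 and state is LISTEN.
    if [ -n "$netstat_out" ] && awk '$4 ~ /:27374$/ && $NF == "LISTEN" { hit = 1 } END { exit !hit }' "$netstat_out"; then
        echo "indicator: tcp port 27374 is listening"; n=$((n + 1))
    fi
    echo "found: $n"
}
# Just the count, for scripting (always exits 0).
ramen_count() {
    ramen_scan "$@" | sed -n 's/^found: //p'
}
# Demonstration on a constructed fake tree and a constructed netstat capture.
ramen_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/src/.poop" "$tmp/etc/rc.d" "$tmp/sbin"
    : > "$tmp/sbin/asp"
    echo '/usr/src/.poop/start.sh' > "$tmp/etc/rc.d/rc.sysinit"   # constructed line
    cat > "$tmp/netstat.txt" <<'EOF'
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
    ramen_scan "$tmp" "$tmp/netstat.txt"      # reports 4 indicators
    rm -rf "$tmp"
}
if [ "${1:-}" = "--demo" ]; then ramen_demo; fi
```

Run `sh ramen_check.sh --demo` to see the constructed case, or call `ramen_scan "" /tmp/netstat.txt` after saving `netstat -an > /tmp/netstat.txt` to check the live system.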