LinuxSecurity.com: Ramen Linux Worm PropagationJan 22, 2001, 08:12 (0 Talkback[s])
(Other stories by Dave Wreski)
[ Thanks to Benjamin D. Thomas for this link. ]
"A self-propagating worm known as Ramen is currently exploiting well-known holes in unpatched Red Hat Linux 6.2 systems and in early versions of Red Hat 7.0. In addition to scanning for additional systems and propagating to vulnerable systems, the worm also defaces Web servers it encounters by replacing the "index.html" file. It may also interfere with some networks supporting multicasting."
"Ramen is currently known to attack Red Hat systems running vulnerable versions of wu-ftp, rpc.statd, and LPRng. New exploits can be added to the existing worm to expand its capabilities...."
"Ramen combines several known exploits and tools using a set of scripts. The initial attack starts with a scan for port 21 (FTP) and the retrieval of any FTP banners for any FTP services it encounters. The script uses this information to determine if it has contacted a system that may be vulnerable to one of its packaged exploits. Currently, Ramen uses the date encountered in the FTP banner of the system being scanned."