LinuxWorld: Stopping the Ramen worm
Feb 06, 2001, 22:17
(Other stories by Dev Zaborav)
"The Ramen worm targets Red Hat Linux systems specifically. It searches the Internet piece by piece, looking for vulnerable Red Hat boxes, and when it finds one it intrudes through a vulnerability in one of three Linux programs: the Remote Procedure Call service, the default file transfer protocol (FTP) service, or the print service. Once inside, the worm installs a malicious program on the compromised server, and spreads from there to other Red Hat computers."
"That sounds common enough. That's how all worms work -- a specific vulnerability in a specific operating system is targeted, and once a worm is let loose on the Internet, it compromises as many computers running the operating system with that vulnerability as it can find. What makes Ramen unique, though, is what the program it installs does. Among other things, Ramen looks for index.html files that it can overwrite."
"How can the Ramen worm be stopped? The same way any other worm is stopped: starve it. Administrators of all Linux and other Unix-based systems must take the time to secure all servers in their care. While the Ramen worm targets Red Hat, the vulnerabilities it exploits are present in other Linux distributions, as well as in certain *BSD distributions. It is of paramount importance that administrators stop putting Linux servers on the Internet in a default installation. Basic hardening and security measures must be taken first. If Linux administrators cannot be more responsible in the future than those who are still running a vulnerable rpc.statd, then the Ramen worm will continue to flourish."