
Saturday, 12 November 2011

Clearing the Ramen worm on Linux

A worm called Ramen has appeared on Linux systems. It can compromise thousands of servers running Red Hat 6.2/7.0. Ramen exploits known Linux vulnerabilities: on Red Hat 6.2 the holes in rpc.statd and wu-ftpd, on Red Hat 7.0 the lpd hole in LPRng. It first scans the network for Red Hat 6.2/7.0 servers exposing those services, then tries to gain root. Once it has it, it replaces some ordinary system services, installs a "root kit" on the compromised host, and replaces the site's home page with the text "RameNCrew--Hackers looooooooooooove noodles". Finally, Ramen mails two e-mail addresses and starts attacking other Red Hat servers.

Ramen only attacks Red Hat and does little direct damage, but it spreads at an astonishing rate: it can scan about 130,000 sites in 15 minutes.

In one sense Ramen is well-behaved: after a successful attack it patches the three holes it exploits (rpc.statd and wu-ftpd on Red Hat 6.2, lpd on Red Hat 7.0). But it then starts a process on the host that scans further networks for targets and eats a great deal of bandwidth. That scanning trips alarms on other hosts and can consume enough bandwidth to bring the system down.

It is clear that the program is not really a virus but a worm-like program that exploits security holes. Its author, Randy Barrett, has also stated publicly that this is just a security hole, that holes like it exist on all kinds of network servers, and that he was not targeting Linux when he wrote Ramen.

Prevention is simple: upgrade nfs-utils and wu-ftpd on Red Hat 6.2, and LPRng on Red Hat 7.0. The updated packages are available from ftp://updates.redhat.com/.

To check whether a system has been compromised by the worm, look for the directory /usr/src/.poop and for a listener on port 27374; if either is present, Ramen has already got in.

Whether a system is infected with the Ramen worm is judged mainly on the following points:

1. The directory /usr/src/.poop exists

2. The file /sbin/asp exists

3. Local port 27374 is open (check with netstat -an)

The following Perl script can be used to check for these signs:

#!/usr/bin/perl
# Script that checks for signs of ramen infection
# Patrick Oonk, patrick@security.nl
# based on Daniel Martin's description at
# http://www.securityfocus.com/archive/75/156624
# No guarantees, do with this script whatever you like (BSD license)
use strict;
use warnings;

my $detected = 0;
print "Ramen worm checker.\nChecking...\n";

# Report the distribution, since only Red Hat 6.2/7.0 are targets
if (open(my $rel, '<', '/etc/redhat-release')) {
    my $release = <$rel>;
    chomp $release;
    print "You are running $release\n";
    close($rel);
} else {
    print "Could not read /etc/redhat-release (not Red Hat?)\n";
}

# Files and directories the worm leaves behind
my @suspect = ("/usr/src/.poop", "/usr/src/.poop/ramen.tgz",
               "/tmp/ramen.tgz", "/sbin/asp");
foreach (@suspect) {
    if (-e) {
        print "found $_\n";
        $detected++;
    }
}

# The worm serves its own copy to new victims on TCP port 27374
if (open(my $net, '-|', '/bin/netstat', '-an')) {
    while (<$net>) {
        if (/:27374\b.*LISTEN/) {
            print "Ramen webserver detected on port 27374\n";
            $detected++;
            last;
        }
    }
    close($net);
} else {
    print "Could not run /bin/netstat\n";
}

if ($detected) {
    print "$detected telltale signs of ramen found. Get professional help\n";
} else {
    print "Wheee! No ramen signs found!\n";
}

Steps to remove the Ramen worm:

1. Delete the /usr/src/.poop directory and the /sbin/asp file

2. If the /etc/xinetd.d/ directory exists, delete /etc/xinetd.d/asp

3. Delete the lines in /etc/rc.d/rc.sysinit that refer to /usr/src/.poop

4. Delete the lines in /etc/inetd.conf that refer to /sbin/asp

5. Kill the processes synscan, start.sh, scan.sh, hackl.sh and hackw.sh by hand, then reboot the system

6. Upgrade ftp, rpc.statd, lpr and the related packages

Because Ramen gets into the system through wu-ftpd, rpc.statd and lpr, it is best to shut those services down before upgrading them, so the host cannot be re-infected while the patches are being applied.
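The removal steps above can be scripted. The helper below is an added example, not code from the original post or from the worm's analysts: it carries out steps 1 to 5 and the "shut the service down first" advice using exactly the paths, file names and process names listed above. The one assumption introduced here is that each function takes a root prefix, so the file clean-up can be tried on a copied tree before it is run against "/".

```sh
#!/bin/sh
# Added example: Ramen clean-up helper (not from the original post).
# Paths, file names and process names are the ones listed in the post.
# Assumption: every function takes a root prefix so it can be exercised
# on a copied tree; pass "/" for the live system.

# Remove the worm's files and the start-up hooks it left behind under the
# tree rooted at $1. Prints the number of indicators found and cleaned.
ramen_remove() {
  root="${1%/}"
  found=0
  for path in "$root/usr/src/.poop" "$root/sbin/asp" "$root/tmp/ramen.tgz" \
              "$root/etc/xinetd.d/asp"; do
    if [ -e "$path" ]; then
      found=$((found + 1))
      rm -rf "$path"
    fi
  done
  # Strip the lines that start the worm from rc.sysinit and register the
  # asp backdoor in inetd.conf; keep a backup so the edit can be reviewed.
  # The patterns match only the worm's own paths, so other entries survive.
  for f in "$root/etc/rc.d/rc.sysinit" "$root/etc/inetd.conf"; do
    [ -f "$f" ] || continue
    if grep -q -e '/usr/src/\.poop' -e '/sbin/asp' "$f"; then
      found=$((found + 1))
      cp "$f" "$f.pre-ramen"
      grep -v -e '/usr/src/\.poop' -e '/sbin/asp' "$f.pre-ramen" > "$f" || :
    fi
  done
  echo "$found"
}

# Comment out the wu-ftpd entry in inetd.conf so the FTP hole is closed
# until the package has been upgraded (step 6).
ramen_disable_ftp() {
  f="${1%/}/etc/inetd.conf"
  [ -f "$f" ] || return 0
  cp "$f" "$f.ftp-bak"
  sed 's/^ftp[[:space:]]/#&/' "$f.ftp-bak" > "$f"
}

# Kill the worm's scanner and helper scripts (step 5). The .sh files run as
# "sh start.sh", so match on the full command line rather than the name.
ramen_kill() {
  for p in synscan start.sh scan.sh hackl.sh hackw.sh; do
    pkill -f "(^|[/ ])$p" 2>/dev/null || :
  done
}

# Live run: only when invoked explicitly, and only as root.
if [ "${1:-}" = "--live" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  ramen_kill
  n=$(ramen_remove /)
  ramen_disable_ftp /
  echo "cleaned $n Ramen indicators; now upgrade nfs-utils, wu-ftpd and LPRng, then reboot"
  # The backdoor port must be gone after the reboot (same check as the Perl script)
  netstat -an 2>/dev/null | grep -q ':27374.*LISTEN' && \
    echo "WARNING: port 27374 is still listening" >&2
fi
```

Run it as root with `--live` on the infected host; without that flag it only defines the functions, so `ramen_remove /some/copy` can be used to rehearse the file clean-up. The backups it leaves (`rc.sysinit.pre-ramen`, `inetd.conf.pre-ramen`, `inetd.conf.ftp-bak`) show exactly which lines were removed or commented out.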
