Bill Unruh (unruh@physics.ubc.ca)
Fri, 19 Jan 2001 14:39:29 -0800 (PST)
> Subject: Re: Linux security - Ramen worm!
> Andrew Daviel wrote:
> >
> > Now we (Linux users) can stop looking so smug!
> >
> > We have just had a machine hit by the Ramen Worm, which targets
> > RedHat 6.2 and 7.0 systems.
> >
> > Infected systems run a webserver on port 27374 and start SYN scans and ftp
> > attacks against randomly generated subnets, so there is a huge amount of
> > outgoing ftp traffic. It's a bit like the Windows VBS/Netlog.worm
> > or QAZ virus. It doesn't seem to pick addresses out of netstat or anything
> > so the infection is more-or-less random across the net rather than
> > following trust relationships like a person might.
> >
> > For exhaustive detail see
> > http://members.home.net/dtmartin24/ramen_worm.txt
>
> Would my LinkSys blue box firewall be a useful defense against this kind
> of malicious attack? Currently I only allow SSH (port 22) IDENT (port 113)
> and HTTPS/SSL(port 443) through my LinkSys blue box firewall/router/switch.
>
The main defence would be to make sure that you keep up to date on the
security updates. The holes which this "worm" uses were all closed last
fall already, if you kept up to date with the security updates.
Firewalls may help as well, but they are no panacea.
This attack is a very standard stack smashing attack against bugs in a
few Redhat internet daemons. Attacks like this have been going on at
least since the Morris worm attacked sendmail aeons (i.e. >10 years) ago.
Any Linux user who looks smug, rather than keeping up to
date, should definitely stop.
--
William G. Unruh Canadian Institute for Tel: +1(604)822-3273
Physics&Astronomy Advanced Research Fax: +1(604)822-5324
UBC, Vancouver,BC Program in Cosmology unruh@physics.ubc.ca
Canada V6T 1Z1 and Gravity http://axion.physics.ubc.ca/
For step by step instructions about setting up ppp under Linux, see
http://axion.physics.ubc.ca/ppp-linux.html
This archive was generated by hypermail 2.0b3 on Tue 03 Jul 2001 - 18:31:58
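A host-side check for the two symptoms described in the original report (a listener on port 27374 and many outgoing ftp connection attempts), as an added example that is not part of the thread: it parses the Linux `/proc/net/tcp` table. The sample table, the fan-out threshold and the function names are constructed for illustration, and the address decoding assumes a little-endian host such as x86.

```python
import socket
import struct

RAMEN_PORT = 27374             # port the report says infected hosts serve on
FTP_PORT = 21
LISTEN, SYN_SENT = 0x0A, 0x02  # TCP state codes used in /proc/net/tcp
FTP_FANOUT_THRESHOLD = 3       # assumed cut-off for this example; tune per host

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:6AEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A00000A:8001 010200C0:0015 02 00000001:00000000 01:00000064 00000000     0        0 1003
   3: 0A00000A:8002 320200C0:0015 02 00000001:00000000 01:00000064 00000000     0        0 1004
   4: 0A00000A:8003 076433C6:0015 02 00000001:00000000 01:00000064 00000000     0        0 1005
   5: 0A00000A:8004 097100CB:0015 02 00000001:00000000 01:00000064 00000000     0        0 1006
"""

def parse_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' (IPv4, little-endian host) to (ip, port)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def scan_tcp_table(text):
    """Flag a listener on RAMEN_PORT and half-open connections to ftp."""
    listening, ftp_targets = False, set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].endswith(":"):
            continue  # header or malformed row
        local = parse_endpoint(cols[1])
        remote = parse_endpoint(cols[2])
        state = int(cols[3], 16)
        if state == LISTEN and local[1] == RAMEN_PORT:
            listening = True
        elif state == SYN_SENT and remote[1] == FTP_PORT:
            ftp_targets.add(remote[0])
    return {
        "ramen_listener": listening,
        "ftp_syn_targets": sorted(ftp_targets),
        "ftp_fanout": len(ftp_targets) >= FTP_FANOUT_THRESHOLD,
    }

if __name__ == "__main__":
    print(scan_tcp_table(SAMPLE))
```

On a live system, pass the contents of `/proc/net/tcp` to `scan_tcp_table` instead of `SAMPLE`; a clean result does not replace applying the security updates.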