******casting my electrons to the solar winds .... ******

Hi gang,

I usually don't post anything like this warning to any group, but I have a user (shouldersurfing), he isn't a Linux user YET, and is now very worried.

**Worms
**------------------------------------------------------------------------
**--
**Linux.Ramen.Worm Very Low [1]
**Linux
**
**Linux.Ramen is a Linux worm that attacks machines running the Linux Red
**Hat 6.2 or 7.0 operating system. This worm does not execute on systems
**running Microsoft Windows. The worm attempts to use unpatched versions
**of rpc.statd, wuftpd, and LPRng.
**
**An email message is also sent to an anonymous Yahoo! and Hotmail email
**account specifying the IP address of the attacked machine. Most likely,
**these email accounts belong to the author of this worm allowing the
**author to keep track of machines that are infected
**
**To remove Linux.Ramen.Worm:
**
**1. Delete the files detected by Norton AntiVirus.
**2. Install the patches that will fix these mentioned vulnerabilities.
**   These patches are already available for download at the Red Hat
**   website at the following locations:
**
**RedHat 7.0 Security Advisories
**- http://www.redhat.com/support/errata/rh7-errata-security.html
**RedHat 6.2 Security Advisories
**- http://www.redhat.com/support/errata/rh62-errata-security.html
**
**http://service1.symantec.com/sarc/sarc.nsf/html/Linux.Ramen.Worm.html
**
**by: Patrick Martin and Eric Chien
**SARC, USA & EMEA.

This is apparently a "real" attack w/ a "worm", however low, and yet another reason to keep security patches up to date...

Anyone heard or seen any such attacks? (The info on the web pages says the guy is actually attacking websites and defacing them w/ a picture package of ramen noodles and says this page powered by .. He also alters the index.html file on the computers attacked (well, that makes sense, sorta..).)

Anyone have any pacifying ideas or info (other than we aren't using Red Hat)????
>G>) j afterthought: Allen's Law: Almost anything is easier to get into than out of.
Hi,

from what I heard/read this is just an automated exploit of long known vulnerabilities. It was said that RH ships software that has vulnerabilities that are known to be exploitable for more than half a year. This should be only dangerous to freshly installed RH systems that have not been updated as RH recommends. The same could be possible with SuSE 7.1 that still has no updated Bind (IIRC), but we all know to immediately apply the recommended security updates after installing a new system. If you do not do this, it was possible to create some script to automate a break in.

mike
participants (2)
- jfweber@eternal.net
- Thomas Michael Wanka