
Re: [Sheflug] Ramen worm



Barrie Bremner wrote:

>  > but Web and email traffic to my machine?  Clearly I need to take urgent
>  > action.
>
> Ah...I missed this bit when I responded earlier.

> <lots of helpful advice deleted>

> Only then reconnect to a network and go and get all the errata and
> install them.
>
> You're using Gentu aren't you?
> If you want I can burn you a RH6.2 or RH7 disks, and most, if not all
> of the errata, plus latest kernel sources (2.2.18 and 2.4.1) and nmap.

Baz, that would be just great.   I doubt I'd use 2.4.1 but everything else I would
use.

The version I am running is based on RH7 I think (Abit do not acknowledge the sources
of course) as Ramen came in through the lpd [thinks: I really should have twigged what
was going on with the heavy network traffic and the loss of the printer daemon, but
this is my first infection with electronic pathogens, and I mean to make it my last].
However I am not sure if RH will install on my machine, because of the Abit problem.
RH 6.2 failed to.  This may be a problem with my HPT UDMA disk controller instead, in
which case if there are drivers in RH7 things might be ok.  As far as I can tell
however, Ramen does not have a virus component, so that no further damage is done
after infection.  Supposedly there is a vulnerability installed to reinfection, but I
think standard measures should stop that too.  Following the link you suggested, I
have found an article giving detailed instructions on how to remove the infection, and
a complete re-install is perhaps not necessary.

In view of the relative lack of virulence of Ramen, I do wonder if its net effect is
beneficial rather than destructive.  Something like a vaccine, but potent enough to
reinfect.  The articles I've read suggest that it is a weakened combination of
existing pathogens.  The worst is the mutation danger though, which I understand has
happened in some cases.  There is an analogy with the polio vaccine that sometimes
regains its ability to infect and can then recover virulence via mutation.  The odd
thing is that this only happens when the vaccination programme is not thorough
enough.  On this reasoning, we should spread Ramen as much as possible until immunity
is widespread!  Good, I've talked myself into not feeling quite as reckless and
irresponsible as I did.  But I know I was.

> Paul, I'm not entirely sure what your email scanner is picking up
> (probably my dodgy mailserver config...). From all the information
> I've read (security portal, redhat, etc, etc) Ramen scans class B
> networks for new hosts - and then attacks susceptible hosts that my -
> not via email.

Wasn't it the specific HTML code I sent originally that caused the problem?  Sorry if
I've inadvertently caused alarm.

--
 --------------------------------------------
| Matt Fairtlough       22 Harley Road       |
| Sheffield S11 9SE UK  tel. 0114 236 2067   |
 --------------------------------------------



---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk