Re: [Sheflug] Ramen worm
On 07 Feb 2001 20:33:48 +0000, Barrie Bremner wrote:
> You should really (I do it when config'ing the machine after install)
> shutdown every service/server running on your box.
> It should close up most of the common holes found on boxen.
It doesn't close up any holes, it papers over cracks :) I think you're
thinking of the BOfH system of security:
"No service, therefore, no denial"
Hmm :)
> Download nmap as well - use that to portscan your own machine once you
> have finished.
Which will not show any holes either :) 'lpd is running'. Yes, I need to
print. You run the services you need. Those you don't you can turn off.
Turning off all services is a little bit weak really, it's possibly the
starting of a security overhaul, but nothing like the middle or the end
:)
> I'm not sure exactly which files Ramen modifies - but unless someone
> else contradicts me - I'd be looking at doing a clean install.
Worth doing. You hope it's Ramen, it might not be. I think Paul's email
scanner is entirely sensible - I certainly suspect that sendmail et al
would also be good targets for a Ramen-like worm, and there's nothing
like a wolf in sheep's clothing.
> Take the machine offline - physically disconnect it from any networks.
> If you have any other RedHat machines on a LAN - ensure that they
> haven't been infected too.
And either get all the updates & install them or get a proper distro
(ducks :)
> Only then reconnect to a network and go and get all the errata and
> install them.
I'd do it the other way around. Bring it down. Download the updates (+
MD5 if you're paranoid). Reformat. Reinstall. Update. Then bring up.
> Paul, I'm not entirely sure what your email scanner is picking up
> (probably my dodgy mailserver config...). From all the information
> I've read (security portal, redhat, etc, etc) Ramen scans class B
> networks for new hosts - and then attacks susceptible hosts that my -
> not via email.
Yep, Ramen only attacks via ftpd pretty much. People also say it
exploits lpd, but I don't know if that's an entry system for it. It's
most likely that the worm / virus in question is Ramen, but it could be
a variant, you never know. You don't know who's going to have been
messing with it.
Cheers,
Alex.
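The recovery sequence Alex gives above (download the updates plus their MD5 list, reformat, reinstall, update) as an added example that is not code from the thread: a POSIX shell function that refuses to hand a staging directory of packages to the installer unless every package matches the published md5sum list and no unlisted package is sitting beside them. The staging-directory layout, the sums file name and the .rpm suffix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Verifies downloaded errata
# packages against a vendor-published MD5 list before they are installed.
# Assumptions: <sumsfile> is in the "md5sum" format ("<hex>  <filename>"),
# one line per package, and lives inside <dir> next to the packages.

# verify_updates <dir> <sumsfile-name-within-dir>
# Returns 0 only if every package listed in the sums file is present with a
# matching MD5 AND no unlisted *.rpm sits in <dir>. Any mismatch or stray
# file is printed so it can be looked at before anything is installed.
verify_updates() {
    dir="$1"
    sums="$2"
    status=0
    [ -f "$dir/$sums" ] || { echo "missing checksum list: $dir/$sums" >&2; return 2; }

    # 1. Every listed package must exist and match its published hash.
    #    md5sum -c prints one OK/FAILED line per file and exits non-zero
    #    if any file is missing or altered.
    ( cd "$dir" && md5sum -c "$sums" ) || status=1

    # 2. A package the vendor never published a checksum for is refused too:
    #    a stray file in the staging directory is exactly what a blind
    #    "install everything here" step would pick up.
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if ! awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$dir/$sums"; then
            echo "UNLISTED: $name (no published checksum, not installing)" >&2
            status=1
        fi
    done
    return "$status"
}
```

Run it on the staging directory and only proceed to the package installer when it returns 0; a non-zero result means at least one package must be re-downloaded or discarded.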
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.