Worm Detected
New (3.1.4)
Impact
There is evidence that the system has been penetrated by
an Internet worm. Files or system information may have
been transmitted to remote parties, or unauthorized file
modifications may have taken place. Furthermore, it is
likely that the system is being used as a launching
point for further propagation of the worm across the
network.
Background
A worm is a self-replicating program designed to spread across a
network without requiring any outside actions to take place.
The main difference between a worm and a virus is that a
virus relies on human actions, such as sending e-mail or
sharing files, to copy itself from one computer to another,
whereas a worm is able to do so independently, allowing
it to spread much faster.
The Problem
The Ramen worm spreads using Red Hat Linux 6.2 and 7.0
systems by exploiting well-known vulnerabilities in
wu-ftpd, rpc.statd,
and LPRng. When the Ramen worm installs
itself on a new host, it takes the following actions:
- Shuts off the services it uses to propagate, thereby
preventing other instances of the worm from re-infecting
the host
- If the host is running a web server, replaces the home
page with its own page
- Sends e-mail to an anonymous account, presumably the
author of the worm, for the purpose of tracking the worm's
spread
- Opens TCP port 27374 for the purpose of distributing
itself as a .tar file
- Scans a random block of addresses for vulnerable versions
of wu-ftpd, rpc.statd,
and LPRng, and if one is found, exploits
the vulnerability to retrieve and install itself on the target
host
Resolution
The paragraph below explains how to remove the Ramen worm
from an infected system. However, removal of the worm
does not solve the problem at its roots. The presence of
the worm is evidence that a critical vulnerability exists
on the host. The system should be taken offline until
it is certain that wu-ftpd, rpc.statd,
and LPRng are upgraded to the latest,
patched versions.
To remove the worm, follow these steps:
- Delete /usr/src/.poop and /sbin/asp.
- If it exists, remove /etc/xinetd.d/asp
- Remove all lines in /etc/rc.d/rc.sysinit
which refer to any file in /usr/src/.poop.
- Remove any lines in /etc/inetd.conf
referring to /sbin/asp.
- Reboot the system or manually kill any processes such
as synscan, start.sh,
scan.sh, hackl.sh,
or hackw.sh.
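The following script is added here and is not part of the original advisory. It checks a host (or a mounted image, via a root prefix) for the artefacts the removal steps above name: the worm's files, the rc.sysinit and inetd.conf entries, the process names, and a listener on TCP port 27374 read from /proc/net/tcp. The function names, the /proc/net/tcp parsing and the sample inputs are constructed for this example.

```python
import os

# Artefacts named in the resolution steps above. Paths are joined to a root
# prefix so a mounted image can be checked offline as well as the live host.
WORM_FILES = ("usr/src/.poop", "sbin/asp", "etc/xinetd.d/asp")
WORM_PROCS = {"synscan", "start.sh", "scan.sh", "hackl.sh", "hackw.sh"}
WORM_PORT = 27374  # appears as hex 6AEE in /proc/net/tcp

def present_worm_files(root="/"):
    """Worm files that exist under root (lexists so dangling symlinks count)."""
    return [f for f in WORM_FILES if os.path.lexists(os.path.join(root, f))]

def rc_sysinit_hits(lines):
    """rc.sysinit lines that launch anything out of the worm's directory."""
    return [l.rstrip("\n") for l in lines if "/usr/src/.poop" in l]

def inetd_hits(lines):
    """inetd.conf lines that hand a socket to /sbin/asp, the worm's .tar server."""
    return [l.rstrip("\n") for l in lines if "/sbin/asp" in l]

def worm_processes(comm_names):
    """Names as printed by `ps -eo comm` that match the worm's scripts."""
    return sorted(n.strip() for n in comm_names
                  if os.path.basename(n.strip()) in WORM_PROCS)

def listening_worm_sockets(proc_net_tcp_lines):
    """Rows of /proc/net/tcp whose local port is the worm's and state is LISTEN (0A)."""
    hits = []
    for line in proc_net_tcp_lines:
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[1]:
            continue  # header row or malformed line
        port = int(fields[1].rsplit(":", 1)[1], 16)
        if fields[3] == "0A" and port == WORM_PORT:
            hits.append(line.rstrip("\n"))
    return hits

# Constructed sample input, not captured from a real host: one rc.sysinit line
# starting the worm, and two /proc/net/tcp rows on port 6AEE, only the first
# of which is in LISTEN state (the second is an established connection).
SAMPLE_RC = ["#!/bin/sh\n", "/usr/src/.poop/start.sh\n", "touch /var/lock/subsys/local\n"]
SAMPLE_TCP = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n",
    "   0: 00000000:6AEE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1\n",
    "   1: 0100007F:6AEE 0100007F:8000 01 00000000:00000000 00:00000000 00000000     0        0 1235 1\n",
]

if __name__ == "__main__":
    print("rc.sysinit:", rc_sysinit_hits(SAMPLE_RC))
    print("listeners:", listening_worm_sockets(SAMPLE_TCP))
    print("worm files on this host:", present_worm_files())
```

On a live host, feed `worm_processes` the output of `ps -eo comm` and `listening_worm_sockets` the lines of /proc/net/tcp; an empty result from every check is expected on a clean system.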
Where can I read more about this?
This worm was discussed in an
X-Force advisory and in the
Symantec AntiVirus Research Center.
For general information about worms and how they differ
from viruses, see the Symantec
AntiVirus Research Center.