A worm Wednesday burrowed its way into hundreds — possibly thousands — of servers running the Red Hat 6.2 or 7.0 flavors of Linux, installing root kits and plastering Web servers’ index.html files with the imaginative slogan “RameN Crew–Hackers looooooooooooove noodles.”
The so-called Ramen worm’s code, pieced together from tools generally available on cracker sites, exploits security vulnerabilities for which Red Hat published fixes in early October 2000.
The worm targets Red Hat 6.2 systems running an exploitable RPC.statd service or a vulnerable wu-FTP, and Red Hat 7.0 systems running a vulnerable LPRng.
The worm does not appear to be dangerous. It spreads by using synscan to scan the Internet for Red Hat 6.2 and 7.0-based servers and then uses two common exploits to gain access. Once in, it establishes a minimal HTTP/0.9 server on port 27374 — a common Windows trojan port — to serve out copies of itself and then determines its IP address. It then removes the vulnerable services it used to spread itself. After replacing any index.html files, the worm patches the security hole used to gain entry. Finally, the worm sends an e-mail message to two Web-based e-mail accounts — one at Hotmail, the other at Yahoo! — before booting up and scanning the Internet again.
Daniel Martin, a programmer connected with the Honeynet Project, described the Ramen worm in detail here.