Kuro5hin.org: technology and culture, from the trenches
Script Kiddies Violate Red Hat Servers

By Refrag in MLP
Wed Jan 17, 2001 at 03:48:46 PM EST
Tags: Security (all tags)

There is a worm loose on the Net, dubbed Ramen, that targets machines running default installs of Red Hat Linux 6.2 or 7.0. It breaks in through known holes in rpc.statd (the NFS status daemon) and wu-ftpd (the FTP server both releases ship), both of them format-string bugs in logging code for which Red Hat had already issued fixes in 2000. Nothing about the attack is new: a box with the vendor's updates applied, or with those two services switched off, is not vulnerable to it.


The worm is not destructive in the sense of wiping data. Once it gains root on a host it installs a root kit that closes the holes it came in through (so that a rival copy cannot follow), adds some utilities of its own, and replaces the front page of the server's Web content with the text "Hackers looooooooooooove noodles." Finally, it sends e-mail to two addresses. Note that "patches the holes" is cold comfort: the machine has already run attacker-supplied code as root, so the only sound recovery is to rebuild it from clean media and apply the vendor's updates before putting it back on the network.

Once the worm starts scanning for more victims from its most recent host, it consumes much of the host's bandwidth.

Because it spreads without any human intervention, and because it targets servers running Linux, a cousin of Unix, the Ramen worm recalls the Morris Worm, which in early November 1988 spread across the Internet (then still built around the ARPANET) by exploiting a sendmail debug mode, a buffer overflow in fingerd, and rsh/rexec trust relationships between hosts. The difference is one of means, not kind: Ramen uses the same class of remote hole that script kiddies have been exploiting by hand for months.
The Ramen worm is currently under study by CERT.

Poll
What is your favorite flavor of Ramen noodles?
o Beef 22%
o Shrimp 16%
o Chicken 31%
o Other 28%

Votes: 66

Related Links
o Red Hat
o RPC.statd
o wu-FTP
o CERT
o Also by Refrag


Script Kiddies Violate Red Hat Servers | 28 comments (22 topical, 6 editorial, 0 hidden)
Any Word (3.66 / 3) (#1)
by Captain_Tenille on Wed Jan 17, 2001 at 02:33:10 PM EST

If it affects any other distros?
----
/* You are not expected to understand this. */

Man Vs. Nature: The Road to Victory!

Re: Any Word (4.00 / 2) (#13)
by GreenHell on Wed Jan 17, 2001 at 03:03:46 PM EST

From what I understand, it could (with a little rewriting) affect any distro which has wu-FTP or rpc.statd installed without having fixed the vulnerabilities.

That said, it doesn't affect any other distros in that it only scans for servers running Red Hat 6/7. I'm sure it's just a matter of time before someone changes it to search for any distro at all.

-GreenHell
This .sig was my last best hope to seem eloquent. It failed.
[ Parent ]
[OT] shrimp flavored ramen noodles (3.00 / 4) (#4)
by Anonymous 242 on Wed Jan 17, 2001 at 02:45:30 PM EST

The poll triggered a memory of an amusing anecdote.

A while ago a friend of mine did some grocery shopping for me. On my list was meatless ramen noodles. (For the record, I consider fish to be meat.) My friend came back with shrimp flavored ramen. I scanned the ingredients and sure enough, no meat, shrimp, fish, or fowl was contained within the shrimp flavored noodles. The next time I went to the store I examined the other flavors and all of the vegetable flavors (oriental vegetable, mushroom, etc.) contained animal fat or some other meat product.

So what artificial flavor tastes like shrimp?

Beef And Chicken Ramen (2.00 / 2) (#23)
by togdon on Wed Jan 17, 2001 at 06:25:42 PM EST

To take the tangent a step further... I don't think that the chicken or beef Ramen from most manufacturers have any animal in them either.

I found this out when I complained that my co-workers always bought meat Ramen (so they could hoard more for themselves), only to have one of them point out that at least according to the packaging these were just as vegetarian as a carrot.


-- Unix: Where /sbin/init is still Job 1
[ Parent ]

Didn't the Internet exist earlier?? (2.66 / 3) (#5)
by yankeehack on Wed Jan 17, 2001 at 02:48:37 PM EST

I *swear* that I participated in a message thread earlier this week which debated the "start" of the Internet. (and of course I can't find it to quote it now)

The point was made to me that the Internet came into existence when the TCP/IP protocol was deployed to connect different networks (the ARPAnet and the Defense Data Networks) in 1983. Thusly, I would imagine the quote about the Morris Worm infecting the ARPAnet would be inaccurate.

No one who was bad in bed has ever been good in life (i.e. liberals, I've never had sex with a liberal woman who knew how to use her body.) Keeteel :-P I'm *right*!

Good! (4.80 / 5) (#6)
by Seumas on Wed Jan 17, 2001 at 02:48:46 PM EST

I know this may sound a little cruel -- but look, the first thing you have to do after setting up any server is securing it. It really doesn't take a lot of time and there are decent HOW-TO's on the net to walk newbies through the process. One of the first things everybody should know is not to enable telnet (use SSH at least), FTP or even finger until you have configured them appropriately and are ready to make those services available on your server. Just like you set permissions for files and executables to nothing by default and only enable permissions and access to executables as specifically necessary, so should your services be disabled by default and only enabled when you are ready to use them and need them.

Perhaps something more or less benign like this will bring attention to the need to give security greater consideration for all admins -- even of personal systems at home (sure, it does a little damage and sucks up bandwidth, but nothing that sounds the death-knell for your system).

A couple of starter HOW-TOs:
http://www.linuxworld.com/linuxworld/lw-1999-05/lw-05-ramparts.html
http://www.linuxworld.com/linuxworld/lw-1999-07/lw-07-ramparts.html

--
I just read K5 for the articles.

yegads! (3.42 / 7) (#9)
by Defect on Wed Jan 17, 2001 at 02:54:15 PM EST

God forbid a server come secure! That would be appalling! That would allow the most ignorant person the ability to *gasp* run a server! The nerve!

We can NOT have such things in our elitist world. All those who do not know what port 143 is off the top of their head must die!
defect - jso - joseth || a link
[ Parent ]
A little over the top. (4.50 / 4) (#16)
by Seumas on Wed Jan 17, 2001 at 03:16:43 PM EST

Yes, it would be nice if all distros came with a secure configuration by default. Hell, it would be nice if you just pressed a button, came back an hour later and found it had installed itself, built you a website and made your company go IPO. However, some things take patience and effort. I'm glad I had to learn about how to secure a server. I enjoyed learning it. And moreover, I think it is important that anyone who intends to run their server also understand how to secure it.

On the other hand, having never used NetBSD, it's my understanding that it comes secured by default. Kudos to them -- I'm not sure why other distros don't do this, but I'm not going to complain too much about it.
--
I just read K5 for the articles.
[ Parent ]

I think you mean OpenBSD (4.00 / 1) (#25)
by leviathan on Thu Jan 18, 2001 at 11:18:53 AM EST

I can't be sure, as I've never looked into FreeBSD very much, but it's OpenBSD whose main selling point is that it comes secure straight out of the box.

The reason every distro isn't like OpenBSD is that OpenBSD is always a few iterations behind the rest. It takes time for them to review everything that goes on there so they can fix holes before they are exploited. It also means that a lot of the software you'd want on your boxen is unsupported (like ghostscript, tcsh for i386). They provide ports and packages, but they don't provide them as part of the distro (yet).

Most people just prefer to keep an eye on the security advisories so they can get their hands on the cool new stuff in the latest distros.

--
I wish everyone was peaceful. Then I could take over the planet with a butter knife.
- Dogbert
[ Parent ]

"isn't destructive"? (3.33 / 3) (#8)
by Speare on Wed Jan 17, 2001 at 02:53:43 PM EST

The worm isn't destructive. It simply defaces the frontpage of ...

Technically, that IS destructive. ANY change to a system that replaces or deletes existing data in favor of different data is destructive.

In this case, it's not very destructive, but the kind of people who run a stock distro without securing the box are also the kind of people who don't do regular backups, for the most part.

I still say, lock the kiddies up until they wet the juvie beds.


[ e d @ h a l l e y . c c ]
Hate to say it... (4.00 / 3) (#14)
by mattx on Wed Jan 17, 2001 at 03:04:05 PM EST

But I was caught by this worm, got in through WU-FTPd. D'oh! Learned my lesson. Going to get all the latest RPM updates for RH6.2. : P

Matt

-- i fear that i am ordinary, just like everyone


e-mail (3.00 / 1) (#15)
by Refrag on Wed Jan 17, 2001 at 03:06:51 PM EST

What e-mail addresses does the worm send word back to?

Refrag

Kuro5hin: ...and culture, from the trenches
[ Parent ]

I don't know... (3.50 / 2) (#17)
by mattx on Wed Jan 17, 2001 at 03:38:14 PM EST

Couldn't tell you. I just wanted the damn thing out.

But I know it (if it IS the worm mentioned; I'm guessing so because the attack came from ANOTHER RH machine) made an entry in /etc/inetd.conf that mapped some port to an application called /sbin/asp.
Of course I just deleted the app. I still have to reformat the damn thing.

-- i fear that i am ordinary, just like everyone


[ Parent ]
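The article describes what the worm leaves behind (a defaced front page, closed holes, extra utilities) and mattx above reports the concrete indicator he found: an /etc/inetd.conf entry handing some port to /sbin/asp. The script below is an added example, written for this page; it is not code from the Kuro5hin post, from Red Hat, from CERT or from the worm. It audits an inetd.conf for services a fresh Red Hat 6.2/7.0 box should not be exposing (the telnet/ftp/finger list Seumas gives, extended here with the r-services as an assumption), flags any active entry served by a program outside the usual daemon directories (which is where /sbin/asp falls), emits a hardened copy with those lines commented out, and checks a web root for the defacement string. The sample inetd.conf and index.html are constructed for the example; the "asp" service name is assumed, since the page does not give it. Treat it as a triage aid only: a machine that shows these indicators has already run attacker code as root and should be rebuilt, not cleaned.

```shell
#!/bin/sh
# Added example (not code from the Kuro5hin post, Red Hat, CERT or the worm):
# audit inetd.conf for exposed services and the /sbin/asp entry a commenter
# reported, write a hardened copy, and check a web root for the defacement.
set -u

# Services to keep disabled until deliberately configured.  ASSUMPTION: the
# page names only telnet, ftp and finger; the r-services are this example's.
RISKY_SERVICES="ftp telnet finger shell login exec"
DEFACEMENT_STRING='Hackers looooooooooooove noodles'

# Print "service program wrapped-daemon" for each active (uncommented) line.
# inetd.conf fields: service socket proto wait user program [args...]
inetd_active_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 {
            daemon = ($6 ~ /tcpd$/ && NF >= 7) ? $7 : "-"
            print $1, $6, daemon
         }' "$1"
}

# Print one line per finding; exit 0 if anything was flagged, 1 if clean.
inetd_audit() {
    out=$(inetd_active_services "$1" | while read -r svc prog daemon; do
        case " $RISKY_SERVICES " in
            *" $svc "*) echo "RISKY   $svc -> $prog $daemon"; continue ;;
        esac
        case "$prog" in
            /usr/sbin/*|/usr/bin/*|internal) ;;            # where stock inetd daemons live
            *) echo "UNKNOWN $svc -> $prog $daemon" ;;      # e.g. the worm's /sbin/asp
        esac
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Emit a copy of inetd.conf with risky and unrecognised entries commented out.
inetd_harden() {
    awk -v risky=" $RISKY_SERVICES " '
        !/^[[:space:]]*#/ && NF >= 6 &&
        (index(risky, " " $1 " ") || ($6 !~ /^\/usr\/s?bin\// && $6 != "internal")) {
            print "#DISABLED " $0; next
        }
        { print }' "$1"
}

# Exit 0 if the page carries the Ramen defacement text.
defaced_index() { grep -qF -- "$DEFACEMENT_STRING" "$1"; }

# --- constructed sample data (not captured from a real host) ---------------
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/inetd.conf" <<'EOF'
# constructed sample modelled on a stock Red Hat 6.2 inetd.conf, plus the
# entry mattx described (service name "asp" assumed; the port is not on the page)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    stream  tcp     nowait  root    internal
asp     stream  tcp     nowait  root    /sbin/asp
EOF
printf '<html><body>Hackers looooooooooooove noodles</body></html>\n' > "$WORKDIR/index.html"

echo "== findings in inetd.conf =="
inetd_audit "$WORKDIR/inetd.conf"
inetd_harden "$WORKDIR/inetd.conf" > "$WORKDIR/inetd.conf.hardened"
echo "== still active after hardening =="
inetd_active_services "$WORKDIR/inetd.conf.hardened"
if defaced_index "$WORKDIR/index.html"; then
    echo "index.html carries the Ramen defacement string"
fi
```

On a real box you would point the functions at /etc/inetd.conf and the Apache DocumentRoot, and after hardening send inetd a HUP so it rereads the file. The UNKNOWN rule is deliberately blunt: anything inetd spawns from outside /usr/sbin or /usr/bin deserves a look, because that is exactly the kind of backdoor listener a root kit plants.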
More to being an SA than finding the reset button (4.25 / 4) (#18)
by technik on Wed Jan 17, 2001 at 03:38:15 PM EST

I like this... a lot. There is a hell of a lot more involved in putting a server of any kind on a public network than just figuring out how to boot the install. I'm willing to bet that this little consciousness-raising exercise will put security in many people's heads for a few days and drive at least a few to read a book or two before tumbling headlong into their next deployment.

I feel sorry for anyone who got burned, but not too sorry.


Oh, and a gratuitous plug for OpenBSD

Sad to say, but it isn't just Red Hat (3.50 / 4) (#19)
by 42 on Wed Jan 17, 2001 at 04:03:51 PM EST

I run Debian. And I learned to my cost that I shouldn't ignore the regular security advisories sent out by Debian. I did ignore the rpc.statd vulnerability and the patch which the Debian developers had provided to fix it and got hit by a hacker. It definitely was different from the attack quoted in the CERT advisory, but it was the same vulnerability that was exploited.

Lesson learned. My attitude before the attack reminds me of smokers. They seem to think that they have some God-given invulnerability to cancer and other consequences of smoking. I was aware of all the perils of not securing one's box but my thinking was: why the heck would a hacker target harmless little me? The answer of course is: they don't need a reason.

same worm? (4.50 / 2) (#20)
by Refrag on Wed Jan 17, 2001 at 04:19:48 PM EST

Was this the Ramen worm that attacked your box, or did a script kiddie just use the same RPC.statd exploit as Ramen uses?

The reason I ask is because it was my understanding that Ramen simply targets computers running Red Hat 6.2 or 7.0 even though it's exploits may work with other distros as well.

Refrag

Kuro5hin: ...and culture, from the trenches
[ Parent ]

Same exploit (3.50 / 2) (#22)
by 42 on Wed Jan 17, 2001 at 04:55:15 PM EST

Don't know if it was a worm or not. But definitely the same rpc.statd vulnerability. Actually, come to think of it, the attack struck me on 01/04 once and two days later, they retried (after I fixed the vulnerability) 3 or 4 times. I think that is more consistent with a script kiddie rather than a worm. But what do I know?

[ Parent ]

So why are people using Wu-FTP? (4.20 / 5) (#21)
by kostya on Wed Jan 17, 2001 at 04:41:53 PM EST

Ok, first I'll admit that I haven't "looked myself". That is to say, that I have not actually compared ProFTPD to WU-FTPD.

Disclaimers aside, how long have the people at SecurityPortal been saying that WU-FTP is just a bad idea? A real long time, is the answer. They have taken flak over it, but their reason time and time again is that WU-FTPD is just a disaster area at the code level. That's what leads to all these exploits. They argue for ProFTPD, because it is purported to have a better code base. Now, I can't speak to whether that is true or not, but I can say that WU seems to have an abnormal amount of exploits.

Which leads to my question: why are people using WU? Does it have more platforms or more features? Is it just sentimental? Why?

This also leads to another good question: when is it time to rewrite from scratch? I think of sendmail and how most people choose another MTA because of similar problems.

As for those who are not running production systems, naughty you! First, where's your firewall?!? Second, why are you running statd or ftpd exposed to the world?!? I trust neither. I use a one-way filter to send mail out via sendmail and inbound ftpd connections are not supported either.



----
Veritas otium parit. --Terence
Getting ProFTPD (4.00 / 2) (#24)
by mattyb77 on Wed Jan 17, 2001 at 10:20:20 PM EST

For those folks wishing to use ProFTPD there are RPMs available that will, of course, work with Red Hat 6.2 or 7.0.

ftp://ftp.proftpd.net/pub/proftpd/RPMS/

--
"I bestow upon myself the `Doctorate of Cubicism', for educators are ignorant of Nature's Harmonic Time Cube Principle and cannot bestow the prestigious honor of wisdom upon the wisest human ever." -- Gene Ray, the wisest human ever
[ Parent ]

Media backlash (4.00 / 1) (#26)
by fluffy grue on Fri Jan 19, 2001 at 01:49:42 AM EST

Of course, I'm just waiting for the media backlash against Linux's security now (you can already see plenty of sheeple backlash in the ZDNet Talkback forums). "Linux isn't as secure as they claim!"

Of course, this is ignoring the fact that both WUftpd and rpc.statd aren't part of Linux, but are third-party software which just happen to be installed on a lot of Linux systems, whereas a large portion of the Windows exploits are against the OS itself (such as the whole NetBus crap, the IPX/SPX protocol-layer holes which allow people arbitrary access to SMB shares even if the shares are protected and the IPX/SPX protocol drivers are removed, and all the other fun things courtesy of Windows Scripting Host).

BTW, anyone who runs Debian and keeps their distributions reasonably up-to-date (apt-get upgrade every couple of weeks) should be safe, since the Debian folks have proven to be very good about making security fixes apt-gettable very quickly. And anyone who runs WUftpd or rpc.statd without needing them deserves whatever they get.
--
"Is not a quine" is not a quine.
I have a master's degree in science!

[ Hug Your Trikuare ]

it's mutated! (none / 0) (#27)
by Refrag on Mon Jan 22, 2001 at 06:34:48 PM EST

You can see the news here: http://dailynews.yahoo.com/h/zd/20010122/tc/vandals_mutate_ramen_linux_worm_1.html

Refrag

Kuro5hin: ...and culture, from the trenches
