Redhat worm touts instant noodles
What real hackers live on
Posted in Music and Media, 17th January 2001 22:06 GMT
An Internet worm cobbled together from pre-existing scripts is spreading rapidly through Redhat Linux systems, leaving in its wake a trail of defaced Web pages touting the virtues of instant Oriental noodles.
The so-called 'Ramen' worm is a bulky, but effective, collection of hacking tools rolled up into a package. A modified scanning program searches broad swaths of the Internet for Redhat Linux versions 6.2 and 7.0 installations. The scanner then launches attacks against those machines with publicly available exploits of three known vulnerabilities and spreads into each crackable box.
On Redhat 6.2 systems, the worm exploits vulnerabilities in wu-ftpd and rpc.statd. On version 7.0, it attacks LPRng. Detailed information on fixing all three holes can be found in the SecurityFocus vulnerability database.
The worm's strategy is not dissimilar to that employed by the 1988 Morris worm, the most successful self-propelled contagion to date. But unlike the Morris worm, on every system Ramen penetrates, it promptly kills the service that allowed it to break in, thus preventing the kind of multiple infection that caused the Morris worm to grind infected computers into seizure.
But while the Morris worm was an academic exercise gone horribly wrong, Ramen serves a decidedly sophomoric end: On every Web server it infects, it replaces the main page with the message "Hackers looooooooooooove noodles," signed by the "RameN Crew."
© 2001 SecurityFocus.com, all rights reserved.
Related Links
Wu-Ftpd Remote Format String Stack Overwrite
Multiple Linux Vendor rpc.statd Remote Format String Vulnerability
Multiple Vendor LPRng User-Supplied Format String Vulnerability
Ramen analysis