January 18, 2001
Someone posted information to a SecurityFocus.com newsgroup concerning a Redhat Linux server that had been hacked. This is from their posting:
"They got in through the 'lpd' printer service which 'yes' on all our production servers is disabled. They then ran ./hack.sh and Synscan."
Redhat Linux has had an update to the LPRng package available since 04-Oct-2000 that would have patched this vulnerability. The updated package is available at their web site: http://www.redhat.com
It seems that someone has created a worm that searches for Redhat Linux servers still running the vulnerable LPRng package. Here is the information I have found concerning this:
Note: RHP Studios clients who are running Redhat Linux v6.2 or 7.0 are NOT affected by this worm or vulnerability. Those running the LPRng package that this worm exploits have been patched since the fix was issued by Redhat Linux on October 04, 2000. Those clients running stand-alone/dedicated Web Servers do not have the LPRng package installed on the Web Servers. As with any computer system connected to any network, you should only install software/services that are needed for the system's functions, to reduce the possibility of exploits in services or software that is not used. Regular updates should be performed by running up2date. RHP Studios checks for any needed updates daily and applies them for each of our clients. The LPRng package is not needed on a dedicated web server. Because this exploit is spread by a worm, this information will also be posted on the Virus News.
If you are not an RHP Studios client, you should update your Redhat Linux packages either by running up2date after su to root, or by clicking on the next two links (one for Redhat Linux version 6.2 and the other for Redhat Linux version 7.0).
Redhat Linux v6.2 Updates - http://www.redhat.com/support/errata/rh62-errata-security.html
Redhat Linux v7.0 Updates - http://www.redhat.com/support/errata/rh7-errata-security.html
More information can be found below concerning this exploit and worm:
Redhat worm touts instant noodles
An Internet worm cobbled together from pre-existing scripts is spreading rapidly through Redhat Linux systems, leaving in its wake a trail of defaced Web pages touting the virtues of instant Oriental noodles.
LPRng is almost certainly vulnerable to remote-root compromise on account of a format string bug. The flaw is almost identical to the rpc.statd one I found; namely a faulty syslog() wrapper. This is becoming a very common flaw.
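The "faulty syslog() wrapper" defect named above, as an added example that is not code from this advisory or from LPRng: a minimal logging wrapper with the defect beside the one-token fix. Output goes to a caller buffer instead of syslog so it runs offline; the sample messages are constructed.

```c
/* Added example, not the advisory's or LPRng's code. Models the syslog()
 * wrapper bug: a variadic logging wrapper whose callers hand it the raw
 * message in the format slot, and the hardened call that supplies "%s". */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Wrapper that takes a format, like syslog(). It is only correct when fmt
 * is a constant under the programmer's control. */
static int log_unsafe(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);   /* interprets '%' in fmt */
    va_end(ap);
    return r;
}

/* Hardened pattern: the message is only an argument and is copied
 * literally whatever characters it contains. */
static int log_safe(char *out, size_t n, const char *msg)
{
    return log_unsafe(out, n, "%s", msg);
}

/* Audit helper: a string that can reach the format slot is suspect as
 * soon as it contains a conversion directive. */
static int has_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char out[64];
    /* Constructed messages. "%%" is the only directive that is defined
     * behaviour with no arguments, so it is used to show the divergence;
     * untrusted text with other directives must never reach log_unsafe. */
    const char *percent = "lpd: job 100%% done";

    log_unsafe(out, sizeof out, percent);
    printf("unsafe: %s\n", out);            /* "%%" collapsed to "%" */
    log_safe(out, sizeof out, percent);
    printf("safe:   %s\n", out);            /* copied literally */
    return 0;
}
```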
F-SECURE VIRUS DESCRIPTIONS: RAMEN - ALIAS: LINUX.RAMEN,LINUX/RAMEN - LINUX WORM
"Ramen affects systems running a default installation of Red Hat Linux 6.2 and 7.0. It attempts to infect the system by exploiting two known security vulnerabilities."
BBC NEWS: LINUX VIRUS INFECTION FEARS; RAMEN HITS RED HAT
"The webmasters who have had to deal with the problem are those running sites using Redhat Linux. Servers have been invaded by a worm that replaces the site's main page with one showing an image of a Ramen instant noodle packet."
LINUXPLANET: RAMEN AND THE DANGER OF DEFAULT LINUX CONFIGURATIONS
The security field is all aflutter about a worm that takes advantage of well-known security lapses in Red Hat Linux -- lapses that most experienced Linux system administrators addressed back in September 2000. And while the so-called Ramen worm doesn't do a whole lot of damage to Linux systems, it does point out the need for constant awareness of security issues -- beginning with the default configurations offered by most Linux distributions. Kevin Reichard reports.