A worm virus is on the loose. You say, “So what? Worms have been propagating since the dawn of IT.” However, this is no ordinary worm—this is a Linux worm! You read correctly. A hacker has finally managed to propagate a worm through the Linux operating system.
The worm is a simple conglomeration of previously created scripts that includes such popular hacker code as Root Kit and an IP scanner named synscan (modified version). The worm takes advantage of wu-ftp, rpc.statd, and LRPng to get into the system. It uses Root Kit to alter system commands and thereby renders the machine nearly useless. After altering system commands, the worm scans the network for another machine to slither to, kills the service that gave it access, and finally alters the machine’s main Web page to declaim, “Hackers looooooooooooove noodles” (with a RamN Crew signature). The worm is bulky because it takes up vast amounts of bandwidth (especially during its scanning phase), and it boasts numerous similarities to the Morris Worm of 1988.
Are you vulnerable?
The list of vulnerable Linux distributions is quite long, so we’ll go about this an easier way. Open a console window and type the command:
rpm -q wu-ftpd
If the results are anything earlier than 2.6.0-7, you need to upgrade immediately. Visit rpmfind and download the latest version of wu-ftpd (specific to your distribution, if necessary). The second check is for rpc.statd. This service is provided via nfs-utils and is a remote format string vulnerability. For this check, run the command:
rpm -q nfs-utils
If you come up with anything earlier than 0.1.9.1-4, you need to upgrade. Run the same routine you used for wu-ftpd. The last step is to check LPRng. This utility handles remote printing in many Linux systems and like rpc.statd, has format string vulnerabilities (only it’s user-defined). Run the command:
rpm -q LRPng
If you come up with anything earlier than 3.3.5-3, you’ll need to upgrade the entire LPRng package set to the latest versions. The LPRng package set consists of the following:
If you’re running one of the later Red Hat releases, you should run the Up2date utility on a monthly basis to keep your machine as current as possible.
We all knew it was going to happen sooner or later. Linux has enjoyed significant uptime without having to deal with virus control. With the Ramen Noodle, it looks like that era has ended. Fortunately, by taking the above precautions and employing a good firewall, you should be safe from eating noodles every night for dinner.
If you’d like to share your opinion, start a discussion below or send the editor an e-mail.