Information about the Ramen Worm

Ramen is a worm that attacks Linux machines running vulnerable versions of rpc.statd, wuftpd and
LPRng. It have been compromised a lot of Red hat (6.2 and 7.0) systems since 2001.
A complete analyze of the Ramen can be found on the following links:
http://www.ossec.net/rootkits/studies/ramen1.txt
http://www.ossec.net/rootkits/studies/ramen2.txt

ramen.tgz 9d821646f740bdb06cf3ec4bcdca9930

Files to search:

• usr/lib/ldlibps.so
• usr/lib/ldlibns.so
• usr/lib/ldliblogin.so
• usr/src/.poop
• tmp/ramen.tgz
• etc/xinetd.d/asp

Openned ports used by Ramen:

• 27374

*All files with an "*" need to be search in all system
**If you have any more information, send to: mail1, or to mail2.




$RootCheck: ramen.php ,v 1.0 2003/12/01, Daniel B. Cid$