Security Alert:

sdawes@xxxxxxxxxxxxxxxxx (Stephen Dawes) · Fri, 26 Jan 2001 08:21:32 -0700

Here is an article that I just received in my E-mail.  It is an article on a
recent problem with a known virus under Linux.  Before you discard this
note, because you believe that Linux is not susceptible to viruses, I
suggest that you take a read.

If you are a Red Hat user, this article would be of great interest to you!!!

Oh Yeah!  This is not intended to add fuel to the anti Red Hat fires.  I
would rather hope that it starts people thinking, that if something like
this can happen to one distribution of Linux, how long before it happens to
other distributions as well.  So, before you attack Red Hat, think twice,
because, it may be your favorite distributions turn next!!!

I haven't taken the liberty of cutting the article out of its location and
attached it to my note to make it easier for all to read.

+---------------------------------------------------------------------------
---+

News  Thursday, Jan. 25, 2001 12:14 pm PT

More articles on
Security

Ramen Linux worm seen in wild

By
James Evans

A LINUX-BASED INTERNET worm known as Ramen -- named after the popular noodle
soup -- has been seen in the wild, affecting systems that run Red Hat's 6.2
or 7.0 versions of the open-source OS, several Web security observers
report.

The worm has struck a server at the U.S. National Aeronautics and Space
Administration (NASA) Jet Propulsion Lab in California, a University of
Texas A&M
server, and one operated in Taiwan by server vendor Supermicro Computer,
according to Attrition.org, a site that chronicles Web site defacements. The
worm
has been known of since about September 2000 when Red Hat developed a patch
addressing it.

The worm only affects servers running Red Hat's Linux and not any of
Microsoft's operating systems, computer security company Symantec said. The
worm apparently
hits sites that run Red Hat Linux and then spreads itself by locating like
servers running the same OS.

Three known security breaches are struck by the Ramen worm, according to
Kaspersky Lab International, an international data-security software
development
company in Cambridge, United Kingdom, in a statement. The breaches allow
Ramen to take over root access rights, and unbeknownst to the user, execute
its
code on target file systems.

The Computer Emergency Response Team (CERT) Coordination Center at Carnegie
Mellon University, in Pittsburgh, which put out an advisory about the Ramen
worm on Jan. 18, warns that the worm could damage or alter Web-related files
and system files. It also might create denial-of-service (DoS) conditions
when altered or when destroyed files are not available. Ramen worm victims
are at high risk for "being party to attacks on other Internet sites,"
according
to CERT's advisory.

If the worm does hit a system, it modifies the index.html file and defaces
the Web site. It ultimately replaces the index.html file with the words
"RameN
Crew" and "Hackers looooooooooooooooove noodles." Then a message appears
that says "This site powered by" and a picture of a Top Ramen noodles
package
is displayed, according to Symantec.

Durham, N.C.-based Red Hat has received some calls recently, directed to its
tech-support crew to assist with working through problems from the worm,
said
Melissa London, a spokeswoman for the company. But there have not been a lot
of tech-support requests, she said. If users were on top of the patch
notification,
they should not be having problems, she said.

James Evans
is a Boston correspondent for the IDG News Service, an InfoWorld affiliate.