Back to article
Ramen and the Danger of Default Linux Configurations
Worming into Red Hat Linux
January 18, 2001
If there's one area where Linux distributions miserably fail, it's in how services are configured right out of the box upon installation. Experienced users know enough to plug the many security holes present in a default Linux installation, but many Linux newbies -- and those experienced system administrators coming from the UNIX and NT worlds -- don't.
Yes, it's true that the distributions have generally gotten better about plugging these holes in recent versions: Red Hat 7.0 does a slightly better job of this than Red Hat 6.2, but it's still not perfect. And in general, the Linux companies do a decent job of sending out security advisories to address these sorts of issues.
In fact, last September Red Hat Linux sent out patches that addressed some basic security exploits in Red Hat Linux 6.2 and 7.0, but apparently these patches weren't applied by all Linux system administrators. Those who didn't apply the patches were in danger of falling victim to the dreaded Ramen worm.
Basically, the Ramen worm looks for RPC.statd and wu-FTP vulnerabilities in Red Hat 6.2 and 7.0 -- vulnerabilities that are well-known in the Linux security community. After gaining access to the system, Ramen fixes the hole, replaces some basic system files, and puts up a new index page that says "RameN Crew--Hackers looooooooooooove noodles." It then notifies a Web-based email account of the successful intrusion.
Not that this worm is really dangerous. Sure, the security companies and the consultants have lept upon this worm as something really dangerous, but they're just trying to drum up a little business. (The more authoratative and unbiased CERT, the Computer Emergency Response Team at Carnegie-Mellon, hasn't even bothered to send out an advisory.) I spend a fair amount of time surfing the Web, and I haven't seen a single instance of this worm in action. Similarly, the talkbacks on Linux Today haven't yielded a single instance of anyone claiming to be hit by this worm. So I really question how widespread this worm really is.
Not that it matters. In many ways, this worm will probably end up being good news for Linux system administrators. For those who didn't know about the many security holes present in a default Linux distribution, it will cause them to address them upon installation and configuration of a new system. Yes, these holes exist, and the next time around the worm may do some actual damage instead of just overwriting the index page. Security should always be paramount when setting up a Linux server or desktop, and this limited worm should be proof enough that closing down security holes and setting up firewalls should be mandatory for any computer user, not just Linux users.