Security Incidents: Ramenfind Ramen detection and removal tool, V0.4

Ramenfind Ramen detection and removal tool, V0.4

From: William Stearns <wstearns_at_pobox.com>
Date: Wed, 14 Feb 2001 13:27:22 -0500

Good day, all,
        Attached is the latest version of the Ramenfind detection and
removal tool. V0.3 was supposed to have been the final release, but a new
Ramen variant showed up.
        The goals of the tool are:

        - It should be a shell script so it can be run from a single
floppy linux if the user chooses.
        - It should use standard utilities on a Redhat Linux system.
        - It should allow for either detection or detection and removal of
the worm. By default, it should only detect and perform no action.
        - It should run as a non-root user, invoking sudo as necessary.
        - The user should be given the chance to confirm each command
before it is run.
        - The script should provide an option to archive the ramen files
for later analysis.
        - It should check for needed support utilities.

        Changes from version 0.3:
- Ramenfind now handles a new ramen variant, which:
        - creates /usr/sbin/update, which kills off the trojan lpd and
restarts it.
        - doesn't remove index.html files (no changes needed to Ramenfind).
        - adds a new crontab entry: run update every minute of the first
day of the month.
        - adds a new crontab entry: nuke synscan every minute of 1am.
        - mails /etc/shadow off to "chicha" and "libero" accounts and wipes
entries from maillog.
        - runs "2", which appears to mail off notices to two email
accounts (at least one of which has been disabled; no word on the other).
        - runs /usr/bin/lpd on future boots from rc.sysinit.
        - moves netstat to /usr/lib/ldlibns.so .
        - replaces netstat with a wrapper c app that discards certain
lines:
                "/usr/lib/ldlibns.so {parameters} | grep -v ftp | \
                grep -v 28593 | grep -v 212.102 | grep -v b92 | \
                grep -v 147.91 | grep -v grep | grep -v ldlibns | \
                grep -v -- -i"
        - moves ps to /usr/lib/ldlibps.so .
        - replaces ps with a wrapper c app that discards certain lines:
                "/usr/lib/ldlibps.so {parameters} | grep -v tail | \
                grep -v ipsc | grep -v synscan | grep -v .sh | \
                grep -v grep | grep -v ldlibps | grep -v -- -i"
        - moves /bin/login to /usr/lib/ldliblogin.so and replaces it with
a trojan.
        - copies "td" to /usr/bin/lpd (normal path is /usr/sbin/lpd) and
runs it. td is a Stacheldracht agent.
        - makes minor changes to scan.sh (no changes needed to Ramenfind).

- Handle issues of using ps in Ramenfind when ps may have been trojanized.
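The detection goals and the trojaned ps/netstat wrappers described above, as an added example that is not part of Bill's mail or of Ramenfind: POSIX sh functions that look for the dropped files, the wrapper marker strings and the cron entries from the change list, and compare /proc against ps so that a replaced ps is not trusted. The function names and the root-prefix argument are my own assumptions; the paths and markers are the ones listed above.

```shell
#!/bin/sh
# Added example (not Ramenfind): detection-only checks for the variant above.
# Paths come from the advisory; function names and the root prefix are mine.
# Files this variant creates, or relocates the originals to.
RAMEN_PATHS="usr/lib/ldlibns.so usr/lib/ldlibps.so usr/lib/ldliblogin.so
usr/sbin/update usr/bin/lpd"

# Print every indicator path present under $1 ("/" for the live system,
# a mount point for a disk inspected from a rescue floppy). Returns 1 if
# any exists, 0 when the tree is clean.
ramen_find_files() {
  root="${1:-/}"; root="${root%/}"; found=0
  for p in $RAMEN_PATHS; do
    if [ -e "$root/$p" ]; then echo "indicator: $root/$p"; found=1; fi
  done
  return "$found"
}

# The replacement ps/netstat wrappers run the relocated original by its new
# name, so that name is visible as a string in the wrapper binary (exit 0).
ramen_check_wrapper() {
  [ -f "$1" ] && grep -q "$2" "$1"
}

# Cron entries the variant adds: /usr/sbin/update on the 1st of the month
# and a synscan kill job during the 1 am hour. Matching on the command
# names keeps e.g. a legitimate updatedb job out of the report.
ramen_find_cron() {
  [ -f "$1" ] && grep -E '/usr/sbin/update|synscan' "$1"
}

# Do not trust ps: snapshot /proc first, then ask ps, and report any PID the
# (possibly wrapped) ps omitted. Live system only; a process that exits
# between the two snapshots shows up as harmless noise.
ramen_hidden_pids() {
  [ -d /proc ] && command -v ps >/dev/null 2>&1 || return 0
  set -- /proc/[0-9]*
  seen=$(ps -e -o pid= 2>/dev/null)
  [ -n "$seen" ] || { echo "ps produced no output; cannot compare"; return 2; }
  for d in "$@"; do
    pid=${d#/proc/}
    echo "$seen" | grep -qx " *$pid" || echo "hidden pid: $pid"
  done
}

if [ "$#" -gt 0 ]; then   # e.g. sh ramen-check.sh /  or  sh ramen-check.sh /mnt
  ramen_find_files "$1"
  ramen_check_wrapper "$1/bin/ps" ldlibps && echo "replaced: $1/bin/ps"
  ramen_check_wrapper "$1/bin/netstat" ldlibns && echo "replaced: $1/bin/netstat"
  ramen_find_cron "$1/etc/crontab"; [ "$1" = / ] && ramen_hidden_pids
fi
```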

        This and any future versions of this script will soon be
available at the following URLs:

http://www.sans.org/y2k/ramen.htm
http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/ramenfind.html
http://www.linuxlock.org/features/ramenfix.html

        Many thanks to all who have contributed to this tool. In
particular, thanks to Francisco for providing this new variant, Max Vision
for his analysis of the original Ramen and Dave Dittrich for his additional
analysis of Ramen2.
        If you have problems, suggestions, or requests, please contact me
at: William Stearns <wstearns_at_pobox.com>

        MD5sums for this tool:
49330da7a84b67a694830d3cf7948106 ramenfind.v0.4
47ec41edc981a66df35e1dcaec2fa47c ramenfind.v0.4.gz

        Cheers,
        - Bill

---------------------------------------------------------------------------
        "Ironically, DeCSS was published on the Web by a U.S. court (as
evidence) as a result of legal action against people who posted DeCSS on
the Web. Oops."
        -- Sandy McMurray, readme_at_passport.ca
        http://canoe.ca/TechNews/column_readme.html
--------------------------------------------------------------------------
William Stearns (wstearns_at_pobox.com). Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts! http://www.linuxmonth.com
--------------------------------------------------------------------------

Received on Feb 14 2001