North American Network Operators Group
Re: Second day of rolling blackouts starts
At 09:43 19/01/01 -0500, Marshall Eubanks wrote:

Two people have asked me off list about the RAMEN worm. I have installed on my multicast tunnels (one to StarTap and the other to Dante/Quantum):

    rate-limit input access-group 180 128000 30000 30000 conform-action transmit exceed-action drop
    !
    access-list 180 permit tcp any any eq 639
    access-list 180 permit udp any any eq 639
    access-list 180 deny ip any any

IANA has MSDP listed as port 639 - tcp+udp. It appears MSDP is only really TCP:

    mcast#sho access-l 180
    Extended IP access list 180
        permit tcp any any eq 639 (1555 matches)
        permit udp any any eq 639
        deny ip any any (37888 matches)

and

    mcast#sho in rate
    Tunnel1 Mbone tunnel to Dante
      Input
        matches: access-group 180
          params:  128000 bps, 30000 limit, 30000 extended limit
          conformed 755 packets, 60044 bytes; action: transmit
          exceeded 0 packets, 0 bytes; action: drop
          last packet: 388ms ago, current burst: 0 bytes
          last cleared 00:07:26 ago, conformed 1000 bps, exceeded 0 bps
    Tunnel2 Mbone tunnel to Startap
      Input
        matches: access-group 180
          params:  128000 bps, 30000 limit, 30000 extended limit
          conformed 909 packets, 148937 bytes; action: transmit
          exceeded 0 packets, 0 bytes; action: drop
          last packet: 1048ms ago, current burst: 0 bytes
          last cleared 00:08:48 ago, conformed 2000 bps, exceeded 0 bps

I'll only know tomorrow if I stop getting the constant:

    Jan 21 14:00:03: %SYS-3-CPUHOG: Task ran for 6300 msec (123/75), process = MSDP Process, PC = 60790390.
    -Traceback= 60790398 604146B4 604146A0

error messages. I don't know whether 128kb/sec of MSDP is too much or too little.

-Hank

Marshall Eubanks
"Lucy E. Lynch" wrote:
>
> > a bit more info on ramen here:
> >
> > http://members.home.net/dtmartin24/ramen_worm.txt
> >
> > "And now, the contents of that ramen.tgz file: All the binaries are in the
> > archive twice, with RedHat 6.2 and RedHat 7.0 versions. Numerous binaries
> > were not stripped, which makes the job of taking them apart easier."
> >
> > asp: An xinetd config file that will start up the fake webserver.
> >      Used on RedHat 7.0 victim machines.
> > asp62: HTTP/0.9-compatible server that always serves out the file
> >      /tmp/ramen.tgz to any request - NOT stripped
> > asp7: RedHat 7-compiled version - NOT stripped
> > bd62.sh: Does the setup (installing wormserver, removing vulnerable
> >      programs, adding ftp users) for RedHat 6.2
> > bd7.sh: Same for RedHat 7.0
> > getip.sh: Utility script to get the main external IP address
> > hackl.sh: Driver to read the .l file and pass addresses to lh.sh
> > hackw.sh: Driver to read the .w file and pass addresses to wh.sh
> > index.html: HTML document text
> > l62: LPRng format string exploit program - NOT stripped
> > l7: Same but compiled for RedHat 7 - stripped
> > lh.sh: Driver script to execute the LPRng exploit with several
> >      different options
> > randb62: Picks a random class-B subnet to scan on - NOT stripped
> > randb7: Same but compiled for RedHat 7 - NOT stripped
> > s62: statdx exploit - NOT stripped
> > s7: Same but compiled for RedHat 7 - stripped
> > scan.sh: get a classB network from randb and run synscan
> > start.sh: Replace any index.html with the one from the worm; run getip;
> >      determine if we're RedHat 6.2 or 7.0 and run the appropriate
> >      bd*.sh and start*.sh
> > start62.sh: start (backgrounded) scan.sh, hackl.sh, and hackw.sh
> > start7.sh: Same as start62.sh
> > synscan62: Modified synscan tool - records to .w and .l files - stripped
> > synscan7: Same but compiled for RedHat 7 - stripped
> > w62: venglin wu-ftpd exploit - stripped
> > w7: Same but compiled for RedHat 7 - stripped
> > wh.sh: Driver script to call the "s" and "w" binaries against a given
> >      target
> > wu62: Apparently only included by mistake. "strings" shows it to be
> >      very similar to w62; nowhere is this binary ever invoked.
> >
> > Lucy E. Lynch                  Academic User Services
> > Computing Center               University of Oregon
> > [email protected]              (541) 346-1774
> > Cell: (541) 912-7998           [email protected]
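The open question in the mail, whether 128 kb/s of MSDP is too much or too little, is answered by the counters in "show interfaces rate-limit", not by the configured number. The following is an added example, not code from this thread and not Cisco's: a small Python parser for that output format that works out, per match clause, how much of the cap the steady-state rate uses and what fraction of matched bytes the limiter has dropped. The sample input is the two tunnel entries from the mail, re-indented the way IOS prints them; the record field names, the 10% "slack" threshold and the verdict labels are this script's own choices.

```python
"""Added example: parse Cisco IOS "show interfaces rate-limit" output and
judge whether a CAR policy is idle, near its cap, or dropping.  Not code from
the thread or from Cisco; field names and thresholds are this script's own."""
import re
from typing import Dict, List

# Constructed sample input: the two tunnel entries from the mail, laid out as
# IOS prints them (interface line unindented, per-clause counters indented).
SAMPLE_OUTPUT = """\
Tunnel1 Mbone tunnel to Dante
  Input
    matches: access-group 180
      params:  128000 bps, 30000 limit, 30000 extended limit
      conformed 755 packets, 60044 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 388ms ago, current burst: 0 bytes
      last cleared 00:07:26 ago, conformed 1000 bps, exceeded 0 bps
Tunnel2 Mbone tunnel to Startap
  Input
    matches: access-group 180
      params:  128000 bps, 30000 limit, 30000 extended limit
      conformed 909 packets, 148937 bytes; action: transmit
      exceeded 0 packets, 0 bytes; action: drop
      last packet: 1048ms ago, current burst: 0 bytes
      last cleared 00:08:48 ago, conformed 2000 bps, exceeded 0 bps
"""

DIR_RE = re.compile(r"^\s+(Input|Output)\s*$")
MATCH_RE = re.compile(r"^\s+matches:\s+(.+?)\s*$")
PARAMS_RE = re.compile(r"params:\s+(\d+) bps, (\d+) limit, (\d+) extended limit")
CONFORMED_RE = re.compile(r"conformed (\d+) packets, (\d+) bytes; action: (\S+)")
EXCEEDED_RE = re.compile(r"exceeded (\d+) packets, (\d+) bytes; action: (\S+)")
RATE_RE = re.compile(r"last cleared (\S+) ago, conformed (\d+) bps, exceeded (\d+) bps")

SLACK_UTILIZATION = 0.10  # below this share of the cap the limiter is idle (own threshold)


def parse_rate_limit(text: str) -> List[Dict]:
    """Return one record per (interface, direction, match clause)."""
    records: List[Dict] = []
    iface = direction = None
    cur: Dict = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # "Tunnel1 Mbone tunnel to Dante"
            iface = line.split()[0]
            continue
        m = DIR_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = MATCH_RE.match(line)
        if m:  # each match clause starts a new record
            cur = {"interface": iface, "direction": direction, "match": m.group(1)}
            records.append(cur)
            continue
        m = PARAMS_RE.search(line)
        if m:
            cur["limit_bps"], cur["normal_burst"], cur["extended_burst"] = map(int, m.groups())
            continue
        m = CONFORMED_RE.search(line)
        if m:  # cumulative counters since the last clear
            cur["conformed_packets"], cur["conformed_bytes"] = int(m.group(1)), int(m.group(2))
            cur["conform_action"] = m.group(3)
            continue
        m = EXCEEDED_RE.search(line)
        if m:
            cur["exceeded_packets"], cur["exceeded_bytes"] = int(m.group(1)), int(m.group(2))
            cur["exceed_action"] = m.group(3)
            continue
        m = RATE_RE.search(line)
        if m:  # average rates over the interval since the last clear
            cur["cleared_ago"] = m.group(1)
            cur["conformed_bps"], cur["exceeded_bps"] = int(m.group(2)), int(m.group(3))
    return records


def assess(rec: Dict) -> Dict:
    """Summarise one record: share of the cap in use and share of bytes dropped."""
    total_bytes = rec["conformed_bytes"] + rec["exceeded_bytes"]
    drop_fraction = rec["exceeded_bytes"] / total_bytes if total_bytes else 0.0
    utilization = rec["conformed_bps"] / rec["limit_bps"]
    if rec["exceeded_packets"] > 0:
        verdict = "dropping"  # the cap is being hit and matched traffic is discarded
    elif utilization < SLACK_UTILIZATION:
        verdict = "slack"  # cap far above the steady-state rate
    else:
        verdict = "near-cap"
    return {"interface": rec["interface"], "utilization": utilization,
            "drop_fraction": drop_fraction, "verdict": verdict}


def report(text: str) -> List[str]:
    """One summary line per record, suitable for a cron mail or a log."""
    lines = []
    for rec in parse_rate_limit(text):
        a = assess(rec)
        lines.append(f"{rec['interface']} {rec['direction']} {rec['match']}: "
                     f"{rec['conformed_bps']}/{rec['limit_bps']} bps "
                     f"({a['utilization']:.1%} of cap), dropped "
                     f"{a['drop_fraction']:.1%} of bytes -> {a['verdict']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

On the numbers in the mail both tunnels come out "slack": 1000 and 2000 bps against a 128000 bps cap with zero exceeded packets, so at the moment the counters were read the limiter had not discarded any MSDP traffic. The counter to watch during the next CPUHOG episode is "exceeded": MSDP runs over TCP, so dropped segments are retransmitted, but sustained drops slow SA propagation and can flap the peering. The 37888 matches on the ACL's deny entry are packets the access-group did not select for policing; CAR only limits what the referenced ACL permits, so that traffic crossed the tunnels unlimited.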