Ramen worm hits some Red Hat Linux servers

An Internet worm that affects Linux-based servers running Red Hat Inc.'s version of the open-source operating system has been causing aggravation for some users over the past week, although security analysts said they haven't yet seen any permanent damage that was caused by the so-called Ramen code.

Users can protect themselves against the worm -- which enters a vulnerable machine, then replicates itself and spreads to other systems -- by downloading readily available patches from Red Hat's Web site, according to Ryan Russell, an incident analyst at SecurityFocus.com in San Mateo, Calif.

Russell said SecurityFocus.com, which tracks technology security issues, began receiving Ramen-related postings to its online "Incidents List" last week after Linux system administrators noticed an increased number of scans for ports on their servers.

The worm appears to use several known security vulnerabilities in the Red Hat 6.2 and 7.0 releases of Linux, Russell said. The holes, which are said to be in a Network File System daemon, an FTP daemon and a line printer remote file, have since been fixed by patches that were issued by Red Hat. But if users don't apply the patches to their servers, the machines can be left susceptible to attacks such as this one.

"The vulnerabilities have been [publicized] for months," Russell said. He added that Ramen's creator, who has not been identified yet, seems to have "cobbled together a bunch of things" to create the worm, which scans the Internet in search of vulnerable servers running Red Hat's software and then insinuates itself into the systems.

The worm has been dubbed Ramen because it sends e-mail messages telling recipients to "eat your ramen," a reference to the popular Oriental noodle soup. More seriously, Russell said, the worm could potentially cause some damage on Web pages as it looks for the index.html main page.