TUCoPS :: Web :: General :: in200101.htm

Compromises via ramen toolkit
CERT Incident Note IN-2001-01: Compromises via ramen Toolkit

Widespread Compromises via "ramen" Toolkit

Date: Thursday, January 18, 2001


The CERT/CC has received reports from sites that have recovered an intruder toolkit called 'ramen' from compromised hosts. Ramen has been discussed in several public forums and the toolkit is publicly available. Ramen exploits one of several known vulnerabilities and contains a mechanism to self-propagate.


Ramen is a collection of tools designed to attack systems by exploiting well-known vulnerabilities in three commonly installed software packages. A successful exploitation of any of the vulnerabilities results in a privileged (root) compromise of the victim host.

The services and specific vulnerabilities targeted are

When a host is compromised, the ramen toolkit is automatically copied to the compromised host, installed in "/usr/src/.poop", and started. The ramen toolkit is controlled by a series of shell scripts that make modifications to the compromised system and initiate attacks on other systems. Several notable system modifications are made in sequence after ramen is started.

After modifying the local system, ramen initiates scanning and exploitation attempts against external systems on a widespread basis. The scanning and exploitation operations are executed, to some degree, in parallel. The time between a probe and an exploit attempt may be relatively short.

Successful exploitation results in the target host being root compromised. In addition, several actions are automatically taken on the newly compromised host that result in ramen being propagated from the attacker to the victim.

The method of propagation is provided by the intruder-supplied 'asp' service. It receives connections on TCP port 27374 of the attacking host and responds by sending a copy of '/tmp/ramen.tgz' to the victim host.


Vulnerable systems that are not current with vendor security patches are at risk for being root compromised via the ramen toolkit. Compromised systems may be subject to web-related files and system files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.

The widespread, automated attack and propagation characteristics of ramen may cause bandwidth denial-of-service conditions in isolated portions of the network, particularly near groups of compromised hosts where ramen is running.


The CERT/CC encourages Internet users and sites to ensure systems are up to date with current vendor security patches or workarounds for known security vulnerabilities. For more information, please see the related CERT advisories:

In the absence of fully patched and secured systems, one short-term mitigation strategy is to prevent propagation through packet filtering. Using packet filters to block outbound TCP SYN packets to destination port 27374 at strategic network choke points will help prevent newly compromised hosts within your network from acquiring ramen from external hosts and further propagating it. Using packet filters to block inbound TCP SYN packets to destination port 27374 at strategic network choke points will help prevent newly compromised hosts outside of your network from acquiring ramen from internal hosts and further propagating it. Using packet filters, or IDS signatures, with logging may also provide a quick means of identifying hosts within your network that may have been compromised by ramen.

Please note that packet filtering on specific ports is a nonsustainable strategy because usage of specific port numbers by intruder tools can and does change over time.

If you believe your host has been compromised, please follow the steps outlined in

Steps for Recovering From a Root Compromise

Author: Kevin Houle

This document is available from:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH