CERT® Incident Note IN-2001-01The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
Widespread Compromises via "ramen" Toolkit
Date: Thursday, January 18, 2001
OverviewThe CERT/CC has received reports from sites that have recovered an intruder toolkit called 'ramen' from compromised hosts. Ramen has been discussed in several public forums and the toolkit is publicly available. Ramen exploits one of several known vulnerabilities and contains a mechanism to self-propagate.
Ramen is a collection of tools designed to attack systems by exploiting well-known vulnerabilities in three commonly installed software packages. A successful exploitation of any of the vulnerabilities results in a privileged (root) compromise of the victim host.
The services and specific vulnerabilities targeted are
When a host is compromised, the ramen toolkit is automatically copied to the compromised host, installed in "/usr/src/.poop", and started. The ramen toolkit is controlled by a series of shell scripts that make modifications to the compromised system and initiate attacks on other systems. Several notable system modifications are made in sequence after ramen is started.
After modifying the local system, ramen initiates scanning and exploitation attempts against external systems on a widespread basis. The scanning and exploitation operations are executed, to some degree, in parallel. The time between a probe and an exploit attempt may be relatively short.
Successful exploitation results in the target host being root compromised. In addition, several actions are automatically taken on the newly compromised host that result in ramen being propagated from the attacker to the victim.
The method of propagation is provided by the intruder-supplied 'asp' service. It receives connections on TCP port 27374 of the attacking host and responds by sending a copy of '/tmp/ramen.tgz' to the victim host.
Vulnerable systems that are not current with vendor security patches are at risk for being root compromised via the ramen toolkit. Compromised systems may be subject to web-related files and system files being altered or destroyed. Denial-of-service conditions may be created for services relying on altered or destroyed files. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.The widespread, automated attack and propagation characteristics of ramen may cause bandwidth denial-of-service conditions in isolated portions of the network, particularly near groups of compromised hosts where ramen is running.
The CERT/CC encourages Internet users and sites to ensure systems are up to date with current vendor security patches or workarounds for known security vulnerabilities. For more information, please see the related CERT advisories:
In the absence of fully patched and secured systems, one short-term mitigation strategy is to prevent propagation through packet filtering. Using packet filters to block outbound TCP SYN packets to destination port 27374 at strategic network choke points will help prevent newly compromised hosts within your network from acquiring ramen from external hosts and further propagating it. Using packet filters to block inbound TCP SYN packets to destination port 27374 at strategic network choke points will help prevent newly compromised hosts outside of your network from acquiring ramen from internal hosts and further propagating it. Using packet filters, or IDS signatures, with logging may also provide a quick means of identifying hosts within your network that may have been compromised by ramen.Please note that packet filtering on specific ports is a nonsustainable strategy because usage of specific port numbers by intruder tools can and does change over time.
If you believe your host has been compromised, please follow the steps outlined in
This document is available from: http://www.cert.org/incident_notes/IN-2001-01.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.