Return-Path: <mhpower@MIT.EDU>
Received: from fort-point-station.mit.edu by po12.mit.edu (8.9.2/4.7) id XAA22270; Wed, 17 Jan 2001 23:17:24 -0500 (EST)
From: <mhpower@MIT.EDU>
Received: from customer-care.infrastructure.org (customer-care.infrastructure.org [216.110.34.41]) by fort-point-station.mit.edu (8.9.2/8.9.2) with SMTP id XAA28609 for <security-internal@mit.edu>; Wed, 17 Jan 2001 23:17:23 -0500 (EST)
Received: (qmail 75330 invoked by uid 7783); 18 Jan 2001 04:17:26 -0000
Message-ID: <20010118041726.75329.qmail@customer-care.infrastructure.org>
Date: Wed, 17 Jan 2001 23:17:26 -0500
To: security-internal@mit.edu
Subject: Ramen worm apparently not seen at MIT
X-Evolution: 0000005d-0000

Supposedly there is a worm program active today that automatically
breaks into Linux machines via wu-ftpd, rpc.statd, or LPRng and sends
the text "Eat Your Ramen" to two preconfigured e-mail addresses. The
compromised hosts listen on tcp port 27374. There don't seem to be any
Linux hosts at MIT listening on that port now, nor were there any when
I first looked about 8 hours ago.

Discussion of the worm can be found at:

  http://members.home.net/dtmartin24/ramen_worm.txt
  http://news.cnet.com/news/0-1003-201-4508359-0.html

Matt