[31585] in North American Network Operators' Group
Re: Disabling QAZ (was Re: Port 139 scans)
daemon@ATHENA.MIT.EDU (John Fraizer)
Fri Sep 29 16:26:57 2000
Date: Fri, 29 Sep 2000 16:17:19 -0400 (EDT)
From: John Fraizer <nanog@EnterZone.Net>
To: Mike Lewinski <mike@rockynet.com>
Cc: nanog@merit.edu
In-Reply-To: <007901c02a50$02bb6640$1cd8a8ce@rockynet.com>
Message-ID: <Pine.LNX.4.21.0009291613180.4455-100000@Overkill.EnterZone.Net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu

On Fri, 29 Sep 2000, Mike Lewinski wrote:
>
> > It might be a good idea to implement filtering on the borders for TCP SYN
> > from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's
> > installed.
> >
> <snip>
> > Anyone else have any thoughts on damage control here?
>
> Ok, guess it's time to get on nanog-post....
>
> You can disable the clients, at least until next reboot. This won't work
> with telnet, you have to use netcat:
>
> $ nc qaz_infected_ip 7597
> :qazwsx.hsq
> >quit
>

Well, since I'm hardheaded, and I don't have netcat installed, I tried
with telnet and it seems to have worked.

$ telnet 216.30.78.100 7597
Trying 216.30.78.100...
Connected to 216.30.78.100.
Escape character is '^]'.
:qazwsx.hsq
>help
>die
>quit
Connection closed by foreign host.

$ telnet 216.30.78.100 7597
Trying 216.30.78.100...
telnet: Unable to connect to remote host: Connection refused

---
John Fraizer
EnterZone, Inc
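
Added example, not part of the original message or of either poster's tooling: a triage pass over border flow records that sorts internal hosts by how they answered on TCP 7597, the port named in the thread. The flow line format, the sample records and the function name are constructed for illustration. A host that ever answered with SYN-ACK stays flagged even if it later refuses, because the disable described above only lasts until the next reboot.

```python
import ipaddress

QAZ_PORT = 7597  # backdoor port named in the thread

# Constructed sample, hypothetical format:
# "src_ip src_port dst_ip dst_port tcp_flags" (S=SYN, A=ACK, R=RST)
SAMPLE_FLOWS = """\
198.51.100.7 40112 192.0.2.10 7597 S
192.0.2.10 7597 198.51.100.7 40112 SA
198.51.100.7 40113 192.0.2.11 7597 S
192.0.2.11 7597 198.51.100.7 40113 RA
203.0.113.9 51000 192.0.2.12 7597 S
192.0.2.12 80 203.0.113.9 51001 SA
192.0.2.10 7597 203.0.113.9 51002 SA
"""

def classify_qaz_hosts(flow_text, internal_net):
    """Map each internal host probed on QAZ_PORT to a state:
    'listening' (it sent SYN-ACK from the port, so something is bound there),
    'refused'   (it sent RST, as in the second telnet attempt above),
    'no-reply'  (SYN seen, no answer seen, e.g. dropped by a filter)."""
    net = ipaddress.ip_network(internal_net)
    state = {}
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        src, sport, dst, dport, flags = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            sport, dport = int(sport), int(dport)
        except ValueError:
            continue
        flags = set(flags.upper())
        if dst_ip in net and dport == QAZ_PORT and flags == {"S"}:
            state.setdefault(dst, "no-reply")
        elif src_ip in net and sport == QAZ_PORT:
            if {"S", "A"} <= flags:
                state[src] = "listening"   # sticky: needs cleanup regardless
            elif "R" in flags and state.get(src) != "listening":
                state[src] = "refused"
    return state

if __name__ == "__main__":
    for host, st in sorted(classify_qaz_hosts(SAMPLE_FLOWS, "192.0.2.0/24").items()):
        print(host, st)
```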