[31592] in North American Network Operators' Group


Re: Disabling QAZ (was Re: Port 139 scans)

daemon@ATHENA.MIT.EDU (Dana Hudes)
Fri Sep 29 17:08:15 2000

Message-ID: <008b01c02a55$edd945c0$3d5cdcd1@hudes.org>
From: "Dana Hudes" <dhudes@hudes.org>
To: "John Fraizer" <nanog@EnterZone.Net>,
	"Dan Hollis" <goemon@sasami.anime.net>
Cc: "Mike Lewinski" <mike@rockynet.com>, <nanog@merit.edu>
Date: Fri, 29 Sep 2000 16:43:31 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Errors-To: owner-nanog-outgoing@merit.edu


ISPs must shut off service to infected clients until they repair the damage.
A user in such a situation can telnet to their own port 7597 and type the commands.
If they want service back, that's what they have to do.
If they can't handle it or can't be bothered then they can't have service because it is an AUP violation.
Doesn't matter how big or small the provider, you are helping your own uninfected customers because the behavior seems to be to scan local netblocks.

Aggressive action is required because things are going to get worse if it is not taken.

----- Original Message -----
From: "John Fraizer" <nanog@EnterZone.Net>
To: "Dan Hollis" <goemon@sasami.anime.net>
Cc: "Mike Lewinski" <mike@rockynet.com>; <nanog@merit.edu>
Sent: Friday, September 29, 2000 4:29 PM
Subject: Re: Disabling QAZ (was Re: Port 139 scans)


>
> On Fri, 29 Sep 2000, Dan Hollis wrote:
>
> >
> > On Fri, 29 Sep 2000, Mike Lewinski wrote:
> > > "exit" will close the connection but not the QAZ server, while "quit" does
> > > appear to shut it down. You can also "run x". Once QAZ has been shut down,
> > > it's also possible to connect to the share and manually delete the infected
> > > notepad.exe, although I haven't yet figured out if there's a way to unshare
> > > someone's drives remotely via command line (if I did this, I wouldn't be
> > > able to get back in to clean the infection).
> >
> > It would be cool if someone would make a tool that would auto-disinfect
> > users...
> >
> > -Dan
> >
>
> Yep.  The problem with that is that current laws on the books (in the US
> at least) make this an illegal solution.  If memory serves me correctly,
> the one I'm thinking about is worded something like:
>
> "...any person who without authorization, accesses, modifies, deletes or
> destroys..."
>
> The penalties are pretty stiff too.  The best of intentions don't negate
> the fact that it's illegal.
>
> ---
> John Fraizer
> EnterZone, Inc
>


