[31612] in North American Network Operators' Group
Re: Disabling QAZ (was Re: Port 139 scans)
daemon@ATHENA.MIT.EDU (Jason Slagle)
Sat Sep 30 11:12:10 2000
Date: Sat, 30 Sep 2000 11:10:11 -0400 (EDT)
From: Jason Slagle <raistlin@tacorp.net>
To: Dan Hollis <goemon@sasami.anime.net>
Cc: Mike Lewinski <mike@rockynet.com>, nanog@merit.edu
In-Reply-To: <Pine.LNX.4.21.0009291312510.16988-100000@anime.net>
Message-ID: <Pine.BSO.4.21.0009301109170.25207-100000@mail.tacorp.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
Get me specs on how it's done and I will give it a shot.
We already have automated sub7 cleaners on Dalnet that we use to clean
infected hosts. I could likely whip a daemon up pretty easily to monitor
port 139 and auto disinfect.
Jason
---
Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12 GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w---
O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+
------END GEEK CODE BLOCK------
On Fri, 29 Sep 2000, Dan Hollis wrote:
>
> On Fri, 29 Sep 2000, Mike Lewinski wrote:
> > "exit" will close the connection but not the QAZ server, while "quit" does
> > appear to shut it down. You can also "run x". Once QAZ has been shut down,
> > it's also possible to connect to the share and manually delete the infected
> > notepad.exe, although I haven't yet figured out if there's a way to unshare
> > someone's drives remotely via command line (if I did this, I wouldn't be
> > able to get back in to clean the infection).
>
> It would be cool if someone would make a tool that would auto-disinfect
> users...
>
> -Dan
>
>