nanog mailing list archives

Re: Disabling QAZ (was Re: Port 139 scans)


From: John Fraizer <nanog () EnterZone Net>
Date: Fri, 29 Sep 2000 16:17:19 -0400 (EDT)


On Fri, 29 Sep 2000, Mike Lewinski wrote:


It might be a good idea to implement filtering on the borders for TCP SYN
from 0/0 to 0/0 port 7597.  That way, at least it can't be used once it's
installed.

<snip>
Anyone else have any thoughts on damage control here?

Ok, guess it's time to get on nanog-post....

You can disable the clients, at least until next reboot. This won't work
with telnet, you have to use netcat:

$ nc qaz_infected_ip 7597
:qazwsx.hsq
quit


Well, since I'm hardheaded, and I don't have netcat installed, I tried
with telnet and it seems to have worked.


$ telnet 216.30.78.100 7597
Trying 216.30.78.100...
Connected to 216.30.78.100.
Escape character is '^]'.
:qazwsx.hsq
help
die
quit
Connection closed by foreign host.

$ telnet 216.30.78.100 7597
Trying 216.30.78.100...
telnet: Unable to connect to remote host: Connection refused


---
John Fraizer
EnterZone, Inc
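An added example, not part of the original post or of any tool mentioned in the thread: a Python sketch that tracks how hosts answer on TCP 7597, so a host that went from accepting connections to "Connection refused" (as in the telnet session above) can be told apart from one still listening. The capture lines are constructed in a simplified `tcpdump -n` style with documentation addresses, and the names `classify` and `listening_hosts` are assumptions made for this illustration.

```python
import re

QAZ_PORT = 7597  # port named in the thread

# Constructed sample, simplified tcpdump -n style.
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE = """\
16:10:01.100 IP 198.51.100.7.40112 > 192.0.2.10.7597: Flags [S], length 0
16:10:01.101 IP 192.0.2.10.7597 > 198.51.100.7.40112: Flags [S.], length 0
16:10:05.300 IP 198.51.100.7.40113 > 192.0.2.20.7597: Flags [S], length 0
16:10:05.301 IP 192.0.2.20.7597 > 198.51.100.7.40113: Flags [R.], length 0
16:12:40.000 IP 198.51.100.7.40120 > 192.0.2.10.7597: Flags [S], length 0
16:12:40.001 IP 192.0.2.10.7597 > 198.51.100.7.40120: Flags [R.], length 0
16:13:00.000 IP 198.51.100.9.51000 > 192.0.2.30.7597: Flags [S], length 0
16:13:02.000 IP 192.0.2.40.80 > 198.51.100.9.51001: Flags [S.], length 0
16:14:00.000 IP 198.51.100.9.51002 > 192.0.2.50.7597: Flags [S], length 0
16:14:00.001 IP 192.0.2.50.7597 > 198.51.100.9.51002: Flags [S.], length 0
"""

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[A-Z.]+)\]"
)

def classify(capture, port=QAZ_PORT):
    """Map host -> 'listening' / 'refused' (its latest reply from the port),
    or 'no-reply' if it was sent a SYN and never answered."""
    state = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        flags = m["flags"]
        if int(m["dport"]) == port and flags == "S":
            # A SYN alone proves nothing; record it without overwriting a reply.
            state.setdefault(m["dst"], "no-reply")
        elif int(m["sport"]) == port and flags == "S.":
            state[m["src"]] = "listening"   # SYN-ACK: something accepts on the port
        elif int(m["sport"]) == port and "R" in flags:
            state[m["src"]] = "refused"     # RST: port closed, as after the reboot-less disable
    return state

def listening_hosts(capture, port=QAZ_PORT):
    """Hosts whose most recent reply from the port was a SYN-ACK."""
    return sorted(h for h, s in classify(capture, port).items() if s == "listening")

if __name__ == "__main__":
    for host, st in classify(SAMPLE).items():
        print(host, st)
```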




