Re: Disabling QAZ (was Re: Port 139 scans)

["Dana Hudes" <dhudes () hudes org>]

ISPs must shut off service to infected clients until they repair the damage.
A user in such situation can telnet to their own port 7597 and type the commands.
If they want service back, that's what they have to do.
If they can't handle it or can't be bothered then they can't have service because it is an AUP violation.
doesn't matter how big or small the provider, you are helping your own uninfected customers because
the behavior seems to be to scan local netblocks.

Aggressive action is required because things are going to get worse if it is not taken.

----- Original Message ----- 
From: "John Fraizer" <nanog () EnterZone Net>
To: "Dan Hollis" <goemon () sasami anime net>
Cc: "Mike Lewinski" <mike () rockynet com>; <nanog () merit edu>
Sent: Friday, September 29, 2000 4:29 PM
Subject: Re: Disabling QAZ (was Re: Port 139 scans)


> On Fri, 29 Sep 2000, Dan Hollis wrote:
>
> > On Fri, 29 Sep 2000, Mike Lewinski wrote:
> > > "exit" will close the connection but not the QAZ server, while "quit" does
> > > appear to shut it down. You can also "run x". Once QAZ has been shutdown,
> > > it's also possible to connect to the share and manually delete the infected
> > > notepad.exe, although I haven't yet figured out if there's a way to unshare
> > > someone's drives remotely via command line (if I did this, I wouldn't be
> > > able to get back in to clean the infection).
> >
> > It would be cool if someone would make a tool that would auto-disinfect
> > users...
> >
> > -Dan
>
>
> Yep.  The problem with that is that current laws on the books (in the US
> at least) make this an illegal solution.  If memory serves me correctly,
> the one I'm thinking about is worded something like:
>
> "...any person who without authorization, accesses, modifies, deletes or
> destroys..."
>
> The penalties are pretty stiff too.  The best of intentions don't negate
> the fact that it's illegal.
>
> ---
> John Fraizer
> EnterZone, Inc