North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Disabling QAZ (was Re: Port 139 scans)
> It might be a good idea to implement filtering on the borders for TCP SYN > from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's > installed. > <snip> > Anyone else have any thoughts on damage control here? Ok, guess it's time to get on nanog-post.... You can disable the clients, at least until next reboot. This won't work with telnet, you have to use netcat: $ nc qaz_infected_ip 7597 :qazwsx.hsq >quit "exit" will close the connection but not the QAZ server, while "quit" does appear to shut it down. You can also "run x". Once QAZ has been shutdown, it's also possible to connect to the share and manually delete the infected notepad.exe, although I haven't yet figured out if there's a way to unshare someone's drives remotely via command line (if I did this, I wouldn't be able to get back in to clean the infection). I've also been playing with that chinese MTA. I've been trying to capture the actual contents of the e-mail that gets sent. Not sure if they've been recently imparted with a clue, but it seems like the SMTP transactions aren't completing now. Something is definitely funny over there... two days ago I could do the following by hand, just like strings on QAZ suggests that it does: 220 smtp.yeah.net ESMTP mail from:nongmin_cn 250 Ok rcpt to:nongmin_cn 250 Ok data 354 End data with <CR><LF>.<CR><LF> . 250 Ok: queued as 9D8021C25A939 Today it disconnects upon receving the "rcpt to:nongmin_cn" line (no 5xx error, just disconnects). I just have a funny feeling about this, it's a very weird MTA that accepts broken syntax (not that that is so uncommon), and it will terminate connections very quickly if it doesn't get data right away. My feeling is that the attackers are probably just watching the SMTP logs to glean IPs from, and that they don't care if the virus gets to send the e-mail or not. I believe that this SMTP isn't actually responsible for _any_ legitimate mail, a check on MX records for yeah.net shows that it's not listed there. Perhaps the attackers have modified the MTA itself now to hide their tracks, making it look like that address has been disabled (the virus doesn't know this, and will keep trying to send at every reboot, btw). Mike P.S. The QAZ server only allows one connection at a time. If you think someone is infected but not answering on that port, it may be in use....