North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Disabling QAZ (was Re: Port 139 scans)

  • From: Jason Slagle
  • Date: Sat Sep 30 11:13:01 2000

Get me specs on how it's done and I will give it a shot.

We already have automated sub7 cleaners on Dalnet that we use to clean
infected hosts.  I could likely whip a daemon up pretty eaisly to monitor
port 139 and auto disinfect.


Jason Slagle - CCNA - CCDA
Network Administrator - Toledo Internet Access - Toledo Ohio
- [email protected] - [email protected] - WHOIS JS10172
Version: 3.12 GE d-- s:+ a-- C++ UL+++ P--- L+++ E- W- N+ o-- K- w---
O M- V PS+ PE+++ Y+ PGP t+ 5 X+ R tv+ b+ DI+ D G e+ h! r++ y+

On Fri, 29 Sep 2000, Dan Hollis wrote:

> On Fri, 29 Sep 2000, Mike Lewinski wrote:
> > "exit" will close the connection but not the QAZ server, while "quit" does
> > appear to shut it down. You can also "run x". Once QAZ has been shutdown,
> > it's also possible to connect to the share and manually delete the infected
> > notepad.exe, although I haven't yet figured out if there's a way to unshare
> > someone's drives remotely via command line (if I did this, I wouldn't be
> > able to get back in to clean the infection).
> It would be cool if someone would make a tool that would auto-disinfect
> users...
> -Dan