On Fri, 29 Sep 2000, Mike Lewinski wrote:
It might be a good idea to implement filtering on the borders for TCP SYN from 0/0 to 0/0 port 7597. That way, at least it can't be used once it's installed.
<snip>
Anyone else have any thoughts on damage control here?
Ok, guess it's time to get on nanog-post....
You can disable the clients, at least until next reboot. This won't work with telnet, you have to use netcat:
$ nc qaz_infected_ip 7597
:qazwsx.hsq
quit
Well, since I'm hardheaded, and I don't have netcat installed, I tried with telnet and it seems to have worked.

$ telnet 216.30.78.100 7597
Trying 216.30.78.100...
Connected to 216.30.78.100.
Escape character is '^]'.
:qazwsx.hsq
help die quit
Connection closed by foreign host.

$ telnet 216.30.78.100 7597
Trying 216.30.78.100...
telnet: Unable to connect to remote host: Connection refused

---
John Fraizer
EnterZone, Inc