While I can see your point, John, these are absolutely extraordinary
times. I have never seen anything like this before with Windows.
Given the situation, I think what the CL did was reasonable. They
only have so much manpower, and in essence what they did was
a triage system. Could it have been done better? Well, yes, given
more people involved.
Hats off to Doug, Joe, Jeff, Ken and ? in the networking group for
dealing with things as well as they have. I'm not sure I've ever
heard of a group doing as much with as few resources as these
folks have.
--STeve Andre' (Political Science)
On Thursday 21 August 2003 10:14 am, John Resotko wrote:
> Good morning all,
>
> I just had a visit from a student who recently caught, then disinfected
> their computer of both Blaster and Welchia worms. Today, when they first
> connected to the campus network, they get a page saying their DHCP service
> has been suspended, and that they need to clean their systems before they
> will be allowed back on the network. I've helped two other "suspended"
> students clean their machines this morning, but when they return to
> dhcp.msu.edu and try to check their registration, they are again told they
> are suspended, and that they have to call the Computer Lab to be
> reinstated.
>
> While I understand the need to do everything possible to stop the spread of
> infection, I really wish someone would have warned me to expect this. I
> didn't see any messages on the host managers, IP managers, or NAG lists
> that student access would be suspended. I've been handing out instructions
> to students on how to download the patches, as well as Blastfix.exe and
> Welchfix.exe from Norton for the last few days. Those instructions are now
> useless, because students who are suspended can't use the network to get
> the tools they need to clean up their machines.
>
> Is there an easier way for students to get their access to the DHCP
> registry reinstated after they have cleaned up their PCs? If not, you can
> expect a lot of additional phone calls until the reinstatement process is
> somehow automated. Any advice you can offer on what we need to tell our
> students would be greatly appreciated.
>
> John A. Resotko
> Head of Systems Administration
> MSU - Detroit College of Law
> 208 Law College Building
> East Lansing, MI 48824-1300
> email: [log in to unmask]
> Phone: 517-432-6836
> Fax: 517-432-6861
>
> >>> [log in to unmask] 08/20/03 07:54PM >>>
>
> Please note: I have now posted today's list of infected computer
> systems to the web site listed below. The current list includes
> systems which are doing ICMP (ping request) scans, as well as
> Microsoft network scans. The ICMP scans are primarily a result
> of the "W32.Welchia" worm, whereas the port 135 scans are primarily
> from "W32.Blaster". Both worms exploit the MS DCOM vulnerability.
>
> Doug
>
>
> Doug Nelson [log in to unmask]
> Network Manager Ph: (517) 353-2980
> Computer Laboratory http://www.msu.edu/~nelson/
> Michigan State University
>
>
> Forwarded message:
>
> Subject: IMPORTANT: Many campus systems port scanning
> To: [log in to unmask] (IP Host Managers),
> [log in to unmask] (MSU Security Announce),
> [log in to unmask] (MSU Network Administrators Group)
> Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
> X-Mailer: ELM [version 2.5 PL2]
> Content-Length: 835
>
> Important message to all campus system and network administrators:
>
> We are experiencing a high volume of Microsoft network scans, coming
> from over 450 computer systems on the campus network. In order to
> speed up the process of contacting system administrators, the list
> of IP addresses has been posted.
>
> Please review the following site for systems under your control:
>
> http://network.msu.edu/msu/portscan.html
>
> Also included are pointers to several resources which may aid in
> controlling and removing the viruses/worms involved in these port
> scans.
>
> The list of IP addresses will be revised later today, as we gain
> further information on the level of port scanning on the campus
> network.
>
> Doug Nelson [log in to unmask]
> Network Manager Ph: (517) 353-2980
> Computer Laboratory http://www.msu.edu/~nelson/
> Michigan State University