....along with instructions on how to get your DHCP services unsuspended when complete.

John LeTourneau
Information Technology Services
The Eli Broad College of Business
Michigan State University
424A Eppley Center
East Lansing, MI 48824-1122
Email: [log in to unmask]
Phone: 517.353.1639
Pager: 517.232.2646
Fax: 517.355.0970

-----Original Message-----
From: Wendy Tate [mailto:[log in to unmask]]
Sent: Thursday, August 21, 2003 10:50 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many campus systems port scanning (fwd)

If we want to manage this in this manner, I think it would be a great idea to load up the DHCP 'service suspended' page with local links for the correct hotfixes and virus removal tools, and instructions for using them.

Wendy Tate
Network Coordinator - Department of Economics
Michigan State University
101 Marshall Hall
East Lansing, MI 48824
[log in to unmask]
517.355.1816

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of John Resotko
Sent: Thursday, August 21, 2003 10:15 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many campus systems port scanning (fwd)

Good morning all,

I just had a visit from a student who recently caught, then disinfected their computer of both Blaster and Welchia worms. Today, when they first connected to the campus network, they get a page saying their DHCP service has been suspended, and that they need to clean their systems before they will be allowed back on the network.

I've helped two other "suspended" students clean their machines this morning, but when they return to dhcp.msu.edu and try to check their registration, they are again told they are suspended, and that they have to call the Computer Lab to be reinstated.

While I understand the need to do everything possible to stop the spread of infection, I really wish someone would have warned me to expect this. I didn't see any messages on the host managers, IP managers, or NAG lists that student access would be suspended. I've been handing out instructions to students on how to download the patches, as well as Blastfix.exe and Welchfix.exe from Norton for the last few days. Those instructions are now useless, because students who are suspended can't use the network to get the tools they need to clean up their machines.

Is there an easier way for students to get their access to the DHCP registry reinstated after they have cleaned up their PCs? If not, you can expect a lot of additional phone calls until the reinstatement process is somehow automated.

Any advice you can offer on what we need to tell our students would be greatly appreciated.

John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI 48824-1300
email: [log in to unmask]
Phone: 517-432-6836
Fax: 517-432-6861

>>> [log in to unmask] 08/20/03 07:54PM >>>

Please note: I have now posted today's list of infected computer systems to the web site listed below. The current list includes systems which are doing ICMP (ping request) scans, as well as Microsoft network scans. The ICMP scans are primarily a result of the "W32.Welchia" worm, whereas the port 135 scans are primarily from "W32.Blaster". Both worms exploit the MS DCOM vulnerability.

Doug

Doug Nelson
[log in to unmask]
Network Manager
Ph: (517) 353-2980
Computer Laboratory
http://www.msu.edu/~nelson/
Michigan State University

Forwarded message:

Subject: IMPORTANT: Many campus systems port scanning
To: [log in to unmask] (IP Host Managers), [log in to unmask] (MSU Security Announce), [log in to unmask] (MSU Network Administrators Group)
Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 835

Important message to all campus system and network administrators:

We are experiencing a high volume of Microsoft network scans, coming from over 450 computer systems on the campus network. In order to speed up the process of contacting system administrators, the list of IP addresses has been posted. Please review the following site for systems under your control:

http://network.msu.edu/msu/portscan.html

Also included are pointers to several resources which may aid in controlling and removing the viruses/worms involved in these port scans.

The list of IP addresses will be revised later today, as we gain further information on the level of port scanning on the campus network.

Doug Nelson
[log in to unmask]
Network Manager
Ph: (517) 353-2980
Computer Laboratory
http://www.msu.edu/~nelson/
Michigan State University