LISTSERV 16.0 - MSUNAG Archives

....along with instructions on how to get your DHCP services unsuspended
when complete.

John LeTourneau
Information Technology Services

The Eli Broad College of Business
Michigan State University
424A Eppley Center
East Lansing, MI 48824-1122

Email: [log in to unmask]
Phone:  517.353.1639
Pager:  517.232.2646
Fax:    517.355.0970


-----Original Message-----
From: Wendy Tate [mailto:[log in to unmask]]
Sent: Thursday, August 21, 2003 10:50 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many campus systems port scanning (fwd)

If we want to manage this in this manner, I think it would be a great idea
to load up the DHCP 'service suspended' page with local links for the
correct hotfixes and virus removal tools, and instructions for using them.



Wendy Tate
Network Coordinator - Department of Economics
Michigan State University
101 Marshall Hall
East Lansing, MI 48824
[log in to unmask] <mailto:[log in to unmask]>     517.355.1816
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of John Resotko
Sent: Thursday, August 21, 2003 10:15 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many campus systems port scanning (fwd)

Good morning all,

I just had a visit from a student who recently caught, then disinfected
their computer of both Blaster and Welchia worms.  Today, when they first
connected to the campus network, they get a page saying their DHCP service
has been suspended, and that they need to clean their systems before they
will be allowed back on the network.  I've helped two other "suspended"
students clean their machines this morning, but when they return to
dhcp.msu.edu and try to check their registration, they are again told they
are suspended, and that they have to call the Computer Lab to be reinstated.

While I understand the need to do everything possible to stop the spread of
infection, I really wish someone would have warned me to expect this.  I
didn't see any messages on the host managers, IP managers, or NAG lists that
student access would be suspended.  I've been handing out instructions to
students on how to download the patches, as well as Blastfix.exe and
Welchfix.exe from Norton for the last few days.  Those instructions are now
useless, because students who are suspended can't use the network to get the
tools they need to cleanup their machines.

Is there an easier way for students to get their access to the DHCP registry
reinstated after they have cleaned up their PCs?  If not, you can expect a
lot of additional phone calls until the reinstatement process is somehow
automated. Any advice you can offer on what we need to tell our students
would be greatly appreciated.

John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI  48824-1300
email: [log in to unmask] <mailto:[log in to unmask]>
Phone: 517-432-6836
Fax: 517-432-6861




>>> [log in to unmask] 08/20/03 07:54PM >>>
Please note:  I have now posted today's list of infected computer
systems to the web site listed below.  The current list includes
systems which are doing ICMP (ping request) scans, as well as
Microsoft network scans.  The ICMP scans are primarily a result
of the "W32.Welchia" worm, whereas the port 135 scans are primarily
from "W32.Blaster".  Both worms exploit the MS DCOM vulnerability.

Doug


Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
<http://www.msu.edu/~nelson/>
Michigan State University


Forwarded message:

Subject: IMPORTANT: Many campus systems port scanning
To: [log in to unmask] (IP Host Managers),
        [log in to unmask] (MSU Security Announce),
        [log in to unmask] (MSU Network Administrators Group)
Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 835

Important message to all campus system and network administrators:

We are experiencing a high volume of Microsoft network scans, coming
from over 450 computer systems on the campus network.  In order to
speed up the process of contacting system administrators, the list
of IP addresses has been posted.

Please review the following site for systems under your control:

  http://network.msu.edu/msu/portscan.html
<http://network.msu.edu/msu/portscan.html>

Also included are pointers to several resources which may aid in
controlling and removing the viruses/worms involved in these port
scans.

The list of IP addresses will be revised later today, as we gain
further information on the level of port scanning on the campus
network.

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
<http://www.msu.edu/~nelson/>
Michigan State University