STeve Andre' wrote:
While I can see your point John, these are absolutely extraordinary
times.  I have never seen anything like this before with Windows.
Given the situation, I think what the CL did was reasonable.  They
only have so much manpower, and in essence what they did was
a triage system.  Could it have been done better?  Well, yes, given
more people involved.

Hats off to Doug, Joe, Jeff, Ken and ? in the networking group for
dealing with things as well as they have.  I'm not sure I've ever
heard of a group doing as much with as few resources as these
folks have.

--STeve Andre' (Political Science)

On Thursday 21 August 2003 10:14 am, John Resotko wrote:
  
Good morning all,

I just had a visit from a student who recently caught, then disinfected
their computer of both Blaster and Welchia worms.  Today, when they first
connected to the campus network, they get a page saying their DHCP service
has been suspended, and that they need to clean their systems before they
will be allowed back on the network.  I've helped two other "suspended"
students clean their machines this morning, but when they return to
dhcp.msu.edu and try to check their registration, they are again told they
are suspended, and that they have to call the Computer Lab to be
reinstated.

While I understand the need to do everything possible to stop the spread of
infection, I really wish someone would have warned me to expect this.  I
didn't see any messages on the host managers, IP managers, or NAG lists
that student access would be suspended.  I've been handing out instructions
to students on how to download the patches, as well as Blastfix.exe and
Welchfix.exe from Norton for the last few days.  Those instructions are now
useless, because students who are suspended can't use the network to get
the tools they need to clean up their machines.

Is there an easier way for students to get their access to the DHCP
registry reinstated after they have cleaned up their PCs?  If not, you can
expect a lot of additional phone calls until the reinstatement process is
somehow automated. Any advice you can offer on what we need to tell our
students would be greatly appreciated.

John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI  48824-1300
email: [log in to unmask]
Phone: 517-432-6836
Fax: 517-432-6861

    
[log in to unmask] 08/20/03 07:54PM >>>
          
Please note:  I have now posted today's list of infected computer
systems to the web site listed below.  The current list includes
systems which are doing ICMP (ping request) scans, as well as
Microsoft network scans.  The ICMP scans are primarily a result
of the "W32.Welchia" worm, whereas the port 135 scans are primarily
from "W32.Blaster".  Both worms exploit the MS DCOM vulnerability.

Doug


Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University


Forwarded message:

Subject: IMPORTANT: Many campus systems port scanning
To: [log in to unmask] (IP Host Managers),
        [log in to unmask] (MSU Security Announce),
        [log in to unmask] (MSU Network Administrators Group)
Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 835

Important message to all campus system and network administrators:

We are experiencing a high volume of Microsoft network scans, coming
from over 450 computer systems on the campus network.  In order to
speed up the process of contacting system administrators, the list
of IP addresses has been posted.

Please review the following site for systems under your control:

  http://network.msu.edu/msu/portscan.html

Also included are pointers to several resources which may aid in
controlling and removing the viruses/worms involved in these port
scans.

The list of IP addresses will be revised later today, as we gain
further information on the level of port scanning on the campus
network.

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University
    


  

Yes, I totally agree. And a special thanks to Joe for the scan and info three weeks ago. That saved me a lot of time and headache now. Must have taken a big effort to get the policy changed so you could do that. I am happy to deal with the occasional mad user that was kicked off the network. After all, they are the ones that ignored the updates and warnings for over six weeks.

Uwe Rossbach