Please note: I have now posted today's list of infected computer
systems to the web site listed below. The current list includes
systems which are doing ICMP (ping request) scans, as well as
Microsoft network scans. The ICMP scans are primarily a result
of the "W32.Welchia" worm, whereas the port 135 scans are primarily
from "W32.Blaster". Both worms exploit the MS DCOM vulnerability.
Doug
Doug Nelson [log in to unmask]
Network Manager Ph: (517) 353-2980
Computer Laboratory http://www.msu.edu/~nelson/
Michigan State University
Forwarded message:
Subject: IMPORTANT: Many campus systems port scanning
To: [log in to unmask] (IP Host Managers),
[log in to unmask] (MSU Security Announce),
[log in to unmask] (MSU Network Administrators Group)
Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 835
Important message to all campus system and network administrators:
We are experiencing a high volume of Microsoft network scans, coming
from over 450 computer systems on the campus network. In order to
speed up the process of contacting system administrators, the list
of IP addresses has been posted.
Please review the following site for systems under your control:
http://network.msu.edu/msu/portscan.html
Also included are pointers to several resources which may aid in
controlling and removing the viruses/worms involved in these port
scans.
The list of IP addresses will be revised later today, as we gain
further information on the level of port scanning on the campus
network.
Doug Nelson [log in to unmask]
Network Manager Ph: (517) 353-2980
Computer Laboratory http://www.msu.edu/~nelson/
Michigan State University
