While I can see your point John, these are absolutely extraordinary times. I have never seen anything like this before with Windows. Given the situation, I think what the CL did was reasonable. They only have so much manpower, and in essense what they did was a triage system. Could it have been done better? Well, yes, given more people involved. Hats off to Doug, Joe, Jeff, Ken and ? in the networking group for dealing with things as well as they have. I'm not sure I've ever heard of a group doing as much with as few resources as these folks have. --STeve Andre' (Political Science) On Thursday 21 August 2003 10:14 am, John Resotko wrote: > Good morning all, > > I just had a visit from a student who recently caught, then disinfected > their computer of both Blaster and Welchia worms. Today, when they first > connected to the campus network, they get a page saying their DHCP service > has been suspended, and that they need to clean their systems before they > will be allowed back on the network. I've helped two other "suspended" > students clean their machines this morning, but when they return to > dhcp.msu.edu and try to check their registration, they are again told they > are suspended, and that they have to call the Computer Lab to be > reinstated. > > While I understand the need to do everything possible to stop the spread of > infection, I really wish someone would have warned me to expect this. I > didn't see any messages on the host managers, IP managers, or NAG lists > that student access would be suspended. I've been handing out instructions > to students on how to download the patches, as well as Blastfix.exe and > Welchfix.exe from Norton for the last few days. Those instructions are now > useless, because students who are suspended can't use the network to get > the tools they need to cleanup their machines. > > Is there an easier way for students to get their access to the DHCP > registry reinstated after they have cleaned up their PCs? If not, you can > expect a lot of additional phone calls until the reinstatement process is > somehow automated. Any advice you can offer on what we need to tell our > students would be greatly appreciated. > > John A. Resotko > Head of Systems Administration > MSU - Detroit College of Law > 208 Law College Building > East Lansing, MI 48824-1300 > email: [log in to unmask] > Phone: 517-432-6836 > Fax: 517-432-6861 > > >>> [log in to unmask] 08/20/03 07:54PM >>> > > Please note: I have now posted today's list of infected computer > systems to the web site listed below. The current list includes > systems which are doing ICMP (ping request) scans, as well as > Microsoft network scans. The ICMP scans are primarily a result > of the "W32.Welchia" worm, whereas the port 135 scans are primarily > from "W32.Blaster". Both worms exploit the MS DCOM vulnerability. > > Doug > > > Doug Nelson [log in to unmask] > Network Manager Ph: (517) 353-2980 > Computer Laboratory http://www.msu.edu/~nelson/ > Michigan State University > > > Forwarded message: > > Subject: IMPORTANT: Many campus systems port scanning > To: [log in to unmask] (IP Host Managers), > [log in to unmask] (MSU Security Announce), > [log in to unmask] (MSU Network Administrators Group) > Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT) > X-Mailer: ELM [version 2.5 PL2] > Content-Length: 835 > > Important message to all campus system and network administrators: > > We are experiencing a high volume of Microsoft network scans, coming > from over 450 computer systems on the campus network. In order to > speed up the process of contacting system administrators, the list > of IP addresses has been posted. > > Please review the following site for systems under your control: > > http://network.msu.edu/msu/portscan.html > > Also included are pointers to several resources which may aid in > controlling and removing the viruses/worms involved in these port > scans. > > The list of IP addresses will be revised later today, as we gain > further information on the level of port scanning on the campus > network. > > Doug Nelson [log in to unmask] > Network Manager Ph: (517) 353-2980 > Computer Laboratory http://www.msu.edu/~nelson/ > Michigan State University