STeve Andre' wrote:

>While I can see your point John, these are absolutely extraordinary
>times. I have never seen anything like this before with Windows.
>Given the situation, I think what the CL did was reasonable. They
>only have so much manpower, and in essence what they did was
>a triage system. Could it have been done better? Well, yes, given
>more people involved.
>
>Hats off to Doug, Joe, Jeff, Ken and ? in the networking group for
>dealing with things as well as they have. I'm not sure I've ever
>heard of a group doing as much with as few resources as these
>folks have.
>
>--STeve Andre' (Political Science)
>
>On Thursday 21 August 2003 10:14 am, John Resotko wrote:
>
>>Good morning all,
>>
>>I just had a visit from a student who recently caught, then disinfected
>>their computer of both Blaster and Welchia worms. Today, when they first
>>connected to the campus network, they get a page saying their DHCP service
>>has been suspended, and that they need to clean their systems before they
>>will be allowed back on the network. I've helped two other "suspended"
>>students clean their machines this morning, but when they return to
>>dhcp.msu.edu and try to check their registration, they are again told they
>>are suspended, and that they have to call the Computer Lab to be
>>reinstated.
>>
>>While I understand the need to do everything possible to stop the spread of
>>infection, I really wish someone would have warned me to expect this. I
>>didn't see any messages on the host managers, IP managers, or NAG lists
>>that student access would be suspended. I've been handing out instructions
>>to students on how to download the patches, as well as Blastfix.exe and
>>Welchfix.exe from Norton for the last few days. Those instructions are now
>>useless, because students who are suspended can't use the network to get
>>the tools they need to clean up their machines.
>>
>>Is there an easier way for students to get their access to the DHCP
>>registry reinstated after they have cleaned up their PCs? If not, you can
>>expect a lot of additional phone calls until the reinstatement process is
>>somehow automated. Any advice you can offer on what we need to tell our
>>students would be greatly appreciated.
>>
>>John A. Resotko
>>Head of Systems Administration
>>MSU - Detroit College of Law
>>208 Law College Building
>>East Lansing, MI 48824-1300
>>email: [log in to unmask]
>>Phone: 517-432-6836
>>Fax: 517-432-6861
>>
>>>>>[log in to unmask] 08/20/03 07:54PM >>>
>>
>>Please note: I have now posted today's list of infected computer
>>systems to the web site listed below. The current list includes
>>systems which are doing ICMP (ping request) scans, as well as
>>Microsoft network scans. The ICMP scans are primarily a result
>>of the "W32.Welchia" worm, whereas the port 135 scans are primarily
>>from "W32.Blaster". Both worms exploit the MS DCOM vulnerability.
>>
>>Doug
>>
>>Doug Nelson                    [log in to unmask]
>>Network Manager                Ph: (517) 353-2980
>>Computer Laboratory            http://www.msu.edu/~nelson/
>>Michigan State University
>>
>>Forwarded message:
>>
>>Subject: IMPORTANT: Many campus systems port scanning
>>To: [log in to unmask] (IP Host Managers),
>>    [log in to unmask] (MSU Security Announce),
>>    [log in to unmask] (MSU Network Administrators Group)
>>Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
>>X-Mailer: ELM [version 2.5 PL2]
>>Content-Length: 835
>>
>>Important message to all campus system and network administrators:
>>
>>We are experiencing a high volume of Microsoft network scans, coming
>>from over 450 computer systems on the campus network. In order to
>>speed up the process of contacting system administrators, the list
>>of IP addresses has been posted.
>>
>>Please review the following site for systems under your control:
>>
>>    http://network.msu.edu/msu/portscan.html
>>
>>Also included are pointers to several resources which may aid in
>>controlling and removing the viruses/worms involved in these port
>>scans.
>>
>>The list of IP addresses will be revised later today, as we gain
>>further information on the level of port scanning on the campus
>>network.
>>
>>Doug Nelson                    [log in to unmask]
>>Network Manager                Ph: (517) 353-2980
>>Computer Laboratory            http://www.msu.edu/~nelson/
>>Michigan State University
>>
>
> Yes I totally agree. And a special thanks to Joe for the scan and info
> three weeks ago. That saved me a lot of time and headache now. Must
> have taken a big effort to get the policy changed so you could do
> that. I am happy to deal with the occasional mad user that was kicked
> off the network. After all they are the ones that ignored the updates
> and warnings for over six weeks.
>
> Uwe Rossbach