It looks like all our fixed IP machines are now clean at the law college.
Since some of our part-time faculty register their laptops via DHCP, we have had
a hard time tracking down some infected machines (since they may only be on
campus one or two days a week.) We'll get them clean as soon as they are
back in the building.
A question for you: some of the addresses on the list, when I managed
to track them down, belong to student laptops who have registered their
computers in the DHCP database. Are you sending emails to students when a
DHCP address registered to a student shows up on these lists? Since they
all had to register using their Pilot IDs, I was curious to know if you are
running this list against the DHCP registry to notify students? Or are you
expecting the network administrators to try and identify student machines that
are infected?
Thanks for all your hard work on this. I know I am not the only one
who appreciates all your hard work in helping us track down infected
machines.
>>>
[log in to unmask] 08/20/03 07:54PM
>>>
Please note: I have now posted today's list of infected
computer
systems to the web site listed below. The current list
includes
systems which are doing ICMP (ping request) scans, as well
as
Microsoft network scans. The ICMP scans are primarily a result
of
the "W32.Welchia" worm, whereas the port 135 scans are primarily
from
"W32.Blaster". Both worms exploit the MS DCOM
vulnerability.
Doug
Doug
Nelson
[log in to unmask]Network
Manager
Ph: (517) 353-2980
Computer
Laboratory
http://www.msu.edu/~nelson/Michigan
State University
Forwarded message:
Subject: IMPORTANT: Many
campus systems port scanning
To:
[log in to unmask] (IP Host
Managers),
[log in to unmask]
(MSU Security Announce),
[log in to unmask] (MSU Network Administrators Group)
Date: Wed, 20 Aug 2003
10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length:
835
Important message to all campus system and network
administrators:
We are experiencing a high volume of Microsoft network
scans, coming
from over 450 computer systems on the campus network. In
order to
speed up the process of contacting system administrators, the
list
of IP addresses has been posted.
Please review the following site
for systems under your control:
http://network.msu.edu/msu/portscan.htmlAlso
included are pointers to several resources which may aid in
controlling and
removing the viruses/worms involved in these port
scans.
The list of
IP addresses will be revised later today, as we gain
further information on
the level of port scanning on the campus
network.
Doug
Nelson
[log in to unmask]Network
Manager
Ph: (517) 353-2980
Computer
Laboratory
http://www.msu.edu/~nelson/Michigan
State University