I just had a visit from a student who recently caught, then disinfected
their computer of both Blaster and Welchia worms. Today, when they
first connected to the campus network, they got a page saying their DHCP service
has been suspended, and that they need to clean their systems before they will
be allowed back on the network. I've helped two other "suspended" students
clean their machines this morning, but when they return to dhcp.msu.edu and try
to check their registration, they are again told they are suspended, and that
they have to call the Computer Lab to be reinstated.

While I understand the need to do everything possible to stop the spread of
infection, I really wish someone would have warned me to expect this. I
didn't see any messages on the host managers, IP managers, or NAG lists that
student access would be suspended. I've been handing out instructions to
students on how to download the patches, as well as Blastfix.exe and
Welchfix.exe from Norton for the last few days. Those instructions are now
useless, because students who are suspended can't use the network to get the
tools they need to clean up their machines.

Is there an easier way for students to get their access to the DHCP
registry reinstated after they have cleaned up their PCs? If not, you can
expect a lot of additional phone calls until the reinstatement process is
somehow automated. Any advice you can offer on what we need to tell our students
would be greatly appreciated.

>>> [log in to unmask] 08/20/03 07:54PM >>>

Please note: I have now posted today's list of infected computer
systems to the web site listed below. The current list includes
systems which are doing ICMP (ping request) scans, as well as
Microsoft network scans. The ICMP scans are primarily a result of
the "W32.Welchia" worm, whereas the port 135 scans are primarily from
"W32.Blaster". Both worms exploit the MS DCOM vulnerability.

Doug

Doug Nelson                    [log in to unmask]
Network Manager                Ph: (517) 353-2980
Computer Laboratory            http://www.msu.edu/~nelson/
Michigan State University

Forwarded message:

Subject: IMPORTANT: Many campus systems port scanning
To: [log in to unmask] (IP Host Managers),
    [log in to unmask] (MSU Security Announce),
    [log in to unmask] (MSU Network Administrators Group)
Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 835

Important message to all campus system and network administrators:

We are experiencing a high volume of Microsoft network scans, coming
from over 450 computer systems on the campus network. In order to
speed up the process of contacting system administrators, the list
of IP addresses has been posted.

Please review the following site for systems under your control:

http://network.msu.edu/msu/portscan.html

Also included are pointers to several resources which may aid in
controlling and removing the viruses/worms involved in these port
scans.

The list of IP addresses will be revised later today, as we gain
further information on the level of port scanning on the campus
network.

Doug Nelson                    [log in to unmask]
Network Manager                Ph: (517) 353-2980
Computer Laboratory            http://www.msu.edu/~nelson/
Michigan State University