If we want to manage this in this manner, I think it would be a great idea to load up the DHCP ‘service suspended’ page with local links for the correct hotfixes and virus removal tools, and instructions for using them.
Wendy Tate
Network Coordinator - Department of Economics
Michigan State University
101 Marshall Hall
East Lansing, MI 48824
[log in to unmask] 517.355.1816
-----Original Message-----
From: MSU Network Administrators
Group [mailto:[log in to unmask]] On Behalf
Of John Resotko
Sent: Thursday, August 21, 2003
10:15 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many
campus systems port scanning (fwd)
Good morning all,
I just had a visit from a student who recently caught, then disinfected their computer of both Blaster and Welchia worms. Today, when they first connected to the campus network, they get a page saying their DHCP service has been suspended, and that they need to clean their systems before they will be allowed back on the network. I've helped two other "suspended" students clean their machines this morning, but when they return to dhcp.msu.edu and try to check their registration, they are again told they are suspended, and that they have to call the Computer Lab to be reinstated.
While I understand the need to do everything possible to stop the spread of infection, I really wish someone would have warned me to expect this. I didn't see any messages on the host managers, IP managers, or NAG lists that student access would be suspended. I've been handing out instructions to students on how to download the patches, as well as Blastfix.exe and Welchfix.exe from Norton for the last few days. Those instructions are now useless, because students who are suspended can't use the network to get the tools they need to cleanup their machines.
Is there an easier way for students to get their access to the DHCP registry reinstated after they have cleaned up their PCs? If not, you can expect a lot of additional phone calls until the reinstatement process is somehow automated. Any advice you can offer on what we need to tell our students would be greatly appreciated.
John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI 48824-1300
email: [log in to unmask]
Phone: 517-432-6836
Fax: 517-432-6861
>>> [log in to unmask] 08/20/03 07:54PM >>>
Please note: I have now posted today's list of infected computer
systems to the web site listed below. The current list includes
systems which are doing ICMP (ping request) scans, as well as
Microsoft network scans. The ICMP scans are primarily a result
of the "W32.Welchia" worm, whereas the port 135 scans are primarily
from "W32.Blaster". Both worms exploit the MS DCOM
vulnerability.
Doug
Doug Nelson
[log in to unmask]
Network
Manager
Ph: (517) 353-2980
Computer
Laboratory
http://www.msu.edu/~nelson/
Michigan State University
Forwarded message:
Subject: IMPORTANT: Many campus systems port scanning
To: [log in to unmask] (IP Host Managers),
[log in to unmask] (MSU Security
Announce),
[log in to unmask] (MSU Network
Administrators Group)
Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 835
Important message to all campus system and network administrators:
We are experiencing a high volume of Microsoft network scans, coming
from over 450 computer systems on the campus network. In order to
speed up the process of contacting system administrators, the list
of IP addresses has been posted.
Please review the following site for systems under your control:
http://network.msu.edu/msu/portscan.html
Also included are pointers to several resources which may aid in
controlling and removing the viruses/worms involved in these port
scans.
The list of IP addresses will be revised later today, as we gain
further information on the level of port scanning on the campus
network.
Doug
Nelson
[log in to unmask]
Network
Manager
Ph: (517) 353-2980
Computer
Laboratory
http://www.msu.edu/~nelson/
Michigan State University