….along with instructions on how to get your DHCP services unsuspended when complete.
John LeTourneau
Information Technology Services
The Eli Broad College of Business
Michigan State University
424A Eppley Center
East Lansing, MI 48824-1122
Email: [log in to unmask]
Phone: 517.353.1639
Pager: 517.232.2646
Fax: 517.355.0970
-----Original Message-----
From: Wendy Tate [mailto:[log in to unmask]]
Sent: Thursday, August 21, 2003 10:50 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many campus systems port scanning (fwd)
If we want to manage this in this manner, I think
it would be a great idea to load up the DHCP ‘service suspended’ page with
local links for the correct hotfixes and virus removal tools, and instructions
for using them.
Wendy Tate
Network Coordinator - Department of Economics
Michigan State University
101 Marshall Hall
East Lansing, MI 48824
[log in to unmask]
517.355.1816
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of John Resotko
Sent: Thursday, August 21, 2003 10:15 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many campus systems port scanning (fwd)
Good morning all,
I just had a visit from a student who recently caught, then disinfected their computer
of both Blaster and Welchia worms. Today, when they first connected
to the campus network, they get a page saying their DHCP service has been
suspended, and that they need to clean their systems before they will be
allowed back on the network. I've helped two other "suspended"
students clean their machines this morning, but when they return to
dhcp.msu.edu and try to check their registration, they are again told they are
suspended, and that they have to call the Computer Lab to be reinstated.
While I understand the need to do everything possible to stop the spread of infection,
I really wish someone would have warned me to expect this. I didn't see
any messages on the host managers, IP managers, or NAG lists that student
access would be suspended. I've been handing out instructions to students
on how to download the patches, as well as Blastfix.exe and Welchfix.exe
from Norton for the last few days. Those instructions are now useless,
because students who are suspended can't use the network to get the tools they
need to clean up their machines.
Is there an easier way for students to get their access to the DHCP registry
reinstated after they have cleaned up their PCs? If not, you can expect a
lot of additional phone calls until the reinstatement process is somehow
automated. Any advice you can offer on what we need to tell our students would
be greatly appreciated.
John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI 48824-1300
email: [log in to unmask]
Phone: 517-432-6836
Fax: 517-432-6861
>>> [log in to unmask] 08/20/03 07:54PM >>>
Please note: I have now posted today's list of infected computer
systems to the web site listed below. The current list includes
systems which are doing ICMP (ping request) scans, as well as
Microsoft network scans. The ICMP scans are primarily a result
of the "W32.Welchia" worm, whereas the port 135 scans are primarily
from "W32.Blaster". Both worms exploit the MS DCOM
vulnerability.
Doug
Doug Nelson [log in to unmask]
Network Manager Ph: (517) 353-2980
Computer Laboratory
http://www.msu.edu/~nelson/
Michigan State University
Forwarded message:
Subject: IMPORTANT: Many campus systems port scanning
To: [log in to unmask] (IP Host Managers),
    [log in to unmask] (MSU Security Announce),
    [log in to unmask] (MSU Network Administrators Group)
Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 835
Important message to all campus system and network administrators:
We are experiencing a high volume of Microsoft network scans, coming
from over 450 computer systems on the campus network. In order to
speed up the process of contacting system administrators, the list
of IP addresses has been posted.
Please review the following site for systems under your control:
http://network.msu.edu/msu/portscan.html
Also included are pointers to several resources which may aid in
controlling and removing the viruses/worms involved in these port
scans.
The list of IP addresses will be revised later today, as we gain
further information on the level of port scanning on the campus
network.
Doug Nelson [log in to unmask]
Network Manager Ph: (517) 353-2980
Computer Laboratory
http://www.msu.edu/~nelson/
Michigan State University