Print

Print
[log in to unmask]">

….along with instructions on how to get your DHCP services unsuspended when complete.

 

John LeTourneau

Information Technology Services

 

The Eli Broad College of Business

Michigan State University

424A Eppley Center

East Lansing, MI 48824-1122

 

Email: [log in to unmask]

Phone:  517.353.1639

Pager:  517.232.2646

Fax:    517.355.0970

 

 

-----Original Message-----
From: Wendy Tate [mailto:[log in to unmask]]
Sent: Thursday, August 21, 2003 10:50 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many campus systems port scanning (fwd)

 

If we want to manage this in this manner, I think it would be a great idea to load up the DHCP ‘service suspended’ page with local links for the correct hotfixes and virus removal tools, and instructions for using them.  

 

 

 

Wendy Tate

Network Coordinator - Department of Economics

Michigan State University

101 Marshall Hall

East Lansing, MI 48824

[log in to unmask]    517.355.1816

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of John Resotko
Sent: Thursday, August 21, 2003 10:15 AM
To: [log in to unmask]
Subject: Re: IMPORTANT: Many campus systems port scanning (fwd)

 

Good morning all,

 

I just had a visit from a student who recently caught, then disinfected their computer of both Blaster and Welchia worms.  Today, when they first connected to the campus network, they get a page saying their DHCP service has been suspended, and that they need to clean their systems before they will be allowed back on the network.  I've helped two other "suspended" students clean their machines this morning, but when they return to dhcp.msu.edu and try to check their registration, they are again told they are suspended, and that they have to call the Computer Lab to be reinstated.

 

While I understand the need to do everything possible to stop the spread of infection, I really wish someone would have warned me to expect this.  I didn't see any messages on the host managers, IP managers, or NAG lists that student access would be suspended.  I've been handing out instructions to students on how to download the patches, as well as Blastfix.exe and Welchfix.exe from Norton for the last few days.  Those instructions are now useless, because students who are suspended can't use the network to get the tools they need to cleanup their machines.

 

Is there an easier way for students to get their access to the DHCP registry reinstated after they have cleaned up their PCs?  If not, you can expect a lot of additional phone calls until the reinstatement process is somehow automated. Any advice you can offer on what we need to tell our students would be greatly appreciated.

 

John A. Resotko
Head of Systems Administration
MSU - Detroit College of Law
208 Law College Building
East Lansing, MI  48824-1300
email: [log in to unmask]
Phone: 517-432-6836
Fax: 517-432-6861

 




>>> [log in to unmask] 08/20/03 07:54PM >>>
Please note:  I have now posted today's list of infected computer
systems to the web site listed below.  The current list includes
systems which are doing ICMP (ping request) scans, as well as
Microsoft network scans.  The ICMP scans are primarily a result
of the "W32.Welchia" worm, whereas the port 135 scans are primarily
from "W32.Blaster".  Both worms exploit the MS DCOM vulnerability.

Doug


Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University


Forwarded message:

Subject: IMPORTANT: Many campus systems port scanning
To: [log in to unmask] (IP Host Managers),
        [log in to unmask] (MSU Security Announce),
        [log in to unmask] (MSU Network Administrators Group)
Date: Wed, 20 Aug 2003 10:58:24 -0400 (EDT)
X-Mailer: ELM [version 2.5 PL2]
Content-Length: 835

Important message to all campus system and network administrators:

We are experiencing a high volume of Microsoft network scans, coming
from over 450 computer systems on the campus network.  In order to
speed up the process of contacting system administrators, the list
of IP addresses has been posted.

Please review the following site for systems under your control:

  http://network.msu.edu/msu/portscan.html

Also included are pointers to several resources which may aid in
controlling and removing the viruses/worms involved in these port
scans.

The list of IP addresses will be revised later today, as we gain
further information on the level of port scanning on the campus
network.

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University