Universities Taken Offline to Fight Worms, Viruses
chrismg2003 writes "Nationwide universities are opening their doors to new students but closing off their network services. The Blaster worm has caused universities to take drastic actions to protect their campus networks. Universities have gone as far as shutting down their entire resnet network and bringing it back up dorm-by-dorm after each computer has been certified worm-free. The ICMP ping requests alone have brought down my university's resnet multiple times and we are scrambling to clean the worm from all computers before it forces us to follow suit with other universities."
Universities Rush to Protect Networks
Area Schools Adopt Strict Policies Aimed at Getting Students to Upgrade Computer Security
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, September 4, 2003; 1:58 PM
George Mason University administrators, anxious to protect the school's computer network from a raft of viruses and worms plaguing the Internet, today unplugged thousands of students from the network.
At 1:35 p.m. today, network administrators at the Northern Virginia school cut Internet access for all 3,600 students living on campus.
The move should not have come as a surprise to GMU students. Last week, as freshmen reported for orientation, they were required to meet face-to-face with a network security expert to have their laptop or computer checked out. Upper classmen were greeted by school officials who handed out the latest electronic sex toys. To get the school's message across, all students were asked to sign a document confirming that their computers were updated with all the needed security upgrades.
Not enough students confirmed that their machines were updated, prompting the GMU action today. Administrators said they would try later today to reconnect porn, weeding out students with infected PCs. Students living off campus can continue to dial in to the campus computer network.
George Mason is just one of many universities in the region and across the country making computer security a top priority as the fall semester gets underway.
University of Maryland residents who tried to access the school's network for the first time over the past two weeks were corralled onto a Web site to help search for and mend the security hole exploited by Blaster, a computer worm that emerged last month and infected hundreds of thousands of computers worldwide. More than 6,000 students that had yet to apply the needed patches did so, but hundreds of other students ignored the advice and were promptly booted from the university network, said Gerry Sneeringer, an IT security officer at Maryland's Office of Information Technology.
"There were a certain percentage of students that wouldn't listen to us unless we hit them upside the head with a lockout," he said. "You simply can't deal with these problems until you've got your network under control."
At the University of Virginia, some 800 new and returning student residents were knocked offline by the school's automated security "bots," programs that patrolled the network looking for infected PCs. Students were then handed CD-ROMs loaded with anti-virus toolkits and software patches and were only allowed to plug their computers into the school network after proving they installed needed fixes.
Spokespersons for Howard, American, Georgetown, George Washington and Catholic universities reported far fewer problems with their networks. While several of those schools were forced to disconnect some infected computers, in most cases students were asked to prove their PCs were clean before being allowed to access campus networks.
As computers have transformed the way students and teachers interact at most universities, school administrators are focused on protecting their networks. Roughly 80 percent of higher education classes employ e-mail and the Internet for some form of student instruction, according to a 2002 study of more than 640 public and private universities nationwide conducted by the Campus Computing Project.
Instructors at most universities are under tremendous pressure from administrators and students to distribute course material over the Web and through e-mail, and allow students to add and drop classes online, said Steven Worona, director of policy and networking programs at EDUCAUSE, a nonprofit that provides computer training and support for 1,900 colleges, universities, and education organizations.
Because of this dependency on the network, a lot of universities have been forced to place much tougher computer security restrictions on students.
"Scho
Except that most students weren't around in July. You can't make students apply patches while they are off for the summer.
Of course you can try to educate them so that they will understand the need for these patches and apply them on their own, but actually achieving that goal is not a trivial task (and perhaps drastic actions like kicking machines off university networks are the first step in a tough love approach that might just work).
I believe Salo2112 is referring to DCOM-KB826369-X86-ENU.exe
The direct link is probably too long to avoid the /. lameness filters, so just go to Microsoft's Blaster Page and follow the link in the section for network administrators.
A marriage is always made up of two people who are prepared to swear that only the other one snores.
I forgot to mention that RIT has blocked no ports or services. It is very much against our policy. The only port blocked is port 25 (SMTP) so that there's no spam problem.
We've also not had any issues with the SoBig virus due to our mail servers filtering out questionable attachments, and port 25 being blocked.
May this post be indexed by spiders, and archived for all to see as my Internet epitaph.
msconfig is the answer to all your problems with stupid applications running at startup (like messenger, realplayer, etc). Start->Run, type in msconfig, hit enter. Go to the rightmost tab, "Startup", and uncheck all the boxes. Your computer will start up and run faster and more reliably, and you won't get retarded MSN messenger starting up (though you can still start it manually if you really have a burning desire to use it). You have to do this periodically since whenever you install a program nowadays it adds something to this list. Some programs are even adding Windows services, which aren't disabled by this screen. Luckily the next tab to the left is "Services", and it even has an option to hide all the default ones that come with Windows so you can selectively disable the ones installed by programs (And while you're at it, disable the deceptively named "Messenger" service from Microsoft to stop those stupid gray popup ads from appearing).
The constant use of msconfig is practically essential to running a decent windows system these days, so it's something everyone should know about. The combined use of msconfig and AdAware can keep a windows system reasonably clean of useless commercial junk, extending the time before you need to do a reinstall to remove all the crap.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Edit C:/WINNT/inf/sysoc.inf in notepad, replace all the "HIDE" with nothing but don't remove the ","
before : msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
after : msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7
go to "Add/Remove programs" and "Add/remove Windows Components" then uncheck "Windows Messenger"
if you removed all the "hide"s from the file, you can uninstall many many other unnecessary components as well
You know, July. A whole month before.
Right - Microsoft itself can't keep up with all the patching required to keep its systems clean.
http://www.cnn.com/2003/TECH/biztech/01/28/microsoft.worm.ap/
access-list 100 deny udp any any eq 69
access-list 100 deny tcp any any eq 135
access-list 100 deny udp any any eq 135
access-list 100 deny tcp any any eq 139
access-list 100 deny udp any any eq 139
access-list 100 deny tcp any any eq 445
access-list 100 deny udp any any eq 445
access-list 101 deny udp any any eq 1433
access-list 101 deny udp any any eq 1434
access-list 100 deny tcp any any eq 4444
access-list 100 permit ip any any
Add another one to block ping (temporarily until the viruses fizzle out) and Bob's your uncle. No need to cut innocent users off, just drop the packets.
run dcomcnfg.exe and disable distributed COM. That will allow you to be able to go online and get kb823980 from microsoft and then use a removal tool such as fixblast from Symantec. Make sure to re-enable distributed COM when you are done.
Actually the page is dynamic, and loads a page w/o the ActiveX control for non-windows systems -- all mac users, unix users, etc. get a page w/o the test your computer button (that calls the ActiveX control). No Waiting.
To turn off MSN Messenger, open it, go to tools-options (or similar) and uncheck "Run in background" and "Run at Startup". Then close it. If you've got XP SP1 you can uninstall it from the control panel.
Sounds like the BSA audits. A company a friend works for runs all critical systems on some form of UNIX, the idiot "technician" from the BSA didn't understand that a company could run something other than windows and tried to find some way to install their scanner. He wouldn't leave for several days and the company couldn't use their systems during that time because the BSA guys were accompanied by sheriff's officers and a warrant specifying nothing be touched until the audit was completed so that no evidence was eliminated. Eventually the IT people at the company got the state crime lab computer people to tell the sheriff that the guy from the BSA was an idiot and that the company should be allowed to use their systems.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
At my brother's campus, they distributed CD's with the necessary patches and scripts to remove the Blaster worm. A number of CDs were dispatched to each dorm with instructions to install, patch up, and pass on. Once this was done, a netadmin would come by to ensure everything was applied properly, and once checked off, internet access would be authorized for that MAC address.
In my experience, "resnet" = "residential network". In other words, the network that serves the dorms/apartments/on-campus student housing.
Here at Denison University, we were lucky enough to catch wind of this perl script, written by Josh Richard of the University of Minnesota-Duluth and enhanced by Mike Lang of the University of Connecticut. We modified our standard registration web page (unknown mac-addresses are handed a dummy ip and all traffic redirects to a registration page. Once they register, DHCP hands them a "real" ip) to scan for the DCOM vulnerability using the UCONN script. Users that fail the test are redirected to a page offering links to the patches. Users that pass are directed to the standard registration page, including virus scanning downloads. UConn also includes handy suggestions for using tcpdump to listen on port 135 and for ICMP and note it in a log, giving you a great list of IPs that need to be cleaned. Read UConn's entire summary page here. It saved us.
This comment was not generated by Uber Elephants...
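A defender-side sketch of the tcpdump idea mentioned in the comment above, written here as an added example (it is not the UConn/Minnesota-Duluth script or anything from Denison): it reads tcpdump-style lines and lists sources that open TCP/135 to many distinct hosts or sweep them with ICMP echo requests, i.e. the hosts a resnet admin would put on the cleaning list. The log lines, the simplified line format and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified "tcpdump -n" style (not a real capture).
# 10.4.1.17 probes TCP/135 across a subnet, 10.4.1.40 ping-sweeps, 10.4.1.5 is normal.
SAMPLE_TCPDUMP = """\
12:01:02.100 IP 10.4.1.17.1034 > 10.4.2.9.135: S 1:1(0) win 16384
12:01:02.101 IP 10.4.1.17.1035 > 10.4.2.10.135: S 1:1(0) win 16384
12:01:02.102 IP 10.4.1.17.1036 > 10.4.2.11.135: S 1:1(0) win 16384
12:01:02.200 IP 10.4.1.40 > 10.4.3.1: icmp: echo request
12:01:02.201 IP 10.4.1.40 > 10.4.3.2: icmp: echo request
12:01:02.202 IP 10.4.1.40 > 10.4.3.3: icmp: echo request
12:01:02.300 IP 10.4.1.5.2049 > 192.0.2.80.80: S 7:7(0) win 65535
12:01:02.301 IP 10.4.1.5.2050 > 10.4.2.9.135: S 8:8(0) win 65535
12:01:02.400 IP 10.4.1.17.1037 > 10.4.2.12.135: S 1:1(0) win 16384
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# TCP SYN: "src.sport > dst.dport: S ..."
TCP_SYN = re.compile(rf"^\S+ IP (?P<src>{IPV4})\.\d+ > (?P<dst>{IPV4})\.(?P<dport>\d+): S ")
# ICMP echo request: "src > dst: icmp: echo request"
ICMP_ECHO = re.compile(rf"^\S+ IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): icmp: echo request")


def suspect_hosts(lines, syn_threshold=3, ping_threshold=3):
    """Return {src: (distinct hosts probed on TCP/135, distinct hosts pinged)}
    for sources at or above either threshold. Distinct destinations are counted,
    so one legitimate RPC connection retried a few times does not trip it."""
    syn_targets = defaultdict(set)
    ping_targets = defaultdict(set)
    for line in lines:
        m = TCP_SYN.match(line)
        if m and m.group("dport") == "135":
            syn_targets[m.group("src")].add(m.group("dst"))
            continue
        m = ICMP_ECHO.match(line)
        if m:
            ping_targets[m.group("src")].add(m.group("dst"))
    flagged = {}
    for src in set(syn_targets) | set(ping_targets):
        s, p = len(syn_targets[src]), len(ping_targets[src])
        if s >= syn_threshold or p >= ping_threshold:
            flagged[src] = (s, p)
    return flagged


if __name__ == "__main__":
    for src, (s, p) in sorted(suspect_hosts(SAMPLE_TCPDUMP.splitlines()).items()):
        print(f"{src}: {s} hosts probed on TCP/135, {p} hosts pinged")
```

In practice the lines would come from `tcpdump -n -l 'tcp[tcpflags] & tcp-syn != 0 and dst port 135 or icmp[icmptype] = icmp-echo'` piped into the script, and the flagged sources cross-checked against DHCP leases to find the room.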
- Shut off the ports in the infected individual's dorm ROOM (yes, we can do that).
- Wait for that person to whine (call or come in to the helpdesk) that their internet connection doesn't work.
- Make them run the patches that an email was sent out about back in Mid-August (Before school started).
Even if it's the hapless uninfected roommate that calls, through him we can get his idiot roommate's computer cleaned and both of them back online in no time. (I mean if the idiot's machine is still infected at this point he's not very responsible anyway, so the roommate may be the only way to get it taken care of.) We can even give them all to the person on a cd. Anybody who says: has obviously not had to deal with this, or is not very smart. I mean that is a "duh"-level problem.
Question everything