Education Security

Universities Taken Offline to Fight Worms, Viruses

chrismg2003 writes "Nationwide universities are opening their doors to new students but closing off their network services. The Blaster worm has caused universities to take drastic actions to protect their campus networks. Universities have gone as far as shutting down their entire resnet network and bringing it back up dorm-by-dorm after each computer has been certified worm-free. The ICMP ping requests alone have brought down my university's resnet multiple times and we are scrambling to clean the worm from all computers before it forces us to follow suit with other universities."
  • by inertia187 ( 156602 ) * on Thursday September 04, 2003 @05:47PM (#6874145) Homepage Journal
    Can we get the ISPs to do this too? It'd be really great if they'd just turn off a tiny manageable chunk of infected users and wait for them to call support. Support could then tell them to patch, or upgrade, or get some other type of clue. A really with-it ISP could just replace the web page the user wanted with a page that tells them to get with it.

    Problem is, any plan will cost money to support. Worse, it might prompt the users to just cancel their service. I can't imagine ISPs like that idea. At least with the universities, the students have no choice, pretty much.
    • by The_K4 ( 627653 ) on Thursday September 04, 2003 @05:53PM (#6874205)
      ISP Guy: Your computer's infected, get a patch.
      Customer: I can't download the patch, you've turned off my internet access

      That could be a problem :)
    • by AuMatar ( 183847 ) on Thursday September 04, 2003 @05:58PM (#6874251)
      No. My computer is patched, and I pay for web access. I will NOT put up with being shut down for no reason. Either they need to target the virus vectors, or don't do it at all. The minute my machine is ever turned off because someone near me has a virus is the minute I cancel my account and change providers.
      • by Lemmy Caution ( 8378 ) on Thursday September 04, 2003 @06:35PM (#6874566) Homepage
        Of course, you get to go right past airport security without stopping, too, because you know you're not a terrorist. Right?
    • by Anonymous Coward
      Sbcglobal is doing something very similar. They redirect all http requests (of computers with high traffic on port 135) to a page they have set up that tells how to download and install the correct patch.
    • It would be nice if somebody would write a patching program for MSBlast that would automatically run on all of the hosts on a certain subnet and patch them one by one. It would saturate the network, but it would save the IT department precious appointments.
      With all of the variants of msblast out there, there must be source code for the exploit someplace that someone could use to write a "friendly" patch program.
      • by BRTB ( 30272 ) <slashdot@nOsPam.brtb.org> on Thursday September 04, 2003 @06:08PM (#6874348) Homepage
        They did, it's called W32/Nachi. Useless, just as destructive as the first one. Completely flooded out the network at the local Comm College here, we were sending out 20Mbit worth of random ICMP traffic Tuesday morning within about 15 minutes of the usual work-start-time before we caught it. Still working on getting rid of it internally... (no I'm not the sysadmin, just helpdesk)
        • Did you read my post??

          One host at a time

          The "friendly" variant of MSBlast does every host at once and yes, creates a shitload of traffic to download the patch from Microsoft.
          My point is that the traffic should be contained on the LAN, which is much faster and less expensive than grabbing the patch over the internet.
    • Too mechanical (Score:5, Interesting)

      by Tor ( 2685 ) on Thursday September 04, 2003 @06:01PM (#6874286) Homepage
      Tech support services are basically overhead at an ISP (as far as increased service burden, ultimately cost to you). The easier you make the service, and the less dependent on tech support, the better for its consumers.

      Indeed, if you call your favorite big ISP's tech support, they are unlikely to provide real help anyway (little technical insight, low pay, high turnover). Adding the extra burden of instructing the user how to un-infect their computer on something mechanical like individual telephone tech support would not help matters.

      I favor the idea of cutting off infected customers. But I think the mechanism of getting customers back online should not involve the customer having to figure out that they need to call tech support - at least not first. The better way to support them is to redirect ALL HTTP requests from these customers to an ISP-provided site, which in turn informs the customer that they are seeing this page because their network access has been lost due to a virus problem on their computer.

      That's the way that AT&T got customers off their @Home services (e.g. static IP addresses, dns/nntp/pop3/imap server information, etc etc). All HTTP requests went to a canned page. All usenet newsgroups at the old NNTP server contained a single message - one that instructed the customer to reconfigure their NNTP settings. All requests from non-DHCP provided IP addresses were directed to an appropriate placeholder.

      • Here's a solution (Score:3, Insightful)

        by geekoid ( 135745 )
        Toss a webpage up that says:
        "We detected MSblaster on your machine, please go to Microsoft support, and download the appropriate patch"

        Just let it sit there for 60 seconds, then let them continue on.

        After they hit the site three times, send them an email with directions. Always point towards Microsoft support.
        All this can be automated pretty darn quickly.
        • by Karl Cocknozzle ( 514413 ) <kcocknozzleNO@SPAMhotmail.com> on Thursday September 04, 2003 @07:10PM (#6874860) Homepage
          Toss a webpage up that says:
          "We detected MSblaster on your machine, please go to Microsoft support, and download the appropriate patch"

          I think this is a brilliant world. Unfortunately, there are already some sleazy companies who have pop-up ads that say the same thing. (ie. "You're infected with MSBlaster, patch your machine, then protect yourself permanently with (whatever the company's product is called.)"

          You could also exploit a common NT hole by sending an NTMESSENGER message to them. (ie. "Message from Root@yourdomain.com: Your machine has been infected with a virus, please visit Windows Update to apply the patch ASAP.) ...But of course that would probably not have much in the way of positive effect, and would annoy plenty of people as well.
    • by Anonymous Coward
      Last night I installed W2K on a VMware virtual machine. The vmnetX devices weren't playing nice with iptables so I disabled my host based firewall to download SP4. This morning I got an e-mail from Speakeasy telling me they've received complaints about Blaster propagating from my IP! They gave instructions on how to fight the thing and told me they might have to block my service until the problem was taken care of. So yes, ISPs are willing to do what it takes.
    • by colinramsay ( 603167 ) on Thursday September 04, 2003 @06:07PM (#6874332) Homepage
      Here in the UK, NTL did just that. I'd taken down our firewall for about five minutes and in that time we contracted Blaster, which promptly got eaten by Welchia. I scanned for Blaster and applied the MS patch but didn't scan for Welchia...

      Next day, we try and go online only to be redirected to http://outbreak.ntli.net/ which told us they'd found that we were transmitting loads of data... they gave us links to blaster and welchia scanners and the MS patch. Until we stopped transmitting we weren't going to be allowed onto the net at large.

      Upon removing Welchia we were promptly allowed back online. I've never been very impressed with NTL before, but this sort of decisive action was very impressive.
    • This ISP does (Score:4, Interesting)

      by nathana ( 2525 ) on Thursday September 04, 2003 @06:16PM (#6874408)
      I work in Technical Support for a local ISP here that provides access via dial-up, DSL, and terrestrial wireless (802.11b mostly, but also Turbocell, Trango & Motorola 5GHz solutions as well for backhaul links and bigger clients), and we also supply net access to a few apartment complexes and student housing facilities in the area (college town ISP).

      Ever since Welchia hit, we have been doing exactly what is being described here: kicking off individual customers and even shutting off entire chunks of our network when it is discovered that a particular user or a large group of users are infected with Welchia and spewing their worm-related ICMP crap all over creation. We've had to take down entire apartment complexes and have people go door-to-door with CDs containing the removal tools and MS patches before bringing them back up.

      I'm not certain how many people outside of the ISP technical support world know just how much of a PAIN Blaster and Welchia have been FOR technical support departments. Welchia came out, what, 2-3 weeks ago?, and although for the most part the majority of people are not seeing their effects anymore, these worms *are* still alive and kicking, and I don't see the end in sight anytime soon...our incoming calls have skyrocketed ever since the worms were released and especially after we found we had to take the drastic actions that we have had to take, and they have not waned yet!

      We're going to be forced to continue to deal with these annoyances (-- understatement) for a long time to come.
  • I wonder if they're checking each machine for mp3s & other RIAA/MPAA type material too. :P
  • Much wasted effort, probably to be repeated at least annually, could be avoided by insisting that students upgrade to a more secure operating system.
    • by abh ( 22332 ) <ahockley@gmail.com> on Thursday September 04, 2003 @05:51PM (#6874180) Homepage
      > upgrade to a more secure operating system. If you mean Linux, I assume you somehow are going to fund training all the students how to use it, along with getting all of the school's faculty and staff to support it, along with providing for Linux patch management efforts. Yeah, right. Back to the real world we go...
      • Aren't university students supposed to be intelligent?
        • Aren't university students supposed to be intelligent?

          You haven't been to a university lately, have you? Think "high school, but bigger and you're allowed to have alcohol."
      • Seems to me that students coming from the Mac world (many high schools are Mac only) have no problems switching to windows when their university requires it.

        What makes it so difficult for them to run lindows instead?
      • > If you mean Linux, I assume you somehow are going to fund training all the students how to use it, along with getting all of the school's faculty and staff to support it, along with providing for Linux patch management efforts. Yeah, right. Back to the real world we go...

        Insightful? That isn't insightful, that's just plain flamebait. Obviously you've never even tried using Linux! There's nothing difficult about it at all - KDE and Gnome look enough like Windows that anyone familiar with Windows ca

  • If they shut down the campus networks, how will the students download all the music and movie files they need to start the semester off right? ;)
  • Linux (Score:5, Interesting)

    by Anonymous Coward on Thursday September 04, 2003 @05:51PM (#6874179)
    This situation has affected me. I wonder how they will certify my Linux computer. They can't run their security checker stuff on it, as it doesn't even run windows. I may have to put up a patched XP install just to regain network access. Anyone got a spare copy to donate?
    • Re:Linux (Score:5, Informative)

      by afidel ( 530433 ) on Thursday September 04, 2003 @07:48PM (#6875095)
      Sounds like the BSA audits. A company a friend works for runs all critical systems on some form of UNIX, the idiot "technician" from the BSA didn't understand that a company could run something other than windows and tried to find some way to install their scanner. He wouldn't leave for several days and the company couldn't use their systems during that time because the BSA guys were accompanied by sheriff's officers and a warrant specifying nothing be touched until the audit was completed so that no evidence was eliminated. Eventually the IT people at the company got the state crime lab computer people to tell the sheriff that the guy from the BSA was an idiot and that the company should be allowed to use their systems.
  • Nationwide universities are opening their doors to new students but closing off their network services. The Blaster worm has caused universities to take drastic actions to protect their campus networks. Universities have gone as far as shutting down their entire resnet network and bringing it back up dorm-by-dorm after each computer has been certified worm-free.

    Geez, this gives that old joke about the guy yelling from the back of the auditorium, "Get a Mac!" new life.

  • My friend attends SUNY Maritime in New York and said that his school shut down their network to solve the problems and just got internet today. I was extremely surprised, as I think it's a very far-reaching solution to a small problem.

    I still haven't moved into my dorm, so I guess I'll have to find out when I go in. I have friends at RIT, West Conn, RPI, Marist, UCONN, NYIT, University of Rochester, and Elizabethtown College and none of them have trouble with their internet connections (I'm assuming this
  • by fupeg ( 653970 ) on Thursday September 04, 2003 @05:56PM (#6874225)
    You should get a partial tuition refund if you don't use Windows, and thus the university's IT doesn't have to worry about you.
    • You should get a partial tuition refund if you don't use Windows, and thus the university's IT doesn't have to worry about you.

      Since when does using Linux mean IT doesn't have to worry about you? A friend of mine set up a Linux box a few years ago. ITS showed up at his office and shut his computer down because it was (unintentionally) DDoSing the DHCP server.

      I'm a Linux user as well, but I certainly don't think that it solves all problems. Should knowledgeable Windows users who keep their systems pat
  • Say what? (Score:5, Insightful)

    by ldm ( 676254 ) on Thursday September 04, 2003 @05:56PM (#6874227)
    "I think we really need to groom a new type of student who is responsible for their computer security," said Kathy Gillette, manager of George Mason University's beleaguered tech support center. "A lot of them lived at home and mom or dad took care of the computer so they've never learned how to fix them, but hopefully we'll be able to teach them that too."
    *blink* I have yet to encounter a situation where a college-level student has their home computer taken care of by a parent... quite the opposite, usually. WTF?
    • Re:Say what? (Score:3, Insightful)

      by RatBastard ( 949 )
      What you don't understand is that most of these computers are never repaired. They aren't patched and they are never cleaned of virii or spyware.
  • I actually am a network technician at a university right now, and basically the problem with the current issues is that the students don't know the proper security measures, like patching their systems. The majority of students that I have disinfected haven't run Windows Update, ever! They usually also have out of date anti-virus definitions, and now a firewall is looking like more of a necessity. If they would realize this, then the problems wouldn't be as widespread.
  • by lordbry ( 46768 ) on Thursday September 04, 2003 @05:56PM (#6874231)
    At the University I work at, this year they are just restricting resnet students from running what are deemed "Server" services on ports below 1024, such as shared drives or telnet daemons. However, above 1024, the students can run whatever services they want, so the ones who know what they are doing will run ssh up there. Also, the school has central servers that can run things (like web pages) for the students that are quite sufficient (speaking as a former student).

    Next year, however, there is discussion of implementing something like checking all the dorm machines before they are allowed on the network... We have 40,000 undergrad students, so if even 1/4 are living on campus that will be quite a chore, but it is being discussed, and will happen.

    One of the computing directors even told me the only reason it wasn't done this year was because they could not get the cd's for staff cut in time. I just want to know where they are going to get the army of staff that would be needed on Labor day weekend to do this.
  • As I mentioned in that Ask Slashdot question a while back about handling this sort of thing, one could VERY easily set up VLANs on managed network equipment.

    Joe User plugs in his desktop. His machine starts spewing garbage, which gets detected either at a border or by honeypots. Script runs, switches Joe User's network jack to a secure VLAN which is heavily firewalled and only allows him to get antivirus updates, removal tools, etc.

    Of course, this requires you use managed hubs/switches. If you're not

  • Even for those of us who still use MS operating systems regularly. Boot up, with your hand over the floppy drive light: "it's Linux, 'k?"

    Surely they have routers and not just switches tying each wing into the network. So I wonder why, instead of spending all these hours on manpower for the current worms, they don't just block ports 445, 135-139. Do they really need them on the residential network?

    • So I wonder why, instead of spending all these hours on manpower for the current worms, they don't just block ports 445, 135-139. Do they really need them on the residential network?

      Don't forget ICMP echo requests for the Welchia crap and port 25 for Sobig virus spamming everyone. Oh hell, just block all the ports and require everyone to use an authenticated web proxy with content filters and you even cut out P2P file sharing!

  • Our Solution (Score:5, Interesting)

    by RedSynapse ( 90206 ) on Thursday September 04, 2003 @05:58PM (#6874247)
    I posted this before but it's still relevant..

    I work for tech support for a large (30,000+ students) university. This fall we're expecting as many as 30 percent of the machines coming to residence to be infected with a worm.

    To defend against this we're going to scan all machines over the network during the registration process and if the machine is vulnerable the browser will get redirected to a webpage with the relevant patches which the client must apply. If they don't apply the patch they won't be able to connect to anything but our internal authentication vlan.

    One of the reasons our networks get hammered during any worm incident is that there are so many machines connected to the network that just aren't patched ever.. Eventually we just have to manually shut down the ports infected machines are connected to and wait till clients call to complain to explain why they've been disconnected.
  • I'm a freshman at University of Maryland, College Park, and overall I think their policy is very straightforward and simple. They haven't bother shutting off sections of the network or anything like that - they don't need to. When you bring in your computer from home, you have to register it (I think it's done on a MAC address basis). One of the requirements of registration is that you have to apply all of the patches for the recent Blaster, SoBig, etc. viruses. Granted, this isn't going to do much in t
  • by BabyDave ( 575083 ) on Thursday September 04, 2003 @06:00PM (#6874264)

    At the university where I work, the main campus is in the middle of an XP rollout, and the builds being installed didn't have the patch applied. Hosed the network so badly that remote updating wasn't possible - all the techs have been frantically running around with patch disks for the last few days.

    Fortunately, the campus where I'm based is mostly on Win 9x, and we managed to get most of the rest of them patched before many were infected. We thought that we'd got them all, but we were still seeing ridiculous ICMP traffic. The networking people checked the traffic logs, and the PCs were identified.

    They belonged to two of the Technical Support staff.

    • by JimmytheGeek ( 180805 ) <jamesaffeld@yaho ... m minus math_god> on Thursday September 04, 2003 @06:28PM (#6874520) Journal
      sometimes the techs are so harried for time that they don't get around to patching their own shit.

      Sometimes they are so lame they can't be bothered to wipe their own asses, either...

      Still, what a professional embarrassment!
    • We got hit by Nachi as well. Students came in Saturday. We figured there would be problems with these, but didn't realize the extent of it, so we weren't too proactive. We made a CD image with the MS patch and the Symantec cleaners for the different variants, and a batch file and autorun.inf to make sure it all ran when the CD was inserted. 5,000 or so copies were distributed (I love the high-speed duplicator with robotic arm) to be handed out at dormitory check-in with an instruction sheet that basical
  • by I_am_Rambi ( 536614 ) on Thursday September 04, 2003 @06:00PM (#6874271) Homepage
    I go to a decent size university (about 3000 students) they recently got hit by all the worms. Working for the computer services department, we were busy with the back to school issues and also with the worm. In creating our images, we have set the virus software to update daily around 9am (I think) with a randomization of about 3 hours. This was one defense against the worm.

    Another defence was through the problem reports, since the campus provides computers for every dorm room. Upon submission of the problem, sometimes we would go reimage the system with the fix. Other times we would run some virus software to remove it and then the fix. After a few days, after we had figured out the fix, we sent out an email to the entire student body with the fix and with a removal program.

    On the network end, port 139 is still currently blocked since that was one way that it spread. We have yet to totally get rid of the worms, but we are almost there.

    With the other viruses, the server team quickly blocked all attachments with the pif extension, and a few others. This worm was pretty much stopped before it had a chance to grow on the network.

    My university never shut down dorms or the network of any sort to stop the worm. We have maintained an active role with virus software with our own ftp server for the definitions. Our server is also updated twice a day to help prevent any more outbreaks.

    Even though the worms were all across campus, having many people work on the stopping and blocking the transmission of the worm, I think, helped keep my university's network up.
  • UC Berkeley (Score:4, Interesting)

    by rritterson ( 588983 ) * on Thursday September 04, 2003 @06:00PM (#6874272)
    At UCB the campus wide network (not just the resnet) is on alert for infected machines. If one is found, it is denied access until a sysadmin comes out and cleans it. They've sent several warning messages prior to doing this. The news release is here [berkeley.edu]
  • Off-topic. How do I view my comments that I submitted previously to my latest 24? TIA.
  • The worms have crashed the network for several hours. Now the Computer Center admins put the entire dorms network behind a separate firewall blocking ICMP and ports 135/139. I've seen the packet counts from the net admin, and it's scary! I suggested they disconnect all infected users and reconnect them only after applying patches, but they don't want to mess with that.
  • I'm at NDSU [ndsu.edu] in Fargo (insert obligatory joke here), and for once ITS had a semi-intelligent solution. They found some way (haven't had a chance to ask for specifics) to find out when a computer was infected (or even vulnerable, I hear), and then they just denied that MAC address an IP from the DHCP server. Once it's cleaned up, you call or email them and they put you on the list to be reactivated. Of course, it's a bit bothersome when you have to wait overnight to get a PC back online, but it's better than

  • by randyest ( 589159 ) on Thursday September 04, 2003 @06:06PM (#6874331) Homepage
    The action seems perfectly reasonable to me:

    To get the school's message across, all students were asked to sign a document confirming that their computers were updated with all the needed security upgrades. Not enough students confirmed that their machines were updated, prompting the GMU action today. Administrators said they would try later today to reconnect dorms, weeding out students with infected PCs. Students living off campus can continue to dial in to the campus computer network.

    Looks like the kids are getting a decent deal on virus-removal and system updates too:

    Students are being charged $30 if a university technician is called in to clean an infected machine, a school spokesman said. Students can go to off-campus experts for a fix but must certify that their computers are updated with the latest security fixes before being allowed to access the campus network.

    Hmph, I can't find anything wrong here. Of course, there are a couple of choice quotes from the kids who, I believe, are our future:

    Kimberly Borchert, a 19-year-old sophomore, said her computer "freaked out" as soon as she plugged it into the school's network last week.

    Freshman Andrew Canose was one of several GMU students who encountered problems after installing the university-provided anti-virus software. Canose found the new program conflicted with an older anti-virus program already on his computer. "My computer is like at war with itself and won't work," he said.


    But my favorite lines are from the admins, such as this gem:

    "I think we really need to groom a new type of student who is responsible for their computer security," said Kathy Gillette, manager of George Mason University's beleaguered tech support center. "A lot of them lived at home and mom or dad took care of the computer so they've never learned how to fix them, but hopefully we'll be able to teach them that too."

    And the classic:

    "There were a certain percentage of students that wouldn't listen to us unless we hit them upside the head with a lockout," he said. "You simply can't deal with these problems until you've got your network under control."


  • Saying that everyone should switch operating systems is not the answer to the problem. Although Windows has more than its share of problems, other operating systems aren't flawless. If everyone went out tomorrow and switched to a Mac or Linux I can promise you that the number of viruses and worms for these systems would go through the roof. Considering that an average user either a. doesn't know how, or b. even bothers trying to use something as simple as Windows Update, do you really think they are going
  • If these schools have to resort to shutting down their entire networks then they seriously need a change in staff or an increased IT budget. I previously went to San Jose State in CA, the definition of completely incompetent school, and they had a system that automatically shut down ports with excess traffic, port scanning apps, and viruses. It then put a help desk ticket in to have a techie go talk to the student. This is the way to do it. Shutting down the whole network is not necessary.
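
The automatic approach several comments in this thread describe (spot a host spewing worm traffic, then isolate its switch port or VLAN and open a ticket) can be sketched as follows. This is an added example, not any poster's or university's code; the log format, thresholds, VLAN id and jack map are assumptions, and the sample log is constructed.

```python
"""Flag resnet hosts whose traffic looks like worm scanning, then plan isolation.

Added example: log format, thresholds, VLAN id and jack map are assumptions.
"""
from collections import defaultdict
from datetime import datetime
import re

# Traffic the thread associates with the worms: TCP 135-139 and 445 for
# Blaster-style scanning, ICMP echo sweeps for Welchia/Nachi.
WORM_TCP_PORTS = set(range(135, 140)) | {445}
WINDOW_SECONDS = 60        # assumed tumbling window
MIN_DISTINCT_TARGETS = 5   # assumed fan-out threshold per window
QUARANTINE_VLAN = 999      # hypothetical remediation VLAN id
EPOCH = datetime(1970, 1, 1)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<proto>tcp|udp|icmp)/(?P<detail>\S+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, detail) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["src"], m["dst"], m["proto"], m["detail"]


def signature(proto, detail):
    """Name the worm-like pattern a single flow could belong to, if any."""
    if proto == "icmp" and detail == "echo-request":
        return "icmp-sweep"
    if proto == "tcp" and detail.isdigit() and int(detail) in WORM_TCP_PORTS:
        return "rpc-smb-scan"
    return None


def flag_hosts(lines):
    """Flag sources that reach many distinct targets within one window.

    Counting distinct destinations (not packets) keeps a host that pings
    its gateway repeatedly, or mounts a few file shares, off the list.
    """
    targets = defaultdict(set)  # (src, signature, window) -> destinations
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, proto, detail = rec
        sig = signature(proto, detail)
        if sig is None:
            continue
        window = int((ts - EPOCH).total_seconds()) // WINDOW_SECONDS
        targets[(src, sig, window)].add(dst)

    flagged = defaultdict(set)
    for (src, sig, _window), dsts in targets.items():
        if len(dsts) >= MIN_DISTINCT_TARGETS:
            flagged[src].add(sig)
    return {src: sorted(sigs) for src, sigs in flagged.items()}


def quarantine_plan(flagged, jack_map):
    """Map each flagged host to a switch-port action or a help-desk ticket."""
    plan = []
    for src in sorted(flagged):
        jack = jack_map.get(src)
        if jack is None:
            plan.append((src, None, "unknown jack: open help-desk ticket"))
        else:
            plan.append((src, jack, f"move to VLAN {QUARANTINE_VLAN}"))
    return plan


# Constructed sample flow log (not real traffic).
SAMPLE_LOG = (
    # Scans TCP 135 on eight hosts in one minute: flagged.
    [f"2003-09-04T09:00:{i:02d} 10.1.2.15 -> 10.1.7.{i} tcp/135" for i in range(1, 9)]
    # ICMP echo sweep over six hosts in one minute: flagged.
    + [f"2003-09-04T09:01:{i:02d} 10.1.3.40 -> 10.1.8.{i} icmp/echo-request" for i in range(1, 7)]
    # Ten pings to a single gateway: one target, not flagged.
    + [f"2003-09-04T09:02:{i:02d} 10.1.4.22 -> 10.1.0.1 icmp/echo-request" for i in range(1, 11)]
    # Three file shares on TCP 445: below threshold, not flagged.
    + [f"2003-09-04T09:03:{i:02d} 10.1.5.9 -> 10.1.9.{i} tcp/445" for i in range(1, 4)]
    + ["garbage line that the parser skips"]
)

# Hypothetical IP-to-jack inventory; 10.1.3.40 is deliberately missing.
JACK_MAP = {"10.1.2.15": "dormA-sw1:Fa0/12"}

if __name__ == "__main__":
    for entry in quarantine_plan(flag_hosts(SAMPLE_LOG), JACK_MAP):
        print(entry)
```

A scan slower than one new target per window stays under this threshold, so the window and fan-out values need tuning against a site's own traffic.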
  • by Empiric ( 675968 ) * on Thursday September 04, 2003 @06:10PM (#6874364)
    I got hit with the W32.Welchia.Worm today.

    Yes, yes... install all patches, etc. The thing is, Microsoft is releasing security patches at an alarming rate at this point, and XP's Automatic Update seems profoundly dumb... I could swear I've downloaded the same security updates 3 times now, since it apparently either doesn't detect whether you already downloaded them (I can't always install-and-reboot in the middle of my work), or there's a ongoing stream of new revs to the patches, without them stating such.

    And now, MSN Messenger keeps informing me that there's a "Critical Security Update" with a link to a download page (naturally, I can't reply to the message...), and going there informs me that I must set up a .NET Passport before I can do anything.

    All I want to do is turn MSN Messenger off. Close, disable, whatever. Version 7 seems to have no method of preventing it from connecting and giving me a bunch of messages when I connect to the internet. Try exiting it, it says it's in use by another application, even when I have none open. Select anything regarding its startup options in the options menu, still comes up. I've now gone ahead and uninstalled it using Add/Remove Programs, though I'm reluctant to do that in case I need to communicate with a client using it at some point.

    This is truly annoying. It seems that in effect, Microsoft is zealously forcing me to maintain my vulnerability to exploits, by insisting I continually use their Messenger (Yahoo IM works just fine for me, thank you...). They nicely give me the alternative of updating, to do which I need to sign up for .NET Passport, which has also been cracked, and potentially sensitive user information taken.

    At least in most areas, you can choose to avoid a vulnerability-laden application. It seems the Microsoft solution to their insecure software is just to go ahead and force you to use it.

    Argh. Does anyone know how I can just turn off MSN Messenger? TIA!

    (Disclaimer: My personal experience, Microsoft used fictionally, MS lawyers are good people, etc...)
    • by Spy Hunter ( 317220 ) on Thursday September 04, 2003 @06:51PM (#6874710) Journal
      msconfig.

      msconfig is the answer to all your problems with stupid applications running at startup (like messenger, realplayer, etc). Start->Run, type in msconfig, hit enter. Go to the rightmost tab, "Startup", and uncheck all the boxes. Your computer will start up and run faster and more reliably, and you won't get retarded MSN messenger starting up (though you can still start it manually if you really have a burning desire to use it). You have to do this periodically since whenever you install a program nowadays it adds something to this list. Some programs are even adding Windows services, which aren't disabled by this screen. Luckily the next tab to the left is "Services", and it even has an option to hide all the default ones that come with Windows so you can selectively disable the ones installed by programs (And while you're at it, disable the deceptively named "Messenger" service from Microsoft to stop those stupid gray popup ads from appearing).

      The constant use of msconfig is practically essential to running a decent windows system these days, so it's something everyone should know about. The combined use of msconfig and AdAware can keep a windows system reasonably clean of useless commercial junk, extending the time before you need to do a reinstall to remove all the crap.

    • Edit C:/WINNT/inf/sysoc.inf in notepad, replace all the
      "HIDE" with nothing but don't remove the ","

      before : msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
      after : msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7

      go to "Add/Remove programs" and "Add/remove Windows Components" then uncheck "Windows Messenger"

      if you removed all the "hide"s from the file, you can uninstall many many other unnecessary components as well
    • To turn off MSN Messenger, open it, go to tools-options (or similar) and uncheck "Run in background" and "Run at Startup". Then close it. If you've got XP SP1 you can uninstall it from the control panel.
  • Here in Mexico, at my university (ITESM), there is a scanner running every 30 minutes. If it detects you are infected with the Blaster worm, your network access is revoked. You have to go to the IT department so they can check your computer and certify it virus-free.
    Also, every time you go into the school's web site, a pop-up window appears with instructions on how to install Norton AV and keep it updated.
    Because of these worms/virii, the network has been down intermittently for the last 4 weeks.
  • remove computers from the internet, limit access to systems, and ...wait that is what these scripts were written to do.

    No, the terrorists are winning!
  • Funny, that. (Score:2, Interesting)

    by wretched22 ( 231780 )
    It's not just universities doing this. My girlfriend lives in an apartment complex (primarily students) in which they have a complex-wide wireless network (Airwave, I believe). Anyhow, their network has not worked longer than 15 minutes at a time for the past 2 weeks. The apartment managers turned off the network access to everyone this past Friday and required everyone to install patches, virus scanners, "Service Pack 1", etc., and turn in a signed affidavit that this has been done in order to get inter
  • I work for Residential Computing at Kansas State University (it is a student position). We really haven't had too much trouble. Yes people have had blaster, but we did a pretty good job with an educational campaign as the dorms were opening. In instructing people to install fixes before hooking into the network. Those unfortunate souls who could not obey simple instructions had their port shut off until an employee got around to installing fixes for them.

    Was it a hassle? Yeah, it definitely was, but to
  • Yes, I know it's not "hep" to RTFA, but the following struck me as interesting:

    "I think we really need to groom a new type of student who is responsible for their computer security," said Kathy Gillette, manager of George Mason University's beleaguered tech support center. "A lot of them lived at home and mom or dad took care of the computer so they've never learned how to fix them, but hopefully we'll be able to teach them that too."

    This raised two points in my mind:

    1. Young people raised on a MS Wi
  • UW Labs (Score:5, Interesting)

    by jeeryg_flashaccess ( 456261 ) on Thursday September 04, 2003 @06:20PM (#6874447) Homepage Journal
    The UW labs in Seattle were hit real hard by the Blaster worm. Thus, the UW campus network was a mess for a bit. Main causes: First, students can use the computers for whatever they want... i.e. the computers are very open. Second, IT didn't patch the computer.

    Now you may wonder why I said "computer" and not "computers". Well, here is why... the UW has an imaged drive lab. So one computer is used to push updates to EVERY single computer. Every time a student logs off a computer the hard drive is made fresh again (cleaned) by the master server. That ensures proper working order and minimum IT staff work. Anything the student installed is erased too.

    Single point of failure anyone?
  • by reallocate ( 142797 ) on Thursday September 04, 2003 @06:27PM (#6874506)
    Colleges, like the rest of society, expect students to behave in accord with established standards, or face the consequences. Violate those standards -- steal test questions, set fire to the library, etc. -- and you will be held responsible for your behavior.

    There's no reason why behavior with a computer should be exempt.

    If some college kid physically damaged hardware in his school's server farm and took the network down, the school might very well sue him to recover their financial losses.

    Likewise, any student who deliberately releases a virus, worm, etc., on a school network ought to be held financially responsible for the damage.

    Schools (and any other institutions) should establish "standards of behavior" (e.g., required protective software, avoidance of banner servers, etc.) and hold students who violate those standards responsible for their share of the damages.
  • Problem solving, (Score:3, Insightful)

    by miffo.swe ( 547642 ) <daniel...hedblom@@@gmail...com> on Thursday September 04, 2003 @06:40PM (#6874608) Homepage Journal
    Identify what is the source of the problem and then get rid of it. In this case I think demanding safer systems would be a wise solution. Just cut off the bozos who have infected computers.

    That should make Linux etc. popular. Every Windows user has to stare at their empty NIC while the nerds just keep using the network as usual.
  • by LogicX ( 8327 ) * <slashdot@logi c x .us> on Thursday September 04, 2003 @06:40PM (#6874615) Homepage Journal
    I work for RESNet at Rochester Institute of Technology [rit.edu]. We've implemented a pretty good solution which has stopped no-one from internet access for any extended period of time.

    Every PC on our network must go to start.rit.edu (when they plug in they get a temporary 10. IP, which can only access select servers, and other machines on their subnet). At the start.rit.edu page we've coded an activex control which checks the version numbers of the RPC DCOM patched files (We compiled a list of every major windows version, every service pack, pre/post RPC DCOM patch). If the user is not patched, they are redirected to a page indicating which patches they must download/install off our server -- we also have allowed the users to access windows update through a proxy (if IE auto proxy detection is turned on).

    Finally we've coded a program, and put it on a CD entitled the RIT Windows Resource Kit. The program automatically detects their OS version, and upon them clicking a button, runs ipconfig /release to get them off the network, installs any and all necessary patches, installs the university-licensed mcafee antivirus, updates the definitions, and prompts them to restart at appropriate moments. Also on the CD for severe cases we have all the individual updates, and the Stinger virus remover.

    We also have RIT servers on campus whose logs are parsed on an hourly basis, and any machine which has connected to it in an attempt to spread the worm is blocked from the network. We then have a new custom-coded web interface which correlates with our network registration database: IPEdit [rit.edu] that we can use to look up users who can't get online, explain to them to get the CD, patch their PC, run stinger, and then we can re-enable them. Most users are back online within an hour.

    So far we've distributed over 5,000 copies of the CDs to each incoming freshmen and returning upperclassmen. (15,000 students at the college). As can be seen, our bandwidth usage [rit.edu] is very much under control. Although we've experienced a lot of call volume (300 students a day) this last weekend as 2500 freshmen moved in, I'm happy to say that over 4000 students are registered on the network, and the phone in our office hasn't rung for the last hour.
    • I forgot to mention that RIT has blocked no ports or services. It is very much against our policy. The only port blocked is port 25 (SMTP) so that there's no spam problem.
      We've also not had any issues with the SoBig virus due to our mail servers filtering out questionable attachments, and port 25 being blocked.
  • run dcomcnfg.exe and disable distributed COM. That will allow you to be able to go online and get kb823980 from microsoft and then use a removal tool such as fixblast from Symantec. Make sure to re-enable distributed COM when you are done.
  • UConn. (Score:3, Interesting)

    by Grendel Drago ( 41496 ) on Thursday September 04, 2003 @07:13PM (#6874872) Homepage
    At the University of Connecticut, ResNet officials actually keyed into rooms. Didn't unplug the machines from the router, didn't block the MAC address.

    I'm aware that this is an awful problem, but how on earth does it justify keying into someone's room?

    (I'm not kidding. dailycampus.com has the story in its 8/28 back issue. They don't take external links, though this [dailycampus.com] will take you to a registration page. Also notice the article on 3/6/2003 where ResNet threatens to boot warez kiddies out of housing. Real nice fellas, these guys...)

    --grendel drago
  • by chill ( 34294 ) on Thursday September 04, 2003 @07:19PM (#6874921) Journal
    Any upper level (Junior/Senior) CompSci students who were infected and notified by the automated bot should be ASHAMED!

    It should also be noted in their record. (Wants to run a network, but can figure out Windows Update, personal firewalls or anti-virus software...)
    • I think you'd be surprised just how many Comp Sci students don't even know what the C: drive is in windows, or what a firewall even is. I agree with your sentiment, but at least 50% of the kids I'm in school with (just finished 3rd year) still store everything in 'My Documents', use default everything within Windows, and whine and bitch every time they have to do homework using anything other than WindowsXP and Java.

      Doesn't bother me though, because the lack of competition has meant that I have gotten top
  • by zbuffered ( 125292 ) on Thursday September 04, 2003 @07:23PM (#6874952)
    Is all the extra work that these worms and what not are causing for us IT folks, good for our industry in general? Certainly it keeps us busy just keeping everything running, and that's gotta keep a few people on the payroll.

    If that's the case, I'd like to send a shout-out to all the virus and worm authors out there: you infect my computer and I'll pop a cap in yo azz, but as long as you just infect the clueless newbies, and it helps me separate them from their cash, I give you the thumbs up.
  • Well (Score:3, Interesting)

    by chrisgeleven ( 514645 ) on Thursday September 04, 2003 @08:32PM (#6875326) Homepage
    I'm a senior at SNHU and this is what I have observed.

    There was a noticeable slowdown on Saturday and Sunday (when all freshmen moved in), but the network didn't go down. I imagine probably some of it was the normal freshman Internet traffic since many of them never had fast internet before, the rest was from Blaster.

    Returning students arrived on Monday and Tuesday. Tuesday the network got slower and SLOWER and SLOOOOWEERRR then crashed about mid-afternoon. Didn't come up until yesterday morning.

    RA's and orientation leaders were given CD's with the patch, fix tool, and virus definition files for various popular virus scanners.

    Knowing this university, there will still be people unpatched come next May since no one has gone door-to-door to verify everyone's computers.

    Oh and some students randomly can't get on the internet. Noticed today I had an IP address conflict, so I got a suspicion that the DHCP server has also run out of IP addresses.

    My girlfriend goes to NEC and their network has been totally down since Sunday. Basically they are going to go to each computer and patch it before they turn the network on. For some reason they insisted on attempting to patch her computer even though she showed them it was running Windows 98 SE (which isn't affected by Blaster), just like I told her to do. *sigh*
  • UConn saved our tail (Score:4, Informative)

    by Prep ( 26315 ) <bix AT bixworld DOT com> on Thursday September 04, 2003 @10:30PM (#6876025) Homepage
    Here at Denison University [denison.edu], we were lucky enough to catch wind of this perl script, [uconn.edu] written by Josh Richard of the University of Minnesota-Duluth and enhanced by Mike Lang of the University of Connecticut. We modified our standard registration web page (unknown mac-addresses are handed a dummy ip and all traffic redirects to a registration page. Once they register, DHCP hands them a "real" ip) to scan for the DCOM vulnerability using the UCONN script. Users that fail the test are redirected to a page offering links to the patches. Users that pass are directed to the standard registration page, including virus scanning downloads. UConn also includes handy suggestions for using tcpdump to listen on port 135 and for ICMP, note it in a log, giving you a great list of IPs that need to be cleaned. Read UConn's entire summary page here. [uconn.edu] It saved us.
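Added example (not part of any comment above, and not RIT's, Denison's or UConn's code): a sketch of the "listen on port 135 and for ICMP, log it, list the IPs to clean" idea from this comment and of the hourly log parsing in the RIT comment. It assumes the text format printed by a current `tcpdump -n`; the function name, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# TCP SYN (no ACK) to port 135, the RPC/DCOM endpoint mapper the worm targets.
SYN_135 = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.135: Flags \[S\]")
# ICMP echo request (ping sweep traffic).
ECHO = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ICMP echo request")

def suspect_hosts(lines, min_targets=3):
    """Map each source IP to the probe kinds it sent to >= min_targets hosts.

    Counting distinct destinations (not packets) keeps a client that talks
    to one file server repeatedly off the clean-up list.
    """
    targets = defaultdict(set)            # (source, kind) -> destinations seen
    for line in lines:
        for kind, pattern in (("tcp135", SYN_135), ("icmp-echo", ECHO)):
            match = pattern.search(line)
            if match:
                targets[(match.group(1), kind)].add(match.group(2))
    flagged = defaultdict(list)
    for (source, kind), seen in targets.items():
        if len(seen) >= min_targets:      # threshold is an assumed value
            flagged[source].append(kind)
    return {source: sorted(kinds) for source, kinds in flagged.items()}

# Constructed sample capture: one port-135 scanner, one ping sweeper,
# one ordinary client, and a SYN-ACK reply that must not be counted.
SAMPLE_LINES = """\
18:40:01.100001 IP 10.20.1.15.1045 > 10.20.3.1.135: Flags [S], seq 1, win 64240, length 0
18:40:01.100205 IP 10.20.1.15.1046 > 10.20.3.2.135: Flags [S], seq 1, win 64240, length 0
18:40:01.100410 IP 10.20.1.15.1047 > 10.20.3.3.135: Flags [S], seq 1, win 64240, length 0
18:40:01.100633 IP 10.20.1.15.1048 > 10.20.3.4.135: Flags [S], seq 1, win 64240, length 0
18:40:01.200000 IP 10.20.3.2.135 > 10.20.1.15.1046: Flags [S.], seq 9, ack 2, win 64240, length 0
18:40:02.000001 IP 10.20.1.77 > 10.20.4.1: ICMP echo request, id 512, seq 1, length 72
18:40:02.000150 IP 10.20.1.77 > 10.20.4.2: ICMP echo request, id 512, seq 2, length 72
18:40:02.000310 IP 10.20.1.77 > 10.20.4.3: ICMP echo request, id 512, seq 3, length 72
18:40:03.000001 IP 10.20.2.9.2101 > 10.20.0.5.135: Flags [S], seq 1, win 64240, length 0
18:40:03.500001 IP 10.20.2.9 > 10.20.0.1: ICMP echo request, id 1, seq 1, length 40
""".splitlines()

if __name__ == "__main__":
    for host, kinds in sorted(suspect_hosts(SAMPLE_LINES).items()):
        print(host, ",".join(kinds))
```

The returned addresses would then be matched against the registration database to find the owner and disable the port, as the comments describe.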
    • I was reading through this discussion and was about to post about the work UCONN did. I think one of their admins posted the link to their page to resnet-l last week and I was impressed.

      They did a very nice job containing the spread of the worm. Kudos to them.

      On the other hand, the response from our office (Housing Tech Support at a school in Indiana, we just help students get online, don't deal w/ switches and routers) has been somewhere between nothing and next to nothing. I asked my boss to go buy u
