The University experienced a major attack of the Blaster worm and its variants starting late last Monday evening, August 18th. The Blaster worm spreads by exploiting security weaknesses in Windows 2000 and XP operating systems. The worm generates high volumes of traffic looking for new targets on and off the campus. This traffic caused our network to essentially shut down.
OIS shut down the internet connection early Tuesday morning and spent most of Tuesday reconfiguring the network. The network was moved to a new Cisco 6509 Core Router and restored to service in the early afternoon. Restrictive Access Control Lists were applied to every building until OIS personnel updated every computer with current security patches and anti-virus software. Network services were more or less back to normal late Friday afternoon, but some problems continue to appear.
OIS is monitoring the situation closely, but everyone can help in this effort. Everyone should ensure that their computer’s anti-virus software is installed and active and Microsoft’s updates are being applied.
Majordomo is down. Majordomo, the software package used for user discussion lists, has failed after working without an error for almost two weeks on the new mail server. For some unknown reason the software now fails to function properly. We have attempted to upgrade with no success. We have attempted to roll back to the old server, but no luck.
At 11:00 AM, the campus network was disconnected because of widespread infection of University workstations by the Nachi worm subsequent to an initial infection by the Blaster worm (see http://us.mcafee.com/virusInfo/ for more details). The University’s Windows servers do not appear to have been infected. A byproduct of Nachi infection is a large volume of network traffic, and it was this that apparently overwhelmed the campus network.
OIS employees have eradicated most worm infections in Jones Hall, McIntyre Hall, Wheelock Hall and Security Services, and non-public workstations in Collins Library.
Currently, most University network services are online, with the exception of Windows filesharing. Thus, access to MERLIN2 and ALEXANDRIA is unavailable at this time. We expect it to become available sometime tomorrow morning (Wednesday, 20 August) from the above buildings.
A Cisco 6509 was installed, and replaces the Enterasys SmartSwitch Router (SSR).
Listservs are now available.
The installation of and changeover to the new email server hardware is complete. Proxy servers, email delivery, Webmail, dialin access, and account management interfaces (password changes, etc.) should be online.
The listserv system is not working correctly yet, but will be brought online tomorrow.
Beginning in the early morning hours of Saturday, 16 August 2003 (soon after midnight) the University e-mail system, including Webmail, password changes, and the forward and vacation message management interfaces, will be unavailable. The Corporate Time calendaring system, dialin authentication, and the University’s proxy servers will also be unavailable during this period. These improvements are necessary for the email system to handle the higher email volumes that we are experiencing. We will be making a series of infrastructure changes in order to bring the new mail server hardware on line.
- We will migrate the user data from the old mail server to the new mail server. It is recommended that you back up any important e-mail messages, and delete any unnecessary messages.
- We will upgrade the directory server from version 4.11 to version 5.1 service pack 2.
This upgrade is necessary for the new mail server to communicate with the directory server to authenticate users.
- We will modify Orion, the Sun server for Math & Computer Science, to authenticate against the upgraded directory server.
We expect that this will take approximately one day, due to the volume of mail data that must be moved.
E-mail service will be restored to campus by 8:00 AM Sunday, 17 August 2003.
Please check the Network Service Failure and Status Log for status information on the 16th. When the affected services become available, status will be posted at that location.