The University’s internet connection was inoperable this morning from about 7 AM until about 10:30 AM. The problem was isolated to the PIX firewall. A number of logged outbound connection attempts (ca. 97000) from forged class A source addresses to a destination in Northern California were discovered. The sheer number of such attempts constituted a denial-of-service situation for the firewall.
The true source of the connection attempts was traced to a student computer in Todd/Phibbs. The student’s network port was inactivated, and the firewall was rebooted. This restored internet service.
The student’s computer had been compromised by the installation of a version of the MyTunes application that had been infected by the W32/Sdbot worm, although a complete analysis of the system was not possible because the student, upon notification, had deleted some components.
The student’s computer, a Windows XP workstation, was patched with the latest MS Critical Updates, the existing misconfigured copy of Norton AV was disabled, and McAfee VirusScan 7 was installed and updated to the latest DAT and engine update.
The student was advised not to install MyTunes again.