Educause Security Discussion mailing list archives

Re: Researching Automated solution For Identifying Infected Machines


From: Michael Halm <Michael.Halm () CCMAIL NEVADA EDU>
Date: Mon, 10 Nov 2003 10:20:20 -0800

We did. We had trouble with Welchia on the Resnet backbone. So we set up
an ACL to redirect outgoing HTTP requests through a Linux box. That box
ran a Nessus scan every half hour for the RPCSS vulnerability. The outcome
was dumped to a text file. The source address of every outgoing port 80
request was checked against the list. If there was a match, the request
was re-routed to our own web page containing instructions for applying the
patch and a link to download it. No outgoing port 80 requests would be
allowed until the machine was patched. This got all but a half dozen to
patch. We left the system in place for over a month to catch new PCs that
were being introduced to the Resnet backbone. After that, we needed the
box back for other purposes, so we reverted to manual scans of that
network.


Michael Halm, CISSP
Network Operations Center
University of Nevada Las Vegas
4505 Maryland Parkway
Las Vegas Nv  89154
702-895-0726




saras anu <saras_anu () YAHOO COM>
Sent by: The EDUCAUSE Security Discussion Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU>
11/10/2003 09:58 AM
Please respond to The EDUCAUSE Security Discussion Group Listserv


        To:     SECURITY () LISTSERV EDUCAUSE EDU
        cc:
        Subject:        [SECURITY] Researching Automated solution For Identifying Infected Machines


Did your school attempt an automated technological solution to checking
and cleaning the computers of students moving back to campus?
**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
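
The per-request check described in the reply above, as an added example that is not part of the original post or of UNLV's setup: it loads a scan result file and decides whether a request is allowed or sent to the patch page. The file format (one flagged address per line, '#' comments), the addresses and the remediation URL are assumptions made for illustration.

```python
import ipaddress

# Placeholder for the local page with patch instructions (hypothetical URL).
REMEDIATION_URL = "http://patch-help.example.edu/"

# Constructed scan results. Assumed format: one flagged address per line,
# '#' starts a comment. The post does not give the real file layout.
SCAN_1 = """\
# scan run 1 (constructed)
10.20.1.15
10.20.1.87   # inline comments are stripped
garbage-line
10.20.3.4
"""
SCAN_2 = """\
# scan run 2 (constructed): 10.20.1.15 has patched since run 1
10.20.1.87
10.20.3.4
"""


def load_flagged(text):
    """Parse a scan result file into a set of addresses, skipping bad lines."""
    flagged = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            flagged.add(ipaddress.ip_address(entry))
        except ValueError:
            continue  # malformed entry: ignore rather than abort the reload
    return flagged


def decide(src_ip, dst_port, flagged):
    """Return ("redirect", url) for port 80 requests from flagged hosts."""
    if dst_port != 80:
        return ("allow", None)  # only outgoing port 80 went through the box
    # Compare parsed addresses, not text: a substring search of the file for
    # "10.20.1.1" would also hit the line "10.20.1.15".
    if ipaddress.ip_address(src_ip) in flagged:
        return ("redirect", REMEDIATION_URL)
    return ("allow", None)


if __name__ == "__main__":
    for src in ("10.20.1.15", "10.20.1.1"):
        print(src, decide(src, 80, load_flagged(SCAN_1)))
```

Reloading the set after each scan run is what releases a host once it has patched, as the second constructed scan shows for 10.20.1.15.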
