Educause Security Discussion mailing list archives
Re: Researching Automated solution For Identifying Infected Machines
From: Michael Halm <Michael.Halm () CCMAIL NEVADA EDU>
Date: Mon, 10 Nov 2003 10:20:20 -0800
We did. We had trouble with Welchia on the Resnet backbone. So we set up an ACL to redirect outgoing HTTP requests through a Linux box. That box ran a Nessus scan every half hour for the RPCSS vulnerability. The outcome was dumped to a text file. The source address of every outgoing port 80 request was checked against the list. If there was a match, the request was re-routed to our own web page containing instructions for applying the patch and a link to download it. No outgoing port 80 requests would be allowed until the machine was patched. This got all but a half dozen to patch. We left the system in place for over a month to catch new PCs that were being introduced to the Resnet backbone. After that, we needed the box back for other purposes, so we reverted to manual scans of that network.

Michael Halm, CISSP
Network Operations Center
University of Nevada Las Vegas
4505 Maryland Parkway
Las Vegas Nv 89154
702-895-0726

saras anu <saras_anu () YAHOO COM>
Sent by: The EDUCAUSE Security Discussion Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
11/10/2003 09:58 AM
Please respond to The EDUCAUSE Security Discussion Group Listserv
To: SECURITY () LISTSERV EDUCAUSE EDU
cc:
Subject: [SECURITY] Researching Automated solution For Identifying Infected Machines

Did your school attempt an automated technological solution to checking and cleaning the computers of students moving back to campus?

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
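The per-request check described in the message above, sketched as an added example that is not part of the original post and is not the code UNLV ran. The scan dump format (one address per line, `#` comments), the host names, and the `PATCH_HOSTS` exemption that keeps the patch download reachable are all assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed placeholder values; the original post names no hosts or URLs.
PATCH_PAGE = "http://patch.resnet.example/"
# Hosts a flagged machine may still reach so the patch link works (assumption).
PATCH_HOSTS = {"patch.resnet.example", "download.vendor.example"}


def load_flagged(scan_text):
    """Parse the scanner's text dump into a set of flagged addresses.

    Assumed format: one IP address per line; blank lines and '#' comments
    are ignored. Unparseable lines are skipped so that one bad line does
    not empty the list and silently let every flagged machine through.
    """
    flagged = set()
    for line in scan_text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            flagged.add(ipaddress.ip_address(token))
        except ValueError:
            continue
    return flagged


def route_request(src_ip, url, flagged):
    """Decide one outgoing port-80 request: ('allow', url) or ('redirect', PATCH_PAGE)."""
    if ipaddress.ip_address(src_ip) not in flagged:
        return ("allow", url)
    host = urlsplit(url).hostname or ""
    if host in PATCH_HOSTS:
        return ("allow", url)  # flagged, but fetching the fix
    return ("redirect", PATCH_PAGE)


# Constructed sample of a scan dump (not real scanner output).
SAMPLE_SCAN = """\
# half-hourly scan results (constructed sample)
10.20.1.15
10.20.1.77   # still unpatched
not-an-address
10.20.3.4
"""
```

Because the list is rebuilt only when a scan completes, a machine that has just been patched stays redirected until the next half-hourly scan drops it from the file.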