Ticket #82 (closed task: fixed)

Opened 12 years ago

Last modified 12 years ago

reinstall Windows on virus-infected machines

Reported by: joshuadf
Owned by: k1@…
Priority: major
Milestone:
Component: systems
Version:
Keywords:
Cc: k1@…

Description

Joshua Daniel Franklin wrote:

JE,

The following machines of ours were apparently infected:

  • 128.95.10.20 otolith (Hao's)
  • 128.95.10.30 scarpa (Wayne's)
  • 128.95.228.23 atlas (formerly August's)

CAC has disabled their network at the wall ports for now. I'm not sure why the automatic Microsoft and anti-virus updates didn't work. Considering none of those are in frequent use, I would recommend reinstalling Windows as soon as possible.

I was able to reformat all three machines, install Windows, install drivers, and install Office XP on atlas. Also, since scarpa had a Windows XP key I went ahead and installed XP on that machine. Also, I installed the latest VirusScan 8.0 and enabled the firewall.

However, I was unable to unblock otolith and scarpa because their network access is completely blocked (they can't even ping), so I wasn't able to log into the CAC unblock page. I think we will have to contact CAC to get them unblocked manually.

I was able to log into the unblock page with atlas, but it wasn't able to unblock it, possibly because it has IE 5 (I'm not entirely sure since it said unable to block, but also had some sort of scripting error pop up). What made it even better was that I was unable to update to IE 6.0 since the download installer doesn't work with the net access block in place. So... I was able to grab an old version of autopatcher 2k that was on another machine's file share, which installed IE 6 and also started the autopatcher to install whatever patches it had up to that point. Also, with the limited network access I was able to join atlas to the domain and it installed Firefox automatically.

And that's as far as I got. The problem is that I'm going on a trip to New York with my Dad and the rest of my family, and won't be back until next Tuesday. I was hoping to get it all done today but the inability to unblock the machines got me stuck and I ran out of time. Hopefully, since those machines aren't in much use very often, it won't be that much of an issue if they are offline until I can come back and finish setting them up next week. Sorry for leaving things such a mess, hope it doesn't inconvenience anyone too badly.

- JE

Change History

comment:1 Changed 12 years ago by joshuadf

Unfortunately Virusscan says atlas was already reinfected, so I've unplugged it again. The McAfee page at http://vil.nai.com/vil/Content/v_140394.htm seems to indicate that Virusscan does not protect against the MS06-040 flaw, though it can detect infection.

This may have happened right after joining the domain since atlas hadn't had all patches installed yet. Does the McAfee firewall off the UWICK CD block TCP 139 and 445? If not we need to block those before plugging a reformatted machine into the network.

Long-term, we should probably buy a cheap SOHO router that blocks all incoming connections and do Windows reformat/patch behind that before joining the domain.

comment:2 Changed 12 years ago by k1@…

Okay, as of yesterday 8/24/06 all three machines have been patched using autopatcher with the latest Windows updates as of August (which is fully up to date at this point). Atlas was reformatted yet again and patched, while the other two machines already had Windows installs and now are fully patched.

Also, McAfee VirusScan 8.0 has been installed, and they all have the standard firewall rules that all the machines in the labs have, which block ports 1-1024 except those needed for network file sharing. Since they have the latest updates they should not be vulnerable to the same exploit that affected them earlier.

At this point, CAC needs to be contacted to unblock their network connections. Then they can be put back on the domain, have their network file shares restored (which are needed for regular backup), and any user data that was on those machines that is still needed can be restored.
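Comment 1 asks whether the firewall blocks TCP 139 and 445 before a reformatted machine is plugged in, and comment 2 describes a lab rule set that blocks 1-1024 but exempts the file-sharing ports. The script below is an added example, not part of the ticket or the lab's own tooling: a pre-network staging check for a current Windows host (it uses the NetSecurity cmdlets of Windows 8 / Server 2012 and later, which the XP-era McAfee firewall in the ticket does not have). The rule name "Staging: block SMB inbound" and the function Test-PortExposed are assumptions of this example.

```powershell
# Added example (not from the ticket): run as Administrator on a freshly
# reformatted host BEFORE its wall port is enabled. Ports come from comment 1.
$SmbPorts = @(139, 445)

function Test-PortExposed {
    # Returns $true if a rule's LocalPort value ('Any', '445', '135-139', ...) covers $Port.
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
        if ($entry -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        # Keywords such as 'RPC' or 'IPHTTPS' are not fixed numbers; they are ignored here.
    }
    return $false
}

# 1. Every profile must be on and must default to blocking inbound traffic.
$badProfiles = Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
foreach ($p in $badProfiles) {
    Write-Warning "Profile $($p.Name): Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
}

# 2. No enabled inbound Allow rule may open TCP 139 or 445 (file-sharing exceptions do).
$exposing = @()
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -ne 'TCP' -and $filter.Protocol -ne 'Any') { return }
    foreach ($port in $SmbPorts) {
        if (Test-PortExposed -LocalPort @($filter.LocalPort) -Port $port) {
            $exposing += "$($rule.DisplayName) (port $port)"
        }
    }
}

if ($badProfiles -or $exposing) {
    $exposing | ForEach-Object { Write-Warning "Inbound allow rule exposes SMB: $_" }
    # Block rules take precedence over allow rules, so one explicit block closes the
    # gap while the machine is patched; remove it once patching is complete.
    if (-not (Get-NetFirewallRule -DisplayName 'Staging: block SMB inbound' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Staging: block SMB inbound' -Direction Inbound `
            -Protocol TCP -LocalPort $SmbPorts -Action Block -Profile Any | Out-Null
    }
    Write-Output 'NOT SAFE to connect: SMB was reachable; staging block rule added. Patch first.'
    exit 1
}
Write-Output 'OK: inbound SMB (139/445) is blocked; safe to plug in and patch.'
```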

comment:3 Changed 12 years ago by joshuadf

  • Cc k1@… added
  • Owner changed from k1@… to joshuadf
  • Status changed from new to assigned

Thanks JE, I've emailed netops about the wall ports.

Max has asked for some files, so I guess restore everything for mneal on atlas. As far as I know Hao and Wayne don't need any files, but be sure to keep around the last pre-infection backups we have (maybe in the archived backups).

Also, since Wayne isn't using scarpa we should give that machine to Hao, who's mentioned that otolith is slow. You can swap them when you're doing the other stuff. Also, be sure to update ticket #84 with notes of your progress on wpkg. And it would still be great to have the rack server by the end of the month (ticket #83).

Thanks again.

comment:4 Changed 12 years ago by joshuadf

  • Cc k1@… removed
  • Owner changed from joshuadf to k1@…
  • Status changed from assigned to new

comment:5 Changed 12 years ago by k1@…

Update:

  • All machines have been restored to the domain
  • All machines have updated versions of Firefox and VirusScan definitions, and are set to check Windows Update daily at 3:00 am
  • Scarpa has been moved to underneath Hao's desk
  • Max's files have been restored to atlas, in the folder C:\users\mneal\restore\

comment:6 Changed 12 years ago by joshuadf

  • Cc k1@… added

Thanks JE, have you told Hao and Max (mneal@u)? That's important to mention. Pretty much any sysadmin work that involves users is worthless if they don't know about it.

It's fine to email them separately, but if you do so you need to keep your supervisor (me in this case) aware of what's going on. I shouldn't need to communicate separately with them.

comment:7 Changed 12 years ago by k1@…

I've emailed them both.

comment:8 Changed 12 years ago by joshuadf

  • Status changed from new to closed
  • Resolution set to fixed