Virus Attack!

Discussion in 'General Mac Discussion' started by Steven1621, Jan 25, 2005.

  1. Steven1621 macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #1
    I work for the IT department at my college, and the virus situation is fully out of control at the present moment. This "sasser" virus is everywhere. I have seen it spread to a freshly installed PC within five minutes. It is the most tedious thing to remove since it is spread over the network so easily. It even disables the installation of SP2 which would correct the issue. All this really shows how great it is to have a Mac. You never quite realize it till you have 67 laptops waiting to be fixed. We had one Mac in for repairs the other day...someone spilt a beer on it and fried the HD. Man, I love my Mac...
     
  2. Hodapp macrumors 6502a

    Hodapp

    Joined:
    Jul 10, 2003
    Location:
    New York, NY
    #2
    You must work for a pretty incompetent IT staff or poorly run college if you're still having issues with Sasser... Good god.
     
  3. ChrisBrightwell macrumors 68020

    ChrisBrightwell

    Joined:
    Apr 5, 2004
    Location:
    Huntsville, AL
    #3
    Who the hell puts a fresh and un-patched Windows installation in the wild and forces it to fend for itself?

    If you just sat and watched that machine be taken over by Sasser, you have no business working IT.
     
  4. virividox macrumors 601

    virividox

    Joined:
    Aug 19, 2003
    Location:
    Manila - Nottingham - Philadelphia - Santa Barbar
    #4
    Sasser, whoa, blast from the past!!! Someone better get these unpatched PCs off the network!!!
     
  5. Earendil macrumors 68000

    Earendil

    Joined:
    Oct 27, 2003
    Location:
    Washington
    #5
    The guy has his college and '08 in his tag. I'm going to assume, since my own graduating year is 2008, that he is a freshman. While I am tempted to apply for the IT department because the department knows jack shiet about Macs, I wouldn't have a clue how to take care of a Sasser virus, and would expect the department heads to know what they are doing in that regard. I wouldn't want this board telling me I have no business in the IT department though... To each his own I suppose.

    And in case you didn't notice, he said College campus. That means that people do whatever the hell they want with their computers, and bring all kinds of crap in. To an IT department, College campuses have to be Hell.

    ~Tyler
     
  6. Hodapp macrumors 6502a

    Hodapp

    Joined:
    Jul 10, 2003
    Location:
    New York, NY
    #6
    Right, but there is no way any real college does not have managed switches for 90%+ of the ports on the network. Any IT department that doesn't have its head lodged firmly up its own ass blocks that kind of junk at the port itself. In Sasser's case, you only need to block three ports. There's no excuse for a Sasser infestation anywhere outside of a dorm room's local LAN of two or three computers.

    Unbelievable.
     
  7. Steven1621 thread starter macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #7
    Do take into account that everyone has just come back from winter break where they had 37 days to ruin their computers. Never doubt the average PC user's ability to know absolutely nothing about how to tend and update their computer. You're right that it was only on a few of the campus LANs, and the computers were concentrated in those areas. The computers that were sending out Sasser were blocked. It's just a slow process to fix them all up.

    (Note also that the freshly installed PC I mentioned had virus protection on it, and it detected the virus, but it was only a few minutes after it was put on the network. It was being patched while it was detected, so we do know what we're doing.)

    I work at the Student Helpdesk, which as the name suggests, is manned by students. We can generally take care of most problems, leaving the pros to handle more important stuff. We didn't really know how to handle this on our own, so the pros had to help us.
     
  8. ChrisBrightwell macrumors 68020

    ChrisBrightwell

    Joined:
    Apr 5, 2004
    Location:
    Huntsville, AL
    #8
    No, I noticed the "college campus" bit -- but it's a friggin' IT dept. They have to have managed switches and such that are capable of detecting and shutting down a machine with malicious intent.

    My point is that if they're having problems with Sasser, and he just watched it, he has no business in IT. Any half-ass IT dweeb knows that you do *not* put a fresh XP install on the network -- especially if you read Slashdot or one of the similar sites and see story after story about how fresh XP installs last less than five minutes in the wild.

    What IT dept doesn't have an XP "patch" CD w/ all the critical patches on it? What IT dept doesn't have some policy in place to ensure that simple things like firewalls and security patches aren't in place to ensure that trash like this Sasser mess stays contained?

    I stand by what I said earlier -- but any "IT dept" that is still dealing with Sasser needs to fire everyone, from the top down, and start over. I know that if my group were still dealing with Windows problems that were patched months ago, I'd be far too embarrassed to mention it online, let alone claim to work with/for them.

    Then again -- I've been a DOS/Windows user for 15 years. I've only been using Apple's Mac OS for the last two or so. Perhaps I take for granted how easy it is for a Windows machine to be set up, patched, and placed on a LAN w/ no worries of infection.
     
  9. Hodapp macrumors 6502a

    Hodapp

    Joined:
    Jul 10, 2003
    Location:
    New York, NY
    #9
    LOL! My thoughts exactly!
     
  10. Steven1621 thread starter macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #10
    Yikes. You guys are being rather harsh. Please note my above post and see that we are addressing problems that were created over the winter break as we have been on campus for two days. All you have mentioned is what we have done to address the problem.
     
  11. Hodapp macrumors 6502a

    Hodapp

    Joined:
    Jul 10, 2003
    Location:
    New York, NY
    #11
    You don't have any kind of system in place to distribute vital security updates? At a real college with a real IT staff when a major vulnerability is released, they scan their network to see who is vulnerable, then contact those people. Prevention is the key here, it is literally amazing to me that there was no effort to roll out patches to all these people... Sasser was a pretty serious worm.
     
  12. Steven1621 thread starter macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #12
    Just because someone is told to update doesn't mean they will...

    I get calls from people who say the email is broken because their pop-up blocker prevents them from opening reply windows....and our average SAT is something like 1420... :)
     
  13. Hodapp macrumors 6502a

    Hodapp

    Joined:
    Jul 10, 2003
    Location:
    New York, NY
    #13
    This is where you telnet in to the switch and turn off their port. When they call you, you explain that they won't be allowed back on the network until they patch their machine. They'll be at your desk in less than 10 minutes to pick up a disc with the updates on it.

    Do you go to some kind of junior college or somewhere that just got access to the internet? I literally cannot fathom how you're still dealing with Sasser.
     
  14. Steven1621 thread starter macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #14
    And that is exactly what we do, but the unpatched system isn't noticed till infected.

    Ha ha, that assumption is borderline insulting considering I go to one of the best colleges in the country. I'm not sure why it's back. I don't know everything that is going on with our IT. They told me it is a "sasser-like" virus. It's been dealt with, but there certainly was a sudden influx.
     
  15. Hodapp macrumors 6502a

    Hodapp

    Joined:
    Jul 10, 2003
    Location:
    New York, NY
    #15
    Uhh... you can run a simple port scan on ports 5554 and 9996 to see what machines are vulnerable and which aren't. It probably wouldn't take more than 10 minutes to scan your entire junior college network.

    ...Unpatched systems aren't noticed until the infection, lol, I'm emailing this thread to everyone else I work with, this is hilarious.

    I'm starting to think Steven1621 is playing a joke on us.
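
The check described in the post above (a connect scan of ports 5554 and 9996 across a network you administer), as an added example that is not part of the original thread; the function names, the 192.0.2.0/28 placeholder subnet and the timeout are assumptions. A host firewall that drops the probe makes a port look closed, so the result is a list of machines to quarantine first, not proof that the rest are clean.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# The two ports named in the post above; everything else here is illustrative.
CHECK_PORTS = (5554, 9996)


def port_open(host, port, timeout=0.5):
    """TCP connect check: True only if the three-way handshake completes."""
    try:
        with socket.create_connection((str(host), port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def hosts_in(cidr):
    """Expand a subnet you administer into its usable host addresses."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def triage(hosts, ports=CHECK_PORTS, timeout=0.5, workers=64, probe=port_open):
    """Return {host: [open ports]} for every host with a listed port open."""
    jobs = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answers = list(pool.map(lambda hp: probe(hp[0], hp[1], timeout), jobs))
    flagged = {}
    for (host, port), is_open in zip(jobs, answers):
        if is_open:
            flagged.setdefault(host, []).append(port)
    return flagged


if __name__ == "__main__":
    # 192.0.2.0/28 is a documentation range used as a placeholder subnet.
    for host, ports in sorted(triage(hosts_in("192.0.2.0/28")).items()):
        print(f"{host}: listening on {ports} -> disable switch port, then clean/patch")
```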
     
  16. ChrisBrightwell macrumors 68020

    ChrisBrightwell

    Joined:
    Apr 5, 2004
    Location:
    Huntsville, AL
    #16
    The problem is that you're being reactive rather than proactive.

    You should be pushing updates down to people instead of expecting them to know what to do and expecting them to pull down the updates.

    Their ignorance is your responsibility.
     
  17. brap macrumors 68000

    Joined:
    May 10, 2004
    Location:
    Nottingham
    #17
    It's not his responsibility at all. Students, on a helpdesk, are in no position to tell the (full time, salaried) IT department how to do their jobs no matter how incompetent they are.

    Look to the chain of command, and give the poor guy a break.
     
  18. Steven1621 thread starter macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #18
    I looked into it and found that it isn't Sasser we are having a problem with. That was what I thought, but it is completely different. I'm not sure what it is, but I will find out to tell you. And yes, ports are scanned, but as it can only take a few minutes to spread a virus to many computers, there were many computers infected before we could turn them off. When I fix a computer, I have to give its port access again. Recall again that we are all just getting back from break and a lot of this was created without our control. With 1500 students on campus, 60 with this virus isn't that much. But it is a ton when you are fixing them all!
     
  19. emw macrumors G4

    emw

    Joined:
    Aug 2, 2004
    #19
    This thread is extremely disconcerting. Someone logs on to proclaim his delight that he doesn't have to fix all the Macs on campus, and all you people can do is jump all over him about how incompetent he is and what a POS IT department he has? He's a student help desk operator at a large university with little or no control over his IT management. He's just stuck cleaning up. Which, I'm sure, has never happened to any of you perfect people.

    WTF? You should be ashamed of yourselves. :mad:
     
  20. Steven1621 thread starter macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #20
    thank you.

    BTW, there are only 1500 kids at my school
     
  21. emw macrumors G4

    emw

    Joined:
    Aug 2, 2004
    #21
    Perhaps, but many IT departments don't support 1500 users...
     
  22. Steven1621 thread starter macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #22
    I pointed that out because he said that I went to a large university, when that is not the case.
     
  23. emw macrumors G4

    emw

    Joined:
    Aug 2, 2004
    #23
    Yup, got that ("he" was me) ;)
     
  24. Steven1621 thread starter macrumors 6502a

    Steven1621

    Joined:
    Apr 10, 2003
    Location:
    Connecticut
    #24
    Ok, I found out what the official situation happens to be from the IT people. There is one computer on campus that is sending out some sasser-like virus. By means of port scanning, they have a list of 120 computers that it could be. It is their policy to not turn off the ports of massive amounts of computers. They are going through each one to figure out which computer the problem is coming from. Many of the computers I am seeing are being affected by this one infected computer, but don't actually have the virus. It starts a shutdown sequence. An email was issued to students to tell them to be sure their PC is updated to SP2, which prevents this problem.

    I certainly didn't expect to have my IT department attacked by members and to have to defend what I really don't know a whole lot about.
     
  25. Mechcozmo macrumors 603

    Mechcozmo

    Joined:
    Jul 17, 2004
    #25
    Our school still is having issues with POZA. Sheesh. The IT department is 3 people and there are ~700 people total mind you, but still. My student account doesn't have enough privileges to get rid of POZA, but I have seen the executable and the registry keys. And I have seen failed infections, because POZA guesses between 2000 and XP and if it fails, "svcost.exe" crashes.

    Good luck. At least you can do something about it.
     
