SYSMGR

We're a bunch of computers: Diana, Daphne and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene, running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Monday, February 27

27-Feb-2006 - 2

New software
tested on Athene, starting with the portal: e107. Set up a pre-defined look-and-feel, made some changes in configuration and texts - and blew it all up. Re-installed the product and redid some of these, leaving out what I now know to be wrong - and blew it up once more. At least, I think...
Looks like fun, but great care is to be taken: so far it's unstable once you leave the tracks.
Security.
FTP
Just one more, doing a lot:

%%%%%%%%%%% OPCOM 27-FEB-2006 23:37:25.08 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: tigershark.cyberlink.com
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060227174108p]

He took 7.5 seconds to do it all:
27-FEB-2006 23:37:23.59 User:anonymous logged in ident:Ugpuser@home.com from Host:tigershark.cyberlink.com
27-FEB-2006 23:37:24.86 User:anonymous ident:Ugpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
27-FEB-2006 23:37:30.21 User:anonymous ident:Ugpuser@home.com logged out

Someone trying to dump his stuff?
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from tigershark.cyberlink.com at 27-FEB-2006 23:37:22.81
%TCPIP-I-FTP_NODE, client host name: tigershark.cyberlink.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060227174108p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00002: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: tigershark.cyberlink.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00002: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

and trying to access the following lot - with the same results:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/

and logs out - without doing any harm (and without having dumped ANYTHING)
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from tigershark.cyberlink.com at 27-FEB-2006 23:37:30.32
Just two known sources for mail (relaying attempts) and a few that are known spammers:
27-FEB-2006 03:38:56.28 NOSPAMRLY 221.140.55.69 louisjin@netian.com
27-FEB-2006 04:22:34.53 NOSPAMRLY 125.188.63.10 gjwns_22@daum.net
27-FEB-2006 05:00:21.22 CLNTINRBL 67.173.109.132
27-FEB-2006 05:00:27.58 CLNTINRBL 67.173.109.132
27-FEB-2006 05:00:35.39 CLNTINRBL 67.173.109.132
27-FEB-2006 23:53:05.07 CLNTINRBL 66.57.215.132

Got a number of spam messages that got through.

27-Feb-2006

Logs
were cycled properly - including the Apache logs. Apache_index.html has indeed been re-created and shows 3 empty and 1 big ACCESS_LOG file - like last week.
Web security
Found of course a few interesting abuse attempts in http, running scripts I don't have (so they warn me anyway):
File does not exist: /www/awstats/awstats.pl
script not found or unable to stat: /apache$root/cgi-bin/awstats.pl
script not found or unable to stat: /apache$root/cgi-bin/awstats
File does not exist: /www/index.php
File does not exist: /www/mambo/index2.php
File does not exist: /www/cvs/index2.php
File does not exist: /www/articles/mambo/index2.php
File does not exist: /www/xmlrpc.php
File does not exist: /www/blog/xmlrpc.php
File does not exist: /www/blog/xmlsrv/xmlrpc.php
File does not exist: /www/blogs/xmlsrv/xmlrpc.php
File does not exist: /www/drupal/xmlrpc.php
File does not exist: /www/phpgroupware/xmlrpc.php
File does not exist: /www/wordpress/xmlrpc.php
File does not exist: /www/xmlrpc/xmlrpc.php
File does not exist: /www/xmlsrv/xmlrpc.php
File does not exist: /www/ + /
File does not exist: /www/phpmyadmin/main.php
File does not exist: /www/cvs/index2.php
File does not exist: /www/articles/mambo/index2.php
File does not exist: /www/cvs/mambo/index2.php

Addresses that tried some or all of these:
63.126.131.10
67.19.26.114
69.183.25.176
81.169.169.215
200.43.57.210
202.157.177.49
203.146.247.69
210.19.111.9
218.104.211.118

Some others (typo? since these are the only single-line ones this week):
[Thu Feb 23 05:37:53 2006] [error] [client 213.254.203.210] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
and this line:
File does not exist: /www/OpenVMS/perl/binarykit/perl-5_8_4-vmsaxp-7_2-1.zip
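The "File does not exist" and "script not found" lines above are the trace a web-application scanner leaves when it tries awstats, xmlrpc.php, Mambo's index2.php and phpMyAdmin on a server that has none of them. The following Python script is an added example, not code from the post or from Apache; it groups such error_log lines by client address, tags each missing path with the scanner family it belongs to, and flags clients that hit several of them (or that send the w00tw00t probe line quoted above). The log lines it runs on are constructed for the example, with addresses from documentation ranges rather than the ones in the post, and the signature list is an assumption that you would extend from your own logs.

```python
"""Triage Apache error_log 'missing file' noise for web-application scanner
sweeps, grouped by client address (added example, not the post's own tooling)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample lines in the Apache 2.0 error_log layout seen in the post
# (the w00tw00t line); addresses are from documentation ranges, not the post's.
SAMPLE_ERROR_LOG = """\
[Thu Feb 23 05:37:53 2006] [error] [client 203.0.113.9] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu Feb 23 11:02:10 2006] [error] [client 192.0.2.10] File does not exist: /www/awstats/awstats.pl
[Thu Feb 23 11:02:11 2006] [error] [client 192.0.2.10] script not found or unable to stat: /apache$root/cgi-bin/awstats.pl
[Thu Feb 23 11:02:12 2006] [error] [client 192.0.2.10] File does not exist: /www/xmlrpc.php
[Thu Feb 23 11:02:12 2006] [error] [client 192.0.2.10] File does not exist: /www/blog/xmlrpc.php
[Thu Feb 23 11:02:13 2006] [error] [client 192.0.2.10] File does not exist: /www/mambo/index2.php
[Thu Feb 23 11:02:14 2006] [error] [client 192.0.2.10] File does not exist: /www/phpmyadmin/main.php
[Thu Feb 23 14:30:00 2006] [error] [client 198.51.100.4] File does not exist: /www/favicon.ico
"""

# Assumed signature list, built from the paths the post shows being probed.
SIGNATURES = [
    ("awstats",    re.compile(r"/awstats(?:\.pl)?$")),
    ("xmlrpc",     re.compile(r"/xmlrpc\.php$")),
    ("mambo",      re.compile(r"/index2\.php$")),
    ("phpmyadmin", re.compile(r"/phpmyadmin/", re.IGNORECASE)),
    ("dfind",      re.compile(r"w00tw00t")),
]

RE_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9a-fA-F.:]+)\] (?P<msg>.*)$")
# The three message shapes that carry a requested path in the post's excerpts.
RE_PATH = re.compile(
    r"(?:File does not exist|script not found or unable to stat"
    r"|request without hostname \(see [^)]*\)): (?P<path>\S+)")


def classify(path: str) -> List[str]:
    """Names of the scanner families whose signature matches this path."""
    return [name for name, rx in SIGNATURES if rx.search(path)]


def summarise(text: str, min_hits: int = 3) -> List[Dict]:
    """One row per client: how many known-scanner paths it asked for, which
    families, how long the sweep took, and whether it crosses the threshold."""
    per_client = defaultdict(
        lambda: {"requests": 0, "paths": [], "signatures": set(), "first": None, "last": None})
    for line in text.splitlines():
        m = RE_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        rec = per_client[m["ip"]]
        rec["requests"] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        p = RE_PATH.search(m["msg"])
        if not p:
            continue
        if p["path"] not in rec["paths"]:
            rec["paths"].append(p["path"])
        rec["signatures"].update(classify(p["path"]))

    rows = []
    for ip, rec in per_client.items():
        hits = sum(1 for path in rec["paths"] if classify(path))
        rows.append({
            "client": ip,
            "requests": rec["requests"],
            "scanner_hits": hits,
            "signatures": sorted(rec["signatures"]),
            "span_seconds": (rec["last"] - rec["first"]).total_seconds(),
            # The w00tw00t string is a scanner's own calling card, so one is enough.
            "flagged": hits >= min_hits or "dfind" in rec["signatures"],
        })
    return sorted(rows, key=lambda r: (-r["scanner_hits"], r["client"]))


if __name__ == "__main__":
    for row in summarise(SAMPLE_ERROR_LOG):
        print(row)
```

The per-client span is worth keeping in the report: a sweep that covers six product paths in four seconds, as in the sample, cannot be a person following links, which is the same argument the post makes from the FTP timings.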
More on security
FTP had just two scripts running that tried a lot.
The first one seems to me to be a hacked mail server - shame on SIEMENS!
%%%%%%%%%%% OPCOM 24-FEB-2006 01:32:03.89 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: mail.siemens.com.by
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060224023453p]
Just 9 seconds:
24-FEB-2006 01:31:59.97 User:anonymous logged in ident:Kgpuser@home.com from Host:mail.siemens.com.by
24-FEB-2006 01:32:03.66 User:anonymous ident:Kgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
24-FEB-2006 01:32:07.05 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]tagged.;
24-FEB-2006 01:32:07.23 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]Tagged.;
24-FEB-2006 01:32:07.40 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]TaGGeD.;
24-FEB-2006 01:32:07.68 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]data.;.;
24-FEB-2006 01:32:07.85 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]Data.;.;
24-FEB-2006 01:32:08.10 User:anonymous ident:Kgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]^%.;.;.;
24-FEB-2006 01:32:09.14 User:anonymous ident:Kgpuser@home.com logged out
and attempting:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mail.siemens.com.by at 24-FEB-2006 01:31:59.58
%TCPIP-I-FTP_NODE, client host name: mail.siemens.com.by
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002B: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and the same on:
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
Next trying a new directory:
%TCPIP-I-FTP_NODE, client host name: mail.siemens.com.by
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060224023453p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002B: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: mail.siemens.com.by
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002B: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and this goes on:
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%
and the script ends without doing harm (but using resources and bandwidth).
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from mail.siemens.com.by at 24-FEB-2006 01:32:09.24

The other one is from France:
%%%%%%%%%%% OPCOM 25-FEB-2006 05:05:10.98 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060225050703p]
It took just 4 seconds:
25-FEB-2006 05:05:10.25 User:anonymous logged in ident:Pgpuser@home.com from Host:AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr
25-FEB-2006 05:05:10.79 User:anonymous ident:Pgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
25-FEB-2006 05:05:14.96 User:anonymous ident:Pgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]incoming.;
25-FEB-2006 05:05:17.48 User:anonymous ident:Pgpuser@home.com logged out
to learn that none of this works:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr at 25-FEB-2006 05:05:09.86
%TCPIP-I-FTP_NODE, client host name: AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060225050703p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002C: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002C: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and the same for this bunch of directories:
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /cgibin/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /in/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /audio/
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: / /
%TCPIP-I-FTP_OBJ, object: /.tmp/
%TCPIP-I-FTP_OBJ, object: /win/
%TCPIP-I-FTP_OBJ, object: //
%TCPIP-I-FTP_OBJ, object: /root/
%TCPIP-I-FTP_OBJ, object: /games/
%TCPIP-I-FTP_OBJ, object: /inetpub/
%TCPIP-I-FTP_OBJ, object: /_derived/
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]incoming
%TCPIP-I-FTP_OBJ, object: /wwwrootx/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /webroot/
%TCPIP-I-FTP_OBJ, object: /bin/
%TCPIP-I-FTP_OBJ, object: /dev/
%TCPIP-I-FTP_OBJ, object: /etc/
%TCPIP-I-FTP_OBJ, object: /lib/
%TCPIP-I-FTP_OBJ, object: /share/
%TCPIP-I-FTP_OBJ, object: /_kurdt/
%TCPIP-I-FTP_OBJ, object: /log/
%TCPIP-I-FTP_OBJ, object: /logs/
%TCPIP-I-FTP_OBJ, object: /_aux/
%TCPIP-I-FTP_OBJ, object: /aux/
%TCPIP-I-FTP_OBJ, object: /com1/
%TCPIP-I-FTP_OBJ, object: /com2/
%TCPIP-I-FTP_OBJ, object: /com3/
%TCPIP-I-FTP_OBJ, object: /aux1/
%TCPIP-I-FTP_OBJ, object: /aux2/
%TCPIP-I-FTP_OBJ, object: /aux3/
%TCPIP-I-FTP_OBJ, object: /ltp1/
%TCPIP-I-FTP_OBJ, object: /ltp2/
%TCPIP-I-FTP_OBJ, object: /ltp3/
%TCPIP-I-FTP_OBJ, object: /scan/
%TCPIP-I-FTP_OBJ, object: /scanned/
%TCPIP-I-FTP_OBJ, object: /tag/
%TCPIP-I-FTP_OBJ, object: /taggued/
%TCPIP-I-FTP_OBJ, object: /_sysops/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
Again, without harm but using disk space (above are just the lines stating what has been tried; I removed all lines stating the failure). He logged out:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from AFontenayssB-151-1-46-55.w82-121.abo.wanadoo.fr at 25-FEB-2006 05:05:17.57
I may signal this to the ISP, but I have my doubts on what may be done to prevent this...

Mail had just a few:

24-FEB-2006 00:56:13.75 CLNTINRBL 85.136.165.215
and 12 more with an interval of about 10 seconds
24-FEB-2006 03:38:53.30 NOSPAMRLY 58.225.75.149 ehstkah@hanmail.net
24-FEB-2006 04:22:23.41 NOSPAMRLY 125.188.63.10 gjwns_22@daum.net
24-FEB-2006 07:54:26.64 CLNTINRBL 81.214.130.89
24-FEB-2006 12:24:53.95 NOSPAMRLY 221.140.55.69 louisjin@netian.com
24-FEB-2006 17:48:24.60 CLNTINRBL 213.25.140.4
24-FEB-2006 23:54:22.09 CLNTINRBL 61.78.125.154
25-FEB-2006 01:11:04.58 CLNTINRBL 69.15.178.42
25-FEB-2006 03:33:01.89 CLNTINRBL 221.11.70.158
25-FEB-2006 07:48:03.99 NOSPAMRLY 125.188.63.10 gjwns_22@daum.net
25-FEB-2006 08:53:08.92 CLNTINRBL 24.21.221.220
25-FEB-2006 08:53:28.95 CLNTINRBL 81.190.159.87
25-FEB-2006 08:53:32.15 CLNTINRBL 71.197.50.2
25-FEB-2006 10:04:19.41 NOSPAMRLY 221.140.55.69 louisjin@netian.com
25-FEB-2006 19:24:07.82 CLNTINRBL 81.216.144.34
26-FEB-2006 00:04:00.69 CLNTINRBL 24.3.171.161
26-FEB-2006 00:04:08.67 CLNTINRBL 24.3.171.161
26-FEB-2006 00:04:15.28 CLNTINRBL 24.3.171.161
26-FEB-2006 01:31:33.40 CLNTINRBL 207.119.69.62
26-FEB-2006 03:40:51.72 NOSPAMRLY 211.222.179.253 louisjin@netian.com
26-FEB-2006 07:34:30.33 CLNTINRBL 195.136.246.2

If I update the list, this will be much larger since I get more and more spam. It's perhaps time to install SpamAssassin...

Sunday, February 26

26-Feb-2006

Getting on
with the new configuration.
There was a minor syntax error in SYSTARTUP_VMS.COM preventing the second part (in batch) from being started, so TCPIP wasn't started.
I copied the QUEMANAGER.DAT file from the original system disk to the new one, but that ruined all batches. Since there isn't that much to be done, I started a new queue manager and re-created the most important queues: SYS$START (batch) and HPTN2100 (print), and restarted Diana once more. Now all of the startup was done - except for the errors that are to be expected.
Next job was installing the programming environment. Originally, I wanted this to reside in a separate location, but that turned out to be a not so good idea: SYS$COMMON would need a re-definition to include this location as well. So I reversed the idea and installed all languages and tools on SYS$COMMON - where it is intended to be.
All languages installed directly from CD: COBOL, FORTRAN and PASCAL went flawlessly, but C and C++ need to be expanded first. So I copied the kits to sman:[install], unpacked them and installed from there.
Also installed DECSet - the developers' toolkit.
Installation of DCPS however failed - I still have to find the exact cause, but it has to do with an undefined symbol "NODES", and nothing is mentioned in the release notes and installation guides. At least - not at first glance. Abandoned that - for the moment.
Web stuff
Next, installed the web-based software on a logical disk named "WEB", except for Java (installed on SYS$COMMON): PERL, Apache 2.1, Tomcat, MOD_PHP and MOD_PERL. Ran the configuration scripts for Apache and Tomcat, but the configuration of Apache is too different from the 1.3-1 version to be used as-is. So I printed the conf files for comparison and to find out what to do next. Once that works well with the current webs, I will start setting up the new ones.
Also installed Secure Web Browser, but didn't try that (it will need substantial changes in the system configuration).
Done - for today
Rebooted Diana from its original disk in the end; as it turned out, mail from the outside world was bounced (quite possible, since TCPIP wasn't started at first).

Friday, February 24

23-Feb-2006

Security
Found two attempts in the log, on FTP:

I've got this one before - at least: from the same network in Poland:

%%%%%%%%%%% OPCOM 23-FEB-2006 02:30:24.92 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: cje3.neoplus.adsl.tpnet.pl
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060223023214p]

The connection lasts just 4 seconds:
23-FEB-2006 02:30:24.22 User:anonymous logged in ident:Agpuser@home.com from Host:cje3.neoplus.adsl.tpnet.pl
23-FEB-2006 02:30:24.68 User:anonymous ident:Agpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
23-FEB-2006 02:30:28.01 User:anonymous ident:Agpuser@home.com logged out

Ha: a script kiddie trying to dump his stuff? (and of course: Windows, and probably Linux, based) - because no-one can type so fast that this data gets logged:
%TCPIP-I-FTP_NODE, client host name: cje3.neoplus.adsl.tpnet.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060223023214p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00028: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

This script of course has no error handling (why would it? it's crap, and most systems would accept it), because it just continues:
%TCPIP-I-FTP_NODE, client host name: cje3.neoplus.adsl.tpnet.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00028: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

and so on for:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/

and finally logged out.
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from cje3.neoplus.adsl.tpnet.pl at 23-FEB-2006 02:30:28.11

The second one seems not to have a DNS entry:

%%%%%%%%%%% OPCOM 23-FEB-2006 06:42:38.46 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: 216.191.217.3
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060223064435p]

This lasted a bit longer: 22 seconds:
23-FEB-2006 06:42:22.57 User:anonymous logged in ident:Hgpuser@home.com from Host:216.191.217.3
23-FEB-2006 06:42:35.93 User:anonymous ident:Hgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
23-FEB-2006 06:42:44.44 User:anonymous ident:Hgpuser@home.com logged out

Again, I suspect a script, but some of it might be done manually (buffer recall is fast enough) and a good typist could make it:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 216.191.217.3 at 23-FEB-2006 06:42:19.19
%TCPIP-I-FTP_NODE, client host name: 216.191.217.3
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002A: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

There is no PUB directory, nor one of the following:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/

Next, I guess this one wants to drop his stuff on a new, probably "hidden" directory (and there is no such thing on VMS)
%TCPIP-I-FTP_NODE, client host name: 216.191.217.3
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060223064435p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002A: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

and on that one, a directory:
%TCPIP-I-FTP_NODE, client host name: 216.191.217.3
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0002A: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

and two more:
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /inetpub/

which don't exist either. He gave up:
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 216.191.217.3 at 23-FEB-2006 06:42:44.54

Who is behind this address:

OrgName: Allstream Corp. Corporation Allstream
OrgID: ACCA-2
Address: 200 Wellington Street West
Address: 16th Floor
City: Toronto
StateProv: ON
PostalCode: M5V-3G2
Country: CA

ReferralServer: rwhois://rwhois.allstream.com:4321

NetRange: 216.191.0.0 - 216.191.255.255
CIDR: 216.191.0.0/16
NetName: ALLSTREAM-8
NetHandle: NET-216-191-0-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BUSINESS.ALLSTREAM.NET
NameServer: NS2.BUSINESS.ALLSTREAM.NET
Comment:
RegDate:
Updated: 2004-02-03

Canadian - and they have an abuse address. Good: they will be informed.

Monday, February 20

20-Feb-2006

Soymail
Received an answer - for private access the URL must be ../script/soymail/~: the tilde marks the access as private. This is no problem, just adjust the URL in the start page. Now it does indeed show up - somewhat different in layout, but there is a starting point. The main problem seems to be that the structure is "non-standard" and I will have to do a lot of digging myself - no problem: it will add to the usability of the product.
Some issues found, but from contacting the author, it could be that most issues can be solved by carefully following the installation and administration guide, and adjusting where needed. One thing will be needed - mapping /soymail/-/ to the right directory. But that is minor.
Also, I need to adjust smpt_config to allow the local host to send - otherwise, any mail sent to the outside world will be treated as spam - and be rejected.
Logs
The scan-log job works, and so does the creation of the Apache index page. Funny: all virtual webs seem to create a new access_log - and there should be just one. Another thing to find out in the Apache configuration!
Security
Apart from the usual mail stuff, just one in FTP - due to late examination, just found today:

%%%%%%%%%%% OPCOM 17-FEB-2006 01:47:21.09 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: mgd9-d9ba3a4c.pool.mediaWays.net
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060217015050p]

A 1.5 second attempt:

17-FEB-2006 01:47:19.89 User:anonymous logged in ident:Kgpuser@home.com from Host:mgd9-d9ba3a4c.pool.mediaWays.net
17-FEB-2006 01:47:20.91 User:anonymous ident:Kgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
17-FEB-2006 01:47:21.28 User:anonymous ident:Kgpuser@home.com logged out

FTP log says:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mgd9-d9ba3a4c.pool.mediaWays.net at 17-FEB-2006 01:47:19.65
%TCPIP-I-FTP_NODE, client host name: mgd9-d9ba3a4c.pool.mediaWays.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00017: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format

and the same on :

%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/

Next tried to create the directory:

%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060217015050p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00017: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation

and accessing the following (non-existing) directories:

%TCPIP-I-FTP_OBJ, object: /upload/

After that, the script gave up:

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from mgd9-d9ba3a4c.pool.mediaWays.net at 17-FEB-2006 01:47:21.37

Hey kiddy: you want to dump your stuff? Sorry, wrong system!
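The FTP sessions logged in this entry and in those of February 23, 24, 25 and 27 all follow one pattern: an anonymous login, one attempt to create a time-stamped directory under [public.anonymous], a burst of CWDs into well-known upload directories that do not exist here, and a logout within seconds. The following Python script is an added example, not something from the post or from HP's TCP/IP Services; it groups TCPIP$FTP server log lines into sessions and flags the ones that match that pattern, so the triage done by hand above can run over the whole log. It assumes Python is available where the log is read, and the log lines it runs on are constructed in the post's format with made-up hostnames.

```python
"""Triage an OpenVMS TCP/IP Services FTP server log for scripted anonymous
'drop-site' probing: many CWD/MKD failures within seconds, then logout
(added example, not the post's own tooling)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"        # e.g. 27-FEB-2006 23:37:22.81

# Constructed sample in the layout of the TCPIP$FTP log quoted in the post:
# one probing session, then a quiet anonymous session that only logs in and out.
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from probe.example.net at 27-FEB-2006 23:37:22.81
%TCPIP-I-FTP_NODE, client host name: probe.example.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060227174108p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00002: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: probe.example.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00002: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00002: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00002: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from probe.example.net at 27-FEB-2006 23:37:30.32
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mirror.example.org at 27-FEB-2006 23:40:00.00
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from mirror.example.org at 27-FEB-2006 23:41:10.00
"""

RE_SESCON = re.compile(r"^%TCPIP-I-FTP_SESCON, .*session connection from (\S+) at (.+)$")
RE_SESDCN = re.compile(r"^%TCPIP-I-FTP_SESDCN, .*session disconnection from (\S+) at (.+)$")
RE_USER = re.compile(r"^%TCPIP-I-FTP_USER, user name: (\S+)")
RE_OBJ = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (.*)$")       # objects may contain spaces
RE_CHINFO = re.compile(r"^%TCPIP-I-FTP_CHINFO, \S+ (Failed to .*)$")


@dataclass
class FtpSession:
    host: str
    started: datetime
    ended: Optional[datetime] = None
    user: Optional[str] = None
    probed: List[str] = field(default_factory=list)   # every object the client named
    failed_cwd: int = 0                               # "Failed to set default directory"
    mkd_attempts: int = 0                             # "Failed to create directory"

    def duration_seconds(self) -> Optional[float]:
        return None if self.ended is None else (self.ended - self.started).total_seconds()


def parse_ftp_log(text: str) -> List[FtpSession]:
    """Group log lines into sessions. Simplification assumed here: a line belongs
    to the most recently opened session still open; on a busy server where
    sessions interleave you would key them by the FTP_NODE host instead."""
    sessions: List[FtpSession] = []
    current: Optional[FtpSession] = None
    for line in text.splitlines():
        if m := RE_SESCON.match(line):
            current = FtpSession(m.group(1), datetime.strptime(m.group(2).strip(), TS_FORMAT))
            sessions.append(current)
        elif current is None:
            continue                                   # nothing to attribute it to
        elif m := RE_SESDCN.match(line):
            current.ended = datetime.strptime(m.group(2).strip(), TS_FORMAT)
            current = None
        elif m := RE_USER.match(line):
            current.user = m.group(1)
        elif m := RE_OBJ.match(line):
            current.probed.append(m.group(1))
        elif m := RE_CHINFO.match(line):
            if m.group(1).startswith("Failed to create directory"):
                current.mkd_attempts += 1
            elif m.group(1).startswith("Failed to set default directory"):
                current.failed_cwd += 1
    return sessions


def is_drop_site_probe(s: FtpSession, min_failures: int = 3, max_seconds: float = 60.0) -> bool:
    """Heuristic from the post's observations: anonymous, a burst of failed
    CWD/MKD, and the whole session over within seconds."""
    d = s.duration_seconds()
    if s.user != "anonymous" or d is None:
        return False
    return (s.failed_cwd + s.mkd_attempts) >= min_failures and d <= max_seconds


def report(text: str) -> List[dict]:
    return [{"host": s.host, "user": s.user, "seconds": s.duration_seconds(),
             "failed_cwd": s.failed_cwd, "mkd_attempts": s.mkd_attempts,
             "paths": s.probed, "flagged": is_drop_site_probe(s)}
            for s in parse_ftp_log(text)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

The thresholds are deliberately loose: three failures in under a minute is far below the thirty-odd directories each script above runs through, yet still above what a person exploring an anonymous area by hand produces. The quiet second session in the sample, like the Mozilla download of the Perl kit in the February 14 entry, has no failure burst and is left alone.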
Well, some weird thing in mail - it happened several times over the last days, but I still have to investigate:

%%%%%%%%%%% OPCOM 17-FEB-2006 06:13:28.00 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 82.49.85.174 Port: 2776

%%%%%%%%%%% OPCOM 17-FEB-2006 06:13:40.15 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51607

%%%%%%%%%%% OPCOM 17-FEB-2006 06:13:45.36 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51608

Every 5 seconds or so, until:

%%%%%%%%%%% OPCOM 17-FEB-2006 06:16:44.73 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51639

Here it stopped, but it started again 36 hours later:

%%%%%%%%%%% OPCOM 18-FEB-2006 21:13:56.84 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 80.182.88.246 Port: 3552

%%%%%%%%%%% OPCOM 18-FEB-2006 21:14:14.26 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51832

%%%%%%%%%%% OPCOM 18-FEB-2006 21:14:19.85 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51833

again every 5 seconds or so until:

%%%%%%%%%%% OPCOM 18-FEB-2006 21:17:25.44 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51864

A few hours later, it started once again:

%%%%%%%%%%% OPCOM 19-FEB-2006 06:40:42.39 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 82.49.85.148 Port: 2783

%%%%%%%%%%% OPCOM 19-FEB-2006 06:40:55.44 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51871

%%%%%%%%%%% OPCOM 19-FEB-2006 06:41:01.25 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51872

every 5 seconds until:

%%%%%%%%%%% OPCOM 19-FEB-2006 06:43:57.63 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51903

but shortly after, it started once again:

%%%%%%%%%%% OPCOM 19-FEB-2006 07:26:23.47 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 82.49.85.148 Port: 2520

%%%%%%%%%%% OPCOM 19-FEB-2006 07:26:35.64 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51904

%%%%%%%%%%% OPCOM 19-FEB-2006 07:26:42.05 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51905

and so on, until

%%%%%%%%%%% OPCOM 19-FEB-2006 07:29:39.23 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 192.168.0.33 Port: 51936

192.168.0.33 is Cerberus! But there is no message at all to be found at these times.
Someone tampering with the router? As far as I know there is no SMTP server in it, it's flash-based, but if this is true, it's not as safe as it should be. Time to re-enable Charon.

Sunday, February 19

19-Feb-2006

Diana logs
Made a small change in the job that cycles the logfiles, in order to cycle the Apache logfiles as well: set the commands to SYS$MANAGER:APACHE$CONFIG in uppercase, because the default setting on Diana is to keep case, and this procedure takes the parameters as-is - it will not change case before comparison - so nothing would happen.
Also created a command procedure to show all versions of the logfiles as hyperlinks, and added its execution to the scan procedure; next, this adapted version has been submitted. We'll see tomorrow if it works.
New web setup
Downloaded a number of products that are known to work (directly, or with minor adjustments) on VMS. Have them installed on Athene to get an idea of what it looks like and how it works, without interrupting normal processing. All use MySQL as a database and are written in PHP; all look promising. Next is to make a basic set-up, then install new MySQL and the products I want to use, and make the new web public.
Another internet mail client
Yahmail's successor is here: SOYMAIL, by the same author. Downloaded and installed it - had to do some adjustments since I do not install directly under APACHE$COMMON. It all seems right, but for some reason it always shows:

Fatal soyMAIL Error: Insufficient privilege or objectprotection violation.

Next, I enabled logging according to the manual and got some output, but that didn't help either. Contacted the author for help.

Tuesday, February 14

14-Feb-2006

Not yet working
The logs of the Apache server were expected to be copied - but once again, they were not, so there is again something to look after: did it work at all? Well, it did, since the operator and FTP logs were copied; just the Apache logfiles seem to be missing. Whether it's just the copy that failed, or the whole part of the processing in the batch procedure, remains to be seen.
Security
Weird processing in FTP when checking, but it may be an issue with firewall settings.

This is ftp_anonymous.log's data:

11-FEB-2006 19:52:42.20 User:anonymous logged in ident:AppleNetworkingTechnology@apple.com from Host:216-99-199-38.cust.aracnet.com
11-FEB-2006 19:52:44.20 User:anonymous ident:AppleNetworkingTechnology@apple.com logged out

Just checking existence? Well, then a try to access a directory; this may be automatic. The directory exists, and here it says it's OK:

11-FEB-2006 19:52:44.80 User:anonymous logged in ident:AppleNetworkingTechnology@apple.com from Host:216-99-199-38.cust.aracnet.com
11-FEB-2006 19:52:46.00 User:anonymous ident:AppleNetworkingTechnology@apple.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]WEB_DISK^:^[public^.anonymous^].;
11-FEB-2006 19:52:46.21 User:anonymous ident:AppleNetworkingTechnology@apple.com logged out

OK, that's one step further. Now a try with TWO sessions at a time, but as a different user (the Mozilla client's default?), and one got down to the (existing) Perl directory:

11-FEB-2006 19:53:40.47 User:anonymous logged in ident:mozilla@example.com from Host:216-99-199-38.cust.aracnet.com
11-FEB-2006 19:53:42.62 User:anonymous ident:mozilla@example.com status:00010001 CWD dir:WEB_DISK:[public.anonymous.perl]

The other logged out immediately:

11-FEB-2006 19:55:40.63 User:anonymous logged in ident:mozilla@example.com from Host:216-99-199-38.cust.aracnet.com
11-FEB-2006 19:55:43.00 User:anonymous ident:mozilla@example.com logged out

The one still connected tried to retrieve the binary kit and then logged off:

11-FEB-2006 19:57:42.27 User:anonymous ident:mozilla@example.com status:FFFFFFFF RETR file:WEB_DISK:[public.anonymous.perl.binarykit]perl-5_8_4-vmsaxp-7_2-1.zip;1
11-FEB-2006 19:57:42.34 User:anonymous ident:mozilla@example.com logged out


But: status -1: would that mean an error? Or is this "success"? (TCPIP has been ported from Tru64 and is known for this kind of bad habit....)

FTP log shows the same things.
The first access: log in and out:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 216-99-199-38.cust.aracnet.com at 11-FEB-2006 19:52:41.67
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 216-99-199-38.cust.aracnet.com at 11-FEB-2006 19:52:44.27


Testing whether it existed? Now the other accesses:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 216-99-199-38.cust.aracnet.com at 11-FEB-2006 19:52:44.40
%TCPIP-I-FTP_NODE, client host name: 216-99-199-38.cust.aracnet.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK^:^[public^.anonymous^]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000D: Failed to set default directory
%TCPIP-E-FTP_BADDIR, invalid directory
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 216-99-199-38.cust.aracnet.com at 11-FEB-2006 19:52:46.27

Weird, this directory does exist, but without the escaped :, [, . and ] (they're not needed, so either this person's FTP client is bad, or the person doesn't know the proper escaping).
Once more, and now two sessions at a time:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 216-99-199-38.cust.aracnet.com at 11-FEB-2006 19:53:40.06

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 216-99-199-38.cust.aracnet.com at 11-FEB-2006 19:55:40.22

Both sessions try to access 'backward', or is this an attempt at passive mode? Never seen this before, not even with the Linksys router:

%TCPIP-I-FTP_NODE, client host name: 216-99-199-38.cust.aracnet.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: 216.99.199.38
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000E: Can't open data connection
%SYSTEM-F-TIMEOUT, device timeout
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 216-99-199-38.cust.aracnet.com at 11-FEB-2006 19:55:43.22

and the other session the same:

%TCPIP-I-FTP_NODE, client host name: 216-99-199-38.cust.aracnet.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: 216.99.199.38
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC0000F: Can't open data connection
%SYSTEM-F-TIMEOUT, device timeout
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 216-99-199-38.cust.aracnet.com at 11-FEB-2006 19:57:42.43

Or did it something different?

Friday, February 10

10-Feb-2006

Time did permit
so I examined these two addresses of yesterday's outcome:

32.97.182.141 is IBM:

AT&T Global Network Services ATT-32-0-0-0-A (NET-32-0-0-0-1)
32.0.0.0 - 32.255.255.255
IBM IBM20-182-0 (NET-32-97-182-0-1)
32.97.182.0 - 32.97.182.255

205.248.102.79 is Microsoft:

INFONET Services Corporation INFOLAN-BLK2 (NET-205-248-0-0-1)
205.248.0.0 - 205.248.255.255
Microsoft Corp MICROSOFT33 (NET-205-248-80-0-1)
205.248.80.0 - 205.248.129.255

Thursday, February 9

09-Feb-2006

Distributed Netbeans for demo
This nice (oh well..) product has been installed: Netbeans 3.6 on Aphrodite and the IDE server on Diana. Both client and server are Java, which requires some system-wide settings on VMS to be set very, very high: WSMAX extended to 300.000 to accommodate a PQL_DWSEXTENT of the same amount, and PQL_DPGFLQUO set to 500.000, just below the size of the current pagefile. These changes required a reboot (WSMAX is not dynamic), and after that the accounts used to test it required some changes as well. Once done, it kind of works. Starting the server is quick, but it takes some time before clients are able to connect. And, please, on this 256 MB, 600 MHz machine, one at a time....
Anyway: good for testing and preparing the demo on Feb 28th.

Tried it first using Netbeans 5.0 on Aphrodite but that didn't take the modules: missing file.

Microsoft's and IBM's mailservers open relays???
Just for the record - it might be a fake, but take a look at this spam's mail header:

Return-Path: kentronsi@afsingapour.com
Received: from 64.99.101-84.rev.gaoland.net (84.101.99.64)
by diana.intra.grootersnet.nl (V5.5-11, OpenVMS V8.2 Alpha); Thu, 9 Feb 2006 20:26:54 +0100 (CET)
Received: from [205.248.102.79] (port=25 helo=mailc.microsoft.com)
by mailc.microsoft.com with smtp
for <me> ; Thu, 09 Feb 2006 20:28:43 +0100
Received: from [32.97.182.141] (port=25 helo=e1.ny.us.ibm.com)
by e1.ny.us.ibm.com with smtp
for <me> ; Thu, 09 Feb 2006 20:28:43 +0100
Message-ID: <000001c62dd9$13cd1b80$0100007f@localhost>
From: "Elias Long"
To:
Subject: Don't get left behind!
Date: Thu, 09 Feb 2006 20:28:43 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0001_01C62DD9.13CD1B80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

(for obvious reasons, I removed my email address)

Read the receivers from bottom up:

e1.ny.us.ibm.com - IBM, US, New York (that's an assumption, but I guess rather valid)
mailc.microsoft.com - Microsoft - you know...

Next is to check:
32.97.182.141 - is this IBM?
205.248.102.79 - is this Microsoft?

Tomorrow, when time permits...
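Reading the chain bottom-up by hand is how the entry above does it. As an added example (not from this diary, and not a TCPIP Services or SMTP tool), here is the same reading in Python. The headers are constructed from the extract above, folded the way an MTA actually writes them and with the local address elided as in the post. The script trusts only the hop written by Diana's own MTA and checks the sender-supplied hops beneath it for two tell-tales that are visible in the extract: a host that claims to have received the mail from itself (the helo= name equal to the "by" host), and a timestamp later than that of the hop that supposedly received the message next. The flag names and the choice of exactly these two heuristics are mine.

```python
import re
from email.utils import parsedate_to_datetime

# "from <host> (<comment>) ... by <host> ... ; <date>"  -- the shape of every hop above.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+).*;\s*(?P<date>.+)$",
    re.S)
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def unfold(raw):
    """Join RFC 822 folded continuation lines (leading whitespace) back onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.rstrip())
    return headers


def parse_received(value):
    """One Received: value -> who claims to have sent it, who claims to have received it, when."""
    m = RECEIVED_RE.search(value)
    paren = m.group("paren") or ""
    helo = re.search(r"helo=(\S+)", paren)
    ip = IP_RE.search(m.group("from") + " " + paren)
    return {"from": m.group("from"), "from_ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None, "by": m.group("by"),
            "date": parsedate_to_datetime(m.group("date").strip())}


def analyze(raw_headers, local_host):
    """Walk the Received chain top-down. Only the hop written by our own MTA is trusted;
    every hop beneath it was supplied by the sender and is checked for two tell-tales:
    a host that claims to receive mail from itself (helo == by) and a timestamp later
    than that of the hop which supposedly received the message next (the one above it)."""
    hops = [parse_received(h.split(":", 1)[1]) for h in unfold(raw_headers)
            if h.lower().startswith("received:")]
    report = []
    for i, hop in enumerate(hops):
        flags = []
        if hop["helo"] and hop["helo"].lower() == hop["by"].lower():
            flags.append("helo-equals-by")
        if i > 0 and hop["date"] > hops[i - 1]["date"]:
            flags.append("timestamp-after-receiving-hop")
        report.append({"by": hop["by"], "from_ip": hop["from_ip"],
                       "trusted": i == 0 and hop["by"].lower() == local_host.lower(),
                       "flags": flags})
    # The only peer address we actually saw is the one in our own MTA's hop.
    return {"origin_ip": hops[0]["from_ip"] if hops else None, "hops": report}


# Constructed sample: the Received chain quoted above, folded as an MTA writes it.
HEADERS = """\
Received: from 64.99.101-84.rev.gaoland.net (84.101.99.64)
 by diana.intra.grootersnet.nl (V5.5-11, OpenVMS V8.2 Alpha); Thu, 9 Feb 2006 20:26:54 +0100 (CET)
Received: from [205.248.102.79] (port=25 helo=mailc.microsoft.com)
 by mailc.microsoft.com with smtp
 for <me> ; Thu, 09 Feb 2006 20:28:43 +0100
Received: from [32.97.182.141] (port=25 helo=e1.ny.us.ibm.com)
 by e1.ny.us.ibm.com with smtp
 for <me> ; Thu, 09 Feb 2006 20:28:43 +0100
"""

if __name__ == "__main__":
    result = analyze(HEADERS, "diana.intra.grootersnet.nl")
    print("peer that really connected to us:", result["origin_ip"])
    for hop in result["hops"]:
        print(hop)
```

On the chain above this reports 84.101.99.64 as the only peer Diana actually talked to, and flags both "microsoft" and "ibm" hops as self-received; the "microsoft" hop is additionally dated later than Diana's own receipt, which a real upstream hop cannot be. Whether those two address blocks are IBM's and Microsoft's (the check the entry defers to tomorrow) says nothing about who wrote the lines, since anything below the top hop is sender-supplied text.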

Wednesday, February 8

08-Feb-2006

Error corrected
It seems the error was corrected; all was normal today.
Apache trouble since last reboot
Well, not really, just that Tomcat isn't running. But that's not new.

Diana's site-specific startup procedure (SYSTARTUP_VMS.COM) is divided in two: one part runs in the foreground, directly invoked by STARTUP.COM (the basic boot procedure that comes with OpenVMS and should not be altered), and takes care of the stuff that is considered "basic". The rest is submitted to batch at its end, so as soon as this job is submitted I have access to the system on the console while the rest is still being prepared. And I get a log, regardless of the SYSGEN settings (and in a predefined, self-chosen location).

This batch procedure starts TCPIP, enables the use of programming languages (most likely it just loads the privileged parts of compilers, SDK members and the like), starts databases, and also starts Apache the Diana way, using a command procedure. One more, indeed, but with a reason: it starts all Apache-based stuff in the right order.
Starting Apache implies starting Tomcat beforehand, to be able to use Tomcat's facilities. In that process, apache$tomcat.exe is started as a detached process. However, in some way this fails with an RMS error: File not found, or File protection violation... I have to check accounting and audit for the exact message, but I think it is an issue with SYS$OUTPUT or SYS$ERROR, since the problem does not occur when started from the terminal.
Apache has no problem with Tomcat not running; it will simply become available later.
So normally, I stop the webserver and run by hand the startup procedure that the batch procedure would execute.
But this time, I didn't.

Since Tomcat isn't started, Java cannot be started from the web, nor will .JSP files be served. I have none, so it is not really an issue. Even better: it frees resources. Tomcat is written in Java and consumes quite a lot of CPU, memory and IO even when doing nothing at all.

So I decided to leave it for the moment.

Tuesday, February 7

07-Feb-2006

Bad habits pay back. Always...
Released the edited command procedure too soon, and purged without resubmitting the job that processes the logfiles. Result:

Error opening primary input file SYS$INPUT
File not found
SYSTEM job terminated at 7-FEB-2006 00:00:00.27

and running the procedure manually today revealed some stupid errors.
Should have known better than that!

Monday, February 6

06-Feb-2006

Logs
Checked why access_log wasn't copied. Found an error in the command procedure: it copied several times, so I lost the last ones. Next week, it should work properly

Sunday, February 5

05-Feb-2006

One step at a time
I had just a few hours to work on Diana booting from the new system disk, to test POP, the only one of the basic protocols still to be tested. Also, the system authorisation and startup files had been put in another location, and that should be usable as well. This required some rethinking; "3dgen" not being a logical disk but a single directory made things a lot simpler. But some things had to be changed in startup, for instance the right definition of this logical....
This was a requirement since, although the system came up nicely, it was impossible to log in: a number of logicals seemed to be wrong and, for instance, SYSUAF.DAT was inaccessible. Using minimal startup, all these issues could be solved and in the end it all worked, that is: sort of. BIND, for instance, wasn't started, and TCPIP SHO HOST didn't show all the expected results: just what's in HOSTS, but not the DNS zone.
It turned out that the copied SYSUAF.DAT contained different values for the TCPIP service identifiers, so ownership of most of the service directories and files was wrong. Solved that manually (there are not so many), restarted the services, and it all worked, POP as well.
Reverted to the original disk, since the webserver hasn't been installed yet. That's next.
Aphrodite's troubles
I have de-installed the VPN software; the system even restarted in the final stage of de-installing it, but it seemed to be gone anyway. Next, I tried to revert to an earlier XP checkpoint, from before the installation of the VPN software. But this failed, and so did one further back. The final "solution" was to examine the registry and change it directly, removing what seemed to be related to this removed software. After a reboot, the VPN software and some other products were indeed fully removed, and no more crashes have occurred.
Security
Some FTP attempts have been made since last time:

%%%%%%%%%%% OPCOM 2-FEB-2006 07:06:35.33 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: rtr.sebastiana.ceti.pl
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060202070831p]

TCPIP$FTP_ANONYMOUS.LOG shows a connection of just over half a minute:

2-FEB-2006 07:06:34.44 User:anonymous logged in ident:Rgpuser@home.com from Host:rtr.sebastiana.ceti.pl
2-FEB-2006 07:06:35.07 User:anonymous ident:Rgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
2-FEB-2006 07:07:09.96 User:anonymous ident:Rgpuser@home.com logged out

Manual activity, this time?
According to TCPIP$FTP_RUN.LOG, TWO attempts. One straight FTP login (presumably):

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from rtr.sebastiana.ceti.pl at 2-FEB-2006 02:55:39.69
%TCPIP-E-FTP_LOGFAL, remote interactive login failure anonymous@ftp.adobe.com
-TCPIP-I-FTP_NODE, client host name: rtr.sebastiana.ceti.pl
-LOGIN-F-NOSUCHUSER, no such user
The other attempt is just the usual:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from rtr.sebastiana.ceti.pl at 2-FEB-2006 07:06:34.04
%TCPIP-I-FTP_NODE, client host name: rtr.sebastiana.ceti.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060202070831p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00003: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: rtr.sebastiana.ceti.pl
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00003: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
and the same for:
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /web/

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from rtr.sebastiana.ceti.pl at 2-FEB-2006 07:07:10.03

Another attempt the next day, by a US-based kiddie:

Operator.log:
%%%%%%%%%%% OPCOM 3-FEB-2006 05:38:23.89 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: 66-227-168-217.static.aldl.mi.charter.com
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.sliverslide_tagged]

According to FTP_ANONYMOUS.LOG this must have been a script:
3-FEB-2006 05:38:22.74 User:anonymous logged in ident:ddeeff from Host:66-227-168-217.static.aldl.mi.charter.com
3-FEB-2006 05:38:23.67 User:anonymous ident:ddeeff status:00010001 CWD dir:WEB_DISK:[public.anonymous]
3-FEB-2006 05:38:24.04 User:anonymous ident:ddeeff status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]pub.;
3-FEB-2006 05:38:33.32 User:anonymous ident:ddeeff logged out

Trying the obvious, once again, according to FTP_RUN.LOG: all the typical IIS and Linux/Apache directory names:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 66-227-168-217.static.aldl.mi.charter.com at 3-FEB-2006 05:38:22.39
%TCPIP-I-FTP_NODE, client host name: 66-227-168-217.static.aldl.mi.charter.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.sliverslide_tagged]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00004: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: 66-227-168-217.static.aldl.mi.charter.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]pub
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00004: Failed to set default directory
%TCPIP-E-FTP_BADDIR, invalid directory

and it goes on:
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /pub/images
%TCPIP-I-FTP_OBJ, object: /pub/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /pub/_vti_txt/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /wwwroot/incoming/
%TCPIP-I-FTP_OBJ, object: /wwwroot/pub/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_cfg/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /www/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/

%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /cgibin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /in/
%TCPIP-I-FTP_OBJ, object: /html/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /cgibin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /public_html/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /~tmp/
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /~temp/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_USER, user name: anonymous


%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from 66-227-168-217.static.aldl.mi.charter.com at 3-FEB-2006 05:38:33.39
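The two probes above, and the question in the Feb 14 entry about what status FFFFFFFF means, are the kind of thing worth triaging with a script rather than by eye. As an added example, not part of this diary and not a TCPIP Services tool, here is a Python pass over the two log formats quoted on this page. The sample lines are constructed from the extracts above; the list of directory names is taken from the probes in those extracts; the severity decoding follows the OpenVMS condition-value layout (severity in bits <2:0>, odd values are success-class, 5 through 7 reserved), which is why 00010001 reads as success, 07649912 as error, and FFFFFFFF as no valid severity at all. The "automated" rule (a directory-creation attempt plus three or more well-known names inside a minute) is my own threshold.

```python
import re
from datetime import datetime

# Directory names the probes on this page try one after another (taken from the
# FTP_RUN.LOG extracts above); a session hitting several of these is a scanner.
SCANNER_DIRS = {
    "/pub/", "/public/", "/incoming/", "/pub/incoming/", "/public/incoming/",
    "/upload/", "/wwwroot/", "/public_html/", "/images/", "/_private/",
    "/_vti_pvt/", "/_vti_txt/", "/_vti_cfg/", "/_vti_log/", "/_vti_cnf/",
    "/cgi-bin/", "/ftproot/", "/mailroot/", "/home/", "/tmp/", "/temp/",
}
# OpenVMS condition values carry their severity in bits <2:0>; odd values are
# success-class. 5..7 are reserved, so FFFFFFFF (-1) decodes to no valid severity.
SEVERITY = {0: "warning", 1: "success", 2: "error", 3: "informational", 4: "severe"}
MONTHS = {m: i for i, m in enumerate("JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split(), 1)}

ANON_RE = re.compile(
    r"^(?P<ts>\d{1,2}-[A-Z]{3}-\d{4} \d\d:\d\d:\d\d\.\d\d) User:(?P<user>\S+) "
    r"(?:logged in ident:(?P<ident_in>\S+) from Host:(?P<host>\S+)"
    r"|ident:(?P<ident>\S+) (?:status:(?P<status>[0-9A-Fa-f]{8}) (?P<op>\w+) "
    r"(?:dir|file):(?P<target>\S+)|logged out))$")


def decode_status(status_hex):
    """Severity of a TCPIP$FTP status field as logged (8 hex digits)."""
    return SEVERITY.get(int(status_hex, 16) & 0x7, "undefined (not a valid severity)")


def parse_ts(text):
    """'3-FEB-2006 05:38:22.74' -> datetime (own month table, so locale does not matter)."""
    day, mon, rest = text.split("-", 2)
    year, hms = rest.split(" ", 1)
    hour, minute, sec = hms.split(":")
    sec_f = float(sec)
    return datetime(int(year), MONTHS[mon.upper()], int(day), int(hour), int(minute),
                    int(sec_f), int(round((sec_f - int(sec_f)) * 1e6)))


def parse_anon(text):
    """TCPIP$FTP_ANONYMOUS.LOG lines -> event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ANON_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        ev = {"ts": parse_ts(d["ts"]), "ident": d["ident_in"] or d["ident"]}
        if d["host"]:
            ev.update(event="login", host=d["host"])
        elif d["op"]:
            ev.update(event=d["op"], status=d["status"].upper(), target=d["target"],
                      severity=decode_status(d["status"]))
        else:
            ev["event"] = "logout"
        events.append(ev)
    return events


def parse_run(text):
    """TCPIP$FTP_RUN.LOG: each FTP_OBJ line names the object of the command that follows;
    a 'Failed to create directory' right after it means that object was an MKD attempt."""
    objects, mkd_attempts, last_obj = [], [], None
    for line in text.splitlines():
        if line.startswith("%TCPIP-I-FTP_OBJ, object: "):
            last_obj = line.split("object: ", 1)[1].strip()
            objects.append(last_obj)
        elif "Failed to create directory" in line and last_obj:
            mkd_attempts.append(last_obj)
    return objects, mkd_attempts


def triage(anon_text, run_text):
    """Summarise one anonymous session from both logs and decide whether it looks scripted."""
    events = parse_anon(anon_text)
    objects, mkd = parse_run(run_text)
    probes = [o for o in objects if o.lower() in SCANNER_DIRS]
    logins = [e["ts"] for e in events if e["event"] == "login"]
    logouts = [e["ts"] for e in events if e["event"] == "logout"]
    seconds = (logouts[0] - logins[0]).total_seconds() if logins and logouts else None
    return {
        "mkd_attempts": mkd,
        "probed_scanner_dirs": probes,
        "session_seconds": seconds,
        "statuses": {e["status"]: e["severity"] for e in events if "status" in e},
        # an upload-directory creation plus a run of well-known names within a minute
        "automated": bool(mkd) and len(probes) >= 3 and (seconds is None or seconds < 60),
    }


# Constructed sample lines in the two formats quoted on this page.
ANON_LOG = """\
3-FEB-2006 05:38:22.74 User:anonymous logged in ident:ddeeff from Host:66-227-168-217.static.aldl.mi.charter.com
3-FEB-2006 05:38:23.67 User:anonymous ident:ddeeff status:00010001 CWD dir:WEB_DISK:[public.anonymous]
3-FEB-2006 05:38:24.04 User:anonymous ident:ddeeff status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]pub.;
3-FEB-2006 05:38:33.32 User:anonymous ident:ddeeff logged out
11-FEB-2006 19:57:42.27 User:anonymous ident:mozilla@example.com status:FFFFFFFF RETR file:WEB_DISK:[public.anonymous.perl.binarykit]perl-5_8_4-vmsaxp-7_2-1.zip;1
"""
RUN_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 66-227-168-217.static.aldl.mi.charter.com at 3-FEB-2006 05:38:22.39
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.sliverslide_tagged]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00004: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /images/
"""

if __name__ == "__main__":
    for key, value in triage(ANON_LOG, RUN_LOG).items():
        print(f"{key}: {value}")
```

The point of combining the two files is that FTP_ANONYMOUS.LOG gives the timing and the status per command, while only FTP_RUN.LOG shows the failed MKD and the list of directory names tried; either alone underreports what the visitor did. The one "Failed to create directory" line is the part that matters: the directory protection on WEB_DISK:[public.anonymous] held, which is why these probes end in NOPRIV rather than in a new drop directory.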

Mail is a long list for the period (over one week), so I won't get into that one this time.