SYSMGR

We're a bunch of Computers: Diana, Daphne, and Dido, called the 3D-cluster, running OpenVMS, Io running OpenVMS as well (in some obscure role in the network) Aphrodite, Athene and Irene running WindowsXP-Pro (SP2, of course) and Cerberus at the edge of the Network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Monday, January 30

30-Jan-2006

No access ???
The websites were all out of order this morning, but telnet was possible, and SWS was up and running. Restarting the webserver did not help.
A sudden thought: the forwarding of traffic on port 80 had been moved to the cluster address, but that was not reflected in HTTPD.CONF - there the old address was still used. So I changed that file to hold the cluster address instead, restarted the server, and it worked again.

Sunday, January 29

29-Jan-2006

Spontaneous reboots
Aphrodite has shown a nasty behaviour since the VPN software was installed: all of a sudden, the system restarts without notice. The event logger shows "System error" and the information from Microsoft doesn't say anything, except that it might be a driver issue. The only thing new is this VPN software - but the crashes do not occur only when it is used; they happen even when it hasn't been used at all - it just happens. Of course there might be an issue with it; the only way to find out is to remove it and wait. Then, after 10, 20, 30 minutes, or more than an hour, it happens again.
Data has been sent to Microsoft on each of the crashes, but the question remains what will be done.
Cluster configuration
Just some time was used for checking the new system disk: since DNS and DHCP do work, now checking SMTP and POP - but first, I did an AUTOGEN using the MODPARAMS.DAT file last used on Diana, and removed an error in SYPAGSWPFILES.COM so the additional pagefile is used as well.
After reboot, mail did not arrive at Diana, though SMTP was running; the mail couldn't be retrieved either. Found a lot of IO - by BIND. That triggered the solution: Cerberus passes all SMTP traffic to the CLUSTER address (.200); the address is configured on Diana but it wasn't yet defined in DNS... Once that was done, SMTP did work: mail could be sent to, and received from, any internet address, even using Aphrodite's Outlook. However, POP does not work - yet.
Changed the router so that HTTP goes to the cluster address as well (will be needed in future anyway).
In the end, rebooted from the original system disk - since all works there.

Thursday, January 26

26-Jan-2006

Quiet times
Too quiet, perhaps? Just the ordinary stuff with bad mail - I think I've seen most of them before, so there is no reason to publish.
System updates to come
In some places I read about troubles with SWS 2.1 and MOD_PHP 1.3, but others seem to have no issues at all. I _could_ do an update after having backed up the current system disk, so a simple reboot (though from another disk) would return it to its original state. Although I'd prefer to install it freshly using the new system disk. We'll see how far we can get this weekend.
VPN connection to the office
In the past I have tried to create a VPN connection to the company office, but for some reason that never succeeded. The main problem might have been the included ZoneAlarm firewall, which didn't work well with Charon at the time; the laptop (Athene) didn't like it at all: it crashed severely when the VPN software was started while using the wireless connectivity, and Venus (at the time) could not properly connect - the connection was set up, but for some obscure reason connecting to storage on the office network always failed and caused the connection to be dropped. So I abandoned the idea.

A few months ago the office moved to another location, and the network was changed, so I decided to give it another try. Tonight I tried on Aphrodite, but since Cerberus is the external firewall, ZoneAlarm was not installed; just the VPN software would do. After reboot it all went well; just creating the tunnel took some time, but after that, all connections could be made.
So next will be Athene - see if that works as well, but I have a different brand of hardware for wireless network, with different drivers, and the VPN software may be working well with these.
SOAP
I don't mean the protocol
The project for which the research has been done may be postponed, or cancelled. The way it's done is soap: I think we'd do; no we don't; yes, we do, he wants it; it's said we do; or don't we?; we might do... You know what is meant...

Wednesday, January 25

24-Jan-2006

Some keep trying
like this one in FTP, that has tried before (at least, there have been access attempts from a DIALIN.NET user before):

%%%%%%%%%%% OPCOM 24-JAN-2006 17:44:44.80 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: p54AE7108.dip.t-dialin.net
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060124174541p]


As usual, just a short period, according to anonymous_ftp.log:

24-JAN-2006 17:44:41.08 User:anonymous logged in ident:Zgpuser@home.com from Host:p54AE7108.dip.t-dialin.net
24-JAN-2006 17:44:44.51 User:anonymous ident:Zgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
24-JAN-2006 17:44:47.90 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]tagged.;
24-JAN-2006 17:44:48.03 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]Tagged.;
24-JAN-2006 17:44:48.12 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]TaGGeD.;
24-JAN-2006 17:44:48.26 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]data.;.;
24-JAN-2006 17:44:48.39 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]Data.;.;
24-JAN-2006 17:44:48.55 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]^%.;.;.;
24-JAN-2006 17:44:48.69 User:anonymous ident:Zgpuser@home.com logged out


about 7 seconds - a script, obviously since I doubt very much that someone could type that fast.
There was quite a lot more - as is shown in FTP_RUN.LOG. First, just trying to access directories:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from p54AE7108.dip.t-dialin.net at 24-JAN-2006 17:44:38.59
%TCPIP-I-FTP_NODE, client host name: p54AE7108.dip.t-dialin.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format


and other directories the same way - and the same error:

%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/

Next a change in behaviour: now there is an attempt to create a directory, and next an attempt to access from there (assumed - the script is unknown):

%TCPIP-I-FTP_NODE, client host name: p54AE7108.dip.t-dialin.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060124174541p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: p54AE7108.dip.t-dialin.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format


and the same error occurs on accessing other directories:

%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/


Weird that all these are not signalled in anonymous_ftp.log - because of the Unix format, perhaps? When they look like a VMS specification, they do show up:

%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%


This guy - or his program - has some idea of what VMS filespecs look like - but not good enough. "^" as an escape character is right, but not the position. ":", "[" and "]" are valid for VMS, you know....

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from p54AE7108.dip.t-dialin.net at 24-JAN-2006 17:44:48.73
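One way to pull the observations above (session length, command timing, escaped SYS$POSIX_ROOT targets) out of anonymous_ftp.log automatically; this is an added example, not the blog's own script, and the sample lines are constructed after the two sessions quoted in this log:

```python
"""Session reconstruction for TCPIP$FTP's anonymous_ftp.log.

Added example (not the blog's own code): groups the log lines into
login/logout sessions, measures duration and command spacing, and flags
what the entry above spots by eye: sub-second command spacing that nobody
types, and CWD targets that try to climb out of the anonymous tree via an
escaped SYS$POSIX_ROOT spec.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the two sessions quoted in this log.
SAMPLE_LOG = """\
24-JAN-2006 17:44:41.08 User:anonymous logged in ident:Zgpuser@home.com from Host:p54AE7108.dip.t-dialin.net
24-JAN-2006 17:44:44.51 User:anonymous ident:Zgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
24-JAN-2006 17:44:47.90 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]tagged.;
24-JAN-2006 17:44:48.26 User:anonymous ident:Zgpuser@home.com status:07649912 CWD dir:WEB_DISK:[public.anonymous]SYS$POSIX_ROOT^:^[000000^]data.;.;
24-JAN-2006 17:44:48.69 User:anonymous ident:Zgpuser@home.com logged out
21-JAN-2006 01:57:04.00 User:anonymous logged in ident:Bgpuser@home.com from Host:host217-35-86-85.in-addr.btopenworld.com
21-JAN-2006 01:57:04.66 User:anonymous ident:Bgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
21-JAN-2006 01:57:07.22 User:anonymous ident:Bgpuser@home.com logged out
"""

STAMP = r"(?P<ts>\d{1,2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})"
LOGIN_RE = re.compile(STAMP + r" User:(?P<user>\S+) logged in ident:(?P<ident>\S+) from Host:(?P<host>\S+)$")
CMD_RE = re.compile(STAMP + r" User:(?P<user>\S+) ident:(?P<ident>\S+) status:(?P<status>[0-9A-Fa-f]{8}) (?P<cmd>\S+) (?P<arg>.*)$")
LOGOUT_RE = re.compile(STAMP + r" User:(?P<user>\S+) ident:(?P<ident>\S+) logged out$")
# A target that reaches for SYS$POSIX_ROOT, or carries ^-escaped VMS punctuation,
# is trying to leave the anonymous tree.
ESCAPE_RE = re.compile(r"SYS\$POSIX_ROOT|\^[:\[\]]")
# Two commands closer than this (seconds) are not being typed by hand.
SCRIPT_GAP_S = 0.5


def parse_ts(text):
    return datetime.strptime(text, "%d-%b-%Y %H:%M:%S.%f")


def status_ok(hex_status):
    """VMS condition codes: low bit set means success (00010001 is SS$_NORMAL)."""
    return int(hex_status, 16) & 1 == 1


def summarise(s):
    cmds = s["cmds"]
    end = s["end"] or (cmds[-1][0] if cmds else s["start"])
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(cmds, cmds[1:])]
    return {
        "host": s["host"], "ident": s["ident"], "start": s["start"],
        "duration_s": round((end - s["start"]).total_seconds(), 2),
        "commands": len(cmds),
        "failed": sum(1 for c in cmds if not c[3]),
        "escape_attempts": sum(1 for c in cmds if c[1] == "CWD" and ESCAPE_RE.search(c[2])),
        "scripted": any(g < SCRIPT_GAP_S for g in gaps),
        "complete": s["end"] is not None,
    }


def analyze(log_text):
    """Group the lines into sessions keyed on the ident string and summarise each."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            open_sessions[m["ident"]] = {"host": m["host"], "ident": m["ident"],
                                         "start": parse_ts(m["ts"]), "end": None, "cmds": []}
            continue
        m = LOGOUT_RE.match(line)
        if m and m["ident"] in open_sessions:
            s = open_sessions.pop(m["ident"])
            s["end"] = parse_ts(m["ts"])
            finished.append(summarise(s))
            continue
        m = CMD_RE.match(line)
        if m and m["ident"] in open_sessions:
            open_sessions[m["ident"]]["cmds"].append(
                (parse_ts(m["ts"]), m["cmd"], m["arg"], status_ok(m["status"])))
    # Sessions without a logout line are still worth reporting.
    finished.extend(summarise(s) for s in open_sessions.values())
    return finished


def report(sessions):
    """One line per session, in the spirit of the hand-made notes above."""
    lines = []
    for s in sessions:
        tags = []
        if s["scripted"]:
            tags.append("scripted")
        if s["escape_attempts"]:
            tags.append("%d escape attempt(s)" % s["escape_attempts"])
        if not s["complete"]:
            tags.append("no logout seen")
        lines.append("%s %s ident=%s %.2fs %d cmd(s), %d failed%s" % (
            s["start"].strftime("%d-%b-%Y %H:%M:%S").upper(), s["host"], s["ident"],
            s["duration_s"], s["commands"], s["failed"],
            " [" + ", ".join(tags) + "]" if tags else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```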

Bad mail was limited:

24-JAN-2006 04:11:08.62 BADMF peter@yahoo.com
24-JAN-2006 04:11:16.61 BADMF peter@yahoo.com
24-JAN-2006 04:11:24.61 BADMF peter@yahoo.com
24-JAN-2006 05:05:28.24 CLNTINRBL 143.248.223.218
24-JAN-2006 06:32:20.14 CLNTINRBL 58.51.89.8
24-JAN-2006 14:28:05.85 CLNTINRBL 69.173.46.107
24-JAN-2006 14:28:20.65 CLNTINRBL 221.10.98.121
24-JAN-2006 14:29:58.55 CLNTINRBL 200.242.18.80
24-JAN-2006 14:30:09.97 CLNTINRBL 201.44.0.238
24-JAN-2006 14:31:45.06 CLNTINRBL 210.181.15.157
24-JAN-2006 14:39:53.24 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
24-JAN-2006 18:34:55.36 NOSPAMRLY 221.140.55.69 smtphunter22@daum.net
24-JAN-2006 19:58:59.72 CLNTINRBL 24.166.164.89


and most are already known.

Tuesday, January 24

24-Jan-2006

Security
Copying the webserver logfiles did almost succeed - ACCESS_LOG does now exist but is empty, but ERROR_LOG of the public, mail and private sites do now exist for last week. Scanning these (by hand) revealed attempts to access some non-existing locations - using a script, since the whole access took just a few seconds:

These were quite common:
File does not exist: /www/awstats/awstats.pl
script not found or unable to stat: /apache$root/cgi-bin/awstats.pl
script not found or unable to stat: /apache$root/cgi-bin/awstats
File does not exist: /www/xmlrpc.php
File does not exist: /www/blog/xmlrpc.php
File does not exist: /www/blog/xmlsrv/xmlrpc.php
File does not exist: /www/blogs/xmlsrv/xmlrpc.php
File does not exist: /www/drupal/xmlrpc.php
File does not exist: /www/phpgroupware/xmlrpc.php
File does not exist: /www/wordpress/xmlrpc.php
File does not exist: /www/xmlrpc.php
File does not exist: /www/xmlrpc/xmlrpc.php
File does not exist: /www/xmlsrv/xmlrpc.php
These were found once but combined with a few from above:
File does not exist: /www/index2.php
File does not exist: /www/index.php
File does not exist: /www/mambo/index2.php
File does not exist: /www/cvs/index2.php

The following accesses (start date, IP address) concerned at least one of the above. Most are in the public site's error_log; those marked (*) were found in the one of the mail site:

Jan 16 01:26:42 2006 64.207.218.15 (*)
Jan 16 06:02:49 2006 82.224.76.103 (*)
Jan 16 09:39:06 2006 68.96.26.136 (*)
Jan 17 02:18:15 2006 67.18.40.162
Jan 17 02:18:17 2006 67.18.40.162 (*)
Jan 17 15:41:01 2006 210.82.89.137
Jan 17 17:31:44 2006 213.39.218.171
Jan 18 09:21:26 2006 200.129.27.6
Jan 18 14:46:13 2006 218.232.109.223
Jan 18 18:01:14 2006 218.219.149.177
Jan 19 01:18:13 2006 148.244.247.83
Jan 19 08:12:29 2006 66.98.144.89
Jan 19 13:27:16 2006 201.15.239.10
Jan 20 20:00:57 2006 61.66.208.78 (*)
Jan 20 20:06:02 2006 66.143.182.65
Jan 21 04:25:10 2006 212.68.203.234
Jan 21 23:33:07 2006 206.47.37.212
Jan 22 08:22:50 2006 219.163.61.51
Jan 22 23:46:22 2006 66.34.225.128

This one is probably an IIS attempt - just once, so it might have been a typo:
File does not exist: /www/ + /
by:
Jan 20 17:29:03 2006 152.121.17.40

I find it hard to believe these are typos:

File does not exist: /www/_vti_bin/owssvr.dll
File does not exist: /www/MSOffice/cltreq.asp
found to be attempted by:
Jan 20 20:05:27 2006 206.186.78.194
Jan 22 22:28:47 2006 128.253.95.211

And someone tried to get into the (non-existing) PHPBB and Coppermine areas:

File does not exist: /www/modules/Forums/admin/admin_styles.php
File does not exist: /www/modules/Forums/admin/admin_styles.phpadmin_styles.php
File does not exist: /www/Forums/admin/admin_styles.php
File does not exist: /www/modules/coppermine/themes/default/theme.php
File does not exist: /www/modules/coppermine/themes/default/theme.phptheme.php
Tried just once:
Jan 16 16:34:41 2006 85.37.240.241
thinking I use PHPBB or some other PHP product for my mail ???

Yesterday's mail abuse attempts were minor: 3 times junk from Yahoo that I've seen before (good that they block further attempts!), one daily spam relay attempt and one that shows up once in a while (I'll keep an eye on that one):

23-JAN-2006 20:37:27.68 CLNTINRBL 82.226.85.104
23-JAN-2006 00:13:11.17 BADMF reginald@yahoo.com
23-JAN-2006 00:13:12.59 BADMF reginald@yahoo.com
23-JAN-2006 00:13:14.00 BADMF reginald@yahoo.com
23-JAN-2006 02:33:48.63 BADMF geoffrey@yahoo.com
23-JAN-2006 02:33:49.97 BADMF geoffrey@yahoo.com
23-JAN-2006 02:33:51.31 BADMF geoffrey@yahoo.com
23-JAN-2006 07:09:10.80 BADMF william@yahoo.com
23-JAN-2006 07:09:12.83 BADMF william@yahoo.com
23-JAN-2006 07:09:14.73 BADMF william@yahoo.com
23-JAN-2006 07:21:08.72 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
23-JAN-2006 16:20:05.86 NOSPAMRLY 221.140.55.69 smtphunter22@daum.net

No FTP found these days.

Monday, January 23

23-Jan-2006

Getting on
A short time could be used to get Diana to work using the new system disk. DNS and DHCP work after small adjustments. SMTP and POP configuration copied and processes restarted. Sending mail from Diana is no problem; sending mail to Diana inside the domain will start the receiving process, but it will hang (MUTEX) and disappear after some time - and the sender gets a message that sending failed. Mail from outside the domain isn't received at all. POP doesn't work either - but that might be a user configuration issue.
Set up the cluster address, but it's not yet in DNS.

Since it still doesn't work properly, rebooted back after two hours - there were other issues that required attention.

Sunday, January 22

22-Jan-2006

New systemdisk for Diana
This weekend was used to set up the basic startup for Diana over the shared SCSI and HSZ50. It did boot all right, but finishing the whole sequence was quite another story: containers needed to be opened, and therefore mounting disks had to be done first. That meant looking through the startup files and changing things now and then. That some things didn't work out properly is no surprise, since not all software is installed yet, and some data needs to be set up properly first.
But once it came that far, some configuration issues needed to be handled as well - the cluster IP address, for instance. The whole set should work as before. That meant cleaning up the DNS and DHCP directories - getting rid of the .pid files, for instance. Once that was done, all seemed well.
At least, it looked like it, but when trying to refresh one system's IP settings, DNS wasn't updated, although all info was sent.
After review and copying the files from the original system disk, and a reboot once or twice, it worked!

Next to check is SMTP and POP to work as before, and installation of languages and other tools.

Booted back to the previous system disk for normal work, until all is set and working as I want it to work.

Security
There has been one attempt getting in by FTP:

%%%%%%%%%%% OPCOM 21-JAN-2006 01:57:04.79 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: host217-35-86-85.in-addr.btopenworld.com
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060121005615p]

Anonymous FTP log shows a fairly short connection:

21-JAN-2006 01:57:04.00 User:anonymous logged in ident:Bgpuser@home.com from Host:host217-35-86-85.in-addr.btopenworld.com
21-JAN-2006 01:57:04.66 User:anonymous ident:Bgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
21-JAN-2006 01:57:07.22 User:anonymous ident:Bgpuser@home.com logged out

but the FTP log itself doesn't say anything:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from host217-35-86-85.in-addr.btopenworld.com at 19-JAN-2006 11:28:57.21

Not sure why.

Mail had the usual:
20-JAN-2006 07:10:49.84 BADMF geoffrey@yahoo.com
20-JAN-2006 07:10:58.44 BADMF geoffrey@yahoo.com
20-JAN-2006 07:11:05.45 BADMF geoffrey@yahoo.com
20-JAN-2006 08:18:05.28 CLNTINRBL 12.208.42.168
20-JAN-2006 09:57:50.11 BADMF joi.pagea1bv@gmail.com
20-JAN-2006 09:57:57.30 BADMF rasbury.guntonizgt@gmail.com
20-JAN-2006 09:58:04.12 BADMF early902@gmail.com
20-JAN-2006 09:58:10.35 BADMF tresha.torres0405@gmail.com
20-JAN-2006 15:00:34.65 CLNTINRBL 212.29.211.18
20-JAN-2006 15:19:47.93 CLNTINRBL 60.226.24.45
20-JAN-2006 15:20:02.14 CLNTINRBL 61.97.159.185
20-JAN-2006 17:03:17.68 NOSPAMRLY 221.140.55.169 smtphunter22@daum.net
20-JAN-2006 17:44:28.61 CLNTINRBL 222.105.233.169
20-JAN-2006 19:01:52.11 BADMF sharp800@gmail.com
21-JAN-2006 01:59:50.39 CLNTINRBL 69.241.171.249
... and 13 more every 10 minutes until
21-JAN-2006 02:03:30.96 CLNTINRBL 69.241.171.249
21-JAN-2006 02:07:05.21 CLNTINRBL 69.251.50.111
21-JAN-2006 02:39:23.60 CLNTINRBL 221.195.64.100
... and 15 more every 8 minutes until
21-JAN-2006 02:41:20.48 CLNTINRBL 221.195.64.100
21-JAN-2006 04:02:13.46 CLNTINRBL 211.173.180.253
21-JAN-2006 06:30:32.35 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
21-JAN-2006 08:24:19.83 BADMF rogert@yahoo.com
21-JAN-2006 08:24:28.60 BADMF rogert@yahoo.com
21-JAN-2006 08:24:36.03 BADMF rogert@yahoo.com
22-JAN-2006 23:47:25.21 BADMF mznjkh80i0c1j6@yahoo.com.tw
22-JAN-2006 17:56:25.88 NOSPAMRLY 221.140.55.169 smtphunter22@daum.net
22-JAN-2006 18:10:11.48 CLNTINRBL 195.56.171.253
... and 3 more every 8 minutes until
22-JAN-2006 18:10:42.68 CLNTINRBL 195.56.171.253

Thursday, January 19

19-Jan-2006

Creating a VAMP
will be a future project after I've finished the small introductory course at HP's learning center - I'm halfway actually: V(ms) and A(pache) already installed, up and running, where M(ySQL) and P(HP) are installed but not yet enabled. That will be, in a not so far away future.
Seti-BOINC
is stalled for the moment; I'm currently looking into required extra packages and building these.
Security
Just mail; two more blacklisted sites tried to dump their messages. One on 17-Jan-2006, trying every 4-5 minutes or so, with some other ones in between - in total 73 messages - and one on 19-Jan-2006, once every 6-7 minutes, and there were about 24 of them. Besides a few others of course, blocked by their domains, and one that shows up almost every day.

17-JAN-2006 01:38:45.46 CLNTINRBL 211.211.65.123
...
17-JAN-2006 01:40:18.49 CLNTINRBL 211.211.65.123
17-JAN-2006 01:40:19.82 BADMF gore.sierra1ne0@gmail.com
17-JAN-2006 01:40:22.31 CLNTINRBL 211.211.65.123
...
17-JAN-2006 01:40:26.91 CLNTINRBL 211.211.65.123
17-JAN-2006 01:40:29.98 BADMF maccarrick.arkell9o3@gmail.com
17-JAN-2006 01:40:31.72 CLNTINRBL 211.211.65.123
...
17-JAN-2006 01:43:58.32 CLNTINRBL 211.211.65.123
18-JAN-2006 00:18:09.21 CLNTINRBL 69.175.36.149
18-JAN-2006 01:43:10.18 CLNTINRBL 218.17.251.185
18-JAN-2006 02:57:14.69 CLNTINRBL 66.67.189.166
18-JAN-2006 07:15:28.04 CLNTINRBL 70.115.182.153
19-JAN-2006 00:34:55.63 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
19-JAN-2006 01:33:53.79 CLNTINRBL 201.155.115.55
...
19-JAN-2006 01:41:16.97 CLNTINRBL 201.155.115.55
19-JAN-2006 02:07:42.49 CLNTINRBL 125.192.110.24
19-JAN-2006 15:58:09.77 BADMF philip@yahoo.com
19-JAN-2006 15:58:20.71 BADMF philip@yahoo.com
19-JAN-2006 15:58:30.93 BADMF philip@yahoo.com
19-JAN-2006 18:15:35.29 CLNTINRBL 62.159.137.36
19-JAN-2006 23:50:28.39 NOSPAMRLY 125.188.61.77 gjwns_44@daum.net

The first big one is from Korea:

IPv4 Address : 211.211.64.0-211.211.65.255
Network Name : HANANET-INFRA
Connect ISP Name : HANANET
Connect Date : 20010502
Registration Date : 20041014
Publishes : Y
[ Organization Information ]
Organization ID : ORG3930
Org Name : Hanaro Telecom Inc.
Address : Yeoeuido-dong Yeongdeungpo-gu SEOUL
Detail address : 17-7 Asia One Bldg.
Zip Code : 150-874

and the second one seems Mexican:

inetnum: 201.152/14
status: reallocated
owner: Uninet S.A. de C.V.
ownerid: MX-USCV4-LACNIC
responsible: Arturo Zaldivar Mendez
address: Periferico Sur, 3190,
address: 01900 - Ciudad de México - DF
country: MX
phone: +52 5 54907049 []
owner-c: DCA
tech-c: SRU
inetrev: 201.152/16


(What would happen if I allowed the well-known relay attempt of 125.188.61.77 to gjwns_44@daum.net, just for once? Would that open a flood of messages, or break-in attempts from that address?)

Charon to be re-installed
at least - for some time. I have to set up a VPN; tried that before but for some reason it did not succeed. Cerberus doesn't show blocked connections and that router is actually too small to handle our requirements: there is too little space for allowed traffic to be configured, and showing blocked traffic is something I would like to see.
I'm also looking for ways to automate forensic research even more, so lists as above might be generated automatically from the logs....
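A starting point for that automation, as an added example (not SYSMGR's own script): it parses the blocked-mail log lines quoted throughout this page into the collapsed bursts ("... and N more every X until ..."), the counts per block reason and the sources that come back on several days, as listed by hand above. The sample lines are constructed after the ones on this page.

```python
"""Summaries for the blocked-mail log (BADMF / CLNTINRBL / NOSPAMRLY lines).

Added example, not the blog's own code. Line layout, as quoted on this page:
  timestamp  reason  source  [sender]
where source is a client IP (CLNTINRBL, NOSPAMRLY) or a sender address (BADMF).
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the lines quoted in this log.
SAMPLE_LOG = """\
21-JAN-2006 01:59:50.39 CLNTINRBL 69.241.171.249
21-JAN-2006 02:00:00.39 CLNTINRBL 69.241.171.249
21-JAN-2006 02:00:10.39 CLNTINRBL 69.241.171.249
21-JAN-2006 02:00:20.39 CLNTINRBL 69.241.171.249
21-JAN-2006 02:00:30.39 CLNTINRBL 69.241.171.249
21-JAN-2006 02:07:05.21 CLNTINRBL 69.251.50.111
21-JAN-2006 06:30:32.35 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
21-JAN-2006 08:24:19.83 BADMF rogert@yahoo.com
21-JAN-2006 08:24:28.60 BADMF rogert@yahoo.com
21-JAN-2006 08:24:36.03 BADMF rogert@yahoo.com
23-JAN-2006 07:21:08.72 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
22-JAN-2006 17:56:25.88 NOSPAMRLY 221.140.55.169 smtphunter22@daum.net
"""

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"


def parse_mail_log(text):
    """One dict per line; lines with fewer than four fields (notes, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        entries.append({"ts": datetime.strptime(parts[0] + " " + parts[1], TS_FMT),
                        "day": parts[0], "reason": parts[2], "source": parts[3],
                        "sender": parts[4] if len(parts) > 4 else ""})
    entries.sort(key=lambda e: e["ts"])  # the log is not always in time order
    return entries


def collapse_bursts(entries, max_gap_s=600):
    """Merge consecutive entries with the same reason and source that are closer
    together than max_gap_s, the way the hand-made lists above do."""
    runs = []
    for e in entries:
        last = runs[-1] if runs else None
        if (last and last["reason"] == e["reason"] and last["source"] == e["source"]
                and (e["ts"] - last["last"]).total_seconds() <= max_gap_s):
            last["count"] += 1
            last["last"] = e["ts"]
        else:
            runs.append({"reason": e["reason"], "source": e["source"], "sender": e["sender"],
                         "count": 1, "first": e["ts"], "last": e["ts"]})
    for r in runs:
        span = (r["last"] - r["first"]).total_seconds()
        r["mean_gap_s"] = round(span / (r["count"] - 1), 1) if r["count"] > 1 else None
    return runs


def reason_counts(entries):
    return Counter(e["reason"] for e in entries)


def recurring_sources(entries, min_days=2):
    """Sources seen on at least min_days distinct days (the 'daily' relay attempts)."""
    days = defaultdict(set)
    for e in entries:
        days[e["source"]].add(e["day"])
    return {src: sorted(d, key=lambda day: datetime.strptime(day, "%d-%b-%Y"))
            for src, d in days.items() if len(d) >= min_days}


def stamp(t):
    # Back to the log's own two-digit fraction and upper-case month.
    return t.strftime(TS_FMT)[:-4].upper()


def format_run(r):
    head = ("%s %s %s %s" % (stamp(r["first"]), r["reason"], r["source"], r["sender"])).rstrip()
    if r["count"] == 1:
        return head
    return "%s ... and %d more, every ~%s s, until %s" % (
        head, r["count"] - 1, r["mean_gap_s"], stamp(r["last"]))


if __name__ == "__main__":
    entries = parse_mail_log(SAMPLE_LOG)
    for run in collapse_bursts(entries):
        print(format_run(run))
    print("per reason:", dict(reason_counts(entries)))
    print("recurring:", recurring_sources(entries))
```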

Tuesday, January 17

BEWARE !

Phishing attempt

Do you have a Paypal account? Then beware of attempts to retrieve your account password - and thereby gain access to your account at Paypal - which may include your creditcard information, or use your account for fraud.

It's the second phishing attempt I received - assuming I'm stupid. I got a similar message on 15-Jan-2006, apparently from an Italian site using a Polish (Apple MAC-based?) mailserver - to direct me to a (hacked?) site. Just this afternoon, I received another one. I didn't go to the site (of course) but displayed the HTML code. It contains a message stating:


Attention! Your PayPal account has been violated!

Someone with ip address 149.225.126.87 tried to access your personal
account!

Please click the link below and enter your account information to confirm that you are not currently away. You have 3 days to
confirm account information or your account will be locked.

The "link below" reads:


<a target="_blank"href="http://202.29.41.99/src/.cgi-bin/.paypal/index.htm">Click here to activate your account</a>

and it also specifies:


You can also confirm your email address by logging into your PayPal account
at < a target="_blank" href="http://202.29.41.99/src/.cgi-bin/.paypal/index.htm"><br>http://paypal.com/</a>.

Who is 202.29.41.99:

inetnum: 202.28.0.0 - 202.29.255.255
netname: THAINET-TH
descr: UniNet(Inter-university network)
descr: Office of Information Technology Administration
descr: for Educational Development
descr: Ministry of University Affairs
country: TH
admin-c: YT7
admin-c: UV1-AP
tech-c: UNOC1-AP
remarks: UniNet is the outgrowth of THAINET
notify: noc-uninet@it.chula.ac.th
notify: noc@uni.net.th
mnt-by: APNIC-HM
mnt-lower: MAINT-TH-UNINET
status: ALLOCATED PORTABLE

and more.
No PAYPAL, therefore.
Since this seems to be a university account, it might be a signal that the machine is tampered with - university sites are notoriously badly secured.
Also, this is quite likely a Unix box - given the names of the directories (/(dot)cgi-bin/(dot)paypal/) - these directories are hidden from normal view.

Who is said to have accessed the account (149.225.126.87):

inetnum: 149.225.0.0 - 149.225.255.255
remarks:
remarks: This inetnum has been transfered as part of the ERX.
remarks: It was present in both the ARIN and RIPE databases, so
remarks: the information from both databases has been merged.
remarks: If you are the mntner of this object, please update it
remarks: to reflect the correct information.
remarks:
remarks: Please see the information for this process:
remarks: http://www.ripe.net/db/erx/erx-ip/network-149.html
remarks:
remarks: **** INFORMATION FROM ARIN OBJECT ****
remarks: netname: CUMULUS-1
descr: EUnet Deutschland GmbH
descr: Emil-Figge-Str. 80
descr: D-44227 Dortmund
remarks: country: DE
admin-c: UH266-RIPE
tech-c: UH266-RIPE
remarks: changed: hostmaster@arin.net 19970728
remarks: changed: hostmaster@arin.net 20030121
remarks: **** INFORMATION FROM RIPE OBJECT ****
netname: CUMULUS
descr: UUNET Deutschland GmbH
descr: Sebrathweg 20
descr: D-44149 Dortmund
country: DE
admin-c: HE15-RIPE
tech-c: HE15-RIPE
status: ASSIGNED PI
remarks: date of original assignment unknown, possibly 1991-1992
mnt-by: UUNETDE-I
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
source: RIPE # Filtered

Might be the source of the attempt - or a random number.

Monday, January 16

16-Jan-2006

Seti-Boinc porting
I read the porting guide as specified by the people behind 4ovms.dyndns.org (they are in the process of porting OpenOffice to VMS) and followed the recommendations, but that didn't help much. At least, I don't get errors now, but executing ./configure -C seems to hang - as before.
The script config.guess has some problems as well (it's not used - as far as I can see - by the configure script): It assumes that
$ uname -m
returns the processor name, but in GNV it returns the machine name: "Digital_Personal_Workstation" instead of "alpha". What is intended here - as can be deduced from the comment - is achieved using
$ uname -p
which gives "Alpha" - not "alpha". A minor issue, perhaps, but since Unix is case sensitive by nature, with major consequences.
Had this signalled to the GNV developers.
On the other hand: Someone seems to be busy with porting seti-Boinc to VMS so I'll contact that person for some assistance as well.
Security
Just mail - all messages since last publication:
9-JAN-2006 03:09:36.23 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
9-JAN-2006 09:49:03.08 CLNTINRBL 81.192.161.6
9-JAN-2006 09:50:46.56 CLNTINRBL 64.72.61.161
9-JAN-2006 22:45:41.98 CLNTINRBL 221.214.226.55
9-JAN-2006 22:46:09.44 CLNTINRBL 85.177.23.119
9-JAN-2006 22:46:55.29 CLNTINRBL 69.108.184.254
9-JAN-2006 22:47:17.08 CLNTINRBL 203.158.188.4
9-JAN-2006 22:48:08.56 CLNTINRBL 61.168.52.220
9-JAN-2006 22:48:52.29 CLNTINRBL 82.78.214.224
9-JAN-2006 22:49:02.22 CLNTINRBL 63.206.130.146
9-JAN-2006 22:49:45.87 CLNTINRBL 205.196.133.20
9-JAN-2006 22:50:50.54 CLNTINRBL 213.202.48.222
10-JAN-2006 03:47:43.04 CLNTINRBL 61.50.142.227
10-JAN-2006 06:31:23.61 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
10-JAN-2006 07:35:52.00 CLNTINRBL 67.182.32.239
10-JAN-2006 10:36:13.90 BADMF serier@gmail.com


Need to allow this one.

10-JAN-2006 11:30:51.13 CLNTINRBL 220.50.40.234
10-JAN-2006 12:40:15.97 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
10-JAN-2006 13:00:19.41 CLNTINRBL 82.158.77.167
10-JAN-2006 13:00:29.82 CLNTINRBL 82.158.77.167
10-JAN-2006 13:00:40.83 CLNTINRBL 82.158.77.167
10-JAN-2006 13:18:37.98 CLNTINRBL 82.158.77.167
10-JAN-2006 13:18:46.75 CLNTINRBL 82.158.77.167
10-JAN-2006 13:18:56.36 CLNTINRBL 82.158.77.167
10-JAN-2006 15:20:47.97 CLNTINRBL 202.75.41.46
11-JAN-2006 01:00:48.36 CLNTINRBL 67.186.18.213
11-JAN-2006 01:00:55.53 CLNTINRBL 67.186.18.213
11-JAN-2006 01:01:01.13 CLNTINRBL 67.186.18.213
11-JAN-2006 14:50:56.90 NOSPAMRLY 219.84.0.120 dvdr_mail2000@yahoo.com.cn
11-JAN-2006 16:26:40.21 CLNTINRBL 82.114.69.178
11-JAN-2006 16:27:52.75 CLNTINRBL 82.114.69.178
11-JAN-2006 16:28:56.21 CLNTINRBL 82.114.69.178
11-JAN-2006 16:29:36.65 CLNTINRBL 82.114.69.178
11-JAN-2006 16:30:29.11 CLNTINRBL 82.114.69.178
11-JAN-2006 16:30:52.53 CLNTINRBL 82.114.69.178
11-JAN-2006 16:31:20.71 CLNTINRBL 82.114.69.178
11-JAN-2006 16:32:19.63 CLNTINRBL 82.114.69.178
11-JAN-2006 16:33:32.10 CLNTINRBL 82.114.69.178
11-JAN-2006 16:34:04.73 CLNTINRBL 82.114.69.178
11-JAN-2006 16:35:04.99 CLNTINRBL 82.114.69.178
11-JAN-2006 22:22:46.47 CLNTINRBL 80.51.159.1
11-JAN-2006 22:22:54.81 CLNTINRBL 80.51.159.1
12-JAN-2006 01:02:10.55 CLNTINRBL 86.143.3.120
12-JAN-2006 01:02:20.51 CLNTINRBL 86.143.3.120
12-JAN-2006 01:02:27.33 CLNTINRBL 86.143.3.120
12-JAN-2006 03:25:53.28 NOSPAMRLY 58.236.183.201 hisyw9@hanmail.net
12-JAN-2006 05:46:47.24 CLNTINRBL 71.195.163.180
12-JAN-2006 05:46:54.79 CLNTINRBL 71.195.163.180
12-JAN-2006 05:47:02.20 CLNTINRBL 71.195.163.180
12-JAN-2006 09:45:36.24 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
13-JAN-2006 00:50:09.85 CLNTINRBL 166.102.167.2
13-JAN-2006 00:50:17.23 CLNTINRBL 166.102.167.2
13-JAN-2006 00:50:24.44 CLNTINRBL 166.102.167.2
13-JAN-2006 05:33:08.31 CLNTINRBL 67.140.163.181
13-JAN-2006 05:33:15.04 CLNTINRBL 67.140.163.181
13-JAN-2006 05:33:21.45 CLNTINRBL 67.140.163.181
13-JAN-2006 09:08:00.17 CLNTINRBL 82.45.40.235
13-JAN-2006 09:08:13.42 CLNTINRBL 62.68.92.52
13-JAN-2006 09:08:24.05 CLNTINRBL 204.57.111.13
13-JAN-2006 09:08:35.67 CLNTINRBL 84.28.95.201
13-JAN-2006 09:08:44.49 CLNTINRBL 210.78.148.166
14-JAN-2006 02:27:34.52 CLNTINRBL 65.189.203.191
14-JAN-2006 09:26:44.87 CLNTINRBL 220.97.217.183
14-JAN-2006 18:02:15.42 CLNTINRBL 194.165.107.51
14-JAN-2006 18:02:28.99 CLNTINRBL 194.165.107.51
14-JAN-2006 18:02:43.80 CLNTINRBL 194.165.107.51
14-JAN-2006 18:02:53.01 CLNTINRBL 194.165.107.51
15-JAN-2006 03:48:21.40 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net
15-JAN-2006 05:51:20.18 CLNTINRBL 67.182.136.22
15-JAN-2006 05:51:26.96 CLNTINRBL 67.182.136.22
15-JAN-2006 05:51:34.57 CLNTINRBL 67.182.136.22
15-JAN-2006 05:55:54.66 CLNTINRBL 85.187.175.222
15-JAN-2006 08:10:58.29 BADMF microsoflalnew93@yahoo.com
15-JAN-2006 10:00:22.14 CLNTINRBL 82.158.238.6
15-JAN-2006 14:22:37.67 CLNTINRBL 80.219.221.247
15-JAN-2006 14:22:44.40 CLNTINRBL 80.219.221.247
15-JAN-2006 14:22:52.20 CLNTINRBL 80.219.221.247
15-JAN-2006 17:25:05.69 CLNTINRBL 67.176.151.160
15-JAN-2006 19:16:29.33 CLNTINRBL 211.237.251.55
15-JAN-2006 19:17:03.77 CLNTINRBL 12.223.156.59
15-JAN-2006 22:58:14.00 CLNTINRBL 70.111.204.151
16-JAN-2006 07:48:39.98 CLNTINRBL 58.79.166.33
16-JAN-2006 12:10:49.85 CLNTINRBL 218.39.149.135
16-JAN-2006 12:10:56.02 CLNTINRBL 218.39.149.135
16-JAN-2006 20:06:38.03 CLNTINRBL 24.180.42.223
16-JAN-2006 21:29:13.73 CLNTINRBL 220.234.193.84
16-JAN-2006 21:29:58.47 CLNTINRBL 83.60.66.69
16-JAN-2006 23:43:29.89 CLNTINRBL 200.176.34.110
16-JAN-2006 23:44:10.14 CLNTINRBL 68.203.162.229
16-JAN-2006 23:58:11.92 CLNTINRBL 68.174.19.71

Who's what to be determined - and published?

Webserver logs are now in the copy script as well. New logs will be created on a weekly basis and the files copied to the operator website. This went OK this morning - but ACCESS_LOG isn't copied. Dunno why - have to take a look at the logfile to find out what missed it.

Sunday, January 15

15-Jan-2006

Hardware issues
Daphne has a KZPBA instead of a KZPSA as PKB0; the SCSI ID in SRM has been set to 5, but the card has its configuration in on-board flash, so that should be the reason that Daphne did not start. I found the required software (eeromcfg.exe), but it requires the machine to be started as an NT box - using ARC instead of SRM. That, in turn, requires a re-programming of the Alpha firmware on an Alphastation 200 - and a floppy disk, since the required hardware is not available on the firmware CD..... And Daphne does not carry a floppy drive, nor is one available.

So I returned the KZPSA and now Daphne does boot - but as it seems, not into the cluster (still to be determined what caused this) and I will use Diana to set the KZPBA's firmware because that machine can switch easily between SRM and ARC.

Found that Daphne's power-fan is broken: won't rotate by itself, needs a hand. New fan required?

Sunday, January 8

08-Jan-2006

Just the usual stuff
Blocked mail is all that shows up:


Nothing particular...

Who's who
68.65.105.217: Adelphia Cable Communications (USA)
12.148.51.27: AT&T WorldNet Services ATT (USA)
67.175.247.245: Comcast Cable Communications, IP Services ATT-COMCAST (USA)
24.86.182.3: Shaw Communications Inc. (Canada) (*)
69.141.132.110: Comcast Cable Communications, Inc (USA) (*)
24.210.64.193: Road Runner (USA) (*)
65.190.250.90: Road Runner (USA) (*)
62.23.138.107: FR-LUDOPIA-INTERACTIVE (France) - fr.colt.net (*)
58.142.232.195: C&M Communication Co., Ltd (Korea) - cnm.co.kr, apnic.net
83.165.18.145: R Cable y Telecomunicaciones Galicia S.A. (Spain) - cablegalicia.com
59.150.155.76: DREAMLINE CO. (Korea) - cjdream.com, nida.or.kr
202.112.113.113: Renmin University of China (China) - net.edu.cn
82.78.231.68: Romania Data Systems (Romania) - rdsnet.ro (*)
222.89.15.243: CHINANET henan province network (China) - ns.chinanet.cn.net, hntele.com

(*) - have an abuse address, will be notified

New design coming up
Started working on the new webdesign, won't be there soon, but one day ;-)

Friday, January 6

06-Jan-2006

Again minimal
Just some mail signals:

5-JAN-2006 05:07:36.59 NOSPAMRLY 125.188.61.77 gjwns_22@daum.net

Doing it again....

5-JAN-2006 06:42:25.14 CLNTINRBL 58.224.170.20
5-JAN-2006 17:05:02.20 CLNTINRBL 24.71.140.63
6-JAN-2006 10:11:31.43 CLNTINRBL 60.228.222.145
6-JAN-2006 10:12:20.25 CLNTINRBL 213.41.176.147
6-JAN-2006 10:12:27.03 CLNTINRBL 213.41.176.147
6-JAN-2006 10:12:34.24 CLNTINRBL 213.41.176.147
6-JAN-2006 13:06:14.05 NOSPAMRLY 61.224.71.157 support@microsoft.com

I guess this is some virus...

6-JAN-2006 18:53:56.90 CLNTINRBL 66.168.208.216
6-JAN-2006 20:23:38.62 CLNTINRBL 24.235.41.11

Wednesday, January 4

04-Jan-2006

Quiet day
even on the security front:

4-JAN-2006 02:46:50.15 NOSPAMRLY 125.188.61.77 gjwns_44@daum.net
4-JAN-2006 06:45:12.12 CLNTINRBL 68.81.171.164
4-JAN-2006 09:55:00.94 CLNTINRBL 24.126.206.123
4-JAN-2006 13:03:30.13 CLNTINRBL 24.126.206.123
4-JAN-2006 19:43:36.02 BADMF hugh@yahoo.com

And I copied a lot of files off Irene for off-line storage.

T't't't'that's all, Folks

Tuesday, January 3

03-Jan-2006

Mailbomb?
There was just one interesting issue today, when examining the blocked-mail log. It contained the normal issues:

3-JAN-2006 05:51:38.99 NOSPAMRLY 125.188.61.77 gjwns_44@daum.net
3-JAN-2006 19:16:13.89 CLNTINRBL 24.242.158.132
3-JAN-2006 21:34:02.15 CLNTINRBL 72.25.8.250
3-JAN-2006 21:34:05.44 CLNTINRBL 72.25.8.250
3-JAN-2006 21:34:07.64 CLNTINRBL 72.25.8.250
3-JAN-2006 21:34:12.65 CLNTINRBL 72.25.8.250


but the bulk of the mail was from one address:

3-JAN-2006 21:05:41.38 CLNTINRBL 83.119.50.254

673 more with an interval of about 10 seconds until the last:

3-JAN-2006 22:44:01.44 CLNTINRBL 83.119.50.254

Who's that!

inetnum: 83.119.0.0 - 83.119.255.255
netname: WANADOO-NL-ADSL-DIRECT
descr: Wanadoo Nederland BV
descr: Muiderstraat 1
descr: 1011 PZ Amsterdam
country: NL
admin-c: EIAR1-RIPE
tech-c: EIAR1-RIPE
status: ASSIGNED PA
mnt-by: EURONET-MNT
source: RIPE # Filtered

role: EuroNet Internet Administrative Role Account
address: Wanadoo Nederland BV (formerly EuroNet Internet BV)
address: Network Department
address: Muiderstraat 1
address: 1011 PZ Amsterdam
address: The Netherlands
phone: +31 20 535 5555
fax-no: +31 20 535 5400
e-mail: eiar1@euro.net
admin-c: AW2096-RIPE
admin-c: RK31337-RIPE
tech-c: BL78
tech-c: FB1141-RIPE
tech-c: GD31337-RIPE
tech-c: HT772-RIPE
nic-hdl: EIAR1-RIPE
remarks: In case of abuse issues, please contact abuse@wanadoo.nl
mnt-by: EURONET-MNT
source: RIPE # Filtered

Fine - an abuse address. They have been signalled.
But this address is in an RBL list - see what happens.
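Triage of a blocked-mail log like the one above, as an added example that is not part of the diary or of any script on the cluster: it parses lines in the format quoted here (date, time, reason code, source address, optional sender), counts rejections per reason code, and flags a single source repeating at a steady interval, the pattern seen from 83.119.50.254. The sample lines are constructed in that format; the thresholds (4 hits, at most 15 seconds apart) are assumptions.

```python
"""Triage of the blocked-mail log: counts per reason code and flood detection."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the diary's log format: date, time, reason code, source, optional sender.
SAMPLE_LOG = """\
3-JAN-2006 05:51:38.99 NOSPAMRLY 125.188.61.77 gjwns_44@daum.net
3-JAN-2006 19:16:13.89 CLNTINRBL 24.242.158.132
3-JAN-2006 21:05:41.38 CLNTINRBL 83.119.50.254
3-JAN-2006 21:05:51.40 CLNTINRBL 83.119.50.254
3-JAN-2006 21:06:01.44 CLNTINRBL 83.119.50.254
3-JAN-2006 21:06:11.12 CLNTINRBL 83.119.50.254
3-JAN-2006 21:34:02.15 CLNTINRBL 72.25.8.250
3-JAN-2006 21:34:05.44 CLNTINRBL 72.25.8.250
"""

def parse_log(text):
    """Return a list of (timestamp, reason, source, sender); sender is None when absent."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line, skip it
        # VMS-style stamp, e.g. 3-JAN-2006 21:05:41.38 (hundredths of a second)
        stamp = datetime.strptime(f"{parts[0]} {parts[1]}", "%d-%b-%Y %H:%M:%S.%f")
        sender = parts[4] if len(parts) > 4 else None
        events.append((stamp, parts[2], parts[3], sender))
    return events

def count_by_reason(events):
    """Rejections per reason code (CLNTINRBL, NOSPAMRLY, BADMF, ...)."""
    return Counter(reason for _, reason, _, _ in events)

def find_floods(events, min_hits=4, max_gap=15.0):
    """Sources with at least min_hits rejections whose consecutive hits are never
    more than max_gap seconds apart: one address retrying every ~10 seconds."""
    per_source = defaultdict(list)
    for stamp, _, source, _ in events:
        per_source[source].append(stamp)
    floods = {}
    for source, stamps in per_source.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= max(min_hits, 2) and max(gaps) <= max_gap:
            floods[source] = {"hits": len(stamps), "first": stamps[0],
                              "last": stamps[-1], "mean_gap": sum(gaps) / len(gaps)}
    return floods
```

Run `find_floods(parse_log(SAMPLE_LOG))` to get the one flooding source with its hit count and mean interval; loosen `max_gap` or `min_hits` to catch slower or shorter bursts.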

Monday, January 2

02-Jan-2006

Just a security update:
Filtered mail:

2-JAN-2006 07:15:41.48 NOSPAMRLY 125.188.61.77 gjwns_44@daum.net
2-JAN-2006 11:38:33.79 CLNTINRBL 62.43.184.131
2-JAN-2006 21:29:39.93 CLNTINRBL 59.112.164.74
2-JAN-2006 21:59:27.34 CLNTINRBL 82.139.8.9
2-JAN-2006 22:03:18.87 BADMF robert@yahoo.com
2-JAN-2006 22:03:27.77 BADMF robert@yahoo.com
2-JAN-2006 22:03:38.26 BADMF robert@yahoo.com

Seen them before.

FTP found just one, from France this time:

%%%%%%%%%%% OPCOM 2-JAN-2006 21:40:40.55 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: ARennes-352-1-117-149.w86-203.abo.wanadoo.fr
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060102214048p]

Again just a short time:

2-JAN-2006 21:40:38.39 User:anonymous logged in ident:Hgpuser@home.com from Host:ARennes-352-1-117-149.w86-203.abo.wanadoo.fr
2-JAN-2006 21:40:40.35 User:anonymous ident:Hgpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
2-JAN-2006 21:40:43.08 User:anonymous ident:Hgpuser@home.com logged out

and the obvious list:

%TCPIP-I-FTP_NODE, client host name: ARennes-352-1-117-149.w86-203.abo.wanadoo.fr
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00004: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: ARennes-352-1-117-149.w86-203.abo.wanadoo.fr
%TCPIP-I-FTP_USER, user name: anonymous

and more based on IIS, it seems.


%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from ARennes-352-1-117-149.w86-203.abo.wanadoo.fr at 2-JAN-2006 21:40:43.21

Given the one of yesterday: Do they try to copy their own systems?

Sunday, January 1

01-Jan-2006

Wishing you a happy, secure, and stable 2006

Free from Viruses, Trojans, Spyware, and unintended Adware...
(that won't be a big problem if you stick to OpenVMS...)

Plans for this year:
  • Get the single-system-disk cluster running - including redesign of startup
  • Installation of new language versions (C, C++, FORTRAN, PASCAL, COBOL, Perl, Python)
  • Installation of new databases (RDB 7.2, MySQL 4.1 (and 5.0?))
  • Installation of SWS 2.1 and all that is connected (Tomcat, Perl, PHP)
  • Installation of phpBB and WordPress (or some other blog program) and some CMS
  • Redesign of the personal webs
  • Update scanning of logs (and publish results publicly)
  • And keep happy using VMS!

Security update
Of course: a few free days and so there are the usual attempts:
Mail is just a few:
1-JAN-2006 23:55:25.94 CLNTINRBL 80.34.206.36
1-JAN-2006 23:56:10.81 CLNTINRBL 208.0.111.131
1-JAN-2006 23:56:31.43 CLNTINRBL 61.105.25.223
1-JAN-2006 02:07:03.76 NOSPAMRLY 125.188.61.77 gjwns_44@daum.net

FTP just one:
%%%%%%%%%%% OPCOM 1-JAN-2006 21:43:57.33 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: mal59-1-82-241-161-144.fbx.proxad.net
Status: NOPRIV -- File access violation
Object: WEB_DISK:[public.anonymous.060101214401p]

Connection lasted about 5 seconds:
1-JAN-2006 21:43:55.61 User:anonymous logged in ident:Ugpuser@home.com from Host:mal59-1-82-241-161-144.fbx.proxad.net
1-JAN-2006 21:43:57.08 User:anonymous ident:Ugpuser@home.com status:00010001 CWD dir:WEB_DISK:[public.anonymous]
1-JAN-2006 21:44:03.25 User:anonymous ident:Ugpuser@home.com status:000186D4 CWD dir:WEB_DISK:[public.anonymous]
1-JAN-2006 21:44:03.42 User:anonymous ident:Ugpuser@home.com status:000186D4 CWD dir:WEB_DISK:[public.anonymous]
1-JAN-2006 21:44:04.29 User:anonymous ident:Ugpuser@home.com logged out

It starts normally:
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from mal59-1-82-241-161-144.fbx.proxad.net at 1-JAN-2006 21:43:55.21
%TCPIP-I-FTP_NODE, client host name: mal59-1-82-241-161-144.fbx.proxad.net
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: WEB_DISK:[public.anonymous.060101214401p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00001: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: mal59-1-82-241-161-144.fbx.proxad.net
%TCPIP-I-FTP_USER, user name: anonymous


But this list is more extensive than I have seen so far:


Not just Windows (IIS) but Linux as well.

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from mal59-1-82-241-161-144.fbx.proxad.net at 1-JAN-2006 21:44:04.43