SYSMGR

We're a bunch of computers: Diana, Daphne and Dido, called the 3D-cluster, running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene, running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Wednesday, May 31

31-May-2006

Phishing attempt
Today, I received an email that looks pretty professional:


Mind you: the text reads:

Alaska USA's UltraBranch Administration always look forward for the high
security of our clients. Some customers have been receiving an email claiming to be from Alaska USA C.U advising them to follow a link to what appear to be a Alaska USA C.U web site, where they are prompted to enter their personal Online Banking details. Alaska USA C.U is in no way involved with this email and the web site does not belong to us.
Actually, we are performing security improvements of our banking community and enforce customers to register their sensitive information for an additionally created free security service to prevent any fraudulent activity against their assets and savings. We, hereby ask you to respond within few hours of current notification and complete security application form via our SSL protected website to apply for this service absolutely for free, otherwise your account(s) may not process posted transactions correctly and on time.
Please visit us to apply

https://ultrabranch.alaskausa.org/efs/servlet/efs/login.jsp




This blue text is the hyperlink in the red box in the image.

You may think: Nice.

But take a good look at the source of the message around this point - for the sake of layout I only show the URL address (sorry):

http://211.74.197.218/~kevin/verify/alaska/ultrabranch.alaskausa.org


Please do not reply to this e-mail. Mail sent to this address cannot be answered.<br>
For assistance, log in to your Online Bank account and choose the "Help" link on any page.<br>


I've seen this guy "KEVIN" before, trying to obtain users' credentials!

Of course you shouldn't reply to the return address - that will have been disposed of.

Data on this message. The header:

Return-Path: confirm@alaskausa.org
Received: from richardinniss.demon.co.uk (80.177.19.229)
by diana.intra.grootersnet.nl (V5.5-ECO1, OpenVMS V8.2 Alpha);
Wed, 31 May 2006 17:32:32 +0200 (CEST)
Received: from 222.48.77.64 by ; Wed, 31 May 2006 19:41:34 +0300
Message-ID: <wuobfmhxntlcfrduof@hotmail.com>
From: "Alaska USA Security Departament" <rm@alaskausa.org>
Reply-To: "Alaska USA Security Departament" <irm@alaskausa.org>
To: xxxxxx@xxxxxxxxxxxxxx
Subject: IMPORTANT: Confirm your account
Date: Wed, 31 May 2006 14:46:34 -0200
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="--43801022623500288"
X-Priority: 3
X-MSMail-Priority: Normal

Note that it was sent from a Hotmail account - so I know where to report abuse.

The originator has an account with a Taiwanese ISP:

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 211.74.128.0 - 211.74.255.255
netname: SEEDNET-TW
descr: Digital United Inc.
descr: 9F, No. 125, Song Jiang Road.
descr: Taipei Taiwan 100
country: TW
admin-c: CY74-AP
tech-c: CY74-AP
mnt-by: MAINT-TW-TWNIC
changed: hostmaster@twnic.net 20001102
status: ALLOCATED PORTABLE
source: APNIC

person: Chyi-Chuan Yang
nic-hdl: CY74-AP
e-mail: ccyang@du.net.tw
address: 9F, 125, song jiang road
address: Taipei, 104, R.O.C
phone: +886-2-2737-7298
fax-no: +886-2-2739-7512
country: TW
changed: hostmaster@twnic.net.tw 20050531
mnt-by: MAINT-TW-TWNIC
source: APNIC

inetnum: 211.74.197.192 - 211.74.197.223
netname: NANLINGCO.LT-TW
descr: NanlingCo.,Ltd
descr: N/A Taiwan
country: TW
admin-c: CZ13-TW
tech-c: CZ13-TW
mnt-by: MAINT-TW-TWNIC
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at whois.twnic.net.
changed: michaelc@du.net.tw 20031222
status: ASSIGNED NON-PORTABLE
source: TWNIC

person: Chian Ze-Fong
address: NanlingCo.,Ltd
address: N/A Taiwan
e-mail: ricky@nanling.com.tw
nic-hdl: CZ13-TW
changed: hostmaster@twnic.net.tw20031125
source: TWNIC

The second one, judging by the address. I'll just try to contact them - who knows...
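The two things the post checks by hand, the visible link text against the real href and the Received: chain, can be automated. The Python script below is an added example (not code from this blog or from any SYSMGR tool): it embeds the headers quoted above together with a constructed HTML body that reproduces the link, reports which Received: line our own server wrote and which were supplied by the sender, and flags every anchor whose displayed URL and actual target are on different hosts.

```python
"""Two checks for a suspected phishing mail:
1. does any link display one URL as its text while its href points elsewhere?
2. which hosts and IPs appear in the Received: chain, and which of those lines
   did our own mail server actually write (only the top one)?"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the header lines are the ones quoted in the post, the
# HTML body is a minimal reconstruction of the link shown in the message source.
RAW_MESSAGE = b"""Return-Path: confirm@alaskausa.org
Received: from richardinniss.demon.co.uk (80.177.19.229)
\tby diana.intra.grootersnet.nl (V5.5-ECO1, OpenVMS V8.2 Alpha);
\tWed, 31 May 2006 17:32:32 +0200 (CEST)
Received: from 222.48.77.64 by ; Wed, 31 May 2006 19:41:34 +0300
Message-ID: <wuobfmhxntlcfrduof@hotmail.com>
From: "Alaska USA Security Departament" <rm@alaskausa.org>
Reply-To: "Alaska USA Security Departament" <irm@alaskausa.org>
Subject: IMPORTANT: Confirm your account
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please visit us to apply</p>
<a href="http://211.74.197.218/~kevin/verify/alaska/ultrabranch.alaskausa.org">https://ultrabranch.alaskausa.org/efs/servlet/efs/login.jsp</a><br>
<p>Please do not reply to this e-mail.</p></body></html>
"""

IP_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """(shown_host, real_host, href) for each anchor whose visible text looks
    like a URL but whose href actually goes to a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        if not re.match(r'https?://', text, re.I):
            continue
        shown = urlparse(text).hostname
        real = urlparse(href or '').hostname
        if shown and real and shown.lower() != real.lower():
            found.append((shown, real, href))
    return found


def received_hops(msg):
    """One dict per Received: header, top (closest to us) first. Only the
    top-most header was written by our own MTA; everything below it was
    supplied by the sender and can be forged, as the second line here is."""
    hops = []
    for hdr in msg.get_all('Received', []):
        text = ' '.join(str(hdr).split())          # unfold continuation lines
        m = re.search(r'from\s+(\S+)', text)
        hops.append({'from': m.group(1) if m else None,
                     'ips': IP_RE.findall(text),
                     'trusted': not hops})          # True only for index 0
    return hops


def message_id_domain(msg):
    """Domain part of the Message-ID, which is where the post looks to report abuse."""
    m = re.search(r'@([\w.-]+)', str(msg.get('Message-ID', '')))
    return m.group(1) if m else None


def analyse_message(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=('html',))
    html = body.get_content() if body is not None else ''
    return {'hops': received_hops(msg),
            'message_id_domain': message_id_domain(msg),
            'mismatches': link_mismatches(html)}


if __name__ == '__main__':
    for key, value in analyse_message(RAW_MESSAGE).items():
        print(key, value)
```

Only the first Received: line can be believed, because diana wrote it; the "from 222.48.77.64 by ;" line beneath it came with the message and proves nothing. The mismatch report is the automated version of comparing the blue link text with the red-boxed href.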

Monday, May 29

30-May-2006

Bootcamp
The last two weeks I attended the OpenVMS Bootcamp in Nashua, NH. That is: in the week preceding the bootcamp I followed a Crash Dump Analysis course, so I'm now equipped with enough knowledge to dig into system problems.
During bootcamp, I found out that I should use the WASD server instead of SWS - merely because of the advantage in speed and efficiency. It became clear that SWS - as it is "based on Apache" - is basically a Unix program, and works as such: inefficient, creating subprocesses (which is an expensive task on VMS), causing heavy loads on the system when subprocesses are involved. The performance problems I found when using PHP may be caused by that as well, so it's worth giving it a try. The University of Malaga (Spain) seems to be one of the busiest websites in the world - and that uses WASD as well: 76 virtual hosts, on just one WASD instance.....
And since I don't plan to use Java - for the same reason - why start Tomcat?
HyperSPI
To be done: enhancing the HyperSPI application, to do some data collection each night. Access will - for obvious reasons - be protected.
Security
Had some time to examine the latest web logs - I really need a program to scan them to find intrusion attempts! But I found another few nice attempts. Failed, of course.
These are still to be published.
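A first version of the log-scanning program wished for above, as an added example that is not part of the blog or of any SYSMGR tool. It parses common-log-format lines (the format Apache-derived servers such as SWS write, and WASD can be configured for), flags request targets that match a few generic probe signatures, and lists clients that rack up 404s, i.e. ask for files that do not exist here. The signatures, thresholds and sample log lines are constructed for this example.

```python
"""Scan web-server access log lines (common log format) for requests that
look like intrusion attempts. Signatures and sample lines are constructed."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Generic request patterns worth a second look (defensive signatures).
SIGNATURES = {
    'path-traversal': re.compile(r'(?:\.\./|%2e%2e(?:/|%2f))', re.I),
    'null-byte':      re.compile(r'%00'),
    'shell-probe':    re.compile(r'cmd\.exe|/bin/sh', re.I),
}


def parse_line(line):
    """Return a dict of log fields, or None for a line that is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def scan(lines, not_found_threshold=3):
    """Return (findings, noisy_hosts): findings are (host, signature, target)
    triples; noisy_hosts are clients with at least not_found_threshold 404s."""
    findings, not_found = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparsable lines, do not crash
        for name, rx in SIGNATURES.items():
            if rx.search(rec['target']):
                findings.append((rec['host'], name, rec['target']))
        if rec['status'] == 404:
            not_found[rec['host']] += 1
    noisy = sorted(h for h, n in not_found.items() if n >= not_found_threshold)
    return findings, noisy


# Constructed sample log: two ordinary visitors, one client probing around.
SAMPLE_LOG = """\
192.0.2.10 - - [31/May/2006:10:01:02 +0200] "GET /index.html HTTP/1.1" 200 1043
192.0.2.77 - - [31/May/2006:10:05:13 +0200] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 291
192.0.2.77 - - [31/May/2006:10:05:14 +0200] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 291
192.0.2.77 - - [31/May/2006:10:05:15 +0200] "GET /admin/ HTTP/1.0" 404 291
192.0.2.10 - - [31/May/2006:10:07:40 +0200] "GET /images/logo.gif HTTP/1.1" 200 2210
198.51.100.5 - - [31/May/2006:10:09:00 +0200] "GET /index.html%00.jpg HTTP/1.1" 404 291
this line is not in log format at all
"""


if __name__ == '__main__':
    findings, noisy = scan(SAMPLE_LOG.splitlines())
    for host, name, target in findings:
        print(f'{host:15} {name:15} {target}')
    print('hosts with many 404s:', ', '.join(noisy))
```

Run it over a real log with `scan(open(path).readlines())`; the 404 threshold is deliberately low for the six-line sample and should be raised for a busy server.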