09-Apr-2014

Webserver updates
The WASD mailing list sent out a notice of a vulnerability of OpenSSL, nicknamed “heartbleed” and since this server is built using OpenSSL (be it the WADS version) it coul be effected as well. Mark Daniel has taken a look into his sources and plugged the hole – and the new kit has been made available, send out word and recommended a rebuild of WASD.
And since the latest version (10.3) was already planned, I did both in one go. So now the server runs WASD 10.3, linked with (WASD) OpenSSL 1.0.1G. In the process, I also updated the webmail program (now 1.7.0), and some other products are waiting. But Soymail returns an error:
Internal consistency failure ... language file. and WATCH doesn’t show anything weird..
It’s not something to be worried about too much. Just a nuisance.

31-Jan-2014

CoĂ¯ncidence: NTP DOS?
Yesterday morning, Thomas Heim send out a warning on the OpenVMS SIG list that he had seen evidence on his systems of an exploit of a hole in older versions of NTP, and his warning was “Beware”.

That evening, when heading for bed, I heard my VMS server beep every few seconds. It normally does if a mail message comes in but at this rate, that means trouble.

And yes, I got loads of messages, that all concerend massive outgoing UDP traffic on port 123 – the NTP server, to a limited number of addresses but dirfferent ports on each of them. At times, there was a message concerning traffic to port 80 that was suspected to be torrent-based (quite unlikely to have UDP-traffic to a webserver…) so I got these as well.

Quite a coincidence?

Stopping the NTP server stopped the flood of messages, but after I restarted it, it restarted within a minute. So I turned my attention to the fireewall where port 123 (the standard NTP port) was still open. So I closed it and blocked all incoming traffic on port 123 – from any address.

Restarted NTP and after that, at least the flood of mail messages stopped so I wouldn’t be kept from sleeping. Whether I have to worry about time keeping remained to be seen. But a quick glance this morning reveled that time services still ru and do get an answer (the log states [Pass], so I think I don’t have to worry anymore for my time-keeping.

But there is still a lot of investigation to be done. The whole sequence styarted just after 21:00 and went on to justr after 22:00 when I stopped the NTP server; Restarted it at 22:10, the circus commenced so stopped it again at 22:11. Blocked the port in the firewall and restarted NTP at 22:16.
Just one (!) message blocked, and no problems ever since.

Next step is to investigate – as far as possible. I’ll keep the logfiles at hand (tonight they will be moved to the archives by the monthly maintenance job…).

27-Sep-2013

It’s a phisherman!
One of the sites I encountered a few days ago now appears to be a bad guy. Though the header appears to be valid:

Return-Path: internationalcardservices.notificationiare@mailing.internationalcardservices.nl
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
Fri, 27 Sep 2013 10:57:27 +0000 (UTC)
X-PMAS-MAIL-FROM:
internationalcardservices.notificationiare@mailing.internationalcardservices.nl
Received: from unknown ([87.106.96.232] EXTERNAL) (EHLO s16978676) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Fri, 27 Sep
2013 10:05:41 +0000
Received: from mailing.internationalcardservices.nl ([127.0.0.1]) by s16978676
with Microsoft SMTPSVC(7.5.7601.17514); Fri, 27 Sep 2013 12:05:28 +0200
From: International Card Services
<internationalcardservices.notificationiare@mailing.internationalcardservices.nl>
To: (my address)
Subject: Uw rekeningoverzicht bekijken en betalen
Date: 27 Sep 2013 12:05:26 +0200
Message-ID:
<20130927112751.4EA0D4FB379FEEC7@mailing.internationalcardservices.nl>
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0012_219D19A8.7D241EFA"
Return-Path:
internationalcardservices.notificationiare@mailing.internationalcardservices.nl
X-OriginalArrivalTime: 27 Sep 2013 10:05:28.0797 (UTC)
FILETIME=[17F140D0:01CEBB69]
<internationalcardservices>

and the content as welll, it is a phising attempt.
First, ICS normally sends just one reminder, and not two within a few hours. Nor will ISC send from an unknown address:

Received: from unknown ([87.106.96.232] EXTERNAL) (EHLO s16978676)

So I was triggered to check the included URL, and that is definitly NOT an ISCCards address:

href="http://www.lemrith.net/images/ICS.php"

Of course, the address has no longer access to the my network.
Lemmrith.net is actually a valid site: a small town in Germany (it is safe to check www.lemrith.net) but they have not secuired their site – given the fact that someone dropped a .PHP file on thein images directory. They have been notified.

One message, many phishing attempts

The spam filter does a good job in blocking messages, and at times I take a look on what reasons a message is blocked – especially where the reported sender (From: in the header) is one I could expect a mail from.

One such message I received today, it appears to be sent by LinkedIn, but the ful header told me otherwise:
From: "LinkedIn.Invitations" <4930A7EA@binggu.net>
Forged, no doubt.
The full header showed more information on why:
Return-Path: 4930A7EA@binggu.net
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
Wed, 17 Oct 2012 07:32:51 +0000 (UTC)
X-PMAS-MAIL-FROM: 4930A7EA@binggu.net
Received: from unknown ([190.65.67.127] EXTERNAL) (EHLO [190.65.67.127]) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Wed, 17 Oct
2012 02:45:11 +0000
From: "LinkedIn.Invitations" <4930A7EA@binggu.net>
To: <willem@grootersnet.nl>
Date: Tue, 16 Oct 2012 21:44:55 -0500
Subject: Invitation
Message-ID: <20121016214455.5D4E447FEC53518BE995C.JavaMail.app@WISAJUWIJHO-PC>
Accept-Language: en-US
Content-Language: en-US
x-linkedin-template: inv_exp_member_02
x-linkedin-class: INVITE-MBR
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-PMAS-External: unknown [190.65.67.127] (EHLO [190.65.67.127])
X-PMAS-Software: PreciseMail V3.2 [121016] (diana.intra.grootersnet.nl)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REPUTATION_URI_SPAM: URI reputation check (1.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-FROM_HAS_MIXED_NUMS: From: contains numbers mixed in with letters
(0.000)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry
(4.000)
X-PMAS-BDY-TEENY_FONT: Message tries to hide text in teeny-tiny font (5.000)
X-PMAS-META-DEAR_EMAIL_ADDR: Message has "Dear user@domain" greeting (4.000)
X-PMAS-Final-Score: 20.500
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes
X-PMAS-Quarantined: PreciseMail
X-PMAS-Filename:
PMAS_ROOT:[QUARANTINE.121017.C]SPAM$2012101702451912WIL279F70EA.SPAM

The fact it was sent from another domain than LinkedIn is sufficient reason, and so is each of the known phishing URI messages. To get some insight, I accepted it for easier examination (PMAS’ output is not really helpfull in these), and examined it using the webmail client:

Apart that the greeting is weird (Why would LinkedIn use my email address?) and the content is absolutely rediculous – if some company would request something like this, I would most cetainly NOT accept…), that should raise suspision in the first place. And as it turned out, each link shows a site that appears to be hacked, but some have taken action already (or the hack missed it’s target):

The accept button refers to “http://www.erlebnistour-lausitz.de/a5KYrCG/index.html” (404: Not Found)
The Ignore button refers to “http://mardamusic.com/frH62gSL/index.html”
The signature refers to “http://www.cypressgardenservices.org.uk/AN7iR9/index.html” (403: Forbidden)
“Unsubscribe” refers to “http://www.datalogger.gen.tr/Gw5enj3X/index.html”
“Learn why we include this” refers to “http://ftp.koneks.com.tr/G6mWAUPs/index.html” (404: Not Found)

I’ve investigated similar attempts before, but normally, all possible links refer to the same site. So this one is more elaborate.

Each site does exist, and each site now has a directory added that has a random name. I’m rather suspicious in these cases, my expectation is that the docroots of these sites are not set to ReadOnly, or even inaccessable from the outside, and that someone was able to push data onto these roots – phishing, for instance, or for installing a trojan.

So I installed lynx on Diana. This is a text-only web-browser that allows you to examine the full content, and does not execute any scripting immediately – you are able to store it on disk. Though it is available on many platforms, including Windows, the investigation is done on VMS – because that is virtually immune for malware đŸ™‚
Next, I accessed the first site, and I got the message “Connecting to server”. It comes from the HTML source like:

<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></html>

next, there are three pieces of javascript, different per accessable site:
<script type="text/javascript" src="http://mediaess.com/LBXxwGQa/js.js"></script>
<script type="text/javascript" src="http://s154138659.onlinehome.us/FDaCCZkr/js.js"></script>
<script type="text/javascript" src="http://www.baumbach-keramik.de/LwAH4gUo/js.js"></script>

and
<script type="text/javascript" src="http://location-vallee-aspe.com/xSmXWBZW/js.js"></script>
<script type="text/javascript" src="http://patitaspets.com/C44cbsPE/js.js"></script>
<script type="text/javascript" src="http://videosxxx.bz/yYJZQt0x/js.js"></script>

and the file ends normally

</body>
</html>

That code may cause the installation of malware, so next I accessed the first javascript file (at mediaess.com) and I got:
[trans.gif] [logo_sl_header.gif] HACKER SAFE certified sites prevent over 99.9% of hacker crime. [text_sl_pnums.gif]
[pic_sl_livechat.gif]

HOME PRODUCTS SUPPORT TESTIMONIALS AFFILIATES ABOUT US VDECK

[sl_snav_sublinks.gif]
Customer Login
Username:
_____________________
Password:
_____________________
Log In
[sl_indexv2_midcurve.gif]

This site has been suspended

If you manage this site and have a question about why the site is not available, please contact us directly.

Home | Hosting | Support | Testimonials | Affiliates | About Us | Site Map | Web Site Hosting
Copyright © 2007 StartLogic. Read our Terms of Service. All rights reserved.

[trans.gif]
so I wondered….If I would access the link under “Customer name” a cookie would have been placed – but I refused that.
Same for the third and sixth one, that directly referred to the home page, but without login and the third one requesting a cookie, that I did accept.
The second and fourth cannot be accessed (403, the fourth stating this access required authentication)
But the fifth indeed carried a javascript file js.js, that I store on disk to examine. It runs a piece of PHP code:

document.location='http://2.bajawinery.com/links/assure_numb_engineers.php';

but when I accessed that URL, the host 2.bajawinery.com, could not be found – from Diana anyway.
Running TCPIP$DIG however, did find that site, but not as expected:
$ dig bajawinery.com
;; reply from unexpected source: 188.142.0.6#53, expected 192.168.0.33#53

; < <>> DiG 9.3.1 < <>> bajawinery.com
;; global options: printcmd
;; connection timed out; no servers could be reached
$
but this is a DNS server at my ISP.

The state may have been changed and action taken, and I couldn’t find the cookie I saved…so there the trail ended….

11-Apr-2011

Identiy Theft
Since yesterday there seems to be quite some messages around that use my email-address in Return-Path:, From: (as the real address for a nickname) or Reply-To:. I _know_ these messages don’t come from my site, since they all lack the address of my mail server.

For example (of course, the email address of the recipient is removed)


Return-Path: <willem@grootersnet.nl>
Received: from [93.62.200.186] (93-62-200-186.ip24.fastwebnet.it [93.62.200.186])
by mx1.xxx.xx (8.13.1/8.13.1) with ESMTP id p3B88VmN013149
for <xxx@xxx.xx>; Mon, 11 Apr 2011 10:08:31 +0200
Message-ID: <c61a10a054ccaae438328276ee88c61a(JFR4IU1>
From: "clementius zhigang" <willem@grootersnet.nl>
To: "dionisio kaveh" <xxxx @xxx.xx>

Received: from [151.56.14.97] ([151.56.14.97] verified)
by post.yyyy.yy (CommuniGate Pro SMTP 4.2.8)
with ESMTP id 60263607 for yyyy@yyyy.yy; Mon, 11 Apr 2011 10:05:26 +0200
Date: 11 Apr 2011 08:31:04 +0100
From: “lane jamie” <willem@grootersnet.nl>
X-Priority: 3
Message-ID: <503249808.201104110902@grootersnet.nl>
To: “car zhigang” <yyyy@yyyy.yy>

This way, you may end up in any spam database – without your fault.

The addresses from where these messages were sent are as follows – if I read the headers well:

from [93.62.200.186] (93-62-200-186.ip24.fastwebnet.it [93.62.200.186])
from [151.56.14.97] ([151.56.14.97] verified)
from [84.14.117.130] (HELO host.86.241.23.62.rev.coltfrance.com)
from [208.124.242.230] ([208.124.242.230] verified)
from 15.Red-80-36-135.staticIP.rima-tde.net (80.36.135.15)
from [116.68.64.53] ([116.68.64.53])
from [95.76.105.228] (unknown [95.76.105.228])
from [151.56.14.97] (unknown [151.56.14.97])
from [117.194.41.73] (unknown [117.194.41.73]) (this is a tricky one)
from [194.152.245.26] (unknown [194.152.245.26])
from [117.194.41.73] [117.194.41.73]
from LSt-Amand-152-31-19-235.w193-253.abo.wanadoo.fr ([193.253.222.235])

and that may hold a clue to the originator of the message.

If a mail has it’s origin form my site, it will ALWAYS carry the mailserver as a receiver – either from itself, if I use the web mail client, or as the site’s mail server, as is described in this page

I’m not sure yet what the next step might be. Post the whole bunch at the police and let them have it? Because accessing each postmaster, or domain owner, is way too much work – and at times, even POSTMASTER@target.domain does not exist (despite the fact the standards prescibes the identity…)

14-Feb-2011

A slight change
It’s getting exceedingly problamatic to login as administartor on the blogs. It all boils down to the PHP installation and mapping, so I’ll upgrade both Wasd, PHP and WordPress as soon as possible – probably next weekend. That also means that the view of these blogs will change…Hopefully it will solve these (and other) issues; I’ve tried so using Daphne – that runs WASD 10.0.2, the lastest PHP port by Mark Berryman and WordPress 3.0.1. And since the latest vesrion seems to be 3.0.5 (shown on the banner on the admin pages) that would be a major upgrade. But the greatest chnage will be in the WASD envrionment. Luckily, it has been set up on Dahpne so it’s merely a matter op copying the files.
I hope…
To get around a few issues, I changed the design of the Trips, Tracks and Travels blog – using another theme, which loads faster – and allows login from it. The Dust Theme always required by restart of the browser, and somethimes this helped….
DDoS attempts
It has been quiet on the (D)Dos front fro some time, but this weekend there has been another attempt, from different addresse; it might have been a distributed atgtack, or ifrom one route over different anonymizers – but the addresses have been noted; action is planned.\
Fiber coming
According the plans, laying the galss fiber in our street will start this week – and within a few weeks I’ll have my FAST access. Originally I opted for a 10Mb connection, but since 50Mb (symmetrical) is not that much extra, I’ll make my move.

24-Jan-2011

More malicious attempts blocked at the gate
I expected it to happen: When one network is blocked, attempts will come from another source. So in the cause of a few days, I blocked a few more subnets. It seems to help, since the number of alerts dropped, and accessing the site is more constant and stable. I’m working on a method to report on abusive access – no matter in what way: DoS, Spam, FTP store, HTTP(s) attempts to break into software I don’t run (or on a different location). And than I’ll be able to publish them…
One package though needs closer attention, as I think chnaging it’ s locations to ReadOnly is trouiblesome, I need some advise from the specialist in that area. But I removed a possible cause of trouible – when looking to it’s name, I suspect it was – and cleaned quite a lot of rubbish tghat is must have left behind. Also, the users I previously disabled have now been deleted, and the caches cleared.

(The Dutch railways offer Internet in some of the fast trains – free until 2012, according their site. That’s where I wrote the entry)

19-Jan-2010

Bandwith management
My son has bought a laptop some weeks ago and now he’s consuming all bandwidth downloading. At some point the software he uses had over 4000 sessions open, causing a severe access problem – both from outrside as inside. Most of this traffic seems to be outgoing – synchronisaton, probably?.
First, I squeezed the number of sessions from his laptop to a max of 200 – that helped somewhat, but still the outgoing traffic took almost all available space on the 1Mb channel. So this evening, I limited his upload bandwidth to 200Kb – and that caused his download speed to be much lower as well.
This shows immediately in the traffic graph:

Drop in traffic when bandwidth filters set

Stupid program ….
Another side effect is that the SYSLOG files grows VERY FAST. Where it took a few days – or a week – to exceed 25000 blocks, now it took just severakl hours…Each day, the log grows to a 125.000 blocks. This squeezing may decrease the growth as well – less traffic means less entries.
Space is not a real issue, but I’ll have to keep a keen eye on the size…
Blocking abuser
Another ability the router / firewall offers is blocking access from specific addresses – or subnets. That allows me to block a complete subnet: 69.25.7.0. This network offers the possibility of DoS attacks over Trace_rt – that doe occur severely at tgimes, overfilling my mailbox by the number of alerts due tgo these attemps, from the network, ending by a number ending in a mulitple of 4. We’ll see what happens next. Of course, this blocking is logged.
BTW: The owner – according WHOIS – has been notified of the abuse. But I didn’t receive confirmation – yet.
Disk trouble – continued
I got a message from the recovering firm that the disk heads and platters are in such a state that with the current replacement of the head assembly, it was almost impossible to retrieve any real data…But not all is lost ; there still is a chance that data can be recovered. But it will take some time and effort. Luckily it is both fixed price and no-cure-no-pay. If they succeed, tke UK holiday report can be extended with the tracking data (meaning I may have to re-generate and ere-install the album, but that’s just a matter of a few minutes :).
The replacement disk – 320 Gb – has been installed and initialized, so I’m still better off in terms of storage space.
Spam decrease
A few days ago I learned that a server that was heavily used by spam-sending botnets, was taken offline last month. That explains the downfall of the numbers of spam messages. A decrease I have observed as well. But as expected, it gradually re-increases….

02-Nov-2010

Stupid…
I accessed a website I shouldn’t have accessed – but at times you’re just curious, and normally, havoc is prevented by the malware detection on the system.
Not so good, this time. But you’ll only find out when harm is done. No matter your precautions:

The site really was unsafe: it uploaded a JAVA application onto Aphrodite, that tried to access the Internet. Of course, this was blocked by the malware detection I have always running; but nevertheles, some ‘malware detection product’ seemed to be installed. The malware tracker alarmed that a trojan was encountered, and I started a scan, during which I removed some weirdly named .EXE and .JAR files on the system, dated today; the .EXE files must have been included in the .JAR files that were tansferred to the system, I’d seen the names of the executables in the intercepted traffic attempts.
The virus-scan revealed one ‘Potentially Unwanted program’ but was unable to remove it on request – asking for a reboot. And so I did.
I shouldn’t have done.
It turned out that Aphrodite didn’t boot into Windows any more. Even in a minimal mode: safe mode with command prompt. On screen, you would only see three files loaded – the last being MDCOM.DLL, and then boot stalled. No more activity at all. I could do a boot from the Windows XP installation CD, but there was no way to restore the system in a short while. The Ubuntu environment however does boot nicely, so it’s definitely a Windows problem. I looked around and it will mean I have to re-install the system in repair mode…
What will happen to the current Linux-based boot-loader, remains to be seen.
But one luck: the C-drive doesn’t contain a lot of data, and what data there is, can easily be moved off that disk. However, the Ubuntu environment does not accept the WD Passport disk on a USB port. At least, I haven’t encountered a solution to this problem.

It might be a point to reconsider XP. I do need a Windows environment (since some of the programs I use have no Linux equivalent, and the company relies on the Office suite) so I might move on and instalkl Windows7 professional – for $299 ‘only’. (I’ve checked before and the system does match the requirements – after I double the memory :))

01-Sep-2010

Cleanup

The cleaning job has run last night, and I ran into a timing problem: The operator log has been copied, a new index page was created — after which the logfiles must have been archived. So yesterdays log that could show something on the connection issue, was no longer available on-line.

Update< ./font>:I checked the operlog, and the event shows up:

%%%%%%%%%%% OPCOM 30-AUG-2010 20:20:49.75 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@Unknown at Aug 30 19:28:50 ...
Vigor: WAN 1 is down.

%%%%%%%%%%% OPCOM 30-AUG-2010 20:20:50.20 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@Unknown at Aug 30 19:28:50 ...
Vigor: WAN 1 is UP.

%%%%%%%%%%% OPCOM 30-AUG-2010 20:30:23.42 %%%%%%%%%%%
Message from user SYSTEM on DIANA
Message from syslogd@Unknown at Aug 30 19:38:20 ...
Vigor: --SendMailAlert--

The alert didn’t arrive so that is still to be settled in the router.

I would have expected a mail of last month’s mail statistics but that didn’t arrive either, so there is still something wrong.
Update< ./font>: No it’s Ok. It will show up in the log, it isn’t mailed.

Password reset requested?
I got a mail this morning from Twitter, that a new password was requested. Must have been someone else, so I accessed Twitter.com directly and changed my password. All others as well, whereever I could access the pages. But this was my intention anyway.

Update< ./font>: ALL passwords have been changed. The Bootcamp2008 blog seems to have been compromise3d, so it has been disabled – it will now render a 404 error.

Mail statistics
PMAS statistics for August
Total messages    : 9140 = 100.0 o/o
DNS Blacklisted   : 1875 =  20.5 o/o (Files: 31)
Relay attempts    : 5940 =  64.9 o/o (Files: 31)
Processed by PMAS : 1325 =  14.4 o/o (Files: 31)
       Discarded :  139 =  10.4 o/o (processed),   1.5 o/o (all)
    Quarantained :  350 =  26.4 o/o (processed),   3.8 o/o (all)
       Delivered :  836 =  63.0 o/o (processed),   9.1 o/o (all)

More important: on 25-August, there have been – again – a massive amount of relay attempts; the file is 564 blocks in size – 2300 lines alltogether. Second are attempts 10 days earlier, about 2100 times. These files need to be more closely examined, but on first glance, the sender’s address is known. Reason enough to block 126.com and sina.com.

By the way: the license needs to be renewed, it will expire tomorrow.