30-Jan-2007

Weird…
Looking into the WordPress issue stated yesterday, checked the webserver log but couldn’t find anything related. Checked the database (using MyPHPAdmin) but found nothing wrong. Checked the base configuration: nothing wrong either. Retried this blog – and all is fine!
PHP engine errors
While checking the webserver log, I found these errors:
%HTTPD-W-NOTICED, 23-JAN-2007 20:23:51, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 192.168.0.33
-NOTICED-I-URI, GET (60 bytes) /sysblog/wp-admin/inline-uploading.php?post=38&action=upload
-NOTICED-I-SCRIPT, /sysblog/wp-admin/inline-uploading.php sysblog:[wp-admin]inline-uploading.php (cgi_exe:phpwasd.exe) SYSBLOG:[wp-admin]inline-uploading.php
-NOTICED-I-CGI, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (62 bytes) %DEBUGBOOT-W-CHN, assign channel system service request failed
-NOTICED-I-RXTX, err:0/0 raw:916/0 net:916/0

on different pages in WordPress.
Quite a lot of these errors on the Forums:
%HTTPD-W-NOTICED, 23-JAN-2007 20:36:39, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 192.168.0.33
-NOTICED-I-URI, GET (60 bytes) /forums/admin/index.php?sid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-NOTICED-I-SCRIPT, /forums/admin/index.php forums:[admin]index.php (cgi_exe:phpwasd.exe) FORUMS:[admin]index.php
-NOTICED-I-CGI, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (129 bytes) %SYSTEM-F-HPARITH, high performance arithmetic trap, Imask=00000000, Fmask=00000002, summary=02, PC=00000000001E9C94, PS=0000001B
-NOTICED-I-RXTX, err:0/0 raw:831/0 net:831/0

Not just by myself but from external sources as well.
Given the location (PC=00000000001E9C94) my guess is it’s in the PHPSHR.EXE image used by the WASD engine – used as-is, and delivered by HP.
(E107 still crashes the engine…)

29-Jan-2007

Easy times
Taking chances – but it IS very quiet. On the VMS front, that is. Except for the usual – some SPAM (and another address I should allow) and the few that try to promote their sites over the forum. The latter are removed – as usual.
On the Windows front however, there’s more concern about stability. Or better – lack of it. On Aphrodite, the video card’s fan is working overtime on startup, and has to be slowed down by resetting its settings each time the system is booted, and once downloaded and installed patches keep re-appearing and must be set to “hidden” explicitly. Microsoft is aware of the problem (I hope) but a solution has not been issued so far. On Demeter, the wireless is now working without extra cards, it required a setting of the access point to be changed but that’s not a big problem. The stability of Windows is not as it should be (and has been), especially if the laptop has been in standby-mode for hours: It simply won’t shut down normally.
But for the rest – it’s easy going. Hope it’ll stay that way
Redesigning the site
I now have a fairly strong idea how the web should look, in structure, that is. It requires quite a lot of pages to be re-created: All holiday picture albums, for instance, will be moved. But that takes time – a lot of time.
Something’s wrong
with the WordPress management pages: I’m missing crucial parts: Excerpt, upload and so on. There seems to be a syntax error somewhere….

On comments

If you want to comment, feel free to do so. But keep in mind that all comments are screened and need approval before they will show up. I don’t want the blog spoiled with spam, I think most people hate spam in a blog as much as they hate it in e-mail. To prevent spam, I take the time to scan the comments before having them published. Of course, I’m helped with a public service (luckily).

Your comment comes with both the originating domain and IP-address, and that way I can (and will) trace the origin. That way, I have located a few already. Though you may enter a nice comment (thanks anyway), there may be reasons, for me to decide, not to publish your comment.
If there was no issue with returning a password by email, I would require registration, but up to that time, you’re free to post your comments – as long as it adheres to a few simple rules:

  • any comment that is promoting gambling or pharmacy – and you can add ANY other subject that widely is considered spam – will ALWAYS be deleted
  • any comment that is promoting hatred, violence, sexual- and dating sites will ALWAYS be deleted
  • any comment that is clearly originating from a commercial site that may link directly into that site, I may consider inappropriate – in which case, it will be deleted
  • It’s a good habit to sign your comment. I cannot (and will not) force you to publish your email address, but it’s appreciated if you leave it – in some form – in your comment. (of course, it would be great if it is a correct email-address)

A few try it (again) over the web

    In the last webserver log, there were two similar attempts:

    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 864

    Checking this address, it seems to originate from France:

    inetnum: 213.186.50.128 - 213.186.50.191
    netname: BEWEST
    descr: BEWEST
    country: FR
    admin-c: OK217-RIPE
    tech-c: OK217-RIPE
    status: ASSIGNED PA
    mnt-by: OVH-MNT
    source: RIPE # Filtered

    ...
    % Information related to '213.186.32.0/19AS16276'

    route: 213.186.32.0/19
    descr: OVH ISP
    descr: Paris, France
    origin: AS16276
    mnt-by: OVH-MNT
    source: RIPE # Filtered

    A few days later, there has been another one:

    211.174.62.251 - - [18/Jan/2007:12:51:14 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:16 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:19 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:21 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:24 +0100] "GET /cgi/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:26 +0100] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scripts/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:29 +0100] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868

    Whois tells it seems to be Korean, guess it’s spoofed because there is no WHOIS information at all.
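
Both sweeps logged above share one shape: a single client, a burst of 404s within seconds, and the same few script names (xmlrpc.php, adxmlrpc.php, awstats.pl) tried under many directory prefixes. As an added example (not part of the original post), this Python script flags that shape in Common Log Format lines; the sample log, the addresses 192.0.2.10 and 198.51.100.7, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpts above; 192.0.2.10 and
# 198.51.100.7 are documentation addresses, not taken from the real log.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:50 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:51 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 864
198.51.100.7 - - [15/Jan/2007:18:02:10 +0100] "GET /sysblog/index.php HTTP/1.1" 200 5120
198.51.100.7 - - [15/Jan/2007:18:02:11 +0100] "GET /favicon.ico HTTP/1.1" 404 864
198.51.100.7 - - [15/Jan/2007:18:05:40 +0100] "GET /xmlrpc.php HTTP/1.1" 404 864
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
PROBE_FILES = {"xmlrpc.php", "adxmlrpc.php", "awstats.pl"}  # names seen in the log above

def find_sweeps(log_text, min_paths=5, window=timedelta(seconds=60)):
    """Return {client: sorted probed paths} for clients that got 404 on at
    least min_paths distinct probe-file paths inside one time window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        client, stamp, _method, path, status = m.groups()
        name = path.split("?")[0].rsplit("/", 1)[-1]
        if status != "404" or name not in PROBE_FILES:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits[client].append((when, path))
    sweeps = {}
    for client, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over this client's hits
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_paths:
                sweeps[client] = sorted({p for _, p in events})
                break
    return sweeps
```

A single stray 404 on /xmlrpc.php, as from the second client in the sample, stays below the threshold and is not reported.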
    The Forums
    have some issues as well. Some people seem to like to add their name, fake IP address and whatever on the site – where it clearly states it’s for Dutch VMS users (in Dutch, so what would someone from the US, or Russia, expect). I had to check the code, because the username that pops up when his credentials are accessed, is overwritten by the administrator name. So I decided to remove ALL questionable users and change the administrator password.
    Webmail
    running on VMS is great: Guess a mail with subject “Passionate Kiss” holding an attachment “Greeting Card.exe” – mind the extension… That is simply shown in the button, so I’m warned beforehand.
    Login failures
    have been located on 21-Jan-2007 – but all on DECNet – and I guess that has to do with the boots last weekend – given the time (around 19:30) quite feasible. And: these can only come from the local network. So I don’t mind them – and 22-jan-2007 is all clear:

    ================================================================================
    23-JAN-2007 00:01:01.96 Login failures found
    No login failures found