On comments

If you want to comment, feel free to do so. But keep in mind that all comments are screened and need approval before they will show up. I don’t want the blog spoiled with spam; I think most people hate spam in a blog as much as they hate it in e-mail. To prevent spam, I take the time to scan the comments before having them published. Of course, I’m helped by a public service (luckily).

Your comment comes with both the originating domain and IP-address, and that way I can (and will) trace the origin. That way, I have located a few already. Though you may enter a nice comment (thanks anyway), there may be reasons, for me to decide, not to publish your comment.
If there was no issue with returning a password by email, I would require registration, but until that time, you’re free to post your comments – as long as they adhere to a few simple rules:

  • any comment that is promoting gambling or pharmacy – and you can add ANY other subject that widely is considered spam – will ALWAYS be deleted
  • any comment that is promoting hatred, violence, sexual- and dating sites will ALWAYS be deleted
  • any comment that is clearly originating from a commercial site that may link directly into that site, I may consider inappropriate – in which case, it will be deleted
  • It’s a good habit to sign your comment. I cannot (and will not) force you to publish your email address, but it’s appreciated if you leave it – in some form – in your comment. (of course, it would be great if it is a correct email-address)

A few try it (again) over the web

    In the last webserver log, there were two similar attempts:

    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
    213.186.50.160 - - [15/Jan/2007:17:59:50 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 864

    Checking this address, it seems to originate from France:

    inetnum: 213.186.50.128 - 213.186.50.191
    netname: BEWEST
    descr: BEWEST
    country: FR
    admin-c: OK217-RIPE
    tech-c: OK217-RIPE
    status: ASSIGNED PA
    mnt-by: OVH-MNT
    source: RIPE # Filtered

    ...
    % Information related to '213.186.32.0/19AS16276'

    route: 213.186.32.0/19
    descr: OVH ISP
    descr: Paris, France
    origin: AS16276
    mnt-by: OVH-MNT
    source: RIPE # Filtered

    A few days later, there has been another one:

    211.174.62.251 - - [18/Jan/2007:12:51:14 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:15 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:16 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:17 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:18 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:19 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:20 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:21 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:22 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:23 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:24 +0100] "GET /cgi/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:25 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:26 +0100] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:27 +0100] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:28 +0100] "GET /scripts/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:29 +0100] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 868
    211.174.62.251 - - [18/Jan/2007:12:51:30 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868

    Whois tells me it seems to be Korean; I guess it’s spoofed because there is no WHOIS information at all.
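
Both sweeps logged above share one pattern: a single client asks for the same script name under many directories within seconds, and every request returns 404. The Python below is an added example, not part of the original post, that flags this pattern in Common Log Format lines; the sample lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import basename

# Common Log Format, the layout of the log excerpts above.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) \S+$')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = """\
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /a1b2c3/nonexistentfile.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:49 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:50 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 864
192.0.2.10 - - [15/Jan/2007:17:59:50 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 864
198.51.100.7 - - [15/Jan/2007:18:00:02 +0100] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [15/Jan/2007:18:00:03 +0100] "GET /favicon.ico HTTP/1.0" 404 864
""".splitlines()

def parse(line):
    """Return (ip, time, path, status), or None for a line that is not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    ip, ts, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path.split("?", 1)[0], int(status)

def find_sweeps(lines, min_dirs=3, window=timedelta(seconds=60)):
    """Map (ip, filename) to the paths of its largest burst of 404s."""
    hits = defaultdict(list)
    for ip, when, path, status in filter(None, map(parse, lines)):
        if status == 404:
            hits[(ip, basename(path))].append((when, path))
    sweeps = {}
    for key, seen in hits.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Slide the window so it never spans more than `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            burst = sorted({p for _, p in seen[start:end + 1]})
            if len(burst) >= min_dirs and len(burst) > len(sweeps.get(key, [])):
                sweeps[key] = burst
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(SAMPLE))
```

Grouping by file name rather than by a fixed list of script names means the same check catches a sweep for any script, while a single stray 404 such as a missing favicon stays below the threshold.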
    The Forums
    have some issues as well. Some people seem to like to add their name, fake IP address and whatever on the site – where it clearly states it’s for Dutch VMS users (in Dutch, so what would someone from the US, or Russia, expect). I had to check the code, because the username that pops up when his credentials are accessed, is overwritten by the administrator name. So I decided to remove ALL questionable users and change the administrator password.
    Webmail
    running on VMS is great: Guess a mail with subject “Passionate Kiss” holding an attachment “Greeting Card.exe” – mind the extension… That is simply shown in the button, so I’m warned beforehand.
    Login failures
    have been located on 21-Jan-2007 – but all on DECNet – and I guess that has to do with the boots last weekend – given the time (around 19:30) quite feasible. And: these can only come from the local network. So I don’t mind them – and 22-Jan-2007 is all clear:

    ================================================================================
    23-JAN-2007 00:01:01.96 Login failures found
    No login failures found

    23-Jan-2007

    Cluster creation trouble
    Last Sunday, I retried to cluster Diana and the newly arrived Alphaserver 400, named DIDO, using the CLUSTER_CONFIG_LAN procedure – the right way to do it.
    It turned out there were bits and pieces wrong in the VOTES and EXPECTED_VOTES system parameters – and to avoid a system hang if during the process something went wrong (due to quorum loss, Diana might be stalled) I added a quorum disk. The one tried first was the web disk, but for some reason (probably to do with voting parameters, these were not yet raised) that failed: Dido didn’t start. So I changed to use the system disk, but erroneously named it “DKA100” (in a way, this is correct – if another system wouldn’t have this disk). Diana came up fine, but again, Dido failed. As it turned out: Dido does have a local device “DKA100” which explains the trouble… I should have mentioned it “$116$DKA100” – the right name since it’s on the shared SCSI (with some help from the OpenVMS ITRC). Also, I found that the SCSSYSTEMID of Diana was wrong, and had it changed to the right value.
    When this all was done, I succeeded in having DIDO started from the common system disk – resulting in the configuration using Autogen and reboot. But there it fails – dramatically. I won’t get into detail here – just take a look at the ITRC entry. But Diana was very happily keeping up – and running.
    No connection
    There was a problem, though, but it wasn’t found before Monday night: NO ACCESS AT ALL to any web, and also SSH and TELNET failed: the system seemed out of order. The kids though didn’t complain that they couldn’t access the Internet, so that seemed ok. Rushed home and checked Diana, but all seemed well: telnet, ssh, web – but locally – all was working. It was just that it seemed that all access to the EXTERNAL address was blocked: web, ssh, telnet… Even from the local systems – or Diana itself!
    Solution: reboot the router, and behold: problems done. The lesson: If anything has been done to Diana that may have an effect on external access, the router needs a reset.
    This means that mail between Sunday night (about 23:00) and Monday (up to about 18:00) is LOST….
    Logs Ok
    Scanning of the logfiles is fine now.
    New licenses
    The current licenses would expire 27-Jan-2007 and a new set arrived a week ago, or so. I loaded the new licenses – so I’m fit to run until 27-Jan-2008.