Ebay – a bit altered

This message arrived today – from an Ebay – I mean, Eday – member:

eday

With Outlook, Eday is easily read as Ebay…

Fake of course, sent to obtain credentials.
The header shows its origin: Australia – given the names, I'd say Melbourne:

Return-Path: member@eday.com
Received: from mail.southern-ro.com.au (203.46.24.242)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Thu, 30 Aug 2007 13:40:27 +0100 (CET)
Received: from User ([195.84.14.70]) by melbserver.southern-ro.com.au with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 30 Aug 2007 21:40:16 +1000
Reply-To: <member@eday.com>
From: "member"<member@eday.com>
Subject: message from member
Date: Thu, 30 Aug 2007 13:40:15 +0200
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: member@eday.com
Message-ID: <MELBSERVERAtC33BcZY00000e29@melbserver.southern-ro.com.au>
X-OriginalArrivalTime: 30 Aug 2007 11:40:16.0643 (UTC) FILETIME=[891CAD30:01C7EAFA]

That is: the message came from address 195.84.14.70, and this is NOT an Ebay address, nor is the mail server that connected (203.46.24.242). Nor would Ebay use Outlook Express. In other words: it is a basic PC. There is no To: line either; I wonder how the message got here in the first place.
No name in the message either – which is not how eBay would do it.
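The reasoning above (origin IP from the oldest Received hop, a desktop mailer, no To: line) can be automated. As an added example that is my own code and not from this blog, the Python below parses the quoted headers with the standard email module; the sample message is reconstructed from the headers above with the continuation lines indented as RFC 5322 folding requires, and the domain check is a plain substring test, not a DNS lookup.

```python
import re
from email import message_from_string

# Constructed from the headers quoted above (body omitted, continuation
# lines indented); the original has no To: header either.
RAW_MESSAGE = """\
Return-Path: member@eday.com
Received: from mail.southern-ro.com.au (203.46.24.242)
 by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
 Thu, 30 Aug 2007 13:40:27 +0100 (CET)
Received: from User ([195.84.14.70]) by melbserver.southern-ro.com.au with Microsoft SMTPSVC(6.0.3790.3959);
 Thu, 30 Aug 2007 21:40:16 +1000
Reply-To: <member@eday.com>
From: "member"<member@eday.com>
Subject: message from member
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

"""

# Matches "from <host> (<ip>) by <host>" and "from <host> ([<ip>]) by <host>"
HOP_RE = re.compile(r"from (?P<from>\S+)(?: \(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\))?"
                    r" by (?P<by>\S+)")
DESKTOP_MAILERS = ("Outlook Express", "Microsoft Outlook")

def received_chain(msg):
    """Hops oldest first, each as (claimed sending host, its IP or None, receiving host)."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(hdr.split()))  # unfold the header before matching
        if m:
            hops.append((m["from"], m["ip"], m["by"]))
    return hops

def assess(raw):
    """Compare the claimed From: domain with where the mail actually entered the chain."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    from_domain = msg["From"].rsplit("@", 1)[-1].rstrip(">").lower()
    findings = []
    if not any(from_domain in h[0].lower() or from_domain in h[2].lower() for h in hops):
        findings.append(f"no Received hop belongs to {from_domain}")
    mailer = msg.get("X-Mailer", "")
    if any(name in mailer for name in DESKTOP_MAILERS):
        findings.append(f"sent with a desktop client: {mailer}")
    if "To" not in msg:
        findings.append("no To: header, so the recipients were blind-copied")
    origin_host, origin_ip, _ = hops[0] if hops else (None, None, None)
    return {"origin_host": origin_host, "origin_ip": origin_ip,
            "from_domain": from_domain, "findings": findings}
```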

Almost all links that could require a login refer to a site at oberleitner.biz, even the ones where you could report or learn about abuse:

Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is
this message an offer to buy your item directly through email without
winning the item on eBay? If so, please help make the eBay marketplace
safer by reporting it to us. These external transactions may be unsafe
and are against eBay policy. <A href="
http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

A bit further down:

<B>Always remember to complete your transactions on eBay - it's the safer way to trade.</B><BR><BR>Is this message an offer to buy your item directly through email without winning the item on eBay? If so, please help make the eBay marketplace
safer by reporting it to us. These external transactions may be unsafe and are against eBay policy. <A href="
http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/"
target=_blank><FONT color=#003399>Learn more about trading safely</FONT></A>

and

Learn how you can protect yourself from spoof (fake) emails at:<BR><A href="http://www.oberleitner.biz/cache/ws/eBay_com_Verify_your_eBay_account_files/" target=_blank><FONT
color=#003399>https://pages.ebay.com/education/spooftutorial</FONT></A>

It looks like oberleitner.biz's business is harvesting user credentials. Or its domain is being abused.

FTP and web abuse attempts.

FTP attempts
I walked the FTP logs for a change – it's very quiet and I don't bother too much about script kiddies – the vast majority of the attempts are from scripts, and most of them rely on either badly configured Windows systems running the low-end version of IIS (or using FrontPage), or Linux boxes. Like this one a week ago:

In operator.log the attempt to create a directory showed up:

%%%%%%%%%%% OPCOM 20-AUG-2007 21:58:11.02 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: M2147P027.adsl.highway.telekom.at
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070820225850p]

Anonymous_ftp.log shows the login and just a few lines – not all of them:

20-AUG-2007 21:58:09.46 User:anonymous logged in ident:Jgpuser@home.com from Host:M2147P027.adsl.highway.telekom.at
20-AUG-2007 21:58:10.91 User:anonymous ident:Jgpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
20-AUG-2007 21:58:12.30 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
20-AUG-2007 21:58:12.38 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Tagged
20-AUG-2007 21:58:12.45 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]TaGGeD
20-AUG-2007 21:58:12.52 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
20-AUG-2007 21:58:12.58 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Data
20-AUG-2007 21:58:12.66 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]^%
20-AUG-2007 21:58:12.72 User:anonymous ident:Jgpuser@home.com logged out

Three seconds, according to this log, and a pattern that is seen more often. The full FTP_run.log shows the script tried Windows and Linux default locations, and the failed attempt to create a directory, before the above were tried:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:09.08
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/

next, the attempt to create the directory:

%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070820225850p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC000EE: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: M2147P027.adsl.highway.telekom.at
%TCPIP-I-FTP_USER, user name: anonymous

which is signalled in OPERATOR.LOG. It goes on: accessing non-existing directories (either Windows or Linux based):

%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/

and finally the ones signalled in anonymous_ftp.log:

%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from M2147P027.adsl.highway.telekom.at at 20-AUG-2007 21:58:12.75
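Scans like the one above stand out as a burst of failed CWDs packed into a few seconds. As an added example (my own code, not from this blog or from TCPIP Services), the Python below parses lines in the Anonymous_ftp.log format shown above, groups them into sessions and flags the scripted ones; the sample log is constructed from the entries above, and the success/failure rule (a VMS condition value with its low bit set is a success) is my reading of the status field.

```python
import re
from datetime import datetime

# Constructed sample in the Anonymous_ftp.log format shown above (not the full log).
SAMPLE_LOG = """\
20-AUG-2007 21:58:09.46 User:anonymous logged in ident:Jgpuser@home.com from Host:M2147P027.adsl.highway.telekom.at
20-AUG-2007 21:58:10.91 User:anonymous ident:Jgpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
20-AUG-2007 21:58:12.30 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
20-AUG-2007 21:58:12.52 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
20-AUG-2007 21:58:12.66 User:anonymous ident:Jgpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]^%
20-AUG-2007 21:58:12.72 User:anonymous ident:Jgpuser@home.com logged out
27-AUG-2007 05:13:32.66 User:anonymous logged in ident:googlebot@google.com from Host:crawl-66-249-66-2.googlebot.com
27-AUG-2007 05:13:33.29 User:anonymous ident:googlebot@google.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous.perl]
27-AUG-2007 05:13:33.58 User:anonymous ident:googlebot@google.com logged out
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d-[A-Z]{3}-\d{4} \d\d:\d\d:\d\d\.\d\d) User:\S+ "
    r"(?:logged in ident:(?P<ident>\S+) from Host:(?P<host>\S+)"
    r"|ident:(?P<ident2>\S+) status:(?P<status>[0-9A-Fa-f]{8}) CWD dir:(?P<dir>\S+)"
    r"|ident:(?P<ident3>\S+) logged out)$")

def parse_sessions(text):
    """Group lines into login..logout sessions, keyed by the ident string."""
    live, done = {}, []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # unknown lines skipped
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        ident = m["ident"] or m["ident2"] or m["ident3"]
        if m["host"]:  # a login line opens a session
            live[ident] = {"host": m["host"], "ident": ident, "start": ts, "end": ts,
                           "dirs": [], "failed": 0}
        elif ident in live:
            s = live[ident]
            s["end"] = ts
            if m["dir"]:
                s["dirs"].append(m["dir"])
                # VMS condition values: low bit clear (07649912 here) means failure.
                s["failed"] += not (int(m["status"], 16) & 1)
            else:  # the logout line closes the session
                done.append(live.pop(ident))
    return done

def flag_probes(sessions, min_failed=3, max_seconds=10.0):
    out = []
    for s in sessions:
        secs = (s["end"] - s["start"]).total_seconds()
        if s["failed"] >= min_failed and secs <= max_seconds:
            out.append({"host": s["host"], "ident": s["ident"], "failed": s["failed"],
                        "seconds": round(secs, 2), "dirs": s["dirs"]})
    return out
```

The thresholds are deliberately loose; a crawler such as Googlebot, which changes into one existing directory and leaves, is not flagged.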

There have been more accesses, but these seem to have cut the connection right after connecting:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 57.c-servers.com at 21-AUG-2007 16:29:30.44
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from unknown76.120.65.69.defenderhosting.com at 21-AUG-2007 19:55:13.88
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 202.62.224.90 at 23-AUG-2007 12:06:20.27
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from us1.dnsbu.com at 23-AUG-2007 16:12:06.56
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 69.1.239.133 at 23-AUG-2007 17:40:18.96
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from us1.dnsbu.com at 24-AUG-2007 00:03:16.19
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 78.129.138.101 at 25-AUG-2007 15:08:13.28

The web log shows it has finally been realised that overrun attempts will surely fail. That FORUM has been disabled shows up in the log: last week saw just one attempt to push a fake registration directly, and one address tried twice – three times in a row each time – to do so by querying the site, and then gave up:

219.207.8.140 - - [21/Aug/2007:01:10:03 +0100] "GET http://www.grootersnet.nl/forums/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 403 864
...
66.232.125.138 - - [21/Aug/2007:01:10:29 +0100] "GET http://www.grootersnet.nl/ HTTP/1.0" 403 864
66.232.125.138 - - [21/Aug/2007:01:10:30 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [21/Aug/2007:01:10:31 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
...
66.232.125.138 - - [22/Aug/2007:02:10:56 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [22/Aug/2007:02:10:57 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748
66.232.125.138 - - [22/Aug/2007:02:10:58 +0100] "GET /cgi-bin/query/profile.php?mode=register&agreed=true&sid=845cd552b395f6d1ef4b63d53879d6cf HTTP/1.0" 404 748

There have also been some other attempts I’ve seen before:

193.195.42.197 - - [25/Aug/2007:00:40:33 +0100] "GET /%20+%20/ HTTP/1.0" 404 868
85.17.181.227 - - [25/Aug/2007:06:45:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
85.17.181.227 - - [25/Aug/2007:06:46:43 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
62.193.242.99 - - [25/Aug/2007:15:55:18 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

The errors (4xx) show these all failed. Of course.

I want to have some fun: I'm thinking of creating a file Docroot:[w00tw00t.at.ISC.SANS.DFind]index.html, or redirecting that location to "Noservice".
See what happens…

29-aug-2007

Googlebot is back 🙁
After I removed the link to anonymous FTP, I (finally) got rid of googlebot after August 1st. The location still exists, but the link is gone.

Much to my surprise, Googlebot is back. As it turned out, since last Monday, as it shows up in Anonymous_ftp.log:

27-AUG-2007 05:13:32.66 User:anonymous logged in ident:googlebot@google.com from Host:crawl-66-249-66-2.googlebot.com
27-AUG-2007 05:13:33.29 User:anonymous ident:googlebot@google.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous.perl]
27-AUG-2007 05:13:33.58 User:anonymous ident:googlebot@google.com logged out

In ftp_run.log there is a bit more information:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawl-66-249-66-2.googlebot.com at 27-AUG-2007 05:13:32.32
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawl-66-249-66-2.googlebot.com at 27-AUG-2007 05:13:33.61

That Monday afternoon, with some spare time, I decided to clean it up: no more Perl 5.8.4, since 5.8.6 is available on the 8th edition of the OpenVMS Freeware CDs, and what else was in the directory was outdated as well. I just copied the program I wrote for converting web access logs to T4-compatible files (counting the numbers of requests) to the location, but did not restore the link on the static pages – nor on the blog.

That, of course, causes a problem for the crawler:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from crawl-66-249-66-2.googlebot.com at 27-AUG-2007 17:14:55.04
%TCPIP-I-FTP_NODE, client host name: crawl-66-249-66-2.googlebot.com
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: perl
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00101: Failed to set default directory
%TCPIP-E-FTP_BADDIR, invalid directory
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from crawl-66-249-66-2.googlebot.com at 27-AUG-2007 17:14:55.69

The program seems rather primitive since it continues to access a location I removed. That will be fun if the website changes structure!

Well, that’s Google’s problem.

Spam increases
The amount of fake email is increasing. Of all arriving mail, about 80% is filtered off because of unresolvable domains, non-backtraceable or blacklisted addresses – and some because it comes from domains I explicitly lock out.
However, the spammers either abuse other people's machines within otherwise good domains, or simply fake their address by using a genuine domain, or poison the worldwide DNS system with fake domains so there will be a resolution. The software from PROCESS hasn't arrived yet – they may have tried to mail me a message, but if it came from an MX address it was filtered off… The sales person I contacted will be back next week; hopefully I'll get the software soon.
Linux and Windows stuff
The preparation for the new web (content, mainly) takes most of the time.
I haven’t done much on the Linux box. I just moved the files to the (hopefully) right location but didn’t get any further. Chances are it still won’t build. Well, there is no hurry. Web content is a higher priority at the moment.
For Windows, just the regular updates. For the web content, I installed a new version of ExpertGPS, and Google Earth, because ExpertGPS can map tracks on Google Maps. It might be usable, and it's a nice feature, but the result is, well, not publishable. Not good enough, without paying Google a fistful of dollars for something I cannot use. And publishing a screen dump might even be "illegal".
So I decided: if people want to map the track on Google Earth, they'll have to do it themselves. The tracks will be downloadable (don't try it out now – they're simply not available yet :)) and they can install (and pay for) their own version of the required software.

Another job offer

I received another job offer today. The same one as two days ago – from a different sender, for the same company, with another link.

The new header runs:

Return-Path: akstcxylbmnsdgs@xylb.com
Received: from 87-205-210-108.adsl.inetia.pl (87.205.210.108)
by xxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Fri, 24 Aug 2007 23:14:43 +0100 (CET)
Return-Path: <akstcxylbmnsdgs @xylb.com>
Received: from 218.66.102.106 (HELO mail.xylb.com)
by grootersnet.nl with esmtp (?< ?*A+.7,/0 >)(7)
id S.DCAR-TAHH0N-+)
for willem@grootersnet.nl; Fri, 24 Aug 2007 21:15:33 -0100
Message-ID: <01c7e693$e85df080$6c822ecf@akstcxylbmnsdgs>
From: "Enid Mullen" </akstcxylbmnsdgs>l<akstcxylbmnsdgs @xylb.com>
To: (me)
Subject: job for you
Date: Fri, 24 Aug 2007 21:15:33 -0100
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-2";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663

So the sender – or relay – is Polish. Or it’s a zombie.
The Message-ID is bogus (I didn't even bother checking), and so is the return address. Don't try to tell me a user "akstcxylbmnsdgs" would actually exist; I don't think there is such a user on XYLB.COM.
However, XYLB.COM does exist (and is valid), otherwise it wouldn't have got this far anyway.

Where the previous sender used MSN, this one seems to use good old Outlook Express. Hardly a professional method, I'd say.

If you follow the link you’ll end up on JSB Register – like the previous job offer – but the link is different:

http://58.65.239.116/zaka/
and in the page, the hidden data is:

<input type="hidden" name="icq" value="zaka">

25-aug-2007

Anti-Spam in progress
I just received my license for PROCESS software: PreciseMail Anti-Spam Gateway, and I downloaded the documentation – the kits themselves should have been there as well, but were missing for some reason – well, that will come another day. I'll just read the manuals first and prepare installation and configuration, for a smooth integration with VMS mail. According to Process Software it should be sufficient; perhaps the current restrictions can be lifted, at least in part.
Web redesign
It gets on. I've done some of the longer tracks we did in Germany, and quite a lot of short tracks without, or with just a few, photos are almost done. The idea of a VMS-native program to create dynamic pages develops, but is still far from realization – it will be there one day, though.

(Just found that spell check works on my Demeter as well. So it’s not a Linux issue!)