30-Oct-2007

Low memory
One of the problems encountered is shortage of memory. Or better: a lack of free pages. The problem became clear yesterday, when trying to FTP a 500Kb file from Demeter (WindowsXP) to Diana (VMS). The connection reconnected – and reconnected — and kept reconnecting, while, running MONITOR on a telnet session, free pages dropped from about 16K to zero – in seconds. Even in this moment – where MySQL has done some work, and the PHP engine has happily started doing some work as well (and it will be triggered once in a while to get this text saved while not yet committed), it has dropped from 12K to 1.5. A massive 10K pages in use (I have MONITOR running).

The next two images show the memory usage and paging yesterday, when I did the FTP connection at approximately 21:00 (All times GMT)

Memory usage

The blue line is pagefile usage – and I have a massive 3GB online. Being used for about 75% at some point – guess what THAT would have caused if I had my previous 1Gb file….

Paging

It has been so bad, that HyperSpy (the monitor that allows web-based monitoring) didn’t get through at some point – that explains the gap in the memory graph.

What I don’t understand: I reversed the changes I made to accommodate Distributed Netbeans and Webes. Before these changes, there wasn’t really a performance issue. At least, I never ran into it. But it’s well possible I overlooked something. Another weird thing: I uploaded a complete set of photographs and pages this weekend, all in all about 22M – 40 times as much – but that went nice and smooth. The only difference: that was over a 100Mb LAN, not over a 54Mb Wireless access point (on the same network).

He who understands, please explain…

First things first.
MODPARAMS.DAT still contained settings for Advanced Server, that I never got to work, so it was never really installed after I upgraded the system, so I got rid of these settings. Some other things need to be addressed as well, 256 Gb should be way enough – and I don’t plan to use Java again, on Diana anyway.
So I lurked on the HP site for performance documentation – and the manual on the 8.3 set is VMS 7.3. But I guess most is still valid.

That means: back to the drawing board and calculator, to get at least a somewhat better free list. Having some processes swapped – no big deal if these aren’t heavily used :(. It’s been quite a while since my last tuning job. About 20 years, I reckon…. (But that has been a much easier problem)

And of course: MySQL server just crashed again. Not enough core. I’ve seen it.

29-Oct-2007

Updates postponed
Due to other priorities, no updates could be installed last weekend. None of them is really critical so they can be postponed without problems. It will have to be done some weeks later, there is little space in the coming weeks.
MySQL crash
When accessing the blog this afternoon, the MySQL server crashed – again. Why does the server crash if one thread fails?
Perhaps the value of some variables should be lowered, but why did it work rather well in the past? The server has crashed before, but stability has decreased without obvious reason: just one system parameter changed? It doesn’t make sense….
upload of the logfile fails:
%HTTPD-W-NOTICED, 29-OCT-2007 18:33:41, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 192.168.0.33
-NOTICED-I-URI, POST (72 bytes) /sysblog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1193677653
-NOTICED-I-SCRIPT, /sysblog/wp-admin/upload.php sysblog:[wp-admin]upload.php (cgi_exe:phpwasd.exe) SYSBLOG:[wp-admin]upload.php
-NOTICED-I-CGI, 2553595354454D2D462D485041524954482C206869676820 (129 bytes) %SYSTEM-F-HPARITH, high performance arithmetic trap, Imask=00000000, Fmask=00000002, summary=02, PC=00000000001E9C94, PS=0000001B
-NOTICED-I-RXTX, err:0/0 raw:7643/0 net:1182/0

where it did work uploading a .JPG file this afternoon (before the server crashed). Well, see if I get the data uploaded some other time.

Phishing using Paypal

Sometimes you see interesting attempts.

paypal phishing attempt

The header looks like this:

Return-Path: service@paypal.com
Received: from XXXXXXXXXX.GROOTERSNET.NL (192.168.0.2)
by xxxxxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 29 Oct 2007 10:14:17 +0100 (CET)
Received: from www.outsidepride.com ([69.20.59.177] EXTERNAL) (EHLO
www.outsidepride.com) by xxxxxxxxxx.GROOTERSNET.NL ([192.168.0.200])
(PreciseMail V3.0); Sun, 28 Oct 2007 21:34:22 +0100
Received: from User ([89.137.232.120]) (authenticated bits=0) by
www.outsidepride.com (8.12.11.20060308/8.12.11) with ESMTP id l9SKWQo4011442;
Sun, 28 Oct 2007 16:32:27 -0400
Message-Id: <200710282032.l9SKWQo4011442@www.outsidepride.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Date: Sun, 28 Oct 2007 22:32:56 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by www.outsidepride.com id
l9SKWQo4011442

Blocked by the anti-spam frontend, for the following reasons:

X-PMAS-External: www.outsidepride.com [69.20.59.177] (EHLO
www.outsidepride.com)
X-PMAS-Software: PreciseMail V3.0 [071027] (diana.GROOTERSNET.NL)
X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..."
(3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format
(5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes

Apart from the fact that the sender server is not within the Paypal domain 🙂

The interesting part is on the inside.
Most often, links refer to some site using the http protocol (never https, of course), but this one is different – twice using FTP to get your data:

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>

The addresses mentioned are Romanian, at least, two of them.

  • 192.102.104.2 is indeed owned by onix.ro – it is possible that it’s a source of abuse: an internet cafe, probably
  • 217.156.19.129 is owned by vl.ro – named analog Digital Systems Inc. RDS – Radio Data Systems? That makes sense. But abuse like this, I doubt it!
  • 62.177.188.59 is owned by bbeyond – a Dutch network operator without a Romanian domain: bbeyond.ro does not exist.
  • The address mentioned in the links refers to a network operator in Canada, and there is an abuse address in their Whois data. So I’ll forward the message to them.

    26-Oct-2007

    New installs
    Some time tonight to prepare some software updates (got the patches off the HP OpenVMS site and stored them on Diana) and to install some new stuff. Availability Manager, to start with. The 2.4 version doesn’t work on 8.3, apparently, so I got the 2.6 version and installed it – and have it running now.
    Updated SWB (Mozilla) to 17.13, and tried to install the X11vnc server and VNC, but both fail. The first because there is no [.VNS]TEST.*;* file, the second (to be built first, I guess) because some include file is missing.

    It was too late to handle this.

    This weekend, I plan to install the patches so the system may be down for some time tomorrow night.
    Math
    I’ve got to do some math on the system parameters, to enhance system performance. In other words: tune the box. I’ll do that some time, now it runs relatively well. It could be better. Well, let’s gather some data. T4 runs all the time, I should be able to get out some results! Perhaps TDC? I’ll look into that as well.

    WordPress isn’t one of the updates, I still have to test 2.3, and 2.3-1 is due to come out soon.

    20-Oct-2007

    Power down a while
    I had to do some work on the power grid in the house, so all systems have been down for about 90 minutes. I could have restarted Diana somewhat quicker but cleaning up a bit was thought to be more important.
    Diana has been shut off actually – completely – before I removed power, and when power came up and the switch was thrown – nothing happened. That is: Diana did some work, poked the keyboard twice, and suddenly seemed to stop. No real beeps. I restarted the HSZ50, I didn’t shutdown the controller when powering down the grid, perhaps that might have caused some trouble. After I restarted it, Diana did start.
    No problems like the previous restart, though there is an attempt – again – to start the WEBES stuff. Well, it has all been removed – but the script runs in VERIFY mode. I couldn’t find yet where this script is launched. It might be a script mentioned in the startup-database. Indeed it is:

    SYSMAN> startup show file
    %SYSMAN-I-COMFIL, contents of component database on node DIANA
    Phase Mode File
    ------------ ------ ---------------------------------
    LPMAIN DIRECT WCCPROXY$STARTUP.COM
    LPMAIN DIRECT DESTA$STARTUP.COM
    LPMAIN DIRECT CCAT$STARTUP.COM

    These files need to be removed (de-installing the product didn’t work, since a procedure is simply missing….):

    SYSMAN> startup remove file WCCPROXY$STARTUP.COM
    SYSMAN> startup remove file DESTA$STARTUP.COM
    SYSMAN> startup remove file CCAT$STARTUP.COM
    SYSMAN> startup show file
    %SYSMAN-I-NODERR, error returned from node DIANA
    -STARTUP-E-COMFILEMTY, STARTUP component file is empty.

    Hope that did it 🙂

    Hyperpsi – the web-based program I use to have a look on yesterday’s performance – hadn’t run since last boot, because one logical wasn’t setup properly, but this time, it’s all smoothly started. I miss the data between 17-Oct-2007 21:00 until today’s reboot at 17:00 but that should not be a hell of a problem.
    I think trouble has been triggered by WEBES starting that time, causing a far too high load for programs to initialize properly. I can only guess – but now WEBES isn’t started (the whole directory tree has been removed) it seems to make a difference.

    17-Oct-2007

    MySQL crashed – again
    Just after posting the Babelfish interpretation of “Flushing Cache”, MySQL server went down. This time, it took a few hours to get up again – because I had no access to the systems. It’s been pretty much the same: value 12, “not enough core”, this time on read.
    Reverse changes
    I took the chance to reverse a few changes made in favour of the IDE server for Distributed Netbeans and WEBES and lowered some of the system parameters that were increased as their requirement, but since RdB is to be installed some day, I kept an eye on the requirements. The only one needing a permanent increase compared to the original settings is CHANNELCNT – set to 2050, just less than twice the original amount. The rest have been restored to the original.
    Next I rebooted Diana (some of them are not dynamic) but something strange happened: It looks like some command procedure has “SET VERIFY” in it and the whole listing was sped out on the screen. MySQL was started but the remains of the procedure seemed to be bypassed. Running it separately revealed no troubles at all, so what happened here, I don’t know. The log didn’t show anything either….
    But the system is now working again.

    Paypal phishing attempt blocked

    The phishing attempts are now blocked by the anti-spam gateway so they no longer arrive in any of my mailboxes. Which, of course, is the intended use, plus it allows a closer look at the message code without having the message actually delivered.

    This one came in a few days ago:

    <p><b><font face="Verdana" size="2">You are required to upgrade your PayPal
    Account by subscribing to our New Security Center.</font></b></p>
    <p><font face="Verdana" size="2">Please <b> <a href="http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">click here</a></b> in order to upgrade your PayPal account.</font></p>
    <p><font face="Verdana" size="2">If you not perform the update now, your account will be placed on hold. On hold accounts can still send money, but they cannot withdraw or receive funds.</font></p>

    Mind the hyperlink-address:

    http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php

    This is NOT a paypal address.
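The link checks that apply to this message and to the FTP links in the 29-Oct post, as an added example that is not part of the original post and is not PreciseMail code. The finding labels, `BRAND_DOMAIN` and the function names are assumptions of this sketch; the first two sample links are the ones quoted in the posts, the third is constructed.

```python
# Added example (not from the original post): simplified versions of the URL
# checks that the PMAS rule names describe. Finding labels are made up here.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "paypal.com"  # assumption: the brand the mail claims to be

# The two kinds of link quoted in these posts, plus one constructed good link.
SAMPLE_HTML = """\
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>
<p>Please <b> <a href="http://202.67.156.66/www.paypal.com/cgi-bin/webscrcmd=_login-run/update.php">click here</a></b></p>
<a href="https://www.paypal.com/signin">constructed legitimate link</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None

def check_link(href):
    """Return the set of findings for one link target."""
    url = urlsplit(href)
    host = (url.hostname or "").lower()
    findings = set()
    try:
        ipaddress.ip_address(host)
        findings.add("ip-literal-host")        # dotted-decimal host in URL
    except ValueError:
        pass                                   # a name, not an address
    if url.username or url.password:
        findings.add("embedded-credentials")   # user:password@ in the link
    if url.scheme == "ftp":
        findings.add("ftp-link")
    on_brand = host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)
    if not on_brand and BRAND_DOMAIN in url.path.lower():
        findings.add("brand-in-path-only")     # brand name only as a folder
    return findings

def scan_html(html):
    """Return (href, link text, findings) for every link in the HTML."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(href, text, check_link(href)) for href, text in parser.links]
```
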

    PMAS signalled this – as is shown in the message header:


    Received: from unknown ([72.54.216.109] EXTERNAL) (EHLO mail.iei-web.net) by
    xxxxxxxxxxxxxxxxxxxx ([192.168.0.200]) (PreciseMail V3.0); Sun, 07 Oct
    2007 06:41:42 +0100
    Received: from User [62.14.249.101] by iei-web.net with ESMTP (SMTPD-9.10) id
    A0F40294; Sat, 06 Oct 2007 23:39:00 -0600
    Reply-To: <member_service@paypalsecurity.com>
    From: "PayPal Inc."<member_service@paypalsecurity.com>
    Subject: New Paypal Security Center: Update Your Account
    Date: Sun, 7 Oct 2007 07:40:01 +0200
    MIME-Version: 1.0
    Content-Type: text/html; charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Message-Id: <200710062339882.SM03048@User>

    What are the findings:


    X-PMAS-External: unknown [72.54.216.109] (EHLO mail.iei-web.net)
    X-PMAS-Software: PreciseMail V3.0 [071006] (diana.GROOTERSNET.NL)
    X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
    X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)

    Quite well so far – except the “unknown” external address.
    But now the problems show up:


    X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
    X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
    X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry (4.000)
    X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
    X-PMAS-URI-NORMAL_HTTP_TO_IP: Uses a dotted-decimal IP address in URL (0.942)
    X-PMAS-URI-IP_LINK_PLUS: Dotted-decimal IP address followed by CGI (0.708)
    X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
    X-PMAS-META-MISSING_BODY_TAG: Message has </BODY> tag, but no <BODY> tag (3.000)
    X-PMAS-META-MISSING_HTML_TAG: Message has </HTML> tag, but no <HTML> tag (3.000)
    X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format (5.000)

    You learn something new every day


    X-PMAS-META-NO_HTML_BEGIN: Message has </html> but not <html> (3.500)
    X-PMAS-META-PHISHING_01: Message is a phishing scam (50.000)
    X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
    X-PMAS-META-LAME_PAYPAL_SCAM: Claims to be from PayPal, but no PayPal URIs (20.000)

    I thought so 🙂


    X-PMAS-META-CLICK_BELOW: Asks you to click below (0.727)
    X-PMAS-META-BLIND_DATE3: Blind date spam (3) (20.000)
    X-PMAS-Final-Score: 139.513
    X-PMAS-Spam-Level: ********************+
    X-PMAS-Spam: Yes

    Apart from what is unusual in Paypal: no addressing header (should use your Paypal name).
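The X-PMAS headers shown for both messages can be reconciled against the reported final score; the following is an added example (not part of the original post, and not PreciseMail code) that unfolds the headers, sums the rule scores and totals them per rule family. Treating the part of the rule name before the first hyphen as a "family" is an assumption of this sketch; the input is an abridged copy of the 29-Oct message's headers.

```python
# Added example, not PreciseMail code: reconcile the per-rule X-PMAS scores
# with the reported X-PMAS-Final-Score and total them per rule family.
import re
from collections import defaultdict
from decimal import Decimal

# Header lines copied (abridged) from the 29-Oct message in this blog,
# including headers whose score sits on a continuation line.
SAMPLE = """\
X-PMAS-External: www.outsidepride.com [69.20.59.177] (EHLO
www.outsidepride.com)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..."
(3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format
(5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
"""

HEADER_START = re.compile(r"^[A-Za-z0-9_-]+:(\s|$)")
SCORE = re.compile(r"\((\d+\.\d+)\)$")

def unfold(raw):
    """Join continuation lines (indented, or lacking a 'Name:' start)."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if headers and (line[0] in " \t" or not HEADER_START.match(line)):
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.strip())
    return headers

def reconcile(raw):
    """Return (rules, per-family totals, summed score, reported score)."""
    rules, families, reported = [], defaultdict(Decimal), None
    for header in unfold(raw):
        name, _, value = header.partition(":")
        if not name.startswith("X-PMAS-"):
            continue
        name = name[len("X-PMAS-"):]
        if name == "Final-Score":
            reported = Decimal(value.strip())
            continue
        hit = SCORE.search(value.strip())
        if hit:  # informational headers such as External carry no score
            score = Decimal(hit.group(1))
            rules.append((name, score))
            families[name.split("-")[0]] += score
    total = sum((score for _, score in rules), Decimal(0))
    return rules, dict(families), total, reported
```
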

    Updating FORTRAN code

    I’m in the process of porting code written on VAX in FORTRAN77 – and some routines have optional parameters. FORTRAN 77 cannot handle these, but on VAX, it’s easy to retrieve them using a small MACRO module. Not so on Alpha, and Itanium would be even more troublesome – if possible at all due to the architectural differences and processor technology. (See earlier threads in this category).

    So I have to choose: re-write the code in another language, or update it to a newer FORTRAN version that allows checking of arguments, as Hoff suggested.

    I choose the latter – it proved a far less troublesome task than anticipated.

    Consider a routine A, with 4 arguments K, L, M and N. K being required and L, M and N optional; however, any of these could be present.

    This is the basic FORTRAN 77 code:


          SUBROUTINE A (K, L, M, N)

    C arguments

          INTEGER*4 K
          INTEGER*4 L (*)
          CHARACTER*(*) M
          LOGICAL*4 N

    C Local variables

          INTEGER*4 S, nmbr, mask

    C Routine used to see whether args are present
    C Bits in Mask will be set when present

          INTEGER*4 GETARGS

    C main code

          S = GETARGS (Nmbr, Mask)
          ...
          IF (BTEST (Mask,2)) THEN
    C
    C Parameter L is present
    C
          ENDIF
          ....

    This routine can be called as:

          F = 1
          G(1) = 1
          G(2) = 1
          G(3) = 1
          H = "This can be a text of arbitrary length"
          I = 0

          CALL A (F,G,H,I)
          CALL A (F,,H) ! so L and N are missing

    The changes needed to update the routine to FORTRAN 95, so the optional parameters can be handled, are really minimal: add a line that specifies which arguments are optional, remove the call of the GETARGS routine, and use PRESENT (argument) instead of BTEST (Mask, bit).
    The FORTRAN95 code looks like this:

          SUBROUTINE A (K, L, M, N)

    C arguments

          INTEGER*4 K
          INTEGER*4 L (*)
          CHARACTER*(*) M
          LOGICAL*4 N

          OPTIONAL :: L, M, N

    C Local variables

          INTEGER*4 S

    C main code

          ...
          IF (PRESENT (L)) THEN
    C
    C Parameter L is present
    C
          ENDIF
          ....

    To use this, the routine calling this subroutine must specify the interface. If a routine is heavily used, it’s worthwhile to create an INCLUDE file containing the interface:


          INTERFACE
            SUBROUTINE A (K, L, M, N)

    C arguments

              INTEGER*4 K
              INTEGER*4 L (*)
              CHARACTER*(*) M
              LOGICAL*4 N

              OPTIONAL :: L, M, N
            END SUBROUTINE
          END INTERFACE

    Add this into calling routines:


          INCLUDE 'A_IF.INC'
          ...
          F = 1
          G(1) = 1
          G(2) = 1
          G(3) = 1
          H = "This can be a text of arbitrary length"
          I = 0

          CALL A (F,G,H,I)
          CALL A (F,,H) ! so L and N are missing

    This is still to be done, but it looks good!

    I ran into one problem still to cope with:
    CALL B (%VAL (Args))
    does not compile: %VAL is out of context here.
    The routine in which this code occurs is rather basic – and the mechanism is used heavily in calling routines, where the addresses of allocated memory are passed….
    UPDATE
    It turned out pretty straightforward. This particular reference turned out to be a parameter to a routine that could easily be bypassed by assigning the right value to a separate variable and use that one instead.

    Well, all modules have been built now – except for the ones requiring a missing file but I don’t need that one in due time – and the libraries are created. Next is translating the macro containing the translation vectors into an option file, and create the shared image. After that, I can start creating the drivers to test it all.

    14-Oct-2007

    Persephone updated
    Last week, a new version of Personal Alpha was released. Still a DEC3000 but enhanced to 128 Mb internal memory, and the full SRM console. This has been installed over the previous version, with some trouble: I should have de-installed it before installing the new one. This wasn’t mentioned! But after I did, the first invocation installed it and got it running. (Part of the issue was the relation between the .EMU extension and the associated program. Once that was solved, it’s all done)

    PMAS crashed
    One of the PMAS workers has crashed – I still have to check the logs ;(

    %%%%%%%%%%% OPCOM 13-OCT-2007 12:02:51.30 %%%%%%%%%%%
    Message from user SYSTEM on DIANA
    %PTSMTP-E-WORKERDIED, worker PTSMTP 0001 (20200150) terminated unexpectedly
    -SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=000000000000FE79, PC=FFFFFFFF81F6CFC8, PS=0000001B
    -PTSMTP-I-WORKERCONN, while processing connection from 86.57.187.251,2132

    Perhaps because there was something illegal from this site?

    The main program was not affected so mail just went on. It’s just this connection.