30-Oct-2007

Low memory
One of the problems encountered is shortage of memory. Or better: a lack of free pages. The problem became clear yesterday, when trying to FTP a 500Kb file from Demeter (WindowsXP) to Diana (VMS). The connection reconnected – and reconnected – and kept reconnecting, while, running MONITOR on a telnet session, free pages dropped from about 16K to zero – in seconds. Even at this moment – where MySQL has done some work, and the PHP engine has happily started doing some work as well (and it will be triggered once in a while to get this text saved while not yet committed), it has dropped from 12K to 1.5. A massive 10K pages in use (I have MONITOR running).

The next two images show the memory usage and paging yesterday, when I did the FTP connection at approximately 21:00 (All times GMT)

Memory usage

The blue line is pagefile usage – and I have a massive 3GB online. Being used for about 75% at some point – guess what THAT would have caused if I had my previous 1Gb file….

Paging

It has been so bad, that HyperSpy (the monitor that allows web-based monitoring) didn’t get through at some point – that explains the gap in the memory graph.

What I don’t understand: I reversed the changes I made to accommodate Distributed Netbeans and Webes. Before these changes, there wasn’t really a performance issue. At least, I never ran into it. But it’s well possible I overlooked something. Another weird thing: I uploaded a complete set of photographs and pages this weekend, all in all about 22M – 40 times as much – but that went nice and smooth. The only difference: that was over a 100Mb LAN, not over a 54Mb Wireless access point (on the same network).

He who understands, please explain…

First things first.
MODPARAMS.DAT still contained settings for Advanced Server, that I never got to work, so it was never really installed after I upgraded the system, so I got rid of these settings. Some other things need to be addressed as well, 256 Gb should be way enough – and I don’t plan to use Java again, on Diana anyway.
So I lurked on the HP site for performance documentation – and the manual on the 8.3 set is VMS 7.3. But I guess most is still valid.

That means: back to the drawing board and calculator, to get at least a somewhat better free list. Having some processes swapped – no big deal if these aren’t heavily used :(. It’s been quite a while since my last tuning job. About 20 years, I reckon…. (But that has been a much easier problem)

And of course: MySQL server just crashed again. Not enough core. I’ve seen it.

29-Oct-2007

Updates postponed
Due to other priorities, no updates could be installed last weekend. None of them is really critical so they can be postponed without problems. It will have to be done some weeks later, there is little space in the coming weeks.
MySQL crash
When accessing the blog this afternoon, the MySQL server crashed – again. Why does the server crash if one thread fails?
Perhaps the value of some variables should be lowered, but why did it work rather well in the past? The server has crashed before, but stability has decreased without obvious reason: just one system parameter changed? It doesn’t make sense….
upload of the logfile fails:
%HTTPD-W-NOTICED, 29-OCT-2007 18:33:41, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 192.168.0.33
-NOTICED-I-URI, POST (72 bytes) /sysblog/wp-admin/upload.php?style=inline&tab=upload&post_id=-1193677653
-NOTICED-I-SCRIPT, /sysblog/wp-admin/upload.php sysblog:[wp-admin]upload.php (cgi_exe:phpwasd.exe) SYSBLOG:[wp-admin]upload.php
-NOTICED-I-CGI, 2553595354454D2D462D485041524954482C206869676820 (129 bytes) %SYSTEM-F-HPARITH, high performance arithmetic trap, Imask=00000000, Fmask=00000002, summary=02, PC=00000000001E9C94, PS=0000001B
-NOTICED-I-RXTX, err:0/0 raw:7643/0 net:1182/0

where it did work uploading a .JPG file this afternoon (before the server crashed). Well, see if I get the data uploaded some other time.

Phishing using Paypal

Sometimes you see interesting attempts.

paypal phishing attempt

The header looks like this:

Return-Path: service@paypal.com
Received: from XXXXXXXXXX.GROOTERSNET.NL (192.168.0.2)
by xxxxxxxxxxxxx.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Mon, 29 Oct 2007 10:14:17 +0100 (CET)
Received: from www.outsidepride.com ([69.20.59.177] EXTERNAL) (EHLO
www.outsidepride.com) by xxxxxxxxxx.GROOTERSNET.NL ([192.168.0.200])
(PreciseMail V3.0); Sun, 28 Oct 2007 21:34:22 +0100
Received: from User ([89.137.232.120]) (authenticated bits=0) by
www.outsidepride.com (8.12.11.20060308/8.12.11) with ESMTP id l9SKWQo4011442;
Sun, 28 Oct 2007 16:32:27 -0400
Message-Id: <200710282032.l9SKWQo4011442@www.outsidepride.com>
From: "PayPal"<service@paypal.com>
Subject: You have 1 new Security Message Alert !
Date: Sun, 28 Oct 2007 22:32:56 +0200
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by www.outsidepride.com id
l9SKWQo4011442

Blocked by the anti-spam frontend, for the following reasons:

X-PMAS-External: www.outsidepride.com [69.20.59.177] (EHLO
www.outsidepride.com)
X-PMAS-Software: PreciseMail V3.0 [071027] (diana.GROOTERSNET.NL)
X-PMAS-DYN_URI-OK_URL: Dynamic URI check: OK URL (0.000)
X-PMAS-REPUTATION_URI_NONSPAM: URI reputation check (0.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..."
(3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format
(5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes

Apart from the fact that the sender server is not within the Paypal domain 🙂
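As an added example (not part of the original post, and not PreciseMail's own code), the rule scores in the X-PMAS headers above can be parsed and summed to confirm they account for the stated final score. The header layout is assumed to be exactly as shown on this page; `pmas_rules` and `check` are hypothetical helper names.

```python
import re
from decimal import Decimal
from email import message_from_string

# Constructed sample: the scoring X-PMAS headers from the message above, with the
# two wrapped ones folded as RFC 5322 continuation lines (0.000 rules left out).
SAMPLE = """\
X-PMAS-HDR-MISSING_HEADERS: Missing To: header (1.035)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-NO_SPACE_FROM: From: header is poorly formatted (no space) (5.000)
X-PMAS-URI-NORMAL_FTP_TO_IP: Uses a dotted-decimal IP address in URL (1.000)
X-PMAS-BDY-IMAGE_LINK: Image that links to web site (3.000)
X-PMAS-BDY-INCREASE_YOUR_SOMETHING: Message has phrase "Increase your..."
 (3.000)
X-PMAS-BDY-FOR_MORE_INFO2: Includes "for more information" (1.500)
X-PMAS-META-FORGED_OUTLOOK_HTML: Outlook can't send HTML message only (1.101)
X-PMAS-META-FORGED_OUTLOOK_TAGS: Outlook can't send HTML in this format
 (5.000)
X-PMAS-META-1PIXEL_IMG: Message includes 1x1 img link (20.000)
X-PMAS-META-PHISHING_02: Message appears to be a phishing scam (10.000)
X-PMAS-META-PHISHING_03: Message appears to be a PayPal phishing scam (20.000)
X-PMAS-META-DEAR_SOMETHING: Contains generic 'Dear (something)' (1.596)
X-PMAS-META-STOP_RECEIVING: Specific spam text "to stop receiving" (5.000)
X-PMAS-Final-Score: 78.732
"""

# A scored rule header ends in "(n.nnn)"; the greedy prefix keeps earlier parentheses.
SCORED = re.compile(r"^(?P<desc>.*)\((?P<score>\d+\.\d+)\)\s*$", re.S)

def pmas_rules(raw):
    """Return (rule, score, description) for each scored X-PMAS-* header."""
    rules = []
    for name, value in message_from_string(raw).items():
        m = SCORED.match(value)
        if name.upper().startswith("X-PMAS-") and m:
            rules.append((name[7:], Decimal(m["score"]), " ".join(m["desc"].split())))
    return rules

def check(raw):
    """Sum the rule scores, compare with the stated final score, list the top three."""
    rules = pmas_rules(raw)
    total = sum(score for _, score, _ in rules)
    stated = Decimal(message_from_string(raw)["X-PMAS-Final-Score"])
    return total, total == stated, sorted(rules, key=lambda r: -r[1])[:3]

if __name__ == "__main__":
    total, ok, top = check(SAMPLE)
    print(total, ok, [name for name, _, _ in top])
```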

The interesting part is on the inside.
Most often, links refer to some site using the http protocol (never https, of course), but this one is different – twice using FTP to get your data:

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>

<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>

The addresses mentioned are Romanian, at least, two of them.

  • 192.102.104.2 is indeed owned by onix.ro – it is possible that it’s a source of abuse: an internet cafe, probably
  • 217.156.19.129 is owned by vl.ro – named analog Digital Systems Inc. RDS – Radio Data Systems? That makes sense. But abuse like this, I doubt it!
  • 62.177.188.59 is owned by bbeyond – a Dutch network operator without a Romanian domain: bbeyond.ro does not exist.
  • The address mentioned in the links refers to a network operator in Canada, and there is an abuse address in their Whois data. So I’ll forward the message to them.
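The traits that make these links stand out (FTP instead of HTTP, credentials embedded in the URL, a dotted-decimal host) can be checked mechanically on the mail body. The following is an added example, not part of the original post and not how PreciseMail implements its rules; `LinkCollector`, `link_findings` and `audit` are hypothetical names, and the third link in the sample is constructed for contrast.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sample body: the two anchors quoted above plus one constructed ordinary link.
BODY = """<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Travelling
confirmation Here</a></td>
<td class="pp_sansserif" align="center"><a
href="ftp://futangiu:futangiu@209.202.224.140/index.htm">Re-activate your account Here</a></td>
<td><a href="https://www.paypal.com/">PayPal</a></td>"""

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._in_a = [], False

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append([href, ""])
            self._in_a = True

    def handle_data(self, data):
        if self._in_a:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False

def link_findings(href):
    """Return the suspicious traits of one link target."""
    parts, findings = urlsplit(href), []
    if parts.scheme not in ("http", "https", "mailto"):
        findings.append("scheme:" + parts.scheme)
    if parts.username or parts.password:
        findings.append("embedded-credentials")
    try:
        ipaddress.ip_address(parts.hostname or "")
        findings.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an address
    return findings

def audit(html):
    """Return (href, link text, findings) for each anchor in the body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(h, " ".join(t.split()), link_findings(h)) for h, t in collector.links]
```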

26-Oct-2007

New installs
Some time tonight to prepare some software updates (got the patches off the HP OpenVMS site and stored them on Diana) and to install some new stuff. Availability Manager, to start with. The 2.4 version doesn’t work on 8.3, apparently, so I got the 2.6 version and installed it – and have it running now.
Updated SWB (Mozilla) to 17.13, and tried to install the X11vnc server and VNC, but both fail. The first because there is no [.VNS]TEST.*;* file, the second (to be built first, I guess) because some include file is missing.

It was too late to handle this.

This weekend, I plan to install the patches so the system may be down for some time tomorrow night.
Math
I’ve got to do some math on the system parameters, to enhance system performance. In other words: tune the box. I’ll do that some time, now it runs relatively well. It could be better. Well, let’s gather some data. T4 runs all the time, I should be able to get out some results! Perhaps TDC? I’ll look into that as well.

WordPress isn’t one of the updates, I still have to test 2.3, and 2.3-1 is due to come out soon.

20-Oct-2007

Power down a while
I had to do some work on the power grid in the house, so all systems have been down for about 90 minutes. I could have restarted Diana somewhat quicker but cleaning up a bit was thought to be more important.
Diana has been shut off actually – completely – before I removed power, and when power came up and the switch was thrown – nothing happened. That is: Diana did some work, poked the keyboard twice, and suddenly seemed to stop. No real beeps. I restarted the HSZ50, I didn’t shutdown the controller when powering down the grid, perhaps that might have caused some trouble. After I restarted it, Diana did start.
No problems like the previous restart, though there is an attempt – again – to start the WEBES stuff. Well, it has all been removed – but the script runs in VERIFY mode. I couldn’t find yet where this script is launched. It might be a script mentioned in the startup-database. Indeed it is:

SYSMAN> startup show file
%SYSMAN-I-COMFIL, contents of component database on node DIANA
Phase Mode File
------------ ------ ---------------------------------
LPMAIN DIRECT WCCPROXY$STARTUP.COM
LPMAIN DIRECT DESTA$STARTUP.COM
LPMAIN DIRECT CCAT$STARTUP.COM

These files need to be removed (de-installing the product didn’t work, since a procedure is simply missing….):

SYSMAN> startup remove file WCCPROXY$STARTUP.COM
SYSMAN> startup remove file DESTA$STARTUP.COM
SYSMAN> startup remove file CCAT$STARTUP.COM
SYSMAN> startup show file
%SYSMAN-I-NODERR, error returned from node DIANA
-STARTUP-E-COMFILEMTY, STARTUP component file is empty.

Hope that did it 🙂

HyperSpy – the web-based program I use to have a look on yesterday’s performance – hadn’t run since last boot, because one logical wasn’t setup properly, but this time, it’s all smoothly started. I miss the data between 17-Oct-2007 21:00 until today’s reboot at 17:00 but that should not be a hell of a problem.
I think trouble has been triggered by WEBES starting that time, causing a far too high load for programs to initialize properly. I can only guess – but now WEBES isn’t started (the whole directory tree has been removed) it seems to make a difference.