29-Oct-2012

Some reboot issues
After the reboot last weekend, there was still a thing or two missing in the startup.
First of all, the PHP environment wasn’t set up, because the procedure that is invoked to do that referred to locations that I had moved; and though I thought I had, it seems I forgot to change the procedure accordingly. Once that was settled, I could indeed start up the blogs (which rely on PHP).
The second I found today: the CMS I’m testing requires a number of logicals. All were set up and the executable was properly installed, but there was one logical that was not defined: the location and name of the configuration file. It is actually in the original home directory; I could move it to the same location where the executable resides, but defining a logical referring to the file is a better (more VMS-like) solution. Plus, I don’t need to restart anything. So that was a simple solution as well – though it took some time to figure it out in the documentation (that’s one thing that is part of this investigation: update the content to the current state. It lacked some maintenance :))
VWCMS issues
Now that works again, but then I ran into an issue that took considerable time to locate: I would like a page similar to my current homepage, but I found out that MSIE 9 doesn’t work properly. That is: the editor does show up and I can add data, but all is lost on ‘publish’, except the title of the post – clearly because that isn’t added by the editor but on hitting the ‘New Blog Entry’ button. I thought it was a generic issue, but Firefox works fine. (I sometimes have the same problem with the blogs, but there is something that makes a difference: at times it’s ok, at other times it fails. “Don’t use MSIE, then” – but at times I simply need it. Some sites rely on it… And switching between browsers just because of this behaviour isn’t always a good idea either. But that’s another story.)
Anyway: Firefox does the trick, and so I can look deeper into my problem: how to display the latest blog entry on the home page, AFTER some generic content. There is a way to immediately show the blog entry, but that does not allow display of fixed content the way I want it – at least, not the simple way. I’ll have to find out how to achieve the same principle as on the current site. I do have some ideas; now it’s time to test them.
It takes some time, but I’ll get there.
A bit more on the FTP problem
It’s not FTP itself that causes the problem. I tried the FTP client that comes with the terminal emulator I’m using, and though the interface is not as nice nor as extensive as the one from WS-FTP, it is well doable to pass files from or to the VMS box – without a problem. For some reason, WS-FTP requires a lot of additional memory, causing the free page list to be exhausted and pushing the system into thrashing. Anyway, it looks that way. The only real difference is that the connection was done in PASSIVE mode, where the FTP client of the emulator runs in ACTIVE mode. Another thing to test – on another machine… :)

27-Oct-2012

Reboot required
Trying to copy a number of files using WSFTP – a Windows FTP client – Diana hung for some reason, and even the DecWindows terminal did not respond – it didn’t wake up from the sleeping mode it was in: the screensaver didn’t respond at all. It happened when I tried to enter a location that is shared using Samba – so I stopped the WSFTP session on the PC and rebooted, to be sure all connections were really lost. But that didn’t help, so I tried the alternate way: starting Daphne – but I had lost the password, so I had to start up with UAFALTERNATE set to 1 and STARTUP_P1 to “MIN” to set the password, so I could enter a new one. In that process, Diana suddenly woke up – the processes locking the machine seemed to time out, the screensaver woke up and I was able to log in. Nevertheless, I kept working on Daphne to be sure to have a second way into Diana.
Using Accounting, I could only find that some FTP processes were stopped on forced exit.
So I retried the WSFTP session, and found that there was one process running into FPG status = free pages were exhausted; the program disappeared after some time, another such process was started and ran into the same problem – and so on. At some point I was able to delete such a process, but soon another appeared, and was left in an MWAIT state. I stopped that one, which caused WSFTP to lose its connection.
In itself, there is nothing wrong, but it started when I changed directory in WSFTP to a location that is shared in Samba. So I stopped Samba (there are still a number of things to find out about it, because I couldn’t log in from the PC at some time – probably because the password was invalid? And resetting it in Samba failed…), but that didn’t make a difference: I retried the WSFTP sequence again, but now the system hung again – and became unresponsive. Even from Daphne I couldn’t connect ($ MC SYSMAN, then SET ENVIRONMENT/NODE=DIANA and DO SHO SYS/PROC=*FTP*) – hanging that node as well (I could issue an interrupt, but ANY action next would hang that node as well).
There was one alternative: reset Diana and boot….
But what causes this FPG state? I googled it and found it might be caused by too little free pagefile space, or by a badly fragmented pagefile. Not on Diana, I think, because I have more pagefile space than I have internal memory:

Swap File Usage (8KB pages):                   Index        Free        Size
 DISK$AXP083:[SYS0.SYSEXE]SWAPFILE.SYS
                                                  1        1304        1432

Paging File Usage (8KB pages):                 Index        Free       Size
 ALPHASYS:[local]PAGEFILE2.SYS;2
                                                251       61489       62496
 ALPHASYS:[local]PAGEFILE1.SYS;2
                                                252       61478       62496
 ALPHASYS:[local]PAGEFILE.SYS;2
                                                253       61474       62496
 DISK$AXP083:[SYS0.SYSEXE]PAGEFILE.SYS
                                                254        7288        8312

 Total size of all paging files:                                     195800
 Total committed paging file usage:                                   37316

The pagefile on AXP083: seems to be contiguous, if I interpret DIR/FULL correctly. I could do an ANA/RMS/STAT on that file, but it didn’t reach the end in a sufficiently short time. But I cannot examine the files on ALPHASYS:[LOCAL] directly, because these are locked, so I dumped INDEXF.SYS and looked at the number of retrieval pointers. I found that all pagefiles on ALPHASYS:[LOCAL] are fragmented, but not that badly: the worst fragmented is PAGEFILE.SYS, but all fit within the same file header… Nevertheless, it could be useful to re-create the pagefiles – with less, or no, fragmentation….
On the other hand: straight FTP is not giving any trouble, so it may have to do with WSFTP itself….

One message, many phishing attempts

The spam filter does a good job in blocking messages, and at times I take a look on what reasons a message is blocked – especially where the reported sender (From: in the header) is one I could expect a mail from.

One such message I received today appears to be sent by LinkedIn, but the full header told me otherwise:
From: "LinkedIn.Invitations" <4930A7EA@binggu.net>
Forged, no doubt.
The full header showed more information on why:
Return-Path: 4930A7EA@binggu.net
Received: from DIANA.INTRA.GROOTERSNET.NL (192.168.0.2)
by diana.intra.grootersnet.nl (V5.6-ECO5, OpenVMS V8.3 Alpha);
Wed, 17 Oct 2012 07:32:51 +0000 (UTC)
X-PMAS-MAIL-FROM: 4930A7EA@binggu.net
Received: from unknown ([190.65.67.127] EXTERNAL) (EHLO [190.65.67.127]) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Wed, 17 Oct
2012 02:45:11 +0000
From: "LinkedIn.Invitations" <4930A7EA@binggu.net>
To: <willem@grootersnet.nl>
Date: Tue, 16 Oct 2012 21:44:55 -0500
Subject: Invitation
Message-ID: <20121016214455.5D4E447FEC53518BE995C.JavaMail.app@WISAJUWIJHO-PC>
Accept-Language: en-US
Content-Language: en-US
x-linkedin-template: inv_exp_member_02
x-linkedin-class: INVITE-MBR
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-PMAS-External: unknown [190.65.67.127] (EHLO [190.65.67.127])
X-PMAS-Software: PreciseMail V3.2 [121016] (diana.intra.grootersnet.nl)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REPUTATION_URI_SPAM: URI reputation check (1.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-FROM_HAS_MIXED_NUMS: From: contains numbers mixed in with letters
(0.000)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry
(4.000)
X-PMAS-BDY-TEENY_FONT: Message tries to hide text in teeny-tiny font (5.000)
X-PMAS-META-DEAR_EMAIL_ADDR: Message has "Dear user@domain" greeting (4.000)
X-PMAS-Final-Score: 20.500
X-PMAS-Spam-Level: ********************+
X-PMAS-Spam: Yes
X-PMAS-Quarantined: PreciseMail
X-PMAS-Filename:
PMAS_ROOT:[QUARANTINE.121017.C]SPAM$2012101702451912WIL279F70EA.SPAM
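As an added example (not code from this blog or from PreciseMail), the following Python reads the X-PMAS-* score headers quoted above, unfolds the wrapped continuation lines, and adds up the per-rule scores. Counting the three identical REP_URI-PHISH hits once is the only reading under which the listed scores sum to the reported 20.500, so the code does that; treat it as an assumption about PMAS scoring, not documented behaviour.

```python
import re
from collections import OrderedDict

# Constructed sample: the X-PMAS-* lines from the header quoted above, with the
# two folded continuation lines re-indented as RFC 5322 folding (the page's
# extraction lost that leading whitespace).
SAMPLE_HEADERS = """\
X-PMAS-Software: PreciseMail V3.2 [121016] (diana.intra.grootersnet.nl)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REP_URI-PHISH: URI reputation check: Known phishing URI (5.000)
X-PMAS-REPUTATION_URI_SPAM: URI reputation check (1.000)
X-PMAS-VMF-OK: Envelope FROM: check: Source accepts mail for address (0.000)
X-PMAS-HDR-FROM_HAS_MIXED_NUMS: From: contains numbers mixed in with letters
 (0.000)
X-PMAS-HDR-CTYPE_JUST_HTML: HTML-only mail, with no text version (1.500)
X-PMAS-HDR-RCVD_FROM_UNKNOWN: Message received from host without DNS entry
 (4.000)
X-PMAS-BDY-TEENY_FONT: Message tries to hide text in teeny-tiny font (5.000)
X-PMAS-META-DEAR_EMAIL_ADDR: Message has "Dear user@domain" greeting (4.000)
X-PMAS-Final-Score: 20.500
"""
# A scoring header looks like: X-PMAS-<RULE>: <description> (<score>)
SCORE_RE = re.compile(r"^X-PMAS-([A-Z0-9_-]+):.*\((-?\d+\.\d+)\)$")

def unfold(raw):
    """Join folded header lines: a continuation starts with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines

def parse_pmas(raw):
    """Return (first score per distinct rule, every hit in order, reported final score)."""
    per_rule, hits, final = OrderedDict(), [], None
    for line in unfold(raw):
        if line.startswith("X-PMAS-Final-Score:"):
            final = float(line.split(":", 1)[1])
            continue
        m = SCORE_RE.match(line)
        if m:
            rule, score = m.group(1), float(m.group(2))
            hits.append((rule, score))
            per_rule.setdefault(rule, score)  # assumption: a repeated rule counts once

    return per_rule, hits, final

def computed_score(raw):
    return sum(parse_pmas(raw)[0].values())  # 20.5 for the sample, matching Final-Score
```

Summing every hit instead gives 30.5, so the de-duplication is what makes the header arithmetic close.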

The fact that it was sent from another domain than LinkedIn is sufficient reason, and so is each of the known phishing URI messages. To get some insight, I accepted it for easier examination (PMAS’ output is not really helpful in these cases), and examined it using the webmail client:

Apart from the fact that the greeting is weird (why would LinkedIn use my email address?) and the content is absolutely ridiculous (if some company would request something like this, I would most certainly NOT accept…), that should raise suspicion in the first place. And as it turned out, each link refers to a site that appears to be hacked, but some have taken action already (or the hack missed its target):

The accept button refers to “http://www.erlebnistour-lausitz.de/a5KYrCG/index.html” (404: Not Found)
The Ignore button refers to “http://mardamusic.com/frH62gSL/index.html”
The signature refers to “http://www.cypressgardenservices.org.uk/AN7iR9/index.html” (403: Forbidden)
“Unsubscribe” refers to “http://www.datalogger.gen.tr/Gw5enj3X/index.html”
“Learn why we include this” refers to “http://ftp.koneks.com.tr/G6mWAUPs/index.html” (404: Not Found)

I’ve investigated similar attempts before, but normally, all possible links refer to the same site. So this one is more elaborate.

Each site does exist, and each site now has a directory added that has a random name. I’m rather suspicious in these cases; my expectation is that the docroots of these sites are not set to read-only, or even inaccessible from the outside, and that someone was able to push data onto these roots – phishing, for instance, or for installing a trojan.

So I installed lynx on Diana. This is a text-only web browser that allows you to examine the full content, and does not execute any scripting immediately – you are able to store it on disk. Though it is available on many platforms, including Windows, the investigation is done on VMS – because that is virtually immune to malware 🙂
Next, I accessed the first site, and I got the message “Connecting to server”. It comes from HTML source like:

<html>
<table width="275" border="1" cellpadding="3" bordercolor="#0000FF"><tr><td><div align="center">Connecting to server...</div></td></tr></table></html>

Next, there are three pieces of javascript, different per accessible site:
<script type="text/javascript" src="http://mediaess.com/LBXxwGQa/js.js"></script>
<script type="text/javascript" src="http://s154138659.onlinehome.us/FDaCCZkr/js.js"></script>
<script type="text/javascript" src="http://www.baumbach-keramik.de/LwAH4gUo/js.js"></script>

and
<script type="text/javascript" src="http://location-vallee-aspe.com/xSmXWBZW/js.js"></script>
<script type="text/javascript" src="http://patitaspets.com/C44cbsPE/js.js"></script>
<script type="text/javascript" src="http://videosxxx.bz/yYJZQt0x/js.js"></script>

and the file ends normally:

</body>
</html>

That code may cause the installation of malware, so next I accessed the first javascript file (at mediaess.com) and I got:
[trans.gif] [logo_sl_header.gif] HACKER SAFE certified sites prevent over 99.9% of hacker crime. [text_sl_pnums.gif]
[pic_sl_livechat.gif]

HOME PRODUCTS SUPPORT TESTIMONIALS AFFILIATES ABOUT US VDECK

[sl_snav_sublinks.gif]
Customer Login
Username:
_____________________
Password:
_____________________
Log In
[sl_indexv2_midcurve.gif]

This site has been suspended

If you manage this site and have a question about why the site is not available, please contact us directly.

Home | Hosting | Support | Testimonials | Affiliates | About Us | Site Map | Web Site Hosting
Copyright © 2007 StartLogic. Read our Terms of Service. All rights reserved.

[trans.gif]
So I wondered… If I would access the link under “Customer name”, a cookie would have been placed – but I refused that.
Same for the third and sixth one, which directly referred to the home page, but without login, and the third one requesting a cookie, which I did accept.
The second and fourth cannot be accessed (403, the fourth stating this access requires authentication).
But the fifth indeed carried a javascript file js.js, which I stored on disk to examine. It consists of a single line that redirects the browser to a PHP page:

document.location='http://2.bajawinery.com/links/assure_numb_engineers.php';

but when I accessed that URL, the host 2.bajawinery.com could not be found – from Diana anyway.
Running TCPIP$DIG, however, did find that site, but not as expected:
$ dig bajawinery.com
;; reply from unexpected source: 188.142.0.6#53, expected 192.168.0.33#53

; <<>> DiG 9.3.1 <<>> bajawinery.com
;; global options: printcmd
;; connection timed out; no servers could be reached
$
but this is a DNS server at my ISP.

The state may have changed and action been taken, and I couldn’t find the cookie I saved… so there the trail ended….

03-Oct-2012

Nothing much to worry about
I closed the firewall completely for a number of Chinese networks, because of a high volume of FTP abuse attempts (they won’t notice this blog when they use these addresses 🙂 because ALL access is denied), and that also limited the number of relay attempts dramatically:
PMAS statistics for September
Total messages    :  10226 = 100.0 o/o
DNS Blacklisted   :   3184 =  31.1 o/o (Files: 30)
Relay attempts    :     10 =    .0 o/o (Files: 30)
Accepted by PMAS  :   7032 =  68.7 o/o (Files: 30)
 Handled by explicit rule
        Rejected :   6527 =  92.8 o/o (processed),  63.8 o/o (all)
        Accepted :    195 =   2.7 o/o (processed),   1.9 o/o (all)
 Handled by content
       Discarded :     91 =   1.2 o/o (processed),    .8 o/o (all)
    Quarantained :    188 =   2.6 o/o (processed),   1.8 o/o (all)
       Delivered :     31 =    .4 o/o (processed),    .3 o/o (all)

Explicit rules seem to work fine…
Apart from the number of relay attempts (due to blocking notoriously badly behaving FTP users), the number of abusive web accesses has been limited as well, but I didn’t get into the details yet. But the impression is that Chinese abuse is now tackled – for now.
Work at hand
On this subject, I’m almost finished with scanning all relevant logfiles so I can correlate any type of access and the result. There is a slight problem, though. Both PMAS and HP’s TCPIP do not always contain the sender addresses in their messages, so there is still some investigation needed. But with the amount of data that is now available, it should be possible to come up with a scheme to relate the router data with what happens in the VMS box 🙂
On the front page – and all behind – work on the Gazette is ongoing. Taking my current home page as a guinea pig, it won’t be much longer before I can make the transition.
A major overhaul of the whole site is imminent – you will be informed.
(What is most annoying on CSWB – the (Alpha) VMS version of Mozilla (based on SeaMonkey) – is that at times it will take up to 100% CPU for a minute or two, without warning, without apparent reason. And though it will prompt for a newer version – which doesn’t exist for Alpha – there is not much to be done against it….)