I created a command procedure (for a colleague, to start with) to run every night, scanning the accounting file for failed logins, using the /SINCE=YESTERDAY qualifier, so I’ll get only the most recent ones. I display name, account, and, if applicable, the address of the remote site.
Usually, it just shows:
================================================================================
21-NOV-2006 00:01:02.27 Login failures found
================================================================================
Time                Username    UIC                 Account
                    RemoteID            System
                    Code     TEXT
--------------------------------------------------------------------------------
================================================================================
No login failures found
but to have a clear view on what happened before, I used /SINCE=01-Jan-2004 – which gave me all entries since December 2005, and nothing before. Obvious, since that’s when this VMS instance came alive (I will need to run the test on the old accounting file to get more)
That revealed a few interesting attempts. What to think of a script from a Windows box:
13-MAY-2006 16:40:03 Administrato [TCPIP$AUX,TCPI
                    FTP_18F2BB1A        rrcs-24-242-187-26.sw.biz.rr.com
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
** Repeated 2281 times **
13-MAY-2006 16:54:39 Administrato [TCPIP$AUX,TCPI
                    FTP_18F2BB1A        rrcs-24-242-187-26.sw.biz.rr.com
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
About a month later, it was attempted a second time:
12-JUN-2006 21:50:29 Administrato [TCPIP$AUX,TCPI
                    FTP_DD8B3219        221.139.50.25
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
** Repeated 2281 times **
12-JUN-2006 22:16:50 Administrato [TCPIP$AUX,TCPI
                    FTP_DD8B3219        221.139.50.25
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
Quite recent, but given the number of attempts, probably just an error or someone who more or less knows what he’s doing:
 8-OCT-2006 03:49:37 root        [TCPIP$AUX,TCPI
                    FTP_40394046        drizzle.bluegravity.com
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
 8-OCT-2006 03:49:37 root        [TCPIP$AUX,TCPI
                    FTP_40394046        drizzle.bluegravity.com
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
I hope this time posting doesn’t fail. I tried twice today and both attempts went wrong due to an HPARITHM error.
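For triage of a report like the ones above, the following added example (not the command procedure described in this post) parses the three-line records and totals failures per remote system. It assumes the layout seen in the excerpts and that "** Repeated N times **" stands for N further records identical to the one before it; the function names and the threshold of 10 are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
# Sample taken from the report excerpts above, trailing padding removed.
SAMPLE = """\
13-MAY-2006 16:40:03 Administrato [TCPIP$AUX,TCPI
                    FTP_18F2BB1A        rrcs-24-242-187-26.sw.biz.rr.com
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
** Repeated 2281 times **
13-MAY-2006 16:54:39 Administrato [TCPIP$AUX,TCPI
                    FTP_18F2BB1A        rrcs-24-242-187-26.sw.biz.rr.com
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
 8-OCT-2006 03:49:37 root        [TCPIP$AUX,TCPI
                    FTP_40394046        drizzle.bluegravity.com
                    00D380F4 %LOGIN-F-NOSUCHUSER, no such user
"""
HEAD = re.compile(r"^\s*(\d{1,2}-[A-Z]{3}-\d{4} \d\d:\d\d:\d\d)\S*\s+(\S+)")
REMOTE = re.compile(r"^\s+(\S+)\s+(\S+)$")             # RemoteID, System
STATUS = re.compile(r"^\s+[0-9A-F]{8}\s+%[\w$-]+")     # Code, TEXT
REPEAT = re.compile(r"^\*\* Repeated (\d+) times \*\*$")

def parse_failures(report):
    """Return one dict per three-line record, folding in 'Repeated' counts."""
    lines = [l.rstrip() for l in report.splitlines() if l.strip()]
    records, i = [], 0
    while i < len(lines):
        rep, head = REPEAT.match(lines[i].strip()), HEAD.match(lines[i])
        rest = lines[i + 1:i + 3]
        if rep and records:
            # Assumption: N suppressed records identical to the one just shown.
            records[-1]["count"] += int(rep.group(1))
        elif head and len(rest) == 2 and REMOTE.match(rest[0]) and STATUS.match(rest[1]):
            when = datetime.strptime(head.group(1), "%d-%b-%Y %H:%M:%S")
            records.append({"time": when, "user": head.group(2), "count": 1,
                            "remote": REMOTE.match(rest[0]).group(2)})
            i += 2  # skip the two continuation lines of this record
        i += 1
    return records

def summarise(report, threshold=10):
    """Group failures by remote system; flag sources at or above threshold."""
    out = defaultdict(lambda: {"attempts": 0, "users": set(), "first": None, "last": None})
    for r in parse_failures(report):
        s = out[r["remote"]]
        s["attempts"] += r["count"]
        s["users"].add(r["user"])
        s["first"] = min(s["first"] or r["time"], r["time"])
        s["last"] = max(s["last"] or r["time"], r["time"])
    return {k: dict(v, burst=v["attempts"] >= threshold) for k, v in out.items()}
```

Banner and column-header lines are skipped because a record is only accepted when its two continuation lines match as well.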