24-Apr-2012

Bogus users – again
Today, I removed about 15 bogus accounts, all originating from domains I’ve seen as spam-related elsewhere, and mainly from China:
163.com
21cn.com
yeah.com

and some seem to have a Hotmail account, but the names simply don’t match.

As a precaution – I don’t want to clean up the mess every day – I have disabled the creation of accounts, for now.

Spam?
There are still loads of messages that seem to pass the SPAM filter and are next handled by the SMTP settings – at least, it looks that way. If I relate these OPER signals with times in the router logs, they seem to originate from outside the local network – and they are rejected by PMAS. But why do I see them in my OPERATOR.LOG? I’ll ask Process, but I wonder whether I will receive an answer: I have no support….

13-Apr-2012

Mail bomber blocked?
For weeks, I’ve been receiving – as shown in operator.log – many, many messages that for some reason were accepted by the spam filter but were caught by the SMTP-client itself. They never made it to the inbox. Quite likely they were passed since the envelope_from was from within my own domain, but these headers were all forged: they were not sent from my domain:

X-PMAS-MAIL-FROM: backpedaledsupw@siaminet.com
Received: from unknown ([188.54.93.212] EXTERNAL) (EHLO device.lan) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
2012 02:18:37 +0000
Received: from 188.54.93.212 (account HELO
grootersnet.nl) by grootersnet.nl (CommuniGate Pro SMTP 5.2.3) with ESMTPA id
712770485 for
; Mon, 9 Apr 2012 05:18:36 +0300
From:

(I don’t use Communigate – I know the product, I even tested it)

X-PMAS-MAIL-FROM: undecipherablex63@realliving.com
Received: from HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de
([95.208.15.185] EXTERNAL) (EHLO
HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de) by
diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr
2012 11:09:39 +0000
Received: from apache by mdbaensicmbdedm.iztzg.hr with local (Exim 4.67)
(envelope-from < >) id MHY1YI-HP2T4L-B6 for
; Mon, 9 Apr 2012 12:09:38 +0100
To:

(I don’t use apache or Exim)

These are just two examples, but the majority have similar signatures. All have been forged!

What caused this flood to stop, all of a sudden? It might be an additional rule in the filter, rejecting any text that I found in the messages that were quarantined (I think PMAS did its job in a second pass?)…
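
The forgery pattern in the two header sets above can be checked mechanically. What follows is an added example, not the author’s PMAS rules and not code from Process Software. It assumes that the first Received line is the one PreciseMail writes, in the form quoted above (“from <name> ([<ip>] EXTERNAL) (EHLO <name>) by <host> …”), and that grootersnet.nl is the site’s own domain; its sample headers are constructed from the fragments quoted above (recipients are missing there, so they are missing here too) plus two made-up controls:

```python
"""Check a message's Received chain for the forgery pattern described above.
Added example, not the author's PMAS rules nor code from Process Software.
Assumes the receiving MTA is PreciseMail, writing the first Received line as
"from <name> ([<ip>] EXTERNAL) (EHLO <name>) by <host> ..." as quoted in the
post, and that LOCAL_DOMAIN is the site's own domain.  Samples are constructed
from the fragments quoted above (recipients are missing there, so also here).
"""
import re

LOCAL_DOMAIN = "grootersnet.nl"   # assumption: the site's own mail domain
# The first hop is the only Received line written by our own MTA.
_FIRST_HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\]\s*(?P<tag>EXTERNAL|LOCAL)?\)"
    r"\s*\(EHLO\s+(?P<ehlo>[^)]+)\)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
# "by <host>" in a later Received line: the relay that claims it handled the mail.
_BY_HOST = re.compile(r"\bby\s+(?P<by>[A-Za-z0-9.\-]+)", re.IGNORECASE)

def unfold(raw):
    """RFC 5322 unfolding: a line starting with whitespace continues the previous one."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.rstrip())
    return out

def headers(raw):
    """(name, value) pairs, names lower-cased, in on-the-wire order."""
    pairs = []
    for line in unfold(raw):
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def domain_of(host):
    """Last two labels; good enough for the .nl/.de/.hr names in these samples."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyse(raw, local_domain=LOCAL_DOMAIN):
    """Return a list of forgery indicators; an empty list means nothing suspicious."""
    hdrs = headers(raw)
    received = [v for n, v in hdrs if n == "received"]
    mail_from = next((v for n, v in hdrs if n == "x-pmas-mail-from"), "")
    hop = _FIRST_HOP.search(received[0]) if received else None
    if not hop:
        return ["first Received line missing or not written by our MTA"]
    external = (hop.group("tag") or "").upper() == "EXTERNAL"
    connecting = hop.group("ehlo").strip().lower()
    findings = []
    # 1. The post's hypothesis: envelope sender in our domain, delivered by an outside host.
    if external and mail_from.lower().endswith("@" + local_domain):
        findings.append("envelope sender %s from EXTERNAL host %s" % (mail_from, hop.group("ip")))
    # 2. An outside host announcing itself as one of ours.
    if external and domain_of(connecting) == local_domain:
        findings.append("EXTERNAL host EHLO'd as %s" % connecting)
    # 3. Later hops: nothing below the first hop can legitimately be 'by' our domain,
    #    and the relay that handed the mail to us should be the host that connected.
    for line in received[1:]:
        m = _BY_HOST.search(line)
        if m:
            by = m.group("by").lower()
            if domain_of(by) == local_domain:
                findings.append("inner Received claims relay by %s (our domain)" % by)
            elif domain_of(by) != domain_of(connecting):
                findings.append("inner relay %s does not match connecting host %s" % (by, connecting))
        if re.search(r"\bhelo\s+" + re.escape(local_domain) + r"\b", line, re.IGNORECASE):
            findings.append("inner Received claims HELO %s" % local_domain)
    return findings

# Constructed samples: the first two follow the headers quoted in the post.
SAMPLES = {
    "communigate": "\n".join([
        "X-PMAS-MAIL-FROM: backpedaledsupw@siaminet.com",
        "Received: from unknown ([188.54.93.212] EXTERNAL) (EHLO device.lan) by",
        " diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr 2012 02:18:37 +0000",
        "Received: from 188.54.93.212 (account HELO grootersnet.nl) by grootersnet.nl",
        " (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 712770485 for ; Mon, 9 Apr 2012 05:18:36 +0300"]),
    "exim": "\n".join([
        "X-PMAS-MAIL-FROM: undecipherablex63@realliving.com",
        "Received: from HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de ([95.208.15.185] EXTERNAL)",
        " (EHLO HSI-KBW-095-208-015-185.hsi5.kabel-badenwuerttemberg.de) by diana.INTRA.GROOTERSNET.NL",
        " ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr 2012 11:09:39 +0000",
        "Received: from apache by mdbaensicmbdedm.iztzg.hr with local (Exim 4.67)",
        " (envelope-from < >) id MHY1YI-HP2T4L-B6 for ; Mon, 9 Apr 2012 12:09:38 +0100"]),
    # Made up: envelope sender and EHLO both claim our domain from an outside address.
    "own_domain": "\n".join([
        "X-PMAS-MAIL-FROM: someone@grootersnet.nl",
        "Received: from unknown ([203.0.113.7] EXTERNAL) (EHLO grootersnet.nl) by",
        " diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr 2012 03:00:00 +0000"]),
    # Made up control: a consistent chain, the inner relay is the host that connected.
    "clean": "\n".join([
        "X-PMAS-MAIL-FROM: user@example.org",
        "Received: from mail.example.org ([198.51.100.5] EXTERNAL) (EHLO mail.example.org) by",
        " diana.INTRA.GROOTERSNET.NL ([192.168.0.200]) (PreciseMail V3.2); Mon, 09 Apr 2012 04:00:00 +0000",
        "Received: from [10.0.0.1] (helo=laptop) by mail.example.org with esmtp (Exim) id 42;",
        " Mon, 9 Apr 2012 06:00:00 +0200"]),
}
```

The point of the check is that only the topmost Received line, the one your own MTA wrote, records anything you observed yourself (the connecting IP and the EHLO name); every line below it is data the sender put there, so a lower line naming your own domain as relay, or naming a relay unrelated to the host that actually connected, is a forgery. Running analyse() over the two quoted samples gives two findings for the CommuniGate one (relay and HELO claims on grootersnet.nl) and one for the Exim one (relay iztzg.hr does not match the connecting kabel-badenwuerttemberg.de host), and none for the made-up clean chain.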

Bogus accounts?
I need to shift attention a bit.
Where it was rather usual to find bogus users in the Wiki (requiring me to de-spam the wiki on a regular, almost daily…, basis), it seems this blog attracts ‘users’. Probably assuming they can abuse the blog, but the default role is ‘subscriber’, so they are not able to spoil the blog with their ‘content’. Though there is a possibility to try to abuse the comments – but again, I have taken precautions: there is a spam-test in place and comments need to be approved before publication.
The last additions seem to originate in China, based on names and domains; a few of the latter are well known to me: the PMAS anti-relay feature logs these domains quite often if there are large numbers of relay attempts….
To mention the latest I’ve seen:
126.com
163.com
yeah.com

These are not forged: there is a mail check in the program and if an email address is fake, I’ll be notified. (I would like MoinMoin to have the same feature…)
I don’t mind subscribers…But these are known to me to be domains accepting abusive Internet users. So I’m quite willing to rule ANY user from these domains off the blog.

13-Jan-2012

DoS attacks on blogs – part 2
One of the things I did after the server was restarted, was to define a throttle on the blogs, the wiki and the download area. This will prevent such a number of concurrent accesses to them, limiting the risks. It may mean that when I get a lot of requests, some will have to wait a bit longer, or will be queued for some time, or get a “Server busy” error. The issue is clearly visible in yesterday’s history. Not so much in CPU – there are some spikes up to 25%:

At times there have been peaks in CPU; normally it’s just a few percent, so these spikes up to 25% are remarkable, especially in the timeframe in which they occur…
In memory usage – especially pagefile usage – the problem is clear:

Free memory is exhausted, but there is space enough available in the pagefile, and far more can be paged into the files; but since none of the processes clearly ran out of virtual memory, there is something else that blocked processing. The only culprit in that case might be MySQL….
The number of processes:

runs into the roof – in steps, and it follows memory usage: starting to rise at six to stabilize just a few minutes later, until the number of processes increases again at 7, again stabilizes at 9, and again increases in steps until the system is out of slots at 10; in the next half hour, it seems some processes come to an end but immediately that free slot is taken again…. From that moment on, until the system is rebooted at 21:00, no new processes can be created; once in a while one ends, but another will take the slot immediately…
Paging shows a massive peak at 6:00 and 7:00.

These will be the moments that the large number of processes are created. It matches the graph seen yesterday of the number of requests at these moments.
The graph of buffered IO shows the same peaks:

So the problem started at 6:00, stabilized until 7:00, and then continued until the system ran out of resources at about 10:30 (local time, which is UTC without DST on the system).

Armed with these data, I searched the access log.
At 4:00, 66.249.66.186 requested a few pages in the SYSMGR blog, but there were a few minutes between them and that is hardly noticeable. Nothing weird, actually; this happens more often.
But at 6:00, 204.11.219.95 kicks in. Within 16 minutes this address fires 50 subsequent GETs on the Tracks blog index; the first 20 succeed; it gets 503 errors on the next 5; the next 5 succeed, the next 6 result in 502 errors, followed by succeeding ones.
About 15 minutes later, at 6:39, addresses 66.249.66.186 and 66.249.71.152 start accessing the SYSMGR blog index with straight requests. Several other addresses do the same for RSS feeds, others scanning for monthly indices to be displayed. Not that often – every few minutes, but continuously. Most, of course, ending in a 500-style error after 10:30….

These 66.xxx.xxx.xxx addresses are owned by Google, and so are some of the RSS feeds. This is no big deal, it’s rather normal. These come with a larger interval. The real culprit seems to be 204.11.219.95:
$ dig -x 204.11.219.95

; <<>> DiG 9.3.1 <<>> -x 204.11.219.95
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6130
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;95.219.11.204.in-addr.arpa. IN PTR

;; ANSWER SECTION:
95.219.11.204.in-addr.arpa. 43200 IN CNAME 95.219.11.204.in-addr.networkvirtue.com.

;; AUTHORITY SECTION:
networkvirtue.com. 2560 IN SOA a.ns.networkvirtue.com. hostmaster.networkvirtue.com. 1305226632 16384 2048 1048576 2560

;; Query time: 5843 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jan 13 13:10:14 2012
;; MSG SIZE rcvd: 149

$
$ whois 204.11.219.95
----Server: whois.arin.net [AMERICAS] response for 204.11.219.95
#
# Query terms are ambiguous. The query is assumed to be:
# "n 204.11.219.95"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=204.11.219.95?showDetails=true&showARIN=false&ext=netref2
#

Peak Web Hosting Inc. PEAK-WEB-HOSTING (NET-204-11-216-0-1) 204.11.216.0 - 204.11.223.255
Gal Halevy GAL-HALEVY-NETWORK (NET-204-11-219-64-1) 204.11.219.64 - 204.11.219.127

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

So I know where to signal abuse.
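
The access-log search described above (one address firing dozens of GETs at a blog index within a few minutes, while crawlers poll every few minutes) can be automated. The script below is an added example, not the author’s; it assumes the web server writes Common Log Format lines (a format WASD can be configured to use), and the log lines it runs over are constructed here to mimic the behaviour the post describes, with the status sequence the post reports:

```python
"""Find clients that burst requests at a blog index, as in the access-log search above.
Added example, not the author's script.  Assumes the web server writes Common Log
Format (a format WASD can be configured to use) and that a 'burst' is at least
THRESHOLD requests from one address inside any WINDOW-second span.  The log lines
are constructed for this example, modelled on the behaviour the post describes.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = 16 * 60      # seconds: the post saw 50 GETs inside 16 minutes
THRESHOLD = 20        # requests inside that window before we call it a burst
_TS = "%d/%b/%Y:%H:%M:%S %z"
_CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line):
    """One CLF line -> dict, or None for lines that do not parse (keep going on junk)."""
    m = _CLF.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), _TS)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """{ip: summary} for every client with >= threshold requests in some window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    bursts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        peak = start = 0
        for end in range(len(recs)):
            # slide 'start' forward until recs[start..end] fits inside the window
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = {
                "peak": peak, "total": len(recs),
                "statuses": dict(Counter(r["status"] for r in recs)),
                "paths": dict(Counter(r["path"] for r in recs)),
                "first": recs[0]["ts"].isoformat(), "last": recs[-1]["ts"].isoformat()}
    return bursts

def constructed_log():
    """Constructed sample (not a real log): one address hammers the Tracks index from
    06:00 while a crawler polls the SYSMGR index every five minutes from 06:39."""
    t0 = datetime.strptime("12/Jan/2012:06:00:00 +0000", _TS)
    fmt = '%s - - [%s] "GET %s HTTP/1.1" %d 1234'
    lines = []
    # statuses in the order the post reports: 20 OK, 5x503, 5 OK, 6x502, then OK again
    for i, st in enumerate([200] * 20 + [503] * 5 + [200] * 5 + [502] * 6 + [200] * 14):
        ts = (t0 + timedelta(seconds=19 * i)).strftime(_TS)
        lines.append(fmt % ("204.11.219.95", ts, "/tracks/", st))
    for i in range(6):
        ts = (t0 + timedelta(minutes=39 + 5 * i)).strftime(_TS)
        lines.append(fmt % ("66.249.66.186", ts, "/sysmgr/", 200))
    lines.append("a line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, info in find_bursts(constructed_log()).items():
        print(ip, info)
```

On the constructed log only 204.11.219.95 is reported (50 requests in one window, 39×200, 5×503, 6×502); the crawler never gets more than four requests into any 16-minute span and stays below the threshold. The sliding window is what separates a burst from steady polling: a plain per-hour count would lump the two together. On a real log, feed the file’s lines to find_bursts() and tune WINDOW and THRESHOLD to the throttle you configured.
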
By the way: Mail reception stalled as well:

%%%%%%%%%%% OPCOM 12-JAN-2012 10:14:27.38 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Abort Request from Host: 192.168.0.2 Port: 54120

%%%%%%%%%%% OPCOM 12-JAN-2012 10:14:27.38 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP AUXS failure Status = %SYSTEM-F-NOSLOT

Same problem….

12-Jan-2012

DoS attack on blogs
This morning, the web was unreliable in both speed of access and success. Webmail, which normally works like a charm, would react slowly, cause a 503 error, or time out. The same goes for the operation desk: the home page is a plain HTML file – no whistles or bells. That would load fine, although slowly, but access to functions within the menu could cause similar problems.
Luckily, the WASD web-pages were accessible.
Looking at what could cause the problems, I looked at the activity on the system, and I noticed a really large number of PHP-server processes: meaning that someone was trying to blow the blogs to pieces.
So the next action was to stop these processes, but it seemed an impossible task: for any process I killed, another one was created. Or processes were said to be ‘suspended’…
Next stop: restart the webserver – which normally causes all pending PHP-servers to disappear. But not so this time; that is: the server list of running processes showed them gone, but SHOW SYSTEM still had them…. So I retried – with no luck.
At some point, an error 500 (unexpected server error) was returned whenever a request was sent that would require the webserver to create a new process; but since the admin pages are handled internally, WATCH could show me the reason: “no pcb available”. The system was simply out of gas…. But not completely: wherever the webserver could handle requests itself, like the admin pages, the images beyond the Trips, Tracks & Travels blog, or download files, that worked as before. Also mail and other processes normally running kept running as usual; a bit slower, perhaps.
It was not until later in the afternoon that I was able to solve the problem; because of this lack of process blocks, login wasn’t possible either – I just had to work from the console.
To my luck, the DECwindows session on my console was still up and running, so from there I could try to clean up the mess. Each slot that would normally be open was now occupied by a server-subprocess running PHP, in either LEF or LEFO state. So I stopped each of them. Next, re-showing what was running, the processes re-appeared, so I tried again – with no result.
The only solution I had then was to reboot the server. After that, the webs worked like they should.

Next thing is to examine what happened….

26-Aug-2009

Getting on with PHP
I found a number of reasons why PHPMyAdmin didn’t work.
First, I had copied the PHP.INI file that comes with PHPWASD, and running PHP_INFO revealed that the MySQL extension wasn’t loaded – no wonder, since it was missing in that file. So I included all that came with the HP distribution, and now PHPMySQL was known as an extension. Next, PHP_Info showed it was available, so the next step was running PHPMyAdmin.
First it showed that module MCRYPT couldn’t be loaded. It wasn’t mentioned in either of the PHP.INI files, but it does exist in the [extensions] directory. Stopped the PHPWASD images, and restarted PHPMyAdmin: now the module is loaded. However, there was a complaint:

plus that changing the language (default, in IE8 on my laptop, was Dutch) or entering user-name and password, and hitting the Start button, both ended in an error page: the page could not be displayed. WASD’s WATCH utility however showed there was nothing wrong with the PHP output… Switching the browser to compatibility mode (I’m using IE8 – by company standard) seemed to solve the problem of switching language, but login again failed to show the right page.
Firefox had no issue whatsoever: No error message, and the default language popping up was English. Login gave the message the server did not respond, but at least I got that message.

Since PHPMyAdmin runs on the laptop, and the database resides on the server, that might well be a cause of problems. I didn’t create a service on the default port, but that should not be required.
I changed the configuration file: modified the database-server host from name to address, just to check: but still the server does not respond.
Telnet to that port should be possible, or at least wait for input. But it keeps trying to connect, and in the end times out:

$ telnet 192.168.0.2 3306
%TELNET-I-TRYING, Trying ... 192.168.0.2
%TELNET-E-CONNFAIL, Failed to connect to remote host
-SYSTEM-F-TIMEOUT, device timeout

Next is to check if that really is the problem: use a Linux distribution that runs Apache and PHPMyAdmin to connect to the MySQL database on Diana – from the LAN, since external access to the MySQL database is locked – for obvious reasons.

UPDATE
I had a brainwave just before falling asleep: I suddenly realized there is a good reason why it didn’t work
These tests are run on an emulated Alpha on my laptop, and the emulator wasn’t started with network access in mind; it can be accessed from my laptop using the console (which is a PuTTY window on the default port of the emulator), and the loopback interface on Vista. That makes it possible to access the webserver on the emulator from the laptop only, and allows the emulated system no access to anywhere else than the laptop. The database however is located on Diana – on the network – and therefore, there is no access to the database from the emulated Alpha, in any way…Well, next time start the emulator sharing the NIC on the laptop, and see what happens.

Holidays are over
Students getting back to their computers switch them on again and try hacking again. Or their systems are infected with some rootkit or botnet, spreading spam and trying to break into web- and FTP sites. I can see it in the logfiles; the number of rejected mail messages and HTTP requests has been low for a few weeks but is now getting back to more normal proportions.