“Members” on the forums

Apart from the usual spam, nothing really weird has happened lately.
But it’s good to check the forum’s member list now and then. I already removed a number of (non-Dutch) guests on my OpenVMS forums that can’t possibly have a real interest. Given the fact that they refer to non-existing e-mail accounts, or websites full of junk (if not worse), these have been removed.
On one of the Windows machines, however, I have a problem with a patch that keeps re-appearing after install. According to Microsoft support, it may have to do with settings within Internet Explorer, its cache, cookies, firewall settings… I have to follow 7 steps to see if the problem goes away – including messing with security. IF such is really the case, Windows XP is worse than I thought…
However, I could get around the annoying pop-up that tells me that “New updates are available” by switching auto-update off altogether. Not exactly what I want, but that is workable for the moment. But I’ll need to sit down and work on that some day (an evening is too short). I wonder if they think I have all day to repair the junk they make of it ;(

26-Dec-2006

All quiet on the mail and login front

No remarks in operator.log, no newly banned accesses in accounting.dat… Just the ever-increasing amount of unsolicited mail that gets blocked – and the ever-increasing amount of spoofed (or hacked) addresses that cannot be filtered out without scanning the subject and content of the messages.
Phishing
Two phishing attempts – both said to come from eBay. But examining the code showed that some links refer to an encoded (and therefore suspicious) address.
Webserver abuse
The webserver seems once again to be a nice challenge for someone:

211.239.241.23 - - [15/Dec/2006:19:31:15 +0100] "GET / HTTP/1.0" 200 3147
211.239.241.23 - - [15/Dec/2006:19:31:22 +0100] "OPTIONS / HTTP/1.0" 200 172
211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "OPTIONS /" 501 694
211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:29 +0100] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 864
211.239.241.23 - - [15/Dec/2006:19:31:29 +0100] "- -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:30 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:35 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:41 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:46 +0100] "HELP -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:47 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:52 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:57 +0100] "default -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:58 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:03 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:08 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:14 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:19 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:24 +0100] "< NTP/1.0" 501 694
211.239.241.23 - - [15/Dec/2006:19:32:25 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:32:30 +0100] "- -" 0 0

According to WHOIS this is a Korean address, but there seems to be no domain connected to it. dig won't find it either:
$ dig -x 211.239.241.23

; <<>> DiG 9.2.1 <<>> -x 211.239.241.23
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33783
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;23.241.239.211.in-addr.arpa.   IN      PTR

;; Query time: 2715 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 26 11:32:53 2006
;; MSG SIZE  rcvd: 45

$

SERVFAIL? No, this is NOT an error on Diana. Digging the address of www.hp.com, for instance, does give a valid answer. So the address has likely not been registered in any DNS.

20-Dec-2006

Analysis

of the webserver log, where I encountered the CONNECT attempts, showed it had been tried for some time, but then ceased. The last weird access was on 04-Dec-2006:

209.104.198.4 - - [04/Dec/2006:06:34:10 +0100] "- -" 0 0

and just one address kept retrying to CONNECT to its own mail address, once every 30 minutes or so, and that was found to fail time after time again, starting on 08-Dec-2006 around midnight:

66.185.126.163 - - [08/Dec/2006:00:40:46 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860

trying it every 30 minutes or so, until the last attempt some hours later:

66.185.126.163 - - [08/Dec/2006:08:45:29 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860

I checked the log of a week later, and that showed no more attempts.

14-Dec-2006

Abuse attempts on webserver

At least, that’s my suspicion.

I looked into the webserver access log tonight and found that since 02-Dec-2006 there are attempts to connect to a mail port via the webserver:

72.29.84.95 - - [03/Dec/2006:03:24:45 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
72.29.84.95 - - [03/Dec/2006:03:24:46 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
72.29.84.95 - - [03/Dec/2006:03:24:46 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
209.104.198.4 - - [03/Dec/2006:03:29:40 +0100] "- -" 0 0
66.185.126.163 - - [03/Dec/2006:03:34:56 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860
209.104.198.4 - - [03/Dec/2006:03:35:28 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:03:45:56 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:03:48:36 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:03:59:51 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:04:01:45 +0100] "- -" 0 0
66.185.126.163 - - [03/Dec/2006:04:04:57 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860
209.104.198.4 - - [03/Dec/2006:04:14:50 +0100] "- -" 0 0
209.104.198.4 - - [03/Dec/2006:04:16:04 +0100] "- -" 0 0

Of course this fails.

It started with mostly just CONNECT requests to Google’s and Microsoft’s mail servers, and apparently to the abuser’s own servers (at least, I would think so given the addresses), from a number of sources. But over time, only those mentioned above are still trying.

These addresses should be excluded COMPLETELY from the network.
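To turn the two kinds of entries shown in the log excerpts above (the 15-Dec probe sequence of "- -", HELP, OPTIONS and the /nice%20ports%2C/Tri%6Eity.txt%2ebak request, and the CONNECT host:25 relay attempts) into something a nightly check can report on, here is a small classifier in Python. It is an added example for this page, not the author's own tooling; the log lines it runs on are constructed from the excerpts above plus one benign request, and the label names and the minimum-hit threshold are choices made for the example. The decoded probe path it matches is the one nmap sends during service/version detection.

```python
"""Classify suspicious requests in an Apache common/combined access log.

Added example for this page (not the author's tooling). Labels the probe
sequence and CONNECT relay attempts seen in the log excerpts above.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Sample lines constructed for this example, modelled on the excerpts above.
SAMPLE_LOG = """\
211.239.241.23 - - [15/Dec/2006:19:31:15 +0100] "GET / HTTP/1.0" 200 3147
211.239.241.23 - - [15/Dec/2006:19:31:22 +0100] "OPTIONS / HTTP/1.0" 200 172
211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "OPTIONS /" 501 694
211.239.241.23 - - [15/Dec/2006:19:31:23 +0100] "- -" 0 0
211.239.241.23 - - [15/Dec/2006:19:31:29 +0100] "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 864
211.239.241.23 - - [15/Dec/2006:19:31:46 +0100] "HELP -" 400 870
211.239.241.23 - - [15/Dec/2006:19:31:57 +0100] "default -" 400 870
72.29.84.95 - - [03/Dec/2006:03:24:45 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
72.29.84.95 - - [03/Dec/2006:03:24:46 +0100] "CONNECT 72.29.84.96:25 HTTP/1.0" 403 860
66.185.126.163 - - [03/Dec/2006:03:34:56 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860
66.185.126.163 - - [03/Dec/2006:04:04:57 +0100] "CONNECT 66.185.126.163:25 HTTP/1.0" 403 860
209.104.198.4 - - [03/Dec/2006:03:29:40 +0100] "- -" 0 0
10.0.0.5 - - [03/Dec/2006:09:00:00 +0100] "GET /index.html HTTP/1.1" 200 3147
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d+) (?P<bytes>\S+)'
)
# Decoded path of nmap's "FourOhFourRequest" version-detection probe.
NMAP_404_PROBE = "/nice ports,/Trinity.txt.bak"
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["req"].split(" ")
    rec["method"] = parts[0]
    rec["target"] = parts[1] if len(parts) > 1 else ""
    return rec

def classify(rec):
    """Label one parsed request; 'normal' if nothing looks off."""
    method, target = rec["method"], rec["target"]
    if method == "CONNECT":
        # host:port target; port 25 means someone is testing us as an SMTP relay
        port = target.rsplit(":", 1)[-1]
        return "connect-smtp" if port == "25" else "connect-other"
    if method == "-" or rec["status"] == 0:
        return "empty-request"      # connection opened, no HTTP request sent
    if unquote(target) == NMAP_404_PROBE:
        return "nmap-probe"         # nmap service/version detection fingerprint
    if method not in HTTP_METHODS:
        return "non-http-method"    # HELP, default, ... banner-grabbing strings
    if rec["status"] in (400, 501):
        return "malformed"
    return "normal"

def summarize(log_text):
    """Per-client counts per label, time span, and whether any CONNECT got a 2xx."""
    summary = defaultdict(lambda: {"labels": defaultdict(int), "first": None,
                                   "last": None, "relay_open": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        entry = summary[rec["ip"]]
        entry["labels"][label] += 1
        entry["first"] = rec["time"] if entry["first"] is None else min(entry["first"], rec["time"])
        entry["last"] = rec["time"] if entry["last"] is None else max(entry["last"], rec["time"])
        # A 2xx on CONNECT would mean the server actually relayed; 403 is the refusal seen above.
        if label.startswith("connect") and 200 <= rec["status"] < 300:
            entry["relay_open"] = True
    return {ip: {"labels": dict(e["labels"]), "first": e["first"], "last": e["last"],
                 "relay_open": e["relay_open"]} for ip, e in summary.items()}

def suspicious_clients(log_text, min_hits=2):
    """Clients with at least min_hits non-normal requests, busiest first."""
    out = []
    for ip, e in summarize(log_text).items():
        bad = sum(n for label, n in e["labels"].items() if label != "normal")
        if bad >= min_hits:
            out.append((ip, bad))
    return sorted(out, key=lambda t: -t[1])

if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(ip, e["labels"], "RELAY OPEN" if e["relay_open"] else "")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The relay_open flag is the check worth keeping even when the CONNECT attempts stop: a 403 on CONNECT is the webserver refusing to proxy, so the only thing that should ever raise an alarm is a 2xx on one of those lines.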

Login failures

I created a command procedure (for a colleague, to start with) to run every night, scanning the accounting file for failed logins, using the /SINCE=YESTERDAY qualifier, so I’ll get only the most recent ones. I display name, account, and, if applicable, the address of the remote site.

Usually, it just shows:

================================================================================
21-NOV-2006 00:01:02.27 Login failures found
================================================================================
Time                 Username     UIC                  Account             
                     RemoteID             System
                     Code      TEXT
——————————————————————————–
================================================================================
No login failures found
but to have a clear view on what happened before, I used /SINCE=01-Jan-2004 – which gave me all entries since December 2005, and nothing before. Obvious, since that’s when this VMS instance came alive (I will need to run the test on the old accounting file to get more).

That revealed a few interesting attempts. What to think of a script from a Windows box:

13-MAY-2006 16:40:03 Administrato [TCPIP$AUX,TCPI                     
                     FTP_18F2BB1A         rrcs-24-242-187-26.sw.biz.rr.com
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user

** Repeated 2281 times **
13-MAY-2006 16:54:39 Administrato [TCPIP$AUX,TCPI                     
                     FTP_18F2BB1A         rrcs-24-242-187-26.sw.biz.rr.com
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user
About a month later, it was attempted a second time:

12-JUN-2006 21:50:29 Administrato [TCPIP$AUX,TCPI                     
                     FTP_DD8B3219         221.139.50.25
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user

** Repeated 2281 times **
12-JUN-2006 22:16:50 Administrato [TCPIP$AUX,TCPI                     
                     FTP_DD8B3219         221.139.50.25
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user
Quite recent, but given the number of attempts, probably just an error or someone who more or less knows what he’s doing:

 8-OCT-2006 03:49:37 root         [TCPIP$AUX,TCPI                     
                     FTP_40394046         drizzle.bluegravity.com
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user
 8-OCT-2006 03:49:37 root         [TCPIP$AUX,TCPI                     
                     FTP_40394046         drizzle.bluegravity.com
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user
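The report layout above (a timestamp/username/UIC line, a process-name/remote-ID line, a status-code/message line, with "** Repeated N times **" markers between identical records) is easy to post-process so that a 2281-attempt FTP burst against a non-existent account stands out from a colleague mistyping a password once. The Python below is an added example for this page, not the author's DCL command procedure; the report text it reads is constructed in that layout from the records shown above plus one invalid-password record for contrast. Two assumptions are made for the example: a "Repeated N times" marker stands for N further identical records collapsed between the two shown, so it adds N to that source's count, and the brute-force threshold of 20 attempts is a placeholder to tune.

```python
"""Summarize OpenVMS login-failure report records per (remote, username).

Added example for this page, not the author's DCL procedure. Reads the
three-line record layout shown above plus "** Repeated N times **" markers.
"""
import re
from collections import defaultdict
from datetime import datetime

# Report text constructed for this example in the layout of the output above.
SAMPLE_REPORT = """\
13-MAY-2006 16:40:03 Administrato [TCPIP$AUX,TCPI
                     FTP_18F2BB1A         rrcs-24-242-187-26.sw.biz.rr.com
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user

** Repeated 2281 times **
13-MAY-2006 16:54:39 Administrato [TCPIP$AUX,TCPI
                     FTP_18F2BB1A         rrcs-24-242-187-26.sw.biz.rr.com
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user
 8-OCT-2006 03:49:37 root         [TCPIP$AUX,TCPI
                     FTP_40394046         drizzle.bluegravity.com
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user
 8-OCT-2006 03:49:37 root         [TCPIP$AUX,TCPI
                     FTP_40394046         drizzle.bluegravity.com
                     00D380F4  %LOGIN-F-NOSUCHUSER, no such user
 9-OCT-2006 08:15:02 SYSTEM       [SYSTEM]
                     _TNA12:              host.example.net
                     00D380F8  %LOGIN-F-INVPWD, invalid password
"""

HEADER_RE = re.compile(r"^\s*(\d{1,2}-[A-Z]{3}-\d{4} \d\d:\d\d:\d\d)\s+(\S+)(?:\s+(\S.*))?$")
REPEAT_RE = re.compile(r"^\*\* Repeated (\d+) times \*\*$")
STATUS_RE = re.compile(r"^\s*([0-9A-F]{8})\s+(%\S+?),\s*(.*)$")

def parse_report(text):
    """Yield one dict per failure record; 'extra' carries a preceding repeat count."""
    lines = [l.rstrip() for l in text.splitlines()]
    i, pending = 0, 0
    while i < len(lines):
        m = REPEAT_RE.match(lines[i].strip())
        if m:
            # Assumption: N collapsed records sit between the previous and next shown record.
            pending = int(m.group(1))
            i += 1
            continue
        h = HEADER_RE.match(lines[i])
        if not h or i + 2 >= len(lines):
            i += 1
            continue
        fields = lines[i + 1].split()            # process name, then remote ID if any
        s = STATUS_RE.match(lines[i + 2])
        yield {
            "time": datetime.strptime(h.group(1), "%d-%b-%Y %H:%M:%S"),
            "user": h.group(2),
            "process": fields[0] if fields else "",
            "remote": fields[1] if len(fields) > 1 else "local",
            "ident": s.group(2) if s else "",
            "extra": pending,
        }
        pending = 0
        i += 3

def summarize(text, brute_threshold=20):
    """Count attempts per (remote, username), with time span, rate and a verdict."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "idents": set()})
    for rec in parse_report(text):
        g = groups[(rec["remote"], rec["user"])]
        g["count"] += 1 + rec["extra"]
        g["first"] = rec["time"] if g["first"] is None else min(g["first"], rec["time"])
        g["last"] = rec["time"] if g["last"] is None else max(g["last"], rec["time"])
        g["idents"].add(rec["ident"])
    result = {}
    for key, g in groups.items():
        span_min = (g["last"] - g["first"]).total_seconds() / 60
        rate = g["count"] / span_min if span_min > 0 else float(g["count"])
        if g["count"] >= brute_threshold:          # threshold is a placeholder to tune
            verdict = "brute-force"
        elif "%LOGIN-F-NOSUCHUSER" in g["idents"]:
            verdict = "probe"                       # guessing names that do not exist here
        else:
            verdict = "noise"                       # e.g. a real user's bad password
        result[key] = {"count": g["count"], "span_min": round(span_min, 1),
                       "per_min": round(rate, 1), "verdict": verdict}
    return result

if __name__ == "__main__":
    for (remote, user), r in summarize(SAMPLE_REPORT).items():
        print(f"{remote:40} {user:12} {r['count']:6} in {r['span_min']:6} min  {r['verdict']}")
```

Keyed on remote and username rather than on the status code, the May and June bursts from the page collapse to one line each with their attempt rate, while the two root attempts from drizzle.bluegravity.com show up as a low-count probe and a single invalid-password record stays filed as noise.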
I hope this time posting doesn’t fail. I tried twice today and both attempts went wrong due to an HPARITHM error.