16-Apr-2007

Missing layout
for the blog. It came up with the default this morning. It could easily be repaired, but it shouldn’t happen in the first place. There must have been a glitch again in the PHP engine; it happens once in a while. Something to ask at the bootcamp: when will there be a new (more up-to-date) PHP engine?
Web redesign
is progressing slowly – it turned out I have the original pictures of a few days of 2003’s holiday, and what’s available needs to be redone to keep the size as big as possible – near original. So that won’t happen for every day. Pity – but that’s life.
For 2004, 2005 and 2006 all pictures are available – and quite likely, I don’t have to do a lot for these.
Bootcamp ahead
I’m thinking of creating either a blog or a forum for the bootcamp – I tried Phorum, as used by OpenVMS.org, but that would require MySQL 4.3, and the current version on VMS is 4.1 (I still haven’t located 5.0…). I have run it on an XAMPP machine and it looks good – there is much less available for it, some plugins and some about the view – but none that I really like. I could try WordPress 2.1 for that…
Stay tuned….

Busy day

as the log shows for April 10th: two kiddies running scripts against the webserver:
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET //README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde2//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde3//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.5//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.6//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.7//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /horde-3.0.8//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /horde-3.0.9//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /email//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /webmail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /newmail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mails//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mailz//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET //chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chatroom//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chats//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /forum//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /phpMyChat-0.14.3//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /phpMyChat-0.14.4//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat1//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat2//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat3//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /community//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:25 +0100] "GET /cacti//graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:25 +0100] "GET /stats//graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:26 +0100] "GET //graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlrpc/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //blog/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //drupal/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //community/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogs/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogs/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blog/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //b2/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //wordpress/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //phpgroupware/xmlrpc.php HTTP/1.1" 302 360

A new log needed to be loaded, it seems, because it was quiet for 6 minutes, and then:
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //cgi-bin/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //scgi-bin/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scripts/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi-bin/stats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi-bin/stats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //stats/awstats.pl HTTP/1.1" 302 360

Just a few hours later, number two tried his script:
209.85.66.40 - - [10/Apr/2007:14:38:31 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:36 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:36 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868

and what about:

217.199.186.146 - - [10/Apr/2007:18:36:24 +0100] "GET /guppy/ HTTP/1.0" 404 868
59.117.140.22 - - [10/Apr/2007:20:13:40 +0100] "GET http://www.scanproxy.com:80/p-80.html HTTP/1.0" 403 864
213.193.214.44 - - [11/Apr/2007:09:00:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893

(The latter shows up more often from different IP addresses).

I’ll need to enhance the scanning script a bit to remove references now showing up that I know are legal.

11-Apr-2007

New content
in the Dutch OpenVMS forum: two of the How-to’s have been translated into this area: the one on shared SCSI and those about WASD installation and configuration.
Now layout in progress
Work on the new layout is slow, but steady – it takes a lot of work to re-work the holiday pictures. There are so many to have a look at. Perhaps it’s easier (and quicker) to redo the generation….

“Funny” guy…

at least, this person thinks he is. It’s a dummy registration in PHPBB – guess his email-address:

069@phpbbspam.org

(removed, of course)

It would be a good thing if PHPBB could validate the e-mail address. The domain resolves in WHOIS:

IP-Address: 58.65.239.50
IP-Location: PK – Pakistan
Response Code: HTTP/1.1 200 OK
Server Type: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/4.4.5 mod_perl/1.29 FrontPage/5.0.2.2510

05-Apr-2007

Sudden activity
has been noticed on 04-Apr-2007, between 14:30 and 14:40 – around that time, when observing the system performance this morning, the amount of free memory decreased to zero, causing a larger number of processes to stall for a moment and introducing a big increase in pagefile usage – it used to be about 30% in use and all of a sudden (more or less) it was up to 50% – even more, but gradually decreasing.
So tonight I took a look at the webserver log and indeed: two or three processes, more or less concurrently, accessed the blog at the same time.
It started with rather innocent looking requests:
59.162.117.59 - - [04/Apr/2007:14:34:07 +0100] "GET /sysblog/xmlrpc.php?rsd HTTP/1.1" 200 1045
74.6.73.219 - - [04/Apr/2007:14:34:47 +0100] "GET /family/Holiday2003/12-jul/imagepages/image10.html HTTP/1.0" 200 5030
59.162.117.59 - - [04/Apr/2007:14:34:07 +0100] "GET /sysblog/xmlrpc.php HTTP/1.1" 200 252
59.162.117.59 - - [04/Apr/2007:14:34:07 +0100] "GET /sysblog/index.php?m=200702 HTTP/1.1" 200 16296

Next, accessing the blog, pretty normal:
59.162.117.59 - - [04/Apr/2007:14:35:16 +0100] "GET /sysblog/index.php?page_id=2 HTTP/1.1" 200 9333
59.162.117.59 - - [04/Apr/2007:14:35:16 +0100] "GET /sysblog/index.php?page_id=38 HTTP/1.1" 200 10249
59.162.117.59 - - [04/Apr/2007:14:36:24 +0100] "GET /sysblog/index.php?p=64 HTTP/1.1" 200 9956
59.162.117.59 - - [04/Apr/2007:14:36:27 +0100] "GET /sysblog/index.php?p=60 HTTP/1.1" 200 594

and next, this address ceased accessing, another (normally behaving) one did two requests, after which the second “bad guy” introduced himself:
59.162.117.59 - - [04/Apr/2007:14:36:24 +0100] "GET /sysblog/index.php?p=61 HTTP/1.1" 200 10451
74.6.75.12 - - [04/Apr/2007:14:37:06 +0100] "GET /robots.txt HTTP/1.0" 200 430
74.6.72.41 - - [04/Apr/2007:14:37:06 +0100] "GET /family/March2005/res/favicon.ico HTTP/1.0" 200 13499
71.0.167.105 - - [04/Apr/2007:14:38:39 +0100] "GET /Family.css HTTP/1.1" 404 887

Pretty normal again, but the system must have been somewhat overloaded, because all of a sudden there is a twist in the timing: somewhere, one of them issued direct requests using some session ID that – for obvious reasons – failed. But some request seems to have triggered a stall in the PHP engine, because THIS is weird:
71.0.167.105 - - [04/Apr/2007:14:38:39 +0100] "GET /family/Rita/Quilt/quilting.htm HTTP/1.1" 200 1768
71.0.167.105 - - [04/Apr/2007:14:38:39 +0100] "GET /openVMS/HOW_TO/index.htm HTTP/1.1" 200 3100
71.0.167.105 - - [04/Apr/2007:14:37:24 +0100] "GET /sysblog/index.php?p=59 HTTP/1.1" 502 0
71.0.167.105 - - [04/Apr/2007:14:37:25 +0100] "GET /sysblog/index.php?p=55#respond HTTP/1.1" 502 0

Mind the log time! These have been issued earlier but were somewhat delayed in delivery.
After some (obscuring?) normal requests, he starts direct requests – to services that are not enabled for such a request:
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /openVMS/HOW_TO/SharedSCSI/Controller.htm HTTP/1.1" 200 5320
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /family/Holiday2005/index.html HTTP/1.1" 200 19191
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /family/March2005/ HTTP/1.1" 200 9365
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /cgi-bin/query/./index.php?sid=56e3771a2ca5e56773c41c6ac261113f HTTP/1.1" 404 767
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /cgi-bin/query/./search.php?sid=56e3771a2ca5e56773c41c6ac261113f HTTP/1.1" 404 7

Some automated requests, by the way, judging by the times.
At 14:40 was his last attempt:
71.0.167.105 - - [04/Apr/2007:14:40:05 +0100] "GET /cgi-bin/query/profile.php?mode=editprofile&sid=56e3771a2ca5e56773c41c6ac261
71.0.167.105 - - [04/Apr/2007:14:40:05 +0100] "GET /cgi-bin/query/privmsg.php?folder=inbox&sid=56e3771a2ca5e56773c41c6ac261113f
204.104.55.243 - - [04/Apr/2007:14:40:28 +0100] "GET /forums/templates/Galaxian/images/icon_mini_members.gif HTTP/1.1" 304 187

In exactly this timeframe, there have been two major increases of used memory and increased paging.
I did a lookup on these addresses but neither of them results in a valid reference. This may mean someone used an anonymizer.
I’ll need to investigate further.
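As an added example (not code from the original post), here is a small Python sketch of the kind of scanning script the 16-Apr entry mentions, with the allowlist of known-legal references, that also lists the out-of-order timestamps noticed in the 05-Apr entry. The sample log lines are constructed after the entries quoted above; the probe patterns, fingerprints and allowlist are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines, modelled on the Apache-style entries quoted in the post.
SAMPLE_LOG = """\
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET //README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mail//README HTTP/1.1" 302 360
71.0.167.105 - - [10/Apr/2007:14:38:39 +0100] "GET /openVMS/HOW_TO/index.htm HTTP/1.1" 200 3100
71.0.167.105 - - [10/Apr/2007:14:37:24 +0100] "GET /sysblog/index.php?p=59 HTTP/1.1" 502 0
71.0.167.105 - - [10/Apr/2007:14:37:25 +0100] "GET /sysblog/xmlrpc.php HTTP/1.1" 502 0
213.193.214.44 - - [11/Apr/2007:09:00:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
ALLOWLIST = {"/sysblog/xmlrpc.php"}  # assumed known-legal paths on this site, never counted
# What the post's scanners asked for (doubled slashes, READMEs, xmlrpc.php, awstats.pl, .php3)
PROBE_RE = re.compile(r'(//|/README$|xmlrpc\.php$|awstats\.pl$|\.php3$)', re.I)
FINGERPRINTS = ("w00tw00t", "nonexistentfile")  # scanner markers: one hit is enough

def parse(line):
    """Split one common-log line into ip, time, path and status (None if malformed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status, _size = m.groups()
    return {"ip": ip, "path": path, "status": int(status),
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}

def is_probe(rec):
    path = rec["path"].split("?", 1)[0]
    if path in ALLOWLIST:
        return False
    if any(f in path for f in FINGERPRINTS):
        return True
    return rec["status"] >= 300 and PROBE_RE.search(path) is not None  # not served

def scan(text, min_probes=3):
    """Source addresses with at least min_probes probe requests (or one fingerprint)."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, text.splitlines())):
        if is_probe(rec):
            hits[rec["ip"]].append(rec["path"])
    return {ip: p for ip, p in hits.items()
            if len(p) >= min_probes or any(f in x for x in p for f in FINGERPRINTS)}

def out_of_order(text):
    """Paths logged with an earlier timestamp than the line before: delayed delivery."""
    recs = [r for r in map(parse, text.splitlines()) if r]
    return [r["path"] for prev, r in zip(recs, recs[1:]) if r["time"] < prev["time"]]
```

Run `scan(open("access.log").read())` against a real log to get the per-address list of probe paths; raise min_probes to cut noise from stray 404s.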