Missing layout
for the blog. It came up with the default this morning. It could easily be repaired, but it shouldn't happen in the first place. There must have been a glitch again in the PHP engine; it happens once in a while. Something to ask at the bootcamp: when will there be a new (more up-to-date) PHP engine?
Web redesign
is progressing slowly. It turned out I have the original pictures of only a few days of the 2003 holiday, and what is available needs to be redone to keep the size as large as possible, near the original. So that won't happen for every day. Pity, but that's life.
For 2004, 2005 and 2006 all pictures are available, and quite likely I won't have to do a lot for these.
Bootcamp ahead
I'm thinking of creating either a blog or a forum for the bootcamp. I tried Phorum, as used by OpenVMS.org, but that would require MySQL 4.3, and the current version on VMS is 4.1 (I still haven't located 5.0…). I have run it on an XAMPP machine and it looks good. There is much less available for it, some plugins and some about the view, but none that I really like. I could try WordPress 2.1 for that…
Stay tuned….
Busy day
as the log shows for April 10th: two kiddies running scripts against the webserver:
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET //README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde2//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde3//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.5//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.6//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.7//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /horde-3.0.8//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /horde-3.0.9//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /email//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /webmail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /newmail//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mails//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:08 +0100] "GET /mailz//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET //chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpchat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chatroom//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /chats//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /forum//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:08 +0100] "GET /phpMyChat//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /phpMyChat-0.14.3//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /phpMyChat-0.14.4//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat1//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat2//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /chat3//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:02:09 +0100] "GET /community//chat/messagesL.php3 HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:25 +0100] "GET /cacti//graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:25 +0100] "GET /stats//graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:04:26 +0100] "GET //graph_image.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlrpc/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //blog/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //drupal/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //community/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogs/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogs/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blog/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //b2/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //b2evo/xmlsrv/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //wordpress/xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:10:00 +0100] "GET //phpgroupware/xmlrpc.php HTTP/1.1" 302 360
A new list needed to be loaded, it seems, because it was quiet for 6 minutes, and then:
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //cgi-bin/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //scgi-bin/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scripts/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi-bin/awstats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //cgi-bin/stats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //scgi-bin/stats/awstats.pl HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:19 +0100] "GET //stats/awstats.pl HTTP/1.1" 302 360
Just a few hours later, number two tried his script:
209.85.66.40 - - [10/Apr/2007:14:38:31 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:33 +0100] "GET /ads/adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /blog/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /drupal/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /community/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:35 +0100] "GET /blogs/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:36 +0100] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:36 +0100] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 868
and what about:
217.199.186.146 - - [10/Apr/2007:18:36:24 +0100] "GET /guppy/ HTTP/1.0" 404 868
59.117.140.22 - - [10/Apr/2007:20:13:40 +0100] "GET http://www.scanproxy.com:80/p-80.html HTTP/1.0" 403 864
213.193.214.44 - - [11/Apr/2007:09:00:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
(The latter shows up more often, from different IP addresses.)
I'll need to enhance the scanning script a bit to remove references now showing up that I know are legitimate.
11-Apr-2007
New content
in the Dutch OpenVMS forum: two of the How-to's have been translated and posted there: the one on shared SCSI and those on WASD installation and configuration.
Now layout in progress
Work on the new layout is slow, but steady. It takes a lot of work to rework the holiday pictures; there are so many to have a look at. Perhaps it's easier (and quicker) to redo the generation…
“Funny” guy…
at least, this person thinks he is. It's a dummy registration in phpBB; guess his email address:
069@phpbbspam.org
(removed, of course)
It would be a good thing if phpBB could validate the e-mail address. A DNS check alone would not have caught this one, though: the domain resolves and even serves a web page, so only a confirmation mail the registrant has to answer tells a real mailbox from a throwaway domain. The domain resolves, and a WHOIS lookup gives:
IP-Address: 58.65.239.50
IP-Location: PK – Pakistan
Response Code: HTTP/1.1 200 OK
Server Type: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/4.4.5 mod_perl/1.29 FrontPage/5.0.2.2510
05-Apr-2007
Sudden activity
was noticed on 04-Apr-2007, between 14:30 and 14:40. Around that time, when observing the system performance this morning, the amount of free memory decreased to zero, causing a larger number of processes to stall for a moment and introducing a big increase in pagefile usage: it used to be about 30% in use and all of a sudden (more or less) it was up to 50%, even more, but gradually decreasing.
So tonight I took a look at the webserver log and indeed: two or three processes accessed the blog more or less concurrently.
It started with rather innocent looking requests:
59.162.117.59 - - [04/Apr/2007:14:34:07 +0100] "GET /sysblog/xmlrpc.php?rsd HTTP/1.1" 200 1045
74.6.73.219 - - [04/Apr/2007:14:34:47 +0100] "GET /family/Holiday2003/12-jul/imagepages/image10.html HTTP/1.0" 200 5030
59.162.117.59 - - [04/Apr/2007:14:34:07 +0100] "GET /sysblog/xmlrpc.php HTTP/1.1" 200 252
59.162.117.59 - - [04/Apr/2007:14:34:07 +0100] "GET /sysblog/index.php?m=200702 HTTP/1.1" 200 16296
Next, accessing the blog, pretty normal:
59.162.117.59 - - [04/Apr/2007:14:35:16 +0100] "GET /sysblog/index.php?page_id=2 HTTP/1.1" 200 9333
59.162.117.59 - - [04/Apr/2007:14:35:16 +0100] "GET /sysblog/index.php?page_id=38 HTTP/1.1" 200 10249
59.162.117.59 - - [04/Apr/2007:14:36:24 +0100] "GET /sysblog/index.php?p=64 HTTP/1.1" 200 9956
59.162.117.59 - - [04/Apr/2007:14:36:27 +0100] "GET /sysblog/index.php?p=60 HTTP/1.1" 200 594
and next: this address ceased access, another (normally behaving) one did two requests, after which the second “bad guy” introduced himself:
59.162.117.59 - - [04/Apr/2007:14:36:24 +0100] "GET /sysblog/index.php?p=61 HTTP/1.1" 200 10451
74.6.75.12 - - [04/Apr/2007:14:37:06 +0100] "GET /robots.txt HTTP/1.0" 200 430
74.6.72.41 - - [04/Apr/2007:14:37:06 +0100] "GET /family/March2005/res/favicon.ico HTTP/1.0" 200 13499
71.0.167.105 - - [04/Apr/2007:14:38:39 +0100] "GET /Family.css HTTP/1.1" 404 887
Pretty normal again, but the system must have been somewhat overloaded, because all of a sudden there is a twist in the timing: one of them issued direct requests using some session ID that, for obvious reasons, failed. But some request seems to have triggered a stall in the PHP engine, because THIS is weird:
71.0.167.105 - - [04/Apr/2007:14:38:39 +0100] "GET /family/Rita/Quilt/quilting.htm HTTP/1.1" 200 1768
71.0.167.105 - - [04/Apr/2007:14:38:39 +0100] "GET /openVMS/HOW_TO/index.htm HTTP/1.1" 200 3100
71.0.167.105 - - [04/Apr/2007:14:37:24 +0100] "GET /sysblog/index.php?p=59 HTTP/1.1" 502 0
71.0.167.105 - - [04/Apr/2007:14:37:25 +0100] "GET /sysblog/index.php?p=55#respond HTTP/1.1" 502 0
Mind the log time! These were issued earlier but were somewhat delayed in delivery: a server that stamps the entry with the request's arrival time but only writes it once the response is complete puts a request that waited on a stalled backend behind younger ones, which fits the 502 status and the zero bytes returned on these two.
After some (obscuring?) normal requests, he starts direct requests to services that are not enabled for such a request. These are the phpBB script names (index.php, search.php, and later profile.php and privmsg.php), all with the same fixed sid parameter, requested under /cgi-bin/query/ where they do not exist:
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /openVMS/HOW_TO/SharedSCSI/Controller.htm HTTP/1.1" 200 5320
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /family/Holiday2005/index.html HTTP/1.1" 200 19191
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /family/March2005/ HTTP/1.1" 200 9365
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /cgi-bin/query/./index.php?sid=56e3771a2ca5e56773c41c6ac261113f HTTP/1.1" 404 767
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /cgi-bin/query/./search.php?sid=56e3771a2ca5e56773c41c6ac261113f HTTP/1.1" 404 7
Some automated requests, by the way, judging by the times.
At 14:40 was his last attempt:
71.0.167.105 - - [04/Apr/2007:14:40:05 +0100] "GET /cgi-bin/query/profile.php?mode=editprofile&sid=56e3771a2ca5e56773c41c6ac261
71.0.167.105 - - [04/Apr/2007:14:40:05 +0100] "GET /cgi-bin/query/privmsg.php?folder=inbox&sid=56e3771a2ca5e56773c41c6ac261113f
204.104.55.243 - - [04/Apr/2007:14:40:28 +0100] "GET /forums/templates/Galaxian/images/icon_mini_members.gif HTTP/1.1" 304 187
In exactly this timeframe, there have been two major increases in used memory and in paging.
I did a lookup on these addresses but neither of them results in a valid reference. This may mean someone used an anonymizer.
I’ll need to investigate further.
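As an added example (not the blog's own scanning script, which the page does not show), here is a small log checker that covers both the 10-Apr probe runs above and the out-of-order entries in this 04-Apr extract. It parses common-log-format lines, flags a client that either hits one of the entry points the scanners walked (README, xmlrpc.php, awstats.pl, graph_image.php, messagesL.php3, the w00tw00t banner, or an absolute URL as in the proxy test) or that requests at least five distinct paths inside ten minutes without a single 2xx answer, and it lists entries whose timestamp runs behind an entry already logged. The function names, the thresholds, the probe list and the "legitimate" list (robots.txt, favicon.ico) are my choices, not anything from the blog; the sample lines are copied from the extracts quoted in this post, with the truncated ones left out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One common-log-format line: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Entry points the scanners above walked; the proxy test (absolute URL) and the
# w00tw00t banner are in the list too. Extend from your own logs (my choice of list).
PROBE_RE = re.compile(
    r"README$|xmlrpc\.php$|awstats\.pl$|graph_image\.php$|messagesL\.php3$"
    r"|w00tw00t|^https?://"
)
# Paths any well-behaved client fetches; never counted (the "legitimate" references).
LEGIT_RE = re.compile(r"^/robots\.txt$|favicon\.ico$")


def parse_line(line):
    """Return a dict for one log line, or None when it does not parse
    (truncated lines in a log extract are simply skipped)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probe_bursts(lines, window=timedelta(minutes=10), min_paths=5):
    """Report clients that hit a known probe path, or that asked for at least
    min_paths distinct paths inside `window` without one 2xx answer."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and not LEGIT_RE.search(rec["path"]):
            by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        probe_hits = sum(1 for r in recs if PROBE_RE.search(r["path"]))
        burst, start = False, 0
        for end in range(len(recs)):          # sliding window over the sorted hits
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if (len({r["path"] for r in chunk}) >= min_paths
                    and not any(200 <= r["status"] < 300 for r in chunk)):
                burst = True
                break
        if probe_hits or burst:
            report[ip] = {"requests": len(recs), "probe_hits": probe_hits,
                          "burst": burst, "first": recs[0]["ts"], "last": recs[-1]["ts"]}
    return report


def find_out_of_order(lines):
    """(line number, seconds behind the newest earlier entry) for each entry whose
    timestamp precedes one already logged: a request served late, as on 04-Apr."""
    late, newest = [], None
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if newest is not None and rec["ts"] < newest:
            late.append((n, int((newest - rec["ts"]).total_seconds())))
        newest = rec["ts"] if newest is None else max(newest, rec["ts"])
    return late


# Sample input: lines copied from the log extracts quoted in this post.
SCAN_LOG = """
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET //README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde2//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde3//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:09:54:07 +0100] "GET /horde-3.0.5//README HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:09:59 +0100] "GET //xmlrpc.php HTTP/1.1" 302 360
217.115.141.165 - - [10/Apr/2007:10:16:18 +0100] "GET //cgi-bin/awstats.pl HTTP/1.1" 302 360
209.85.66.40 - - [10/Apr/2007:14:38:31 +0100] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:32 +0100] "GET /adxmlrpc.php HTTP/1.0" 404 868
209.85.66.40 - - [10/Apr/2007:14:38:34 +0100] "GET /xmlrpc.php HTTP/1.0" 404 868
217.199.186.146 - - [10/Apr/2007:18:36:24 +0100] "GET /guppy/ HTTP/1.0" 404 868
59.117.140.22 - - [10/Apr/2007:20:13:40 +0100] "GET http://www.scanproxy.com:80/p-80.html HTTP/1.0" 403 864
213.193.214.44 - - [11/Apr/2007:09:00:49 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 893
""".strip().splitlines()

APR04_LOG = """
74.6.75.12 - - [04/Apr/2007:14:37:06 +0100] "GET /robots.txt HTTP/1.0" 200 430
71.0.167.105 - - [04/Apr/2007:14:38:39 +0100] "GET /family/Rita/Quilt/quilting.htm HTTP/1.1" 200 1768
71.0.167.105 - - [04/Apr/2007:14:38:39 +0100] "GET /openVMS/HOW_TO/index.htm HTTP/1.1" 200 3100
71.0.167.105 - - [04/Apr/2007:14:37:24 +0100] "GET /sysblog/index.php?p=59 HTTP/1.1" 502 0
71.0.167.105 - - [04/Apr/2007:14:37:25 +0100] "GET /sysblog/index.php?p=55#respond HTTP/1.1" 502 0
71.0.167.105 - - [04/Apr/2007:14:39:36 +0100] "GET /cgi-bin/query/./index.php?sid=56e3771a2ca5e56773c41c6ac261113f HTTP/1.1" 404 767
""".strip().splitlines()

if __name__ == "__main__":
    for ip, info in find_probe_bursts(SCAN_LOG).items():
        print(ip, info)
    print(find_out_of_order(APR04_LOG))
```

Run against the 10-Apr lines it reports the README walker (seven probe hits and a burst), the adxmlrpc/xmlrpc walker, the proxy tester and the w00tw00t sender, and leaves the single /guppy/ request alone; run against the 04-Apr lines it reports nothing as a probe burst (the 200s in between keep that visitor under the threshold) but does list the two 502 entries as logged 75 and 74 seconds behind the request before them. The guppy request shows the limit of the rule: a single 404 is not evidence of anything, so a real scanning script should keep its allowlist and thresholds tuned to its own site.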