INFO-VAX    Thu, 19 Jul 2007    Volume 2007 : Issue 391

Contents:
    %NONAME-W-NOMSG
    Re: %NONAME-W-NOMSG
    Re: Debugging shareable images weirdness
    Re: Disk repair (soft / logical)
    Re: Disk repair (soft / logical)
    Re: Disk repair (soft / logical)
    DS10 Deal for the rest of January
    Re: DS10 Deal for the rest of January
    Re: DS10 Deal for the rest of January
    Re: DS10 Deal for the rest of January
    Re: PC EDT keypad (was EDT Replacement)
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: What's up with Google - Groups today?
    Re: XML for VMS

----------------------------------------------------------------------

Date: Wed, 18 Jul 2007 15:56:00 -0700
From: lalo
Subject: %NONAME-W-NOMSG
Message-ID: <1184799360.803523.99850@z24g2000prh.googlegroups.com>

Hello friends,

Today I executed one program with the SUBMIT command and I found this message on a batch queue. In the log file, I haven't found any error, so what does this message mean?

Job CARGA_TBACK_JDA_CT (queue SYS$BATCH, entry 58) terminated with error status

%NONAME-W-NOMSG, Message number 00000000

On Google, I found no article related to this topic, so I want to know your opinions about this. The server is running OpenVMS version v.7.3-2.

Thanks a lot,
Eduardo Chumbes

------------------------------

Date: Wed, 18 Jul 2007 18:17:16 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: %NONAME-W-NOMSG
Message-ID: <07071818171627_202003EE@antinode.org>

From: lalo

> Hello friends, Today I executed one program with the SUBMIT command and I found
> this message on a batch queue. In the log file, I haven't
> found any error, so what does this message mean?
>
> Job CARGA_TBACK_JDA_CT (queue SYS$BATCH, entry 58) terminated with
> error status
>
> %NONAME-W-NOMSG, Message number 00000000

   _Which_ "one program"?

   Knowing nothing, I'd guess that you have some UNIX-oriented program which actually gets an exit status value of zero (UNIX success) past the C RTL, which normally converts zero to SS$_NORMAL (= 1 = VMS success).

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Wed, 18 Jul 2007 13:53:04 -0400
From: gzhlon
Subject: Re: Debugging shareable images weirdness
Message-ID:

Hi yet again.

Sorry, I was using Google Groups to post to and monitor this thread and it's causing me no end of grief. If the postings I recently made thru Google eventually pop up here please ignore them.

So to reiterate:

Jeff - yes the break is reached.

What I have also found since the original post is that spurious SYSTEM-F-BREAK_ARCH exceptions can also occur. Not always, but if I STEP (in the dark) enough times occasionally a SYSTEM-F-BREAK_ARCH occurs.
Here's such a session log:

$ r main

         OpenVMS I64 Debug64 Version V8.3-009

%DEBUG-I-INITIAL, Language: C, Module: MAIN
%DEBUG-I-NOTATMAIN, Type GO to reach MAIN program

DBG> go
break at routine MAIN\main
  1604:   routineInShareableImage("Hello World");
DBG> set ima shareable_image
DBG> set modu shareable_image
DBG> set b routineInShareableImage
DBG> g
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
break at routine SHAREABLE_IMAGE\routineInShareableImage
  1602:   printf("in routineInShareableImage\n");
DBG> s
%SYSTEM-F-BREAK_ARCH, unknown architected break instruction fault, break code=00
000000000005C0, PC=0000000000042030, PS=0000001B
break on unhandled exception preceding SHAREABLE_IMAGE\routineInShareableImage\%
LINE 1602+31
  1602:   printf("in routineInShareableImage\n");
DBG> s
%DEBUG-I-CONFROMEXC, WARNING: continuing after severe
error; integrity not guaranteed in routineInShareableImage
stepped to SHAREABLE_IMAGE\routineInShareableImage\%LINE 1603
  1603:   printf(string);
DBG>

This also shows the STEPping in the dark effect.

Note this session is just using a simple test code I wrote to reproduce the problem as reported by a developer. Here're the sources and build procedure:

//MAIN.C
extern void routineInShareableImage(char* string);
main()
{
    routineInShareableImage("Hello World");
}

//SHAREABLE_IMAGE.C
#include <stdio.h>
void routineInShareableImage(char* string)
{
    printf("in routineInShareableImage\n");
    printf(string);
    printf("\n");
    printf("returning from routineInShareableImage\n");
}

$ CC/DEBUG/NOOPT/MACH/LIS MAIN
$ CC/DEBUG/NOOPT/MACH/LIS SHAREABLE_IMAGE
$ LINK/DEBUG/SHAREABLE/MAP/FULL SHAREABLE_IMAGE, SYS$INPUT/OPT
GSMATCH=LEQUAL,1,1
SYMBOL_VECTOR=(routineInShareableImage=PROCEDURE)
$ LINK/DEBUG/MAP/FULL MAIN, SYS$INPUT/OPT
SHAREABLE_IMAGE/SHAREABLE

After this I install SHAREABLE_IMAGE.EXE with /SHARE and define an appropriate process logical name for SHAREABLE_IMAGE. And bang.

I don't think it's a language issue as the developer is using BASIC and BLISS and my test code is in C.

I have already logged this with HP support and believe it is already with engineering. Please send a private message if you want the details.

Regards
-Neil

--
gzhlon
------------------------------------------------------------------------
gzhlon's Profile: http://techiegroups.com/member.php?userid=6232
View this thread: http://www.techiegroups.com/showthread.php?t=135504

------------------------------

Date: Wed, 18 Jul 2007 19:05:45 -0400
From: JF Mezei
Subject: Re: Disk repair (soft / logical)
Message-ID: <77444$469e9d12$cef8887a$7698@TEKSAVVY.COM>

Syltrem wrote:
> But still, I cannot do it as all hell will break loose in my applications.
> I'd rather do a shutdown.

Would it be possible to do a SET FILE/ENTER based on the file-id of the "lost" files ?
Then you would have a bona-fide pointer to a file and could then use "install delete" to remove that installed image, and then do a proper delete on the file.

If you had caught this early enough, you might have been able to use an undelete utility (included in DFU) to restore the deleted directory file at which point, you'd have fixed the problem.

You can still try it. The old directory file might still be recoverable.

Another option you might have is to recreate a new directory of the same name, and create a new version of the executable, and then use INSTALL REPLACE, and this could free up the ghost installed image.

------------------------------

Date: Thu, 19 Jul 2007 00:11:59 GMT
From: John Santos
Subject: Re: Disk repair (soft / logical)
Message-ID:

JF Mezei wrote:
> Syltrem wrote:
>
>> But still, I cannot do it as all hell will break loose in my
>> applications. I'd rather do a shutdown.
>
>
>
> Would it be possible to do a SET FILE/ENTER based on the file-id of the
> "lost" files ? Then you would have a bona-fide pointer to a file and
> could then use "install delete" to remove that installed image, and then
> do a proper delete on the file.
>
> If you had caught this early enough, you might have been able to use an
> undelete utility (included in DFU) to restore the deleted directory file
> at which point, you'd have fixed the problem.
>
> You can still try it. The old directory file might still be recoverable.
>
> Another option you might have is to recreate a new directory of the same
> name, and create a new version of the executable, and then use INSTALL
> REPLACE, and this could free up the ghost installed image.

Was the directory deleted, or the contents of the directory deleted, or both?

If the directory was deleted (shouldn't be possible without first set file/remove or deleting all the files in it), then ana/disk/repair should put the files in [syslost].
Do you have sufficient privileges to do this (you would need at least write access to [000000] on the disk, or BYPASS, IIRC.)

If the files are deleted, then because they are marked for delete, I think ANA/DISK/REP will ignore them, and wait for them to go away when they are closed (when the "open count" goes to zero, which for installed images won't happen until they are removed and no process has them mapped.) If the system crashes or the disk is improperly dismounted in the interim (for example, it goes offline and then into mount verify timeout), I think you'll have to wait for a reboot, and then ana/disk/repair to make them go away, but in this case, they'll just be taking up space; after the reboot, the system won't know about them as installed images any more.

Have you checked if DFU's undelete function will bring them back? Since they are installed, the blocks they are using on the disk and their headers are safe from re-use, they just have a delete-pending bit set in memory somewhere and in their headers, and they are no longer entered in any directory. If DFU can clean up the delete-pending bits, ana/disk/repair should put them in [syslost], and then you can create (or recreate) the directory and rename them from [syslost] to [desired_directory], thus restoring the system state.

Are they read-only shareable images (typical of executables or runtime libraries), in which case retrieving them from your backups would be fine, and you could let things continue to run indefinitely with existing processes using the deleted copies and any new processes using the restored copies. Or are they read/write (shared data sections), in which case you probably want the data back?

If worst came to worst, you could track down the headers, dump out the retrieval pointers, and then DUMP/BLOCK=(start=x,count=y) DISK: to get back the contents (depending on how dynamic the data is.) Then a SMOP on the dump file to convert back to binary and Bob's your uncle.
Then think about your backup procedures and user privileges and protection codes on files and directories to prevent this from happening again and to make it easier to recover!

--
John Santos
Evans Griffiths & Hart, Inc.
781-861-0670 ext 539

------------------------------

Date: Wed, 18 Jul 2007 22:00:14 +0000 (UTC)
From: moroney@world.std.spaamtrap.com (Michael Moroney)
Subject: Re: Disk repair (soft / logical)
Message-ID:

"Syltrem" writes:

>"JF Mezei" wrote in message
>news:24b16$469e4c87$cef8887a$24343@TEKSAVVY.COM...
>> ANA/DISK/REPAIR will restore those files to the [SYSLOST] directory. But
>> while it runs, IO on that disk grinds to a halt.
>>
>It's not in [SYSLOST] as it was purposely deleted
>And yes, I have to do this on Sundays only... or if I can't sleep at 3:00 AM
>Someone else ?

If the files were deleted, I suspect they will be treated the same way as any other file that was held open while deleted. It lives on the disk but not in any directory, with a "delete pending" flag. When the (last) application to hold the file open actually closes it, it will be deleted. If the system crashes the file will still be there, and $ ANALYZE/DISK will flag it, and will delete it if /REPAIR is specified.

What I'll guess is the file exists with delete pending set, and will exist until INSTALL PURGE is executed, or the system is shut down cleanly (which does an INSTALL PURGE).

I suggest:
1) Don't worry about it.
2) Reboot the system if 1) doesn't work for you.
3) If the system crashes without shutting down cleanly, do an $ANALYZE/DISK/REPAIR to get rid of it after the system reboots.

------------------------------

Date: Wed, 18 Jul 2007 15:28:20 -0400
From: "David Turner, Island Computers"
Subject: DS10 Deal for the rest of January
Message-ID: <139sqe5314kp908@news.supernews.com>

In stock

In excess of 70 systems

Configuration special

Alphaserver DS10 466Mhz
1GB Memory, Dual 10/100 Ethernet
Front Access Disk Cage with Low Profile CDROM
Dual 36GB 10KRPM Hot Plug Disk
U160 Dual Channel SCSI Controller
4 PCI slots (one taken by U160 Ctr)
Works with all power variants worldwide

Only $2075

1 Yr Warranty on everything !

--

David B Turner
Island Computers US Corp
2700 Gregory St, Suite 180
Savannah GA 31404

T: 877-6364332 x201
Intl: 001 912 447 6622

E: dturner@islandco.com
F: 912 201 0402
W: http://www.islandco.com

------------------------------

Date: Wed, 18 Jul 2007 15:43:49 -0400
From: "David Turner, Island Computers"
Subject: Re: DS10 Deal for the rest of January
Message-ID:

Yes I know - I just put Jan instead of July to attract your attention

This is a good deal

Call around to other dealers !

dt

"David Turner, Island Computers" wrote in message
news:139sqe5314kp908@news.supernews.com...
> In stock
>
> In excess of 70 systems
>
> Configuration special
>
> Alphaserver DS10 466Mhz
> 1GB Memory, Dual 10/100 Ethernet
> Front Access Disk Cage with Low Profile CDROM
> Dual 36GB 10KRPM Hot Plug Disk
> U160 Dual Channel SCSI Controller
> 4 PCI slots (one taken by U160 Ctr)
> Works with all power variants worldwide
>
> Only $2075
>
> 1 Yr Warranty on everything !
>
> --
>
> David B Turner
> Island Computers US Corp
> 2700 Gregory St, Suite 180
> Savannah GA 31404
>
> T: 877-6364332 x201
> Intl: 001 912 447 6622
>
> E: dturner@islandco.com
> F: 912 201 0402
> W: http://www.islandco.com
>
>

------------------------------

Date: Wed, 18 Jul 2007 17:41:09 -0400
From: "Richard B. Gilbert"
Subject: Re: DS10 Deal for the rest of January
Message-ID: <469E88F5.1000403@comcast.net>

David Turner, Island Computers wrote:
> In stock
>
> In excess of 70 systems
>
> Configuration special
>
> Alphaserver DS10 466Mhz
> 1GB Memory, Dual 10/100 Ethernet
> Front Access Disk Cage with Low Profile CDROM
> Dual 36GB 10KRPM Hot Plug Disk
> U160 Dual Channel SCSI Controller
> 4 PCI slots (one taken by U160 Ctr)
> Works with all power variants worldwide
>
> Only $2075
>
> 1 Yr Warranty on everything !
>

January??????

You don't mention licenses. Those boxes are boat anchors without the licenses!

------------------------------

Date: Wed, 18 Jul 2007 16:54:04 -0500
From: Ron Johnson
Subject: Re: DS10 Deal for the rest of January
Message-ID: <0_vni.16602$EZ1.12169@newsfe18.lga>

On 07/18/07 16:41, Richard B. Gilbert wrote:
> David Turner, Island Computers wrote:
>> In stock
>>
>> In excess of 70 systems
>>
[snip]
>>
>
> January??????
>
> You don't mention licenses. Those boxes are boat anchors without the
> licenses!

Win 2000 beta !!!

--
Ron Johnson, Jr.
Jefferson LA USA

Give a man a fish, and he eats for a day.
Hit him with a fish, and he goes away for good!

------------------------------

Date: Wed, 18 Jul 2007 13:18:04 -0700
From: Doug Phillips
Subject: Re: PC EDT keypad (was EDT Replacement)
Message-ID: <1184789884.392748.270260@i13g2000prf.googlegroups.com>

On Jul 17, 11:13 am, "C.W.Holeman II" wrote:
> Bob Koehler wrote:
> > emacs has had EDT keybindings for a long, long time. But not all
> > keyboards have those keys.
>
> The keyboard keypad that I am using has a double height "+" key. Are
> there keyboards that work on a PC that have the EDT keypad?
>

Aside from getting an LK keyboard, you might be able to map the keys. I use Reflection (which maps the keys properly except for the [+] issue) and have changed the PC [+] to map to the LK [,] and PC Shift/[+] to map to the LK [-]. That's because I seem to do a lot more delete characters than delete words.
As a data entry user, I'd probably want the large [+] mapped to [-].

The design of the PC's 10-key was apparently done by people who didn't do data entry and use 10-key pads. Having a large and handy [+] when normally [ENTER] means "plus", and then locating the small [-] key inconveniently above it when [-] is used so often (not even to mention the PF4 issue) was not properly thought out. I suppose if you think "calculator" then it might make some sense, but for data entry it does not.

------------------------------

Date: Wed, 18 Jul 2007 13:07:23 -0600
From: Jeff Campbell
Subject: Re: these sshmucks are at it again...
Message-ID: <1184785605_1913@sp12lax.superfeed.net>

VAXman- @SendSpamHere.ORG wrote:
> More ssh attacks. They are mostly a nuisance. However, logs full of
> OPCOM messages like this
>
> %%%%%%%%%%%  OPCOM  18-JUL-2007 08:05:42.85  %%%%%%%%%%%
> Message from user AUDIT$SERVER on ******
> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
> Auditable event:          Network login
> Event time:               18-JUL-2007 08:05:42.85
> PID:                      20200D5E
> Process name:             TCPIP$SS_BG3304
> Username:                 TCPIP$SSH
> Process owner:            [TCPIP$AUX,TCPIP$SSH]
> Image name:               DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
> Remote node id:           11223344 (aa.bbb)
> Remote node fullname:     aa.bb.cc.dd
> Remote username:          TCPIP$SSH
> Posix UID:                -2
> Posix GID:                -2 (%XFFFFFFFE)
>
> %%%%%%%%%%%  OPCOM  18-JUL-2007 08:05:48.42  %%%%%%%%%%%
> Message from user AUDIT$SERVER on ******
> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
> Auditable event:          Network login failure
> Event time:               18-JUL-2007 08:05:48.42
> PID:                      20200D5E
> Process name:             TCPIP$SS_BG3304
> Username:                 TCPIP$SSH
> Remote node fullname:     SSH_PASSWORD:some.hackers.net
> Remote username:          SSH_11223344
> Status:                   %LOGIN-F-NOTVALID, user authorization failure
>
> would be much more useful if ONE of the above two logged messages would
> include the username the hacker is trying to use for access. I do not
> see it (the username under attack) in any of the SSH log files either.
>
> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
> the username under attack, I'd appreciate it. HP, if you are listening,
> this would be a nice feature if it doesn't already exist (I didn't see a
> way get it when I perused the ssh doc).
>
>

VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.

ANAL/AUDI will show you the attempted user names. On my system I see:

Date / Time               Type     Subtype   Node    Username
------------------------------------------------------------------------
12-JUL-2007 01:07:58.33   LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:07:58.86   LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:07:59.43   LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:08:00.01   LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:08:00.72   LOGFAIL  NETWORK   AS600   admin
12-JUL-2007 01:08:01.43   BREAKIN  NETWORK   AS600   admin
12-JUL-2007 01:08:02.26   BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:02.91   BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:03.56   BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:04.17   BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:04.89   BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:05.72   BREAKIN  NETWORK   AS600   guest
12-JUL-2007 01:08:06.57   BREAKIN  NETWORK   AS600   Administrato
12-JUL-2007 01:08:07.43   BREAKIN  NETWORK   AS600   Administrato
12-JUL-2007 01:08:08.14   BREAKIN  NETWORK   AS600   Administrato
12-JUL-2007 01:08:08.65   BREAKIN  NETWORK   AS600   Administrato
12-JUL-2007 01:08:09.26   BREAKIN  NETWORK   AS600   Administrato
12-JUL-2007 01:08:09.88   BREAKIN  NETWORK   AS600   Administrato

HTH,

Jeff

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

------------------------------

Date: Wed, 18 Jul 2007 14:22:31 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: these sshmucks are at it again...
Message-ID: <07071814223108_202003EE@antinode.org>

From: Jeff Campbell

> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>
> ANAL/AUDI will show you the attempted user names. On my system I see:
>
> Date / Time               Type     Subtype   Node    Username
> ------------------------------------------------------------------------
> 12-JUL-2007 01:07:58.33   LOGFAIL  NETWORK   AS600   admin
> 12-JUL-2007 01:07:58.86   LOGFAIL  NETWORK   AS600   admin
> [...]

   Unless it doesn't:

Date / Time               Type     Subtype   Node    Username      ID        Term
-----------------------------------------------------------------------------------------
[...]
17-JUL-2007 18:33:25.68   BREAKIN  NETWORK   ALP     TCPIP$SSH     20239AB1
17-JUL-2007 18:33:33.01   BREAKIN  NETWORK   ALP     TCPIP$SSH     202398B3
[...]

ALP $ tcpip show version

  HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
  on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul  MN  55105-2547

------------------------------

Date: Wed, 18 Jul 2007 20:17:20 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: these sshmucks are at it again...
Message-ID:

In article <1184789244_1937@sp12lax.superfeed.net>, Jeff Campbell writes:
>
>
>Steven M. Schweda wrote:
>> From: Jeff Campbell
>>
>>> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>>
>>> ANAL/AUDI will show you the attempted user names. On my system I see:
>>>
>>> Date / Time               Type     Subtype   Node    Username
>>> ------------------------------------------------------------------------
>>> 12-JUL-2007 01:07:58.33   LOGFAIL  NETWORK   AS600   admin
>>> 12-JUL-2007 01:07:58.86   LOGFAIL  NETWORK   AS600   admin
>>> [...]
>>
>> Unless it doesn't:
>>
>> Date / Time               Type     Subtype   Node    Username      ID        Term
>> -----------------------------------------------------------------------------------------
>> [...]
>> 17-JUL-2007 18:33:25.68   BREAKIN  NETWORK   ALP     TCPIP$SSH     20239AB1
>> 17-JUL-2007 18:33:33.01   BREAKIN  NETWORK   ALP     TCPIP$SSH     202398B3
>> [...]
>>
>> ALP $ tcpip show version
>>
>> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
>>
>> ------------------------------------------------------------------------
>>
>> Steven M. Schweda               sms@antinode-org
>> 382 South Warwick Street        (+1) 651-699-9818
>> Saint Paul  MN  55105-2547
>
>My TCPIP doesn't have ssh as 5.3 is too old.
>The output I posted is from ftp attempts.
>
>I assumed TCPIP would have a common reporting format.
>If it doesn't it should!
>
>Live and learn.

The problem is that a remote ssh connects to the local ssh server port. The connection is created under the TCPIP$SSH username and not the username of the account the remote ssh is trying to access.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker   VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"

http://tmesis.com/sig.jpg

------------------------------

Date: Wed, 18 Jul 2007 14:08:02 -0600
From: Jeff Campbell
Subject: Re: these sshmucks are at it again...
Message-ID: <1184789244_1937@sp12lax.superfeed.net>

Steven M. Schweda wrote:
> From: Jeff Campbell
>
>> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>
>> ANAL/AUDI will show you the attempted user names. On my system I see:
>>
>> Date / Time               Type     Subtype   Node    Username
>> ------------------------------------------------------------------------
>> 12-JUL-2007 01:07:58.33   LOGFAIL  NETWORK   AS600   admin
>> 12-JUL-2007 01:07:58.86   LOGFAIL  NETWORK   AS600   admin
>> [...]
>
> Unless it doesn't:
>
> Date / Time               Type     Subtype   Node    Username      ID        Term
> -----------------------------------------------------------------------------------------
> [...]
> 17-JUL-2007 18:33:25.68   BREAKIN  NETWORK   ALP     TCPIP$SSH     20239AB1
> 17-JUL-2007 18:33:33.01   BREAKIN  NETWORK   ALP     TCPIP$SSH     202398B3
> [...]
>
> ALP $ tcpip show version
>
> HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
> on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
>
> ------------------------------------------------------------------------
>
> Steven M. Schweda               sms@antinode-org
> 382 South Warwick Street        (+1) 651-699-9818
> Saint Paul  MN  55105-2547

My TCPIP doesn't have ssh as 5.3 is too old.
The output I posted is from ftp attempts.

I assumed TCPIP would have a common reporting format.
If it doesn't it should!

Live and learn.

Jeff

------------------------------

Date: Wed, 18 Jul 2007 14:05:42 -0600
From: Jeff Campbell
Subject: Re: these sshmucks are at it again...
Message-ID: <1184789104_1935@sp12lax.superfeed.net>

VAXman- @SendSpamHere.ORG wrote:
> In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell writes:
>>
>> VAXman- @SendSpamHere.ORG wrote:
>>> More ssh attacks. They are mostly a nuisance. However, logs full of
>>> OPCOM messages like this
>>>
>>> %%%%%%%%%%%  OPCOM  18-JUL-2007 08:05:42.85  %%%%%%%%%%%
>>> Message from user AUDIT$SERVER on ******
>>> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>> Auditable event:          Network login
>>> Event time:               18-JUL-2007 08:05:42.85
>>> PID:                      20200D5E
>>> Process name:             TCPIP$SS_BG3304
>>> Username:                 TCPIP$SSH
>>> Process owner:            [TCPIP$AUX,TCPIP$SSH]
>>> Image name:               DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
>>> Remote node id:           11223344 (aa.bbb)
>>> Remote node fullname:     aa.bb.cc.dd
>>> Remote username:          TCPIP$SSH
>>> Posix UID:                -2
>>> Posix GID:                -2 (%XFFFFFFFE)
>>>
>>> %%%%%%%%%%%  OPCOM  18-JUL-2007 08:05:48.42  %%%%%%%%%%%
>>> Message from user AUDIT$SERVER on ******
>>> Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>> Auditable event:          Network login failure
>>> Event time:               18-JUL-2007 08:05:48.42
>>> PID:                      20200D5E
>>> Process name:             TCPIP$SS_BG3304
>>> Username:                 TCPIP$SSH
>>> Remote node fullname:     SSH_PASSWORD:some.hackers.net
>>> Remote username:          SSH_11223344
>>> Status:                   %LOGIN-F-NOTVALID, user authorization failure
>>>
>>> would be much more useful if ONE of the above two logged messages would
>>> include the username the hacker is trying to use for access. I do not
>>> see it (the username under attack) in any of the SSH log files either.
>>>
>>> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>>> the username under attack, I'd appreciate it. HP, if you are listening,
>>> this would be a nice feature if it doesn't already exist (I didn't see a
>>> way get it when I perused the ssh doc).
>>>
>>>
>> VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>
>> ANAL/AUDI will show you the attempted user names. On my system I see:
>>
>> Date / Time               Type     Subtype   Node    Username
>> ------------------------------------------------------------------------
>> 12-JUL-2007 01:07:58.33   LOGFAIL  NETWORK   AS600   admin
>> 12-JUL-2007 01:07:58.86   LOGFAIL  NETWORK   AS600   admin
>> 12-JUL-2007 01:07:59.43   LOGFAIL  NETWORK   AS600   admin
>> 12-JUL-2007 01:08:00.01   LOGFAIL  NETWORK   AS600   admin
>> 12-JUL-2007 01:08:00.72   LOGFAIL  NETWORK   AS600   admin
>> 12-JUL-2007 01:08:01.43   BREAKIN  NETWORK   AS600   admin
>> 12-JUL-2007 01:08:02.26   BREAKIN  NETWORK   AS600   guest
>> 12-JUL-2007 01:08:02.91   BREAKIN  NETWORK   AS600   guest
>> 12-JUL-2007 01:08:03.56   BREAKIN  NETWORK   AS600   guest
>> 12-JUL-2007 01:08:04.17   BREAKIN  NETWORK   AS600   guest
>> 12-JUL-2007 01:08:04.89   BREAKIN  NETWORK   AS600   guest
>> 12-JUL-2007 01:08:05.72   BREAKIN  NETWORK   AS600   guest
>> 12-JUL-2007 01:08:06.57   BREAKIN  NETWORK   AS600   Administrato
>> 12-JUL-2007 01:08:07.43   BREAKIN  NETWORK   AS600   Administrato
>> 12-JUL-2007 01:08:08.14   BREAKIN  NETWORK   AS600   Administrato
>> 12-JUL-2007 01:08:08.65   BREAKIN  NETWORK   AS600   Administrato
>> 12-JUL-2007 01:08:09.26   BREAKIN  NETWORK   AS600   Administrato
>> 12-JUL-2007 01:08:09.88   BREAKIN  NETWORK   AS600   Administrato
>
> From ssh? I don't think so... Here is what I see for both LOGFAIL and
> BREAKIN event types in my AUDIT logs:
>
> Date / Time               Type     Subtype   Node    Username      ID        Term
> 18-JUL-2007 07:55:26.57   BREAKIN  NETWORK   ******  TCPIP$SSH     20200D4F
>
> 18-JUL-2007 07:54:56.92   LOGFAIL  NETWORK   ******  TCPIP$SSH     20200D4A
>
>
>
> Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>

My TCPIP doesn't have ssh as 5.3 is too old.
The output I posted is from ftp attempts.

Live and learn.

Jeff

------------------------------

Date: Wed, 18 Jul 2007 17:43:47 -0400
From: "Richard B. Gilbert"
Subject: Re: these sshmucks are at it again...
Message-ID: <469E8993.1070101@comcast.net>

VAXman- wrote:
> In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell writes:
>
>>
>>VAXman- @SendSpamHere.ORG wrote:
>>
>>>More ssh attacks. They are mostly a nuisance. However, logs full of
>>>OPCOM messages like this
>>>
>>>%%%%%%%%%%%  OPCOM  18-JUL-2007 08:05:42.85  %%%%%%%%%%%
>>>Message from user AUDIT$SERVER on ******
>>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>>Auditable event:          Network login
>>>Event time:               18-JUL-2007 08:05:42.85
>>>PID:                      20200D5E
>>>Process name:             TCPIP$SS_BG3304
>>>Username:                 TCPIP$SSH
>>>Process owner:            [TCPIP$AUX,TCPIP$SSH]
>>>Image name:               DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
>>>Remote node id:           11223344 (aa.bbb)
>>>Remote node fullname:     aa.bb.cc.dd
>>>Remote username:          TCPIP$SSH
>>>Posix UID:                -2
>>>Posix GID:                -2 (%XFFFFFFFE)
>>>
>>>%%%%%%%%%%%  OPCOM  18-JUL-2007 08:05:48.42  %%%%%%%%%%%
>>>Message from user AUDIT$SERVER on ******
>>>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>>>Auditable event:          Network login failure
>>>Event time:               18-JUL-2007 08:05:48.42
>>>PID:                      20200D5E
>>>Process name:             TCPIP$SS_BG3304
>>>Username:                 TCPIP$SSH
>>>Remote node fullname:     SSH_PASSWORD:some.hackers.net
>>>Remote username:          SSH_11223344
>>>Status:                   %LOGIN-F-NOTVALID, user authorization failure
>>>
>>>would be much more useful if ONE of the above two logged messages would
>>>include the username the hacker is trying to use for access. I do not
>>>see it (the username under attack) in any of the SSH log files either.
>>>
>>>This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>>>the username under attack, I'd appreciate it. HP, if you are listening,
>>>this would be a nice feature if it doesn't already exist (I didn't see a
>>>way get it when I perused the ssh doc).
>>>
>>>
>>
>>VMS 7.3-1 Alpha TCPIP 5.3 ECO 4.
>>
>>ANAL/AUDI will show you the attempted user names. On my system I see:
>>
>> Date / Time               Type     Subtype   Node    Username
>> ------------------------------------------------------------------------
>>12-JUL-2007 01:07:58.33   LOGFAIL  NETWORK   AS600   admin
>>12-JUL-2007 01:07:58.86   LOGFAIL  NETWORK   AS600   admin
>>12-JUL-2007 01:07:59.43   LOGFAIL  NETWORK   AS600   admin
>>12-JUL-2007 01:08:00.01   LOGFAIL  NETWORK   AS600   admin
>>12-JUL-2007 01:08:00.72   LOGFAIL  NETWORK   AS600   admin
>>12-JUL-2007 01:08:01.43   BREAKIN  NETWORK   AS600   admin
>>12-JUL-2007 01:08:02.26   BREAKIN  NETWORK   AS600   guest
>>12-JUL-2007 01:08:02.91   BREAKIN  NETWORK   AS600   guest
>>12-JUL-2007 01:08:03.56   BREAKIN  NETWORK   AS600   guest
>>12-JUL-2007 01:08:04.17   BREAKIN  NETWORK   AS600   guest
>>12-JUL-2007 01:08:04.89   BREAKIN  NETWORK   AS600   guest
>>12-JUL-2007 01:08:05.72   BREAKIN  NETWORK   AS600   guest
>>12-JUL-2007 01:08:06.57   BREAKIN  NETWORK   AS600   Administrato
>>12-JUL-2007 01:08:07.43   BREAKIN  NETWORK   AS600   Administrato
>>12-JUL-2007 01:08:08.14   BREAKIN  NETWORK   AS600   Administrato
>>12-JUL-2007 01:08:08.65   BREAKIN  NETWORK   AS600   Administrato
>>12-JUL-2007 01:08:09.26   BREAKIN  NETWORK   AS600   Administrato
>>12-JUL-2007 01:08:09.88   BREAKIN  NETWORK   AS600   Administrato
>
>
> From ssh? I don't think so... Here is what I see for both LOGFAIL and
> BREAKIN event types in my AUDIT logs:
>
> Date / Time               Type     Subtype   Node    Username      ID        Term
> 18-JUL-2007 07:55:26.57   BREAKIN  NETWORK   ******  TCPIP$SSH     20200D4F
>
> 18-JUL-2007 07:54:56.92   LOGFAIL  NETWORK   ******  TCPIP$SSH     20200D4A
>
>
>
> Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
>

Don't you have a router and/or firewall that you can configure to block access from the source IP or network?

------------------------------

Date: Wed, 18 Jul 2007 22:38:57 +0000 (UTC)
From: moroney@world.std.spaamtrap.com (Michael Moroney)
Subject: Re: these sshmucks are at it again...
Message-ID:

VAXman- @SendSpamHere.ORG writes:

>In article <1184785605_1913@sp12lax.superfeed.net>, Jeff Campbell writes:

>>> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>>> the username under attack, I'd appreciate it. HP, if you are listening,
>>> this would be a nice feature if it doesn't already exist (I didn't see a
>>> way to get it when I perused the ssh doc).

Unfortunately, SSH doesn't report the username to the audit server
properly. See below.

>>ANAL/AUDI will show you the attempted user names. On my system I see:

>From ssh? I don't think so... Here is what I see for both LOGFAIL and
>BREAKIN event types in my AUDIT logs:

>     Date / Time         Type     Subtype   Node    Username   ID        Term
>18-JUL-2007 07:55:26.57  BREAKIN  NETWORK   ******  TCPIP$SSH  20200D4F
>18-JUL-2007 07:54:56.92  LOGFAIL  NETWORK   ******  TCPIP$SSH  20200D4A

>Using HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6

I wrote a little program that listens to the audit server, and when it
detects a TCPIP breakin attempt, it'll disable the attacking IP address.
Except it's not all there. I do detect the breakin and figure out the IP
address to disable, but don't actually disable anything.

It knows about SSH, FTP and TELNET breakin attempts.

What I found that makes this a mess:

There is a "remote node address" field where I'd think the IP address of
the attacker would go. TELNET puts it there. So does FTP, but in the
reverse byte order of TELNET! (Big-endian vs. little endian issue) SSH
doesn't use the field at all! I can figure out the SSH attacker address
via a hack.

FTP and TELNET do tell you the username being attacked. SSH does - only
if it exists on the system! Otherwise it uses the username TCPIP$SSH.

What's stopping me from the final touch and give it to you: Being busy,
and writing a simple LIB$SPAWN to do either a:

$ TCPIP SET COMMUNICATION/REJECT=ip.add.re.ss

or

$ TCPIP SET ROUTE ip.add.re.ss /GATEWAY=black.hole

or something, and a LIB$SPAWN to do a SET AUDIT, plus cleanup.
The hard part is done and working.

Does anyone know of a system service or $QIO that will do the above TCPIP
commands, or the equivalent of a $ SET AUDIT/LISTENER=mailbox and
$ SET AUDIT/NOLISTEN ? I especially want the latter in an exit handler,
because if the program doesn't shut down properly, the mailbox gets full
and the audit server gets upset and starts suspending all the processes!
I don't want anyone getting pissed off at me because this program hung
your system, even if it's the audit server at fault. If you try to log in
to fix it, the audit server suspends the process before you get a chance
to do anything!

------------------------------

Date: Thu, 19 Jul 2007 02:08:30 GMT
From: John Santos
Subject: Re: these sshmucks are at it again...
Message-ID:

JF Mezei wrote:
> Brad Hamilton wrote:
>
>> The more time the b****rds spend
>> trying to break into my system, the less time they have to break into
>> some
>> other poor schmuck's system. A public service, I call it. :-)
>
>
> Then the owners of VMS should port SSH to VAX so that hobbyists could
> let the sshmucks try to login on all mighty microvax IIs :-) That would
> slow them down :-)

The VAX version of TCPware (and presumably Multinet) supports SSH.

--
John Santos
Evans Griffiths & Hart, Inc.
781-861-0670 ext 539

------------------------------

Date: Wed, 18 Jul 2007 22:59:13 +0200
From: "Martin Vorlaender"
Subject: Re: What's up with Google - Groups today?
Message-ID:

Neil Rieck wrote:
> "Peter 'EPLAN' LANGSTOeGER" wrote...
>> It is 18-JUL-2007 09:00 in Vienna (means MET-DST or nowadays CEDT -
>> I don't know why MET got canned and only CET seems to be used now)
>
> It's Middle Europe vs. Central Europe isn't it?

I think MET is now used for Middle Eastern Time.

cu,
Martin
--
One OS to rule them all       | Martin Vorlaender | OpenVMS rules!
One OS to find them           | work: mv@pdv-systeme.de
One OS to bring them all      | http://www.pdv-systeme.de/users/martinv/
And in the Darkness bind them.| home: martin.vorlaender@t-online.de

------------------------------

Date: Wed, 18 Jul 2007 19:37:24 -0000
From: Pierre
Subject: Re: XML for VMS
Message-ID: <1184787444.126454.26620@j4g2000prf.googlegroups.com>

On Jul 17, 10:51 am, "P. Sture" wrote:
> In article <1184604387.066543.150...@m3g2000hsh.googlegroups.com>,
>
>
>
> Pierre wrote:
> > On Jul 16, 3:49 pm, "P. Sture" wrote:
> > > In article <1184592195.706705.304...@n2g2000hse.googlegroups.com>,
>
> > > Pierre wrote:
> > > > On Jul 14, 9:37 am, "P. Sture" wrote:
> > > > > In article <1184363711.378066.42...@o61g2000hsh.googlegroups.com>,
>
> > > > > > you may use xmlstarlet. it's built upon libxml2 and libxsl. we use it
> > > > > > every day from DCL to extract data from XML file and create DCL symbols
> > > > > > that can be used later on.
>
> > > > > Is this the one at ?
>
> > > > > If so, how does one build it for VMS?
>
> > > > > --
> > > > > Paul Sture
>
> > > > it almost builds out-of-the-box (you just have to write a build
> > > > procedure)
>
> > > > I can send you mine if you wish.
>
> > > Yes please.
>
> > > --
> > > Paul Sture
>
> > here is my build.com procedure
>
> > $ set process/parse=extended
> > $ pipe del *.exe;* > nla0: 2> nla0:
> > $ pipe del *.obj;* > nla0: 2> nla0:
> > $ src = "xml," +-
> > "binsert," +-
> > "stack," +-
> > "strdup," +-
> > "trans," +-
> > "xml_C14N," +-
> > "xml_depyx," +-
> > "xml_edit," +-
> > "xml_elem," +-
> > "xml_escape," +-
> > "xml_format," +-
> > "xml_ls," +-
> > "xml_pyx," +-
> > "xml_select," +-
> > "xml_trans," +-
> > "xml_validate," +-
> > -
> > "snprintf"
> > $
> > $ i=0
> > $ loop:
> > $ source = f$elem(i,",",src)
> > $ if source.nes.","
> > $ then
> > $ options = "/names=(shortened,as_is)/float=IEEE/IEEE_mode=denorm_results/warning=(disable=NOTCONSTQUAL)"
> > $ options = options + "/NOOP/DEBUG"
> > $ command = "cc''options' ''source'"
> > $ write sys$output "$ ''command'"
> > $ 'command
> > $ i = i+1
> > $ goto loop
> > $ endif
> > $ link:
> > $ command = "link/exe=xml.exe ''src',libxml_libs:libxslt.olb/lib,libexslt.olb/lib,libxml.olb/lib"
> > $ write sys$output "$ ''command'"
> > $ 'command
>
> > you may notice an extra source (snprintf.c) in the build procedure
> > I took it from http://www.ijs.si/software/snprintf/ to be able to
> > build xmlstarlet as my C compiler complained on some missing
> > functions. I think that depends on the DECC version.
> > I don't remember the "why" of the /IEEE_mode=denorm_result options :(
>
> > ask me if you encounter troubles, I'll try to answer.
>
> Did you have a config.h to go with that?
>
> For comparison, the libxml2 package comes with its own config.vms.
>
> --
> Paul Sture

I also recompiled libxml2 and libxsl but I do not have much time this
week to check if I changed some options or not.
try with the config.h of my previous post.
I'll check next week all this and be more present on the newsgroup.
sorry for the delay.

Pierre.

------------------------------

End of INFO-VAX 2007.391
************************
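
Added example, not part of the digest and not Michael Moroney's program: a Python sketch of the triage his post in the "sshmucks" thread describes, run over constructed OPCOM alarms in the layout quoted there. It assumes the SSH peer can be read from the SSH_PASSWORD: prefix shown in the quoted alarm (his own method is not given), all function names are illustrative, and node_addr_to_ip shows how one 32-bit node address reads under each byte order, since the post does not say which of TELNET and FTP uses which.

```python
import re
from collections import Counter

# Constructed alarms in the layout quoted in the thread; node and hosts are made up.
def _alarm(time, host):
    return (f"%%%%%%%%%%%  OPCOM  {time}  %%%%%%%%%%%\n"
            "Message from user AUDIT$SERVER on NODEA\n"
            "Auditable event:          Network login failure\n"
            f"Event time:               {time}\n"
            "Username:                 TCPIP$SSH\n"
            f"Remote node fullname:     SSH_PASSWORD:{host}\n"
            "Status:                   %LOGIN-F-NOTVALID, user authorization failure\n\n")

SAMPLE = "".join([_alarm(f"18-JUL-2007 08:05:4{i}.00", "scanner.example.net")
                  for i in range(6)] + [_alarm("18-JUL-2007 09:10:00.00", "office.example.org")])

def parse_alarms(text):
    """Split OPCOM output on the %%% banner lines; return one field dict per alarm."""
    alarms = []
    for block in re.split(r"^%{5,}.*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if "Auditable event" in fields:
            alarms.append(fields)
    return alarms

def ssh_source(alarm):
    """Peer host from 'Remote node fullname: SSH_PASSWORD:<host>', else None (assumed layout)."""
    prefix, sep, host = alarm.get("Remote node fullname", "").partition(":")
    return host if sep and prefix.startswith("SSH_") else None

def noisy_sources(text, threshold=5):
    """Hosts with at least `threshold` SSH network login failures."""
    hits = Counter()
    for alarm in parse_alarms(text):
        src = ssh_source(alarm)
        if src and alarm["Auditable event"] == "Network login failure":
            hits[src] += 1
    return {host: n for host, n in hits.items() if n >= threshold}

def node_addr_to_ip(value, byteorder):
    """Dotted quad for a 32-bit node address; byteorder is 'big' or 'little'."""
    return ".".join(str(b) for b in value.to_bytes(4, byteorder))
```

A reject rule built from the byte-reversed reading of a node address would block an unrelated host, so the byte order for each service should be confirmed against a login from a known address before the field is acted on.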