Security alarm msg - VMS



Thread: Security alarm msg

  1. Security alarm msg

    I noted following on opcon. Why is the remote node id in decimal format?
    This is on 8.3 Itanium.

    Message from user AUDIT$SERVER on REX
    Security alarm (SECURITY) and security audit (SECURITY) on REX, system id:
    2060
    Auditable event: Network breakin detection
    Event time: 6-SEP-2008 06:49:14.22
    PID: 20F0B1A8
    Process name: TCPIP$FTPC00079
    Username: newuser
    Remote node id: 998090410
    Remote node fullname: 59-125-166-170.HINET-IP.hinet.net
    Remote username: FTP_3B7DA6AA
    Status: %LOGIN-F-NOSUCHUSER, no such user


    --
    PL/I for OpenVMS
    www.kednos.com

  2. Re: Security alarm msg

    On Sep 6, 9:56 am, "Tom Linden" wrote:
    > I noted following on opcon. Why is the remote node id in decimal format?
    > This is on 8.3 Itanium.
    >
    > Message from user AUDIT$SERVER on REX
    > Security alarm (SECURITY) and security audit (SECURITY) on REX, system id:
    > 2060
    > Auditable event:          Network breakin detection
    > Event time:               6-SEP-2008 06:49:14.22
    > PID:                      20F0B1A8
    > Process name:             TCPIP$FTPC00079
    > Username:                 newuser
    > Remote node id:           998090410
    > Remote node fullname:     59-125-166-170.HINET-IP.hinet.net
    > Remote username:          FTP_3B7DA6AA
    > Status:                   %LOGIN-F-NOSUCHUSER, no such user
    >
    > --
    > PL/I for OpenVMS
    > www.kednos.com


    Tom,

    I don't have access to an equivalent configuration at this instant.
    What does the inverse DNS for the address look like?

    - Bob Gezelter, http://www.rlgsc.com

  3. Re: Security alarm msg

    Tom Linden wrote:
    > I noted following on opcon. Why is the remote node id in decimal format?
    > This is on 8.3 Itanium.
    > Remote node id: 998090410



    It has been like that for a long while. You need to do a netstat -n to
    get the real IP if the connection is still active, or look at your
    router's syslog file to get the real IP address, or plug that decimal
    number in a symbol, do a show symbol, and extract individual hex bytes,
    convert them to decimal to get your usable IP address.

    I suspect some coder decided it was much easier to just feed an integer
    instead of doing a sprintf to convert 4 individual bytes into a usable IP
    address (dotted decimal notation).

    I wonder what they will do with IPv6 addresses. Will be a mighty long
    number :-) And we won't be able to feed it to a symbol because VMS
    symbols are limited to 32 bits, right ?

  4. Re: Security alarm msg

    "Tom Linden" writes:

    >I noted following on opcon. Why is the remote node id in decimal format?
    >This is on 8.3 Itanium.


    >Message from user AUDIT$SERVER on REX
    >Security alarm (SECURITY) and security audit (SECURITY) on REX, system id:
    >2060
    >Auditable event: Network breakin detection
    >Event time: 6-SEP-2008 06:49:14.22
    >PID: 20F0B1A8
    >Process name: TCPIP$FTPC00079
    >Username: newuser
    >Remote node id: 998090410
    >Remote node fullname: 59-125-166-170.HINET-IP.hinet.net
    >Remote username: FTP_3B7DA6AA
    >Status: %LOGIN-F-NOSUCHUSER, no such user


    That is someone trying to break into your system via FTP. They use a
    brute force attack (being unaware of VMS's breakin evasion).

    Don't take it personally, it's likely a script kiddie at work, and the
    attacking system (59-125-166-170.HINET-IP.hinet.net) is as likely as
    not a trojaned zombie slave. Your IP address came out of a random number
    generator.

    Do an $ANALYZE/AUDIT/SINCE= and you may see hundreds, thousands or
    tens of thousands of attempts while a script hacks away.

    The "Remote node id" being a number corresponding to the IP address is one
    of many problems TCP/IP has with security auditing.

  5. Re: Security alarm msg

    In article , moroney@world.std.spaamtrap.com
    (Michael Moroney) writes:

    > That is someone trying to break into your system via FTP. They use a
    > brute force attack (being unaware of VMS's breakin evasion).
    >
    > Don't take it personally, it's likely a script kiddie at work, and the
    > attacking system (59-125-166-170.HINET-IP.hinet.net) is as likely as
    > not a trojaned zombie slave. Your IP address came out of a random number
    > generator.


    If only to keep the size of ACCOUNTNG.DAT under control, when I see this
    happening, I stop FTP and restart it immediately. I've done this
    perhaps 20 times over the years. I don't think there was a single time
    when this didn't immediately stop the attack.


  6. Re: Security alarm msg

    On Sat, 06 Sep 2008 17:43:23 -0700, Phillip Helbig---remove CLOTHES to reply wrote:

    > In article , moroney@world.std.spaamtrap.com
    > (Michael Moroney) writes:
    >
    >> That is someone trying to break into your system via FTP. They use a
    >> brute force attack (being unaware of VMS's breakin evasion).
    >>
    >> Don't take it personally, it's likely a script kiddie at work, and the
    >> attacking system (59-125-166-170.HINET-IP.hinet.net) is as likely as
    >> not a trojaned zombie slave. Your IP address came out of a random
    >> number
    >> generator.

    >
    > If only to keep the size of ACCOUNTNG.DAT under control, when I see this
    > happening, I stop FTP and restart it immediately. I've done this
    > perhaps 20 times over the years. I don't think there was a single time
    > when this didn't immediately stop the attack.
    >

    I did that too, right away. I actually had no need for ftp on that node
    anyway, and if I did I could just enable it.


    --
    PL/I for OpenVMS
    www.kednos.com

  7. Re: Security alarm msg

    Tom Linden wrote:
    > I noted following on opcon. Why is the remote node id in decimal format?
    > This is on 8.3 Itanium.
    >
    > Message from user AUDIT$SERVER on REX
    > Security alarm (SECURITY) and security audit (SECURITY) on REX, system
    > id: 2060
    > Auditable event: Network breakin detection
    > Event time: 6-SEP-2008 06:49:14.22
    > PID: 20F0B1A8
    > Process name: TCPIP$FTPC00079
    > Username: newuser
    > Remote node id: 998090410
    > Remote node fullname: 59-125-166-170.HINET-IP.hinet.net
    > Remote username: FTP_3B7DA6AA
    > Status: %LOGIN-F-NOSUCHUSER, no such user
    >


    The remote node id seems to be the decimal equivalent of the dotted
    decimal IP octet...

    X = 998090410 Hex = 3B7DA6AA Octal = 07337323252

    %X3B = 59, %X7D = 125, %XA6 = 166, %XAA = 170

  8. Re: Security alarm msg

    On Tue, 09 Sep 2008 11:13:46 -0700, Marty Kuhrt wrote:

    > Tom Linden wrote:
    >> I noted following on opcon. Why is the remote node id in decimal
    >> format?
    >> This is on 8.3 Itanium.
    >> Message from user AUDIT$SERVER on REX
    >> Security alarm (SECURITY) and security audit (SECURITY) on REX, system
    >> id: 2060
    >> Auditable event: Network breakin detection
    >> Event time: 6-SEP-2008 06:49:14.22
    >> PID: 20F0B1A8
    >> Process name: TCPIP$FTPC00079
    >> Username: newuser
    >> Remote node id: 998090410
    >> Remote node fullname: 59-125-166-170.HINET-IP.hinet.net
    >> Remote username: FTP_3B7DA6AA
    >> Status: %LOGIN-F-NOSUCHUSER, no such user
    >>

    >
    > The remote node id seems to be the decimal equivalent of the dotted
    > decimal IP octet...
    >
    > X = 998090410 Hex = 3B7DA6AA Octal = 07337323252
    >
    > %X3B = 59, %X7D = 125, %XA6 = 166, %XAA = 170


    Right, my question really was why it was expressed in that manner.


    --
    PL/I for OpenVMS
    www.kednos.com

  9. Re: Security alarm msg


    "Tom Linden" wrote in message
    newsp.ug2boszghv4qyg@murphus.hsd1.ca.comcast.net...
    >I noted following on opcon. Why is the remote node id in decimal format?
    > Remote node id: 998090410


    It's stored as an integer in the binary log and the formatter in ANALYZE/AUDIT
    only understands DECnet addresses.




  10. Re: Security alarm msg

    Tom Linden wrote:
    > I noted following on opcon. Why is the remote node id in decimal format?
    > This is on 8.3 Itanium.
    >
    > Message from user AUDIT$SERVER on REX
    > Security alarm (SECURITY) and security audit (SECURITY) on REX, system id:
    > 2060
    > Auditable event: Network breakin detection
    > Event time: 6-SEP-2008 06:49:14.22
    > PID: 20F0B1A8
    > Process name: TCPIP$FTPC00079
    > Username: newuser
    > Remote node id: 998090410
    > Remote node fullname: 59-125-166-170.HINET-IP.hinet.net
    > Remote username: FTP_3B7DA6AA
    > Status: %LOGIN-F-NOSUCHUSER, no such user
    >
    >


    Note, when the IP is not backtranslatable:

    %%%%%%%%%%% OPCOM 15-SEP-2008 06:19:09.14 %%%%%%%%%%%
    Message from user AUDIT$SERVER on CHAIN
    Security alarm (SECURITY) and security audit (SECURITY) on CHAIN, system
    id: 1035
    Auditable event: Network breakin detection
    Event time: 15-SEP-2008 06:19:09.14
    PID: 20202C8D
    Process name: TCPIP$FTPC0002C
    Username: admin
    Remote nodename: 218.80.215.198
    Remote node id: 3662731206 (53.966)
    Remote username: FTP_DA50D7C6
    Status: %LOGIN-F-NOSUCHUSER, no such user

    So it would probably be far better if the software didn't try to
    translate the IP address and log the IP address as the nodename instead
    of a useless integer number.
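    The decoding that JF Mezei describes (drop the decimal node id into a symbol and pull out the hex bytes), the worked conversion Marty Kuhrt posted, the ANALYZE/AUDIT attempt counts Michael Moroney mentions, and the "(53.966)" annotation in the alarm above can all be reproduced off-line. The following Python script is an added example, not code from any poster or from OpenVMS itself: it parses the two OPCOM alarms quoted in this thread (reproduced here as constructed sample text, with the wrapped lines joined), renders "Remote node id" as a dotted quad (most significant byte first, the order Marty's numbers show), and cross-checks that address against the hex in the FTP_xxxxxxxx remote username and the reverse-DNS name. Two things in it are my assumptions rather than facts stated on the page: that the FTP server always builds the remote username from the hex address (both alarms here do), and that the parenthesised value is the formatter reading the low 16 bits as a DECnet Phase IV area.node address, which is the only reading under which 3662731206 yields 53.966.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: the two alarms quoted in this thread, as OPCOM would
# print them (wrapped "system id" lines joined back together).
SAMPLE_ALARMS = """\
Message from user AUDIT$SERVER on REX
Security alarm (SECURITY) and security audit (SECURITY) on REX, system id: 2060
Auditable event:          Network breakin detection
Event time:                6-SEP-2008 06:49:14.22
PID:                      20F0B1A8
Process name:             TCPIP$FTPC00079
Username:                 newuser
Remote node id:           998090410
Remote node fullname:     59-125-166-170.HINET-IP.hinet.net
Remote username:          FTP_3B7DA6AA
Status:                   %LOGIN-F-NOSUCHUSER, no such user

Message from user AUDIT$SERVER on CHAIN
Security alarm (SECURITY) and security audit (SECURITY) on CHAIN, system id: 1035
Auditable event:          Network breakin detection
Event time:               15-SEP-2008 06:19:09.14
PID:                      20202C8D
Process name:             TCPIP$FTPC0002C
Username:                 admin
Remote nodename:          218.80.215.198
Remote node id:           3662731206 (53.966)
Remote username:          FTP_DA50D7C6
Status:                   %LOGIN-F-NOSUCHUSER, no such user
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s+(.*)$")
DASHED_IP_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")
BARE_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def node_id_to_ipv4(node_id: int) -> str:
    """Render the 32-bit node id as a dotted quad, high byte first
    (998090410 = 0x3B7DA6AA -> 59.125.166.170, as shown in the thread)."""
    if not 0 <= node_id <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit node id: {node_id}")
    return ".".join(str((node_id >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decnet_area_node(node_id: int) -> str:
    """Assumption: the '(area.node)' suffix is the audit formatter treating the
    low 16 bits as a DECnet Phase IV address (area = bits 10-15, node = bits 0-9).
    That reading reproduces the page's 3662731206 -> (53.966)."""
    low16 = node_id & 0xFFFF
    return f"{low16 >> 10}.{low16 & 0x3FF}"


def ip_from_ftp_username(remote_username: str) -> Optional[str]:
    """Assumption: FTP_xxxxxxxx carries the remote address as eight hex digits."""
    m = re.fullmatch(r"FTP_([0-9A-Fa-f]{8})", remote_username)
    return node_id_to_ipv4(int(m.group(1), 16)) if m else None


def parse_alarms(text: str) -> List[Dict[str, str]]:
    """Split OPCOM text into one 'field: value' dict per AUDIT$SERVER message."""
    alarms: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.startswith("Message from user AUDIT$SERVER"):
            current = {}
            alarms.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return alarms


def decode_alarm(alarm: Dict[str, str]) -> Dict[str, object]:
    """Decode the source address and check the three places it appears agree."""
    node_id = int(alarm["Remote node id"].split()[0])   # drop any "(area.node)"
    ip = node_id_to_ipv4(node_id)
    from_user = ip_from_ftp_username(alarm.get("Remote username", ""))
    name = alarm.get("Remote nodename") or alarm.get("Remote node fullname", "")
    dashed = DASHED_IP_RE.match(name)           # e.g. 59-125-166-170.HINET-IP...
    if dashed:
        name_ip: Optional[str] = ".".join(dashed.groups())
    elif BARE_IP_RE.match(name):                # no PTR record: bare address logged
        name_ip = name
    else:
        name_ip = None                          # reverse name does not embed the IP
    return {
        "source_ip": ip,
        "decnet_annotation": decnet_area_node(node_id),
        "consistent": all(x == ip for x in (from_user, name_ip) if x is not None),
        "username": alarm.get("Username", ""),
        "status": alarm.get("Status", ""),
    }


def tally_breakins(alarms: List[Dict[str, str]]) -> Counter:
    """Attempts per decoded source address, the figure one would otherwise dig
    out of ANALYZE/AUDIT/SINCE= when a script is hammering the FTP listener."""
    counts: Counter = Counter()
    for alarm in alarms:
        if alarm.get("Auditable event") == "Network breakin detection":
            counts[decode_alarm(alarm)["source_ip"]] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_alarms(SAMPLE_ALARMS)
    for decoded in map(decode_alarm, parsed):
        print(f"{decoded['source_ip']:<16} ({decoded['decnet_annotation']:>7})  "
              f"consistent={decoded['consistent']}  user={decoded['username']}")
    print(tally_breakins(parsed))
```

Feed it the output of a real ANALYZE/AUDIT/FULL run instead of the constructed sample and the tally gives the per-source attempt counts directly; a "consistent=False" line means the reverse name, the FTP_ username and the node id disagree, which is worth a second look before trusting any one of them.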

  11. Re: Security alarm msg

    JF Mezei wrote:
    > Tom Linden wrote:
    >> I noted following on opcon. Why is the remote node id in decimal format?
    >> This is on 8.3 Itanium.
    >>
    >> Message from user AUDIT$SERVER on REX
    >> Security alarm (SECURITY) and security audit (SECURITY) on REX, system id:
    >> 2060
    >> Auditable event: Network breakin detection
    >> Event time: 6-SEP-2008 06:49:14.22
    >> PID: 20F0B1A8
    >> Process name: TCPIP$FTPC00079
    >> Username: newuser
    >> Remote node id: 998090410
    >> Remote node fullname: 59-125-166-170.HINET-IP.hinet.net
    >> Remote username: FTP_3B7DA6AA
    >> Status: %LOGIN-F-NOSUCHUSER, no such user
    >>
    >>

    >
    > Note, when the IP is not backtranslatable:
    >
    > %%%%%%%%%%% OPCOM 15-SEP-2008 06:19:09.14 %%%%%%%%%%%
    > Message from user AUDIT$SERVER on CHAIN
    > Security alarm (SECURITY) and security audit (SECURITY) on CHAIN, system
    > id: 1035
    > Auditable event: Network breakin detection
    > Event time: 15-SEP-2008 06:19:09.14
    > PID: 20202C8D
    > Process name: TCPIP$FTPC0002C
    > Username: admin
    > Remote nodename: 218.80.215.198
    > Remote node id: 3662731206 (53.966)
    > Remote username: FTP_DA50D7C6
    > Status: %LOGIN-F-NOSUCHUSER, no such user
    >
    > So it would probably be far better if the software didn't try to
    > translate the IP address and log the IP address as the nodename instead
    > of a useless integer number.


    A few years ago when I was still working, some research on the origins
    of the spam I was receiving suggested that blocking the 218 net would
    eliminate 90%! One of the nicer aspects of spam from 218 is the thought
    that the Chinese could simply shoot the bastards!

  12. Re: Security alarm msg

    On 2008-09-15 14:39, "Richard B. Gilbert" wrote:

    > A few years ago when I was still working, some research on the origins
    > of the spam I was receiving suggested that blocking the 218 net would
    > eliminate 90%! One of the nicer aspects of spam from 218 is the thought
    > that the Chinese could simply shoot the bastards!


    Well, according to the RIPE database [1] this network is spread around
    the whole world -- it's not "just China":

    | The country is really worldwide.
    | This address space is assigned at various other places in
    | the world and might therefore not be in the RIPE database.

    Michael

    [1]


    --
    Real names enhance the probability of getting real answers.
    My e-mail account at DECUS Munich is no longer valid.
